"Slippery Slope" defined...

Way back in law school we learned a term called the "slippery slope." In academia it usually has a negative connotation, because it usually means "the beginning of the end."

Imagine you are standing on some rocks next to a roaring river. The rock you are on is dry, but as you step forward, you step onto a wet rock. It's slippery and it slopes towards the river... whoosh, you slip on the rock and slide down into the river. There was nothing you could do, the events were set in motion by powers beyond your control (gravity dude).

In law, the term is used when a decision is made that, in all likelihood, will lead to other decisions similar to the original one. If the first decision was bad, then the following ones will be equally bad if they follow the first. And since our legal system is based on "stare decisis", prior decisions must be given due respect and usually must be followed.

The term is used so often that, to me, it has become akin to the boy who cried wolf. Not every decision made that is termed the "slippery slope" results in bad things happening, but I fear that a recent decision in the United Kingdom may be the definition of the "slippery slope."

There is a website called "The Pirate Bay" that arguably facilitates illegal activity. It is a BitTorrent index: it doesn't host the files itself, it points its visitors or "users" at each other so they can copy files peer-to-peer. Usually those files are not supposed to be shared (copied music or movies for example).

The courts in the UK have just ordered the various ISPs (Internet Service Providers) to block access to The Pirate Bay. That's right, if you live in the UK and get Internet access from one of the major providers over there, you won't be able to visit The Pirate Bay.

So, if the courts are willing to order the blocking of certain Internet sites are the days of a free and open Internet over?

According to a recording industry chief executive, "The High Court has confirmed that The Pirate Bay infringes copyright on a massive scale..."

Thank you sir. The site is hosted in Sweden and the Swedish authorities already found the site operators guilty of "helping people circumvent copyright controls." (BBC Article) Resolution is pending...IN SWEDEN...!

 

There are sites out there that will mask your IP address (basically your "license plate" when you surf the net) by routing your traffic through a proxy, so the sites you visit see the proxy's address instead of yours. That makes your Internet usage much harder to trace, though not impossible: the proxy operator still sees where you came from and where you went. These sites claim that there are plenty of legal reasons to do so, so they are allowed to exist.

As a former prosecutor, I am familiar with the myriad ways that criminals can hide their tracks or at least make it incredibly difficult to find them on the Internet. I would ask myself all the time "how can this service be legal, it seems to have no legitimate purpose..."

There are sites out there that will teach you how to kill someone. There are sites out there for just about every horrible aspect of humanity. There are also sites out there that may be teaching someone how to save the world, solve global warming and many other really good things. Our Government here is allowed to "seize" websites once a court order is obtained. Our Government can break down your door if they get a search warrant. There is a difference between this behavior and blocking access without addressing the source.

The British judiciary just gave private companies an end-around. Forget taking down the source, just order access to the offending site blocked and force compliance on that issue...much easier, right?

There is a mountain of evidence to suggest that The Pirate Bay website operators knowingly engage in behavior that facilitates crime.  In order to bring them to justice I would have had to prove it - beyond a reasonable doubt. It appears the Swedish authorities did just that.

But here.... the British courts just ordered access to the site shut down. Do they really think that's going to make a difference? An ISP block works on the site's domain name or IP address, so a mirror at a new address, or a proxy in between, walks right around it. If the whole Napster thing taught us anything, it's that copy/paste isn't going away anytime soon, it just changes address.

To sum it up:

Access to The Pirate Bay is blocked because of copyright infringement.

Access to "how to join jihad" is blocked because of national security concerns.

Access to "candidate x's website" is blocked because candidate x's positions are far too radical for the general populace to be reading.

Access to "The Internet" is blocked because, well, we're just not ready yet.

And there you have the "slippery slope" folks.

 

MASS RMV DATA STOLEN - WHY?

Last Thursday two masked men, operating a stolen jeep, pulled up next to a courier's white van that was parked outside a MA RMV location, jumped out of the jeep and stole five bags from the courier's van. This is according to witnesses' accounts reported to police.

According to the MA Department of Transportation Press Secretary the private courier worked for the Registry of Motor Vehicles and the five bags contained documents not money. The documents included:

"Personal customer information is contained in the types of paperwork stolen. The records included names, dates of birth, addresses and license numbers. The types of paperwork stolen do not include the social security numbers of Massachusetts residents," she said.

As reported by the Gloucester Times

Apparently between 500-600 customers were affected.

The police are saying it was a targeted theft, but that maybe the men thought the bags contained money. These guys used a car that had been recently stolen and had a second getaway car parked nearby.

This seems like a lot of work to go through to steal 500-600 people's registry transaction paperwork. The "they thought the bags had money" theory seems more likely.

But... if the bad guys had this thing so planned out, why didn't they know that the bags didn't contain money? Does the courier usually have the Registry's money, but only had the paperwork on this particular morning? That is an important question.

The other important question is: exactly what information was taken? Was there something about the information that would be valuable? The registry took care to say that no "social security numbers" or "credit card information" was taken. But if the stolen information was in the right (wrong) hands, what could they do with it?

 

Usually a theft like this involves access to inside information. It's not like these guys would sit outside the Wilmington branch of the RMV every day to learn the courier's schedule. That might happen in the movies, but in my experience, criminals are just too lazy to do that leg work. They will either know someone on the inside who can tell them the schedule, or one of them IS on the inside and works for either the RMV or the courier service. Either way, the information should have included the fact that no money would have been in those bags, or we have yet another example of "world's stupidest criminals."

 

From a data security standpoint, this crime should serve as notice to those companies still using data in paper form that they are not immune from being "hacked." This incident is technically a data breach, right? And since it involves a State agency, different rules apply.

Executive Order 504 requires Massachusetts State Agencies to protect "Personal Information." Because M.G.L. 93H and 201 CMR 17 do not apply to public entities, this order seeks to close a loophole with one big exception: penalties for non-compliance... or lack thereof.

Since it appears that the courier was a private company and the RMV is a State agency, they would have had to execute a contract with specific language regarding the protection of Personal Information of Massachusetts residents. Exec Order 504 commands it.

So, what at first blush appears to be a couple of bungling idiots taking the wrong bags (or the right bags on the wrong day) may turn into an "investigation" into the lack of protection afforded 500-600 Massachusetts' residents personal information.

Did the contract between the RMV and the courier have the appropriate language?

Did the courier have the appropriate protections in place?

How much will this incident cost the courier? The State? There are procedures under Exec Order 504 that must be followed.

 

Until I hear that this courier usually carried money I will presume that the theft of information was the goal of the bad guys' actions. I mean, these guys stole a car just hours before this crime, had a second car ready to go, wore masks, and pulled this off at 9:00am? If you go to all that trouble and don't know exactly what's in those bags you deserve to serve time for stealing paper...

 

 

Major Credit Card Processor hacked - is the sky falling?

Last Friday, I was reading my daily dose of Brian Krebs' blog, KrebsOnSecurity.com, and read his story about a company called Global Payments Inc. being hacked. He didn't name the company on Friday; the Wall Street Journal did later in a story. Either way, we now know the company's name.

Global Payments Inc. is a credit card payment processor, or "acquirer", or “merchant acquirer” in industry terms. Firms like this are basically middlemen between the various retail or other business establishments who take credit cards and the banks who issue them. The credit card industry has layers. Banks issue credit cards to the people. The people want to use their cards to buy things, so retailers set up accounts with "acquirers" in order to be able to take credit cards. Visa runs a particular network, VisaNet, that ties all these different entities together.

When you use your credit card, you are essentially saying, "I promise to pay my bank back." You are promising to pay your bank back because it's actually the bank who is going to pay the business where you used your card. Now the bank can't be going all over the world trying to pay all the places where you used your card. Well, I suppose they could, but they don't. Enter the next layer...the acquiring bank, and in this story, the breached entity.

The acquiring bank spends their time setting up merchant contracts with the various entities that would like to accept credit cards. They then handle the mundane task of collecting money from your bank in order to pay the merchant, minus a small fee of course.

The only real role that Visa or MasterCard or American Express (the credit card "brands" if you will) play is to facilitate communications amongst the relevant parties. Of course they'd tell you that it's their brands that make the whole non-cash world go. And to some extent, they are correct. When your card is swiped VisaNet sends a message to the bank asking if it's ok to use your card; VisaNet is also equipped to answer that question on the bank's behalf ("stand-in processing") if the bank doesn't answer fast enough. (remember, you're standing there hoping you paid your last bill...waiting for that machine to answer)

To complicate matters further, there can be yet another layer between the actual store wishing to take credit cards and the acquirer. Because it's not relevant to this discussion, I will leave a full credit card industry analysis for another day. Suffice to say that if there is a way to make money in the credit card industry, the companies have figured it out.

This particular acquirer is rather large. Most are. They make very little on individual transactions so they need lots of transactions to make real money. Global Payments makes real money. They are a public company listed on the New York Stock Exchange. Take a look at this graph which shows Global's stock price, before, during and after they announced the breach. (GRAPH)

The losses piled up so fast that NYSE halted trading of Global's stock around noon on Friday. In the wake of the announced breach, Visa announced that they would be dropping Global as a processor. Well, not exactly "dropping" them apparently, but rather delisting them from a "registry" of processors (acquirers, merchant acquirers, etc) who meet certain data security requirements. You see, Visa, MasterCard and the rest of the "brands" hold all the cards. They get to decide who is a processor, and more importantly, who is not. Or in this case, who is on the good list and who is on the naughty list. Very Santa-ish of them.

The number of credit card numbers stolen in this breach is either unknown, still being established or being "managed" in order to do the least damage. Global says that "less than 1.5mil had been 'exported'." Interesting choice of words. Please check out Brian Krebs' story on that issue here. This company probably processes (processed?) billions of transactions a year... will they ever know what was actually taken?

All this matters because of the costs that come next. Let's say it's 2mil cards lost. If each card costs say $3 to replace, that's $6mil. Now say half of them want credit protection. At $6 per person that's another $6mil. If Global loses business because Visa "delisted" them, that's another cost (amount unknown). Don't check my math, these are extremely rough numbers and every situation has different costs. I am confident that the costs will be profound however. The Ponemon Institute puts the average cost of a data breach at $214 per record. (x 1 mil? x 2 mil? x 10mil?)

And let’s not forget about that stock price graph I showed you. Global lost approximately 14% of their stock value. Based on what I know about their annual income, stock price and their market capitalization – (which is just about nothing) – I assume that 14% is a lot, a real lot of money.

A law firm, Levi & Korsinsky has announced that they are "investigating potential claims against the board of directors of Global Payments, Inc."

If I own stock in a company and that company performs so poorly because of its management, I can sue the company - well, actually, I sue the Board of Directors on behalf of the company - you see shareholders own the company. I do not purport to be an expert on so-called Shareholder Derivative lawsuits, or Federal Securities class actions, but I do know that you'd be wise to hire a lawyer (or lots of them) if one of these showed up on your company's doorstep. It looks like the folks over at Levi & Korsinsky are cooking something up.

In the wake of a data breach there are huge costs associated with the clean-up, notifications of affected parties, lost business or brand damage, litigation or potential litigation, regulatory action and other related costs. The down side here is pretty down.

But look on the bright side... a computer science degree is getting more popular by the day. You can be good or bad but definitely rich.

 

 

Afterword:

Dear Credit Card Industry:

I don't really care if every credit card processor on the planet gets hacked. I simply would like to be assured that even if they do, the costs will not trickle down to me. I will participate in your cash-less society so long as these pesky data breach things don't impact my bottom line. Please tell me the sky is not falling.

Signed, Concerned Customer

 

Dear Concerned Customer:

The sky is not falling. We are dedicated to providing the most secure environment for credit card transactions, but alas our world is awash with a certain element intent on hurting our efforts. Since we are all in this world together, we must all share the costs. We will certainly do our best to make it seem like it's not costing you anything, when in fact it is. You don't really expect us to pay for these crimes, do you?

Signed, Anonymous (we pwned again!)

 

 

Public Enemy Number One?

If 2011 was "The Year of the Data Breach", then 2012 is fast becoming "The Year Anonymous Became Public Enemy # 1!"

Anonymous, Anonymouse, and "tools", are all terms I have used to describe this decentralized group of computer operators who use their skills to harass, embarrass and otherwise annoy. If you think they're going away anytime soon, think again.

Let's have a look at just this month so far, and see what these folks have been up to:

 

I would put these in order, but does it matter... (These all happened in the last 16 days; "they" throughout is Anonymous.)

  • Boston, West Virginia, and Salt Lake Police Departments - they just don't like cops
  • Basically the whole City of Oakland's leadership - they didn't like Occupy Oakland's end
  • Federal Trade Commission - they don't like ACTA, an international anti-counterfeiting treaty, and the FTC supports it
  • Croatian President's website - this President does like ACTA, therefore, they don't like him
  • United Nations - apparently because it was easy, but maybe they don't like the whole world
  • CIA - any guesses why they did this one?
  • Mexican Chamber of Mines (Camimex) - they don't like the working conditions of miners
  • Syrian (soon to be ex-) President Bashar al Assad - any questions?
  • New Zealand Foreign Minister's email - they don't like recent NZ legislation on illegal downloading
  • Microsoft's India Store - apparently by a Chinese contingent of Anonymous, but no real reason
  • Brazilian banks: Banco do Brasil, Bradesco, Itau, HSBC - must be members of the 1%
  • Law Firm that was defending the Marine found guilty in the Iraqi town of Haditha killings - he didn't go to jail, the attorneys did their job... if Anons disagreed, wouldn't the judge have been a better target?
  • Westboro Baptist Church - go get 'em fellas... (and ladies)
  • NASDAQ, Chicago Board Options Exchange - damn the financial system, let's take it down
  • Combined Systems, US Corporation - makers of tear gas that was apparently shipped to Egypt
  • Symantec - high tech security company, Anons stole the source code for pcAnywhere
  • State of Alabama - apparently AL has some "racist legislation" regarding immigrants
  • FBI - UK (Met Police) PHONE CALL!!! - the investigators tapped by the "investigees"
  • And apparently today they are launching "Operation Global Blackout", which is supposed to cause havoc all over the Internet - maybe this site is currently down...

So, there's a snapshot of the last two weeks or so. If you think these are all harmless pranks, think again. The State of Alabama hack resulted in 46,000 citizens' personal information, including Social Security numbers, being stolen. Where are they now? Do you think the thief cares?

Also, remember back to the Strategic Forecasting (Stratfor) breach; I wrote about it here. Back in December, Anonymous both claimed and denied responsibility. Recently, however, clients of Stratfor have been receiving emails that are clearly "phishing" attempts. These emails purport to be from Stratfor informing the recipient that they need to click a link in order to assist with the "healing process" (my words, not theirs) of their data breach (the link claims to load some protection program for the client). The link actually leads to a malicious program designed to steal things like banking credentials.

So, it could be that Anonymous is pulling a Taliban (poppies are illegal where we're in power, but we own them all when we're not), and using the stolen information for financial crimes (not merely for protest purposes). Many times they post the information publicly to prove they did it. Along comes the wolves, and, well, Houston, we have a problem. (If a guy buys a gun, and then leaves it on a sidewalk, loaded, is that a problem?)

 

But ah ha, the US Senate recently released a long awaited piece of legislation, The Cybersecurity Act of 2012! Thank heavens...

Let me have just two more minutes of your time so I can give you the headlines of this piece of legislation:

...the Cybersecurity Act of 2012 would do the following:

Coordinate Cybersecurity Research and Development

Determine the Greatest Cyber Vulnerabilities

Protect Our Most Critical Infrastructure

Protect and Promote Innovation

Improve Information Sharing While Protecting Privacy and Civil Liberties

Improve the Security of the Federal Government's Networks

Clarify the Roles of Federal Agencies

Strengthen the Cybersecurity Workforce

 

In the last 16 days, hackers have operated with abandon and caused mayhem. Let's hope that the next 16, and the 16 after that and the 16 after that, and so on, and so on... will get this bill on our President's desk so these folks can have a new target (whitehouse.gov) and make themselves public enemy number one.

 

 

PS - if you have Symantec's PC Anywhere... I'd be nervous.

 

Are You Kidding Me?

So I printed out an article to read just before Christmas, and am only getting to it now. It is written by Michael Riley of Bloomberg Businessweek, and it's called "Stolen Credit Cards Go for $3.50 at Amazon-like Online Bazaar."

Ok, I know all about these online bazaars, I know you can look up a credit card's information before you buy it... although I just found out you can test it first to make sure the bank didn't cancel it... you can shop by credit limit, billing location, and other relevant pieces of information.

If you live in Massachusetts you would probably want to have a card from Massachusetts; chances are if your stolen card is from California, someone's going to pick up on that whole distance problem and shut the card down on the first try...

For what I do, this is fairly straightforward stuff.

 

BUT wait just a minute and read this:

Cyberthieves steal data worth $114 Billion / Year (source: Symantec)

All US bank robberies together worth $43 Million (source: FBI)

Global cocaine market worth $85 Billion (source United Nations)

 

Ok, Symantec IS a cybersecurity firm, so it behooves them to inflate the numbers, but they've been around a long time and should know better than to try to bamboozle their bread and butter market.

Bank Robberies.... MMMMMmillions.... Cocaine...BBBBBbillions. Sure, that makes sense.

But cyber crime...  really? The scale caught me by surprise. Unbelievable.

Anyway, just spend the 10 minutes to read this article and you'll get a pretty good overview of the current state of cyber crime.

http://www.businessweek.com/news/2011-12-28/stolen-credit-cards-go-for-3-50-at-amazon-like-online-bazaar.html

Boston Police Website Hacked

The Boston Police have (or should I say had) a very useful website called "BPDNEWS.COM" that fell victim today to some tomfoolery.

If you try to reach the site now, it asks for a password or will just error out. They must have taken it off-line.

If you were one of the lucky ones who accessed the site after the hack but before the take-down, you would have found a music video by KRS-ONE, a hip hop artist whose songs are not so flattering of the police.

Here are the local news stories about the hack: Channel 5 and Boston Herald.

Just when you think the whole "Occupy Boston" thing was over... they bring you back in. I used to visit that site regularly, it's pretty useful. I don't know if there was any data worth stealing attached to it, and for the sake of the BPD, I hope not.

 

Fascinating Fifth Amendment Situation

A fascinating situation is happening in Denver, Colorado this week. Well, let me qualify that, a "fascinating to me" situation is happening in Denver.

Federal law enforcement, during a mortgage fraud investigation, seized computers from a woman's house. In total, six computers were seized. One of the computers, a laptop, was encrypted and required a password to access the data contained therein. Try as they might, apparently the feds couldn't break the encryption and needed the password. Of course, the woman wasn't talking.

Here's the situation: does she HAVE to tell them the password? I mean, looking at it from a layman's point of view, does an individual HAVE to tell you where they buried the body? No, they don't.

The Fifth Amendment provides:

"[n]o person...shall be compelled in any criminal case to be a witness against himself."

Presumably, this laptop contains juicy evidence that the feds want... And, of course, if you stand charged with a crime, you certainly don't want to help those prosecuting you, do you?

Well, a District Court Judge has ruled that this woman must provide an "unencrypted version of the hard drive by..." a date certain. He didn't require her to provide the password, but he DID require her to provide the Government access to the data. According to the decision, the government gives the defendant an "image" of the encrypted hard drive (a bit-for-bit forensic copy, so the original stays in the agents' custody), then the defendant has a couple of weeks to give them back an unencrypted version of it. (The decision says nothing about how that copy is supervised, nor do I know if she's in custody or not... but handing the defendant a copy of the evidence and waiting for her to return it still seems like an awfully bad idea.)

Now, I could get into all the legal reasons why the Judge thinks he's right and why her lawyer thinks he's wrong, but I'm going to leave that up to the appellate court. In similar "password" cases involving child pornography the defendant lost - but hey, that crime is so terrible I think you should be able to waterboard the password out of those individuals.

I can tell you for certain that if the police have a search warrant for your house and you lock the door, they're coming in anyway...

 

Do you think John Adams and the rest of that crew could have even fathomed this situation?

 

Zappos gets Zapped gives Zippo

So, I went to Zappos.com for the first time today. I thought I would see what they had to say about this weekend’s announcement that just about everyone who shopped there has had their information stolen (well, 24 million people, which may or may not be “everyone” who shopped there, but man, that’s a lot of people).

What did I find? Nothing, nada, zilch, zip. Not a single mention could I find. I even used their search function and typed in “data breach”, which resulted in the site showing me a watch for $90.

I checked out their “blogs” section thinking that maybe they’d put something up there… nope, just the announcement of the winner of the “Ultimate Tee Shirt Design Contest.”

I heard from media reports that all affected accounts would need a new password, so I clicked on “new password” – no mention of the breach there either.

 

Lastly I scrolled down about a quarter mile and found the “privacy policy” link. For sure there will be some mention there… ah, no. But wait – look over on the right, a picture of a lock and the words “shopping with confidence.” And even better a link to “Learn how we protect your personal data…”

 

Here’s a quote from that section:

 

“Zappos.com servers are protected by secure firewalls—communication management computers specially designed to keep information secure and inaccessible by other Internet users. So you're absolutely safe while you shop.”

 

So, if I didn't watch the news or read the Internet, would I know? 

But wait just one minute. According to a Fox News account from two days ago, there was a posting that said “security email” – it’s right here: http://blogs.zappos.com/securityemail And in that email was the announcement that the customers would start getting an e-mail in a couple of hours.

And in that posting there was a link to this: http://www.zappos.com/passwordchange

 

Look, I’m no expert computer designer, but I’m not a neophyte either… I simply could not find any way to access those pages. If it’s there, it’s certainly not prominent. I challenge someone, anyone, to find it from their homepage.

 

I have never shopped at Zappos, so I would not expect an email notification from them. In the email to their employees dated Jan 15th they inform them that “in the next hour or so we will begin the process of notifying the 24 million people involved…”

 

My wife shops there, a lot it appears, even has a “zapp app”… but lo and behold…no email… nothing, nada, zilch, zippo… OK, 24 million people is a lot to email, well, not according to certain Spam operators...just maybe 48 hours is not enough time. Since she heard about it on the news she decided that she better take action. 

My wife used her fancy-dancy "zapp app" and clicked "change password" - she was brought to a page that listed Ugg boots for sale... She eventually went to the Zappos site and tried to log in with her old credentials...

Here’s the message my wife got when she tried to log in:

We apologize for the inconvenience however a recent security update has resulted in the need for you to reset your password. By resetting your password, you'll have a more secure experience on our website.

“…a recent security update…”, that’s how it’s being phrased… lovely. I think it’s only fair that you prominently post relevant, important, accurate information on your home page. Sure, it’s embarrassing when something like this happens, but you can’t hide from it.

According to a simple Google search, there are a lot of media outlets covering this story. The media is reporting all over the place that it was a “cyber hacking incident” and not a “mistake” or a “lost piece of equipment.”

But what if you don’t consume news like I do, or preferred to watch the Packers game on Sunday afternoon (what was THAT all about – 15-1 and done?)

If you didn't read the news about this incident and relied on Zappos to provide you with the relevant information you would be told that a "recent security update" requires you to use a new password. No worries my friend - remember, at Zappos you can shop with confidence. They have really cool firewalls...

So, what is it? Were the servers in Kentucky hacked into by criminals? If it's my information involved, that's a WHOLE different story than a "recent security update."

Lots of people use the same email address and password at several different retail sites. Right now there is someone, or several someones, with my wife's email address and password for Zappos. How hard would it be to figure out that maybe she shops elsewhere with the same login - oh, and at that other site, she has her credit card information saved to "make the shopping experience that much faster..."? That is the real damage from a breach of "just" login details: a stolen email/password list gets replayed against every other site where the same email address turns up, and the sites that never had a breach inherit the problem.
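What that looks like from the other site's side, as an added example and not Zappos's code or anything from the incident: a small Python scan over constructed login records that flags a source address trying many different accounts in a short window (the signature of a stolen list being replayed), and lists the accounts it actually got into so they can be force-reset. The log format, IP addresses and account names are made up for the illustration.

```python
"""Spot credential-stuffing in an authentication log.

Added example, not Zappos's code.  Assumes a constructed log format:
<ISO timestamp> <source IP> login <account> <OK|FAIL>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from any real system).  198.51.100.7 walks a
# list of different accounts within seconds, the signature of a breached
# email/password list being replayed; 203.0.113.5 hammers one account (password
# guessing, a different problem); 192.0.2.9 is an ordinary login.
SAMPLE_LOG = """\
2012-01-16T09:00:01 198.51.100.7 login alice@example.com FAIL
2012-01-16T09:00:02 198.51.100.7 login bob@example.com FAIL
2012-01-16T09:00:02 198.51.100.7 login carol@example.com OK
2012-01-16T09:00:03 198.51.100.7 login dave@example.com FAIL
2012-01-16T09:00:04 198.51.100.7 login erin@example.com OK
2012-01-16T09:00:05 198.51.100.7 login frank@example.com FAIL
2012-01-16T09:00:10 203.0.113.5 login gina@example.com FAIL
2012-01-16T09:00:15 203.0.113.5 login gina@example.com FAIL
2012-01-16T09:00:20 203.0.113.5 login gina@example.com OK
2012-01-16T09:30:00 192.0.2.9 login alice@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login (\S+) (OK|FAIL)$")


def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "ip": ip,
            "user": user.lower(),
            "ok": result == "OK",
        })
    return events


def find_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs that try at least `min_accounts` distinct accounts inside `window`.

    Returns {ip: {"accounts": most distinct accounts seen in one window,
                  "successes": sorted accounts that logged in from that IP}}.
    Repeated failures against a single account are deliberately not flagged:
    that is password guessing and wants a lockout / rate-limit rule instead.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["user"] for e in evs[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= min_accounts:
            alerts[ip] = {
                "accounts": peak,
                "successes": sorted({e["user"] for e in evs if e["ok"]}),
            }
    return alerts


def accounts_to_reset(alerts):
    """Every account that logged in successfully from a flagged source needs a
    forced password reset: the attacker now holds a working password for it."""
    users = set()
    for a in alerts.values():
        users.update(a["successes"])
    return sorted(users)


if __name__ == "__main__":
    found = find_stuffing(parse_log(SAMPLE_LOG))
    for ip, a in found.items():
        print(f"{ip}: {a['accounts']} distinct accounts, got into {a['successes']}")
    print("force reset:", accounts_to_reset(found))
```

The threshold and window are tuning knobs; a real list replay comes from many addresses at once, so in practice the same count is also kept per address range and per user-agent, and the successes are the list that goes to the password-reset job rather than to a dashboard.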

Incidents like this are going to happen, but to keep the integrity of the online commercial world intact, they have to be handled properly.

Chaos reigns in the early moments of a data breach. Getting it right requires ADVANCE preparation because YES, it can happen to you. Do you think they had a "data breach response policy manual?"

Me either.

 

PS - how about a WISP (the Written Information Security Program that 201 CMR 17.00 requires of anyone holding Massachusetts residents' personal information)? I'll be curious to see how our AG handles this one.

 

 

Can Data Breaches Save the World?


 

In what appears to be a tit-for-tat situation, Saudi Arabian and Israeli citizens have had their credit card details published by hackers. It seems to have started last week with a report out of Israel that possibly hundreds of thousands of credit card numbers and other personal details were published on the Internet’s dumping ground, “Pastebin.” According to various sources, anywhere from hundreds to tens of thousands of people’s details were publicly available thanks to a “Saudi hacker group.”

Not to be outdone, apparently this week another hacking incident involving credit card numbers took place. The targets were Saudi Arabian citizens, the perpetrator? Someone allegedly named “OxOmer” or “Omer Cohen”, an apparent Israeli citizen. Again, the Internet’s dumping ground, Pastebin, was used.

 

So there we have it, a bloodless skirmish. This behavior is a whole lot better than suicide vests on buses. Is this the next evolution in international disagreements? I mean, I would be all for it if I thought it would stop the killing, but we all know that’s not going to happen. It seems to me that this will augment the other, more dangerous, events.

 

There is an old movie, Rollerball, that starred James Caan as a sort of soldier roller derby player guy. In that movie when two corporations (replaced countries in this futuristic, set in 2018, story) disagreed and would have otherwise gone to war, they instead play a game of “rollerball.” It was a rather dangerous game, primarily because there was so much riding on it. The participants would basically do anything they could in order to stuff a steel ball into a hole and get a point. When I say “anything”, I mean just that – which included killing your opponent during the game. But hey, at least we don’t have 100 mile long battlefields with thousands of soldiers dying, right?


I’m sure you were wondering about that old movie, which is why I brought it up. (oh, that's the roller rink over there)

So here we have two societies, Saudi and Israeli. There are certainly members of each society who have taken a negative view of the other. They are not necessarily willing to take up arms, but hack into a computer to harass and annoy? Certainly. It appears that is what happened, or is still happening, here.

 

But here’s the rub: a member of the Israeli government has equated this to an act of terrorism.

 

Israel's Deputy Foreign Minister Danny Ayalon equated cyber attacks with terrorism, saying the country is prepared to respond.

 Reported by CSO

 

Respond? The credit card companies shut down the stolen Israeli cards about as fast as one could hope, that’s the proper response. Perhaps a law enforcement based investigation, some international cooperation and maybe an arrest. That too, is the proper response. Equating this act to terrorism and then promising a “response” is a dangerous proposition. Are they going to hurl missiles into Saudi Arabia because some idiot hacked into a weak, unprotected coupon offering website???

Maybe I am taking his words too literally, but there were comparisons made to a possible hacking into Israel’s national infrastructure, like the electric grid or the banking system, and bringing it down.

Things are already incredibly tense over there in the Middle East. I don’t think we need to add a new dimension to an already incendiary situation, but hey, those are just my personal thoughts on the matter, and really, what do I know…

A "Whodunnit" to end the Year of the Data Breach

If I were a C-level person, meaning Chief Executive Officer (CEO), Chief Operating Officer (COO), Chief Financial Officer (CFO), Chief Information Officer (CIO), Chief Bottle Washer (CBO)... I would certainly bring up certain questions regarding my company's data security and what will, can or even could happen if the hackers get in. Sure, all these folks want to talk about is money, but look what can happen if you either a) trust your IT people without question or b) ignore the issue.

Strategic Forecasting Inc., known better as "Stratfor", was the latest hacking victim over the weekend. This company's product is essentially cyber security. These guys are supposed to be the real deal, with major governments and corporations from around the world being member clients of this "Stratfor." I mean, when the US Military is buying your newsletter and research papers on cyber security, it must be pretty good, right? (well, there was that whole Iran drone theft problem)

So, how embarrassing is it that a group of hackers can break into a company whose purpose is to teach others how to secure their information? Well, it appears someone did just that and stole a lot of information; and if current media reports are correct, it's A LOT of information. There is some question as to exactly what was taken, and Stratfor is asserting that the "confidential client list" was not taken (of course they are).

To add insult to injury, it appears that Stratfor stored credit card numbers of their members in plain text (not encrypted) even though (according to a Threat Level story) they seem to have had a product in place that would have encrypted the credit card information had they not "turned it off" or otherwise disabled it. Oh, it looks like they had those CVV numbers as well... (the 3 digits on the back of the card) - usually a no-no.

 

There I am at Christmas dinner, the CIO of a major cybersecurity company and I get THE call. What??? Really??? I better have those Christmas present receipts, because it looks like I'm gonna have to start returning some of the more expensive items I bought...

 

I just can't get my head around how this can happen. OK, since I'm not a computer expert hacker guy, I will just accept that if your computer is connected to the Internet it's never completely safe. I will even accept the fact that most companies seem to store purely internal information that can be accessed via the Internet. I cannot accept the fact that a company will store credit card information without encrypting it AND store the CVV numbers (which is usually a violation of the credit card companies' PCI-DSS standard), all accessible via the Internet.

 

Many media stories have the group Anonymous claiming responsibility, but others quote Anonymous as denying responsibility. So, whodunnit?

What if, just ponder the thought, those who actually did this are "pretending" to be the loose-knit group of hackers known as Anonymous? Would I know how to make a hack look like it was them? Probably. Maybe the real goal of this hack was much more nefarious. A major world power (see: China), who has teams of hackers working round the clock, could certainly design an operation that makes it look like someone else did it.

The real goal of the operation was probably to steal information, and not the credit card numbers. But to fool people, you take the credit card info, use it to donate some money, go all twitter-crazy, make outlandish statements about "world order" and whatever other quotes you can find in Orwell's "1984." Sure, I bet you could make it look like Anonymous did it.

At the same time, this Anonymous thing is so amorphous, it could be anyone with the right skills.

With four days left in 2011 and the hacks still coming, will this be the Year of the Data Breach? Or will this trend continue into 2012? Well, check out the recent story that "computers traced to China breached the US Chamber of Commerce...", apparently the US Chamber has quite a library of valuable information. The hackers had access to those files and sensitive information for over a year.

Ya, we're going to see more of this next year, for sure...

 

A "Cash-less" Robbery

Our society is a lot more “cash-less” now than it has ever been, yet we're getting robbed more often. When I was in college studying economics, one professor taught us “macroeconomics”. Macroeconomics is the study of the economy as a whole. For example the amount of actual currency out in the world would be one element. We learned that the introduction of the ATM dramatically increased the amount of currency in the economy because people didn’t have to go to banks to get cash anymore. They had access to it 24/7.

 

With the introduction of debit cards people don’t even bother going to the ATMs anymore, they just swipe their cards for purchases as small as $1.59. So, I guess those kids in college studying economics now are getting a different lesson.

 

I bother you with such drivel because our society has essentially gone cash-less. And since that has seemingly happened, we are, as a whole, getting robbed every day. The interception (stealing) of credit and debit cards is a real cost to our economy. Imagine that 80,000 people who went to buy a submarine sandwich were robbed of their cash as they stood at the counter ordering. Crazy thought, right? It just happened…electronically.

  

The United States Department of Justice recently announced the indictment (courtesy of Wired - pdf) of four Romanian Nationals. Three are in custody and one is on the lam. They are accused of operating a rather sophisticated credit card theft ring that was able to steal upwards of 80,000 card numbers, resulting in millions of dollars in losses. Here’s how they did it:

 

According to the press release and numerous articles on the story (here, here, here), the Romanian hackers managed to infiltrate the credit card processing machines of approximately 150 Subway stores and “other” unnamed retail establishments. (Nice PR work by the “other” companies to keep their name out of it) These establishments use what are called POS or “point of sale” machines to capture your credit or debit card information. The machines are supposed to merely pass the information through to a card processor, who in turn either approves the account for the transaction or denies it.

Somewhere along this communication line, the card data was being copied and then sent to the hackers. Once they had the data they either sold the information or used it to make other, fraudulent, credit cards and use them. Remember the last time you stopped at a store and used their oh so convenient card machine? If you used a debit card you put your PIN in, right? And if you used a credit card, you signed the machine with that “pen” that was attached to it, right?

The big question is how does a group of 20-somethings from far flung Romania do this? Well, they need a little help… the machines have to be somehow connected to the Internet and in this case there is some discussion that the owners or servicers of some POS machines may install certain helpful "remote access" software so that they could “service” or “repair” the machines without having to actually visit the machines.

What actually happened here has yet to be completely revealed. The Government is being rather silent on just how these industrious youths pulled it off. Probably because these POS machines are everywhere. There is a discussion about “infecting” the POS terminals to capture the data, and “scanning” the Internet to find vulnerable unnamed remote access systems. No real discussion about why such systems are vulnerable. I guess we’ll have to wait for the lawsuits to get that data. And as for which Subway stores were affected? According to the indictment, they included locations in New Hampshire, New York, Florida, California, so, just about everywhere. The case is being prosecuted out of the NH US Attorney's Office and the Boston Office of the Secret Service is investigating - so it sounds close to home.

 

Did the people whose accounts were stolen get their money back? Probably, but the banks are still out the money, who then in turn find a way to offset their losses by, maybe, instituting a $5/month debit card fee perhaps? And that's the real cost to the economy. Nothing is free, not even "zero liability" card protection from a certain, very large, bank.

 

Oh, and that guy who’s on the lam? He’s from Rimnicu Vilcea… “hackerville!” (Fabulous story about that place here)

 

PS – I presume that once this criminal investigation is done, the “data breach notifications” begin? Good luck fellas… You’ll need more than Jared for this one.

 

UPDATE: I no sooner logged off from writing this than I bumped into Paul Roberts' story about yet ANOTHER credit card hack related to retail... this time it's Restaurant Depot and they're saying about 100,000 cards. Is there anywhere safe to use your card?

This imitation is the lowest form of flattery

Identity Theft

As the saying goes, imitation is the sincerest form of flattery, but this imitation is downright criminal. Identity theft is not a crime of violence, but the impact can be awfully similar. Wounds from an injury will generally heal over time. The fear that remains after being a victim of violence can be very troubling, and last a long time. In cases of identity theft the impact can last a very, very long time, and it starts out with no one believing you!

 

One day a man knocks on your door. You dutifully answer the door, saying “hello.” The man in turn says, “Does Sam Smith live here?” Sam is your 10 year old son and so you say, “Why yes, Sam does live here. How can I help you?”

“You’ve just been served” – as he hands you a copy of a complaint filed in court. Sam Smith is being sued in court for defaulting on a mortgage of $405,000.00.

How could my 10 year old son have a mortgage? He doesn’t, his social security number does.

 

A report by Richard Powers of Carnegie Mellon CyLab shows a very troubling trend. Child Identity Theft is growing. This powerful report discusses specific instances where children as young as FIVE MONTHS OLD have become victims of identity theft. If you have children, please take the time to read this report, just so you become aware of how real this is. (I wrote about this report back in April, but thought it time to revisit and remind the readers about this troubling trend.)

 

Once the victim realizes that something is wrong what do they do? What should they do? Who do they call? How bad is it?

Generally speaking it’s best to gather information and then proceed to your local police department to file a report. The police probably won’t do much, not because they don’t want to help but probably because the crime occurred in some far away place. Usually the police will not take a report of crime outside their jurisdiction; however, Massachusetts has a law that requires the local police department to at least take a report of identity theft from anyone who lives in that locality.

If you decide to call the credit agencies first to report the identity theft their initial reaction will probably be a cross between “ok sir, here’s the procedure” and “sure pal, this debt isn’t yours…not the first time I heard this one pal…”

You need to find out the extent of the damage via a credit report (all three agencies), and then file a police report. Once the report is filed you’ll need several copies to provide to the credit agencies and any creditors who claim you owe them money.

This process takes a long time and you don’t get much help from the creditors because the last thing they want to hear is the debt will never be paid. Just as there are people out there who would use the identity of a five month old baby, there are people who will claim identity theft when there is none.

The report states that the national average of adults experiencing identity theft is 1%. That number jumps to 10% for the 45,000 children examined in this report. There are several really good reasons (to the bad guys) to steal a child’s identity: it won’t be noticed for years, there’s no existing credit issues, and the chances of getting caught are low. 70% of the incidents involved loan and credit accounts and 18% involved utility accounts.

I have personally seen incidents where an adult with poor credit will use a child's or child relative's social security number to establish utility accounts and get credit cards. This is unforgivable; it's a crime, and unfortunately it's not as rare as you'd hope.

 

Another report recently released by the Department of Justice states that in 2010, 7% of households in the United States reported at least one member of the home (over 12) was the victim of identity theft (NOTE: this number included unauthorized use of a credit card, which is distinctly different from identity theft and much easier to rectify).

As I have written before, the Social Security Administration issues a social security number to a named person with a date of birth. The credit card companies, mortgage companies and whoever else issues credit/debt usually require a social security number, and they do not check it against the SSA’s information. This means that a 25 year old could present the SSN of a 1 year old and no one would be the wiser.

 

What’s probably making this situation worse is the fact that, according to the Ponemon Institute's recent study on patient privacy and data security, 96% of healthcare organizations have experienced a data breach…

So there you are in the hospital with your little bundle of joy. He comes with his own social security number because the hospital is so efficient. You name him Sam.

 

It can happen to anyone


Today I must comment on the irony of a few incidents. High security or advanced technical skills seem to be no match for the WildWildWest (www) this week, but Massachusetts politicians seem to be able to see the future.

 

IRONIC INCIDENT # 1

Who gets to meet with the President of the United States? Sometimes it's world leaders, sometimes it’s a championship basketball team… Maybe a soon to be decorated war veteran or an injured one. Sometimes it’s even a local police officer and a college professor swinging by for a beer.

Last week Honolulu hosted the Asia-Pacific Economic Cooperation (APEC) summit. It’s a pretty big deal, with the Presidents, finance ministers, and high level diplomats of many countries in attendance.

So, you want to meet with President Obama while you're attending the summit. Ok, I’m just going to need some information first. You know, just so I can do a background check and make sure you are who you say you are. Oh, and I’m going to need very detailed, specific information. As you may recall, a few months back the leaders of Afghanistan thought that they were meeting with a high level Taliban member, only to be duped into handing the (not a Taliban) guy a suitcase full of cash. Or how about Mr. Rabbani, the murdered peacemaker who thought he was meeting with a reporter, only to encounter a guy with a bomb in his turban. Ya, we’re going to need to do a full background check on everyone.

So you dutifully provide the necessary information. It appears that the receiving party is putting the information into a computer database of some sort. Ok, we’re finished, I will let you know if you “passed the test” and can meet with the President.

You wait, and wait, and then get a note: “Dear Sir (or Madam), we regretfully inform you that the information you provided to us in order to have us conduct a background check has been, well, we’re not sure what’s going on, but we know that something weird is happening with our computers and well, it looks like your information was compromised…”

The Associated Press is reporting that a “cyber attack” has occurred at a place called the East-West Center. Apparently, the APEC summit held many of its events there and the computers there were, well, hacked. There is more coverage via the local Hawaiian papers, but they want registration and/or money to read their paper...how 1980's!

 

IRONIC INCIDENT # 2 

Not to be outdone by the State of Hawaii, there is another “ironic” incident coming out of California… A Special Agent from the California Department of Justice who specializes in computer forensics and investigations has apparently fallen victim to what is called “gettin doxed.” (Doxed, sometimes spelled dox'd, refers to a situation where a bunch of documents about a certain person, the more embarrassing the better, are released into the wild of the Internet - as in you just got punk'd, except now it's dox'd)

The individual had his email hacked, his VOICE MAILS hacked, as well as his web browsing history published for the world to see. This could be attributed to the group Anonymous, or it could be someone looking to have the whole law enforcement community take a hard look at that crew. Either way, it was pretty bad for the Agent. Everyone in his mobile phone address book got a text that said: “This is AGENT and I am being held captive by the infamous PEDOBEAR CONSPIRACY they say I will pay for all the people I put in prison so plz send help.”

So the unsuspecting recipient would write back and ask “What?” or “Huh?” based on the strange content. The hacker(s) would then engage in an exchange with the recipient while the AGENT was trying in vain to get the word out that he’d been hacked. The hackers even released information about his Craigslist visits, specifically the classified section.

 

This poor guy is an expert in this stuff…

 

I presume that the people doing background checks for Obama’s visitors are experts in that stuff…

 

I guess we can only conclude that it can, and will, happen anywhere at anytime. Oh, and you just can't make this stuff up...

NOT SO IRONIC INCIDENT # 3

Speaking of not making stuff up: did you hear about the famous wine company, Wine Library, who had membership services that included, among other things, saving your credit card information for future purchases... yup, you guessed it, HACKED...card numbers gone and apparently re-used. I wouldn't want to be that company when VISA comes knocking and asks about your PCI-DSS compliance progress... And I was disappointed when Massachusetts refused to allow its citizens to purchase wine via the Internet. Wow, those politicians are clairvoyant, huh?

 

A Game Changing Computer Hack?

UPDATE: Thanks to a reader, I was informed that the "hack" described here wasn't a hack at all but rather a technician on vacation in Russia doing his job. You can read all the details here. I did originally put the term "hacked" in quotes because there was no confirmation. I stand by the fear mongering about the National infrastructure, however, because if your operation is attached to the Internet, it's subject to risk.

 

A fascinating news story is being generated out of Illinois. A water plant has apparently been “hacked”. The water plant uses computers and software to control the flow of water. Those computers use what is called a SCADA network, supervisory control and data acquisition, to manage the systems that control various industrial processes.

 

According to the few sources reporting this (CNN, Wired, Krebs), a water pump was burned out by hackers. They seem to have manipulated the SCADA system and caused the pump to malfunction.

This is big news because these SCADA networks are everywhere in our “infrastructure”. They are used to operate nuclear power plants, electric grids, and a whole host of other industrial processes. You may recall a story a while back about a computer virus known as Stuxnet being used to destroy the centrifuges used by Iran to make enriched uranium for nuclear bombs. That virus effectively told the SCADA system to speed up the centrifuges while at the same time having the system report “all normal” to the operators. The centrifuges spun so fast that they effectively destroyed themselves. The SCADA system, if operating properly, would have kept that from happening.

 

There has been a lot of talk in Washington about “cyber war” and “cyber terrorism”. The fear is that some dangerous person or persons would be able to access our “infrastructure” and cause a nuclear power plant to “meltdown” or have an electric grid shut down a whole city or some other impact that causes either horrific injuries and death or significant economic harm.

 

In order to access our “infrastructure”, the bad guys would probably need to get to the SCADA systems controlling it. That’s why this “incident” in Illinois is so troubling. If true, this may be the first time that a SCADA network in the United States has been effectively breached or hacked (at least the first we’ve heard about publicly).

 

How this one came to light is that a state “cyber fusion” notice dated November 10, 2011 was somehow obtained by a guy named Joe Weiss, who apparently works for a company that deals with security for SCADA systems. Mr. Weiss went public with the information via a blog post. In his post you can read between the lines that he’s a little upset that the Feds aren’t all over this.

 

He reports that someone stole usernames and passwords from a SCADA software vendor and used the stolen credentials to hack into the water plant’s SCADA network, meaning whoever they are probably have more than just this one… (someone better go chat with the “vendor” – soon)

 

Mr. Weiss also reports that the hacker's IP address was traced to Russia. This may be too simplistic a conclusion because, like license plates for cars, IP addresses can be manipulated for the purpose of evading identification.

 

According to a CNN report, officials at the Department of Homeland Security are “looking into it” and have not concluded that it was in fact a hack that caused the issues at the water plant’s SCADA network.

 

This might all sound like tech-babble, but if it turns out that an industrial SCADA network was breached from outside the United States, then this is a very, very, very big deal. Our authorities should consider this a shot across our bow from somewhere.

 

I give Mr. Weiss a lot of credit for making this public. If nothing else it will hopefully spur our Congress to deal with these digital world issues as soon as possible.

PS - on the Washington thing... this is what makes me mad: Congress is all over "online piracy", oh dear, someone watched Shrek 3 without paying for it... but they aren't even close to dealing with the nation's cyber infrastructure. Get your priorities straight!!!

 

Boston Police Hacked

It was my intention to refrain from commenting on the current “Occupy Boston” situation down at Dewey Square. I walk by it each morning and each evening on the way into and home from work. I am acutely aware of the situation down there. I am not saying that I agree with what they are doing, nor am I saying that I disagree. I do understand that this "movement" is legit and widespread. I’m a firm believer that change, real change, happens from within. I signed up for my student loans that are now killin me. It's not the loan, it's the cost of tuition boys...  Did the protests of the 60’s force change in society or did a certain segment of that society get on the “inside” and start changing the culture from there? Probably both, but which one was more effective?

 

There, I did it, I commented, but why?

 

Over the weekend, it was announced that Internet sites associated with law enforcement (Boston Police Patrolman’s Association, International Association of Police Chiefs, Alabama law enforcement) were hacked into by persons unknown as a form of “support” for those involved in Occupy Boston. Once your little “sit-in” drifted into my world, I had to write about it. This story is getting a little press, but not enough if you ask me. These persons “unknown” appear to be from that shadowy collective who call themselves “anonymous”, or as I like to say “anonymouse”, as in mice. Little annoying creatures who sneak around the edges of the world, always running away. I've seen the data dump from BPPA, so unfortunately, it's real.

Stories: 1, 2, 3, 4, 5

 

“Lookit”, hack a website, put a message on it, a la graffiti, and that’s it. Burrowing into the site until you get individual police officers' personal information and then putting it out in the wild is unacceptable. Those approximately 141 people who were arrested by the Boston Police were warned several times prior to being arrested. There is nothing kind about an arrest. By its nature it’s a very confrontational event; therefore, force is usually employed. Did some of the police get a little rough? Probably. Did some of the protesters get a little rough? Probably. People have to understand that the police have to win, that’s why they are out there, period. There’s no discussion on the street. The discussion happens in court, that’s why we have them, to resolve the situation in a just manner.

Let's recap the weekend down at Occupy Boston:

Two individuals were arrested this weekend at the Occupy Boston location for dealing drugs. The drug was heroin, arguably one of the worst substances on the planet. These two 20-somethings apparently were living in one of the tents and had a 6 YEAR OLD BOY with them. Obviously, with stuff like this going on in the “occupods”, the police will now have to keep an extremely close eye on the situation. Could the police patrol inside the encampment? According to the protesters they are on public land, so sure, the police could certainly patrol the encampment and actually sit outside certain tents if they so chose. That’s the nature of public land…

Also this weekend, there were about 22 incidents of graffiti on various buildings in the financial district of Boston. A “spokesman” for Occupy Boston has said that they didn’t ask for, nor support the hack into law enforcement’s computers. They will also deny being involved in the graffiti events. Hey boys and girls, sometimes when you start a fire you can’t control it… but you started it, so you own it.

 

The situation down there will only get more and more tense. There have been hundreds of arrests across the country since this thing started. Certainly people can and will protest the arrests, claim police brutality, and say that they are only engaging in their Constitutionally allowed rights.

What about the rights of the men and women of the Boston Police? Do they have rights? They sure do and when some moron or morons hack into websites to steal their personal information and put it out in the wild, those rights are being violated, period. I have written about this type of violation before, and with just as much vigor. Of course, this one is real close to home, as I worked side by side with the Boston Police for years.

 

I sincerely hope that no harm comes to any officer or other member of the law enforcement community as a result of this childish act.


The tech world loses a visionary

As we've all heard by now, Steve Jobs has passed away. In the past 25 years or so I have been torn between the Mac world and the PC world... My first computer was an Apple IIe. I can still see it in my mind's eye, although physically I have no idea where it is (or what's on it!). After that it was PC after PC after PC. I can't even recall how many there were.

What is really amazing to me is the massive advances that Apple continuously makes that leave the PC in the dust. Even I, a diehard PC person, have to admit that Apple's technology is wicked cool. I do have a G5 at home that is pretty cool, I'm just not sure I'm a "mac guy"...

In the 80's and 90's I watched Apple get relegated to the "educational institutions of the world" only to reinvent itself as THE consumer computer company over the last 15 or so years. I know that Steve Jobs made that happen. It's also been fascinating to see how for a while there were "mac" people and "PC" people, just check out the ads about it. The way I see it now, with the iPad and the iPhone, it's gonna be a "Mac" world soon enough. Everything else will simply be a copy of theirs. (anyone remember the story about the first graphical interface? Karma's a bitch, Bill)

Rest in peace Steve.

 

PS - I am disgusted but not surprised that within hours of his passing, idiot advertising/affiliate/marketing/scammers started doing their thing. They set up "stevejobsfuneral[dot]com" which has no legitimate purpose. Check out the story over at Threatpost...

A Big One and A Big Question

I spent the early part of the week in "The City" attending a conference. New York City is "the" city, isn't it? I mean the New Yorkers think it is and after trying to navigate Penn Station at rush hour, on crutches, carrying luggage; ya, it's THE city, it's crowded, hot, and annoying - a real city. But I digress...

 

Here's the Big One: 4.9 million records are missing from a facility in Texas. Apparently, some backup tapes containing medical information on patients who received treatment as far back as 1992 have gone missing. The patients are apparently all current or retired military who received care at military facilities in San Antonio. Reuters is reporting that the tapes were stolen along with other items from an employee's car.

 

Here's the Big Question: Will the information ever resurface or be found?

 

There have been millions upon millions of people's information lost or stolen this year. This happened last year, the year before that and before that, etc. Some of it does surface, but we don't hear about those stories too often, do we?

According to various sources, including a report earlier this year by Javelin Strategy & Research (as reported by the Washington Post), over eight million Americans were the victim of identity theft last year. That's on top of about eleven million cases of identity theft the year before.

OK, millions of records lost or stolen and millions of cases of identity theft. Are they connected?

 

The answer is not that simple. There is an ongoing trend of lawyers filing class action lawsuits on behalf of those people whose information was lost or stolen. The defendants in those suits, Sony for example, ask the question (legally) of the victims: "how were you harmed?" The courts have to find that the "victim" has standing in court in order to allow the lawsuit to proceed forward, so they ask the victims: "tell me, how were you harmed?" You see, "harm" is required in order for the plaintiff to have "standing." The answer given almost every time is: "I am afraid of becoming a victim of identity theft." Well, sorry Charlie, (remember Charlie the tuna?) that fear is not a cognizable harm, so this lawsuit is over.

 

The funny thing about identity theft is that once it starts to happen, all the effort is to stop it and then undo the harm done to the unwitting victim. What about figuring out the source of the problem? How did the information to commit identity theft become available to the bad guys, who are the bad guys and how did they get the information?

Figuring out what is called the "point of compromise" can be an extreme challenge for law enforcement. They are not usually concerned with how the bad guy got the information, just that he/she used it, illegally. With resources being what they are, local law enforcement tries to simply solve the crime, not solve all society's issues. They figure out who used the information and then charge him/her. Figuring out how they got the information in the first place is just not really in the budget.

I have had some experience at the Federal law enforcement level, which has significantly more resources. One experience involved an employee at a restaurant who was carrying a "skimmer" to work and when you paid your bill with a credit card it was also being run through the skimmer. Once the number was in the skimmer, the device was brought back to a location which was equipped with a card encoder. Basically, they were able to make duplicate copies of all the credit cards. Not great copies, but useful enough to steal money fairly easily.

Just figuring out that particular point of compromise was a challenge. First the victims had to report the crimes, and if they live in different jurisdictions, the connection among the victims can be difficult to establish. Then realizing that they all ate at the same restaurant on the same day... it just doesn't happen. In the above scenario, many of the victims used the same bank, so the bank noticed the common link between the fraud reports and the victims' expenditures just prior to the fraud. "Hey, look at this, these people all ate at the same restaurant on the same day..." Voila!!
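
The bank's "hey, look at this" moment is a small analysis that can be written down: take every card that later reported fraud, list where each one was used in the days before, and find the merchant and day they all have in common. The Go program below is an added example of that common-point-of-purchase check; it is not code from the bank, the restaurant case or any law enforcement tool, and the card tokens, merchants and dates in it are constructed. The ranking also counts cards that did not report fraud, so that a merchant everybody visits (the gas station) does not outrank the one place only the victims share.

```go
package main

import (
	"fmt"
	"sort"
)

// Transaction is one card purchase as the issuing bank records it.
// Card values are constructed tokens, not real account numbers.
type Transaction struct {
	Card     string
	Merchant string
	Day      string // YYYY-MM-DD
}

// Candidate is a merchant/day pair shared by several fraud victims.
type Candidate struct {
	Merchant string
	Day      string
	Victims  int     // distinct victim cards that transacted there that day
	Share    float64 // Victims divided by all distinct cards seen there that day
}

// CommonPoint returns merchant/day pairs visited by at least minVictims
// distinct victim cards, ranked by victim count and then by how concentrated
// the victims are among everyone who shopped there. The Share term is what
// keeps a merchant everybody uses from outranking the one place only the
// victims have in common.
func CommonPoint(txs []Transaction, victims map[string]bool, minVictims int) []Candidate {
	type key struct{ merchant, day string }
	cardsAt := map[key]map[string]bool{}
	for _, t := range txs {
		k := key{t.Merchant, t.Day}
		if cardsAt[k] == nil {
			cardsAt[k] = map[string]bool{}
		}
		cardsAt[k][t.Card] = true
	}
	var out []Candidate
	for k, cards := range cardsAt {
		n := 0
		for c := range cards {
			if victims[c] {
				n++
			}
		}
		if n < minVictims {
			continue
		}
		out = append(out, Candidate{k.merchant, k.day, n, float64(n) / float64(len(cards))})
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Victims != out[j].Victims {
			return out[i].Victims > out[j].Victims
		}
		if out[i].Share != out[j].Share {
			return out[i].Share > out[j].Share
		}
		return out[i].Merchant+out[i].Day < out[j].Merchant+out[j].Day
	})
	return out
}

// SampleRun feeds constructed data through CommonPoint: four cards later
// reported as fraud (V1..V4) and three that were not (N1..N3).
func SampleRun() []Candidate {
	victims := map[string]bool{"V1": true, "V2": true, "V3": true, "V4": true}
	var txs []Transaction
	for _, c := range []string{"V1", "V2", "V3", "V4", "N1", "N2", "N3"} {
		txs = append(txs, Transaction{c, "Gas Station", "2011-06-01"}) // everyone buys fuel
	}
	for _, c := range []string{"V1", "V2", "V3", "V4"} {
		txs = append(txs, Transaction{c, "Riverside Grill", "2011-06-03"}) // the skimmer's shift
	}
	txs = append(txs,
		Transaction{"N1", "Riverside Grill", "2011-06-04"}, // same place, a different day
		Transaction{"N2", "Book Shop", "2011-06-02"},
		Transaction{"V1", "Coffee Cart", "2011-06-05"}, // only two victims: below threshold
		Transaction{"V2", "Coffee Cart", "2011-06-05"},
	)
	return CommonPoint(txs, victims, 3)
}

func main() {
	for _, c := range SampleRun() {
		fmt.Printf("%-16s %s victims=%d share=%.2f\n", c.Merchant, c.Day, c.Victims, c.Share)
	}
}
```

On the constructed data both the gas station and the grill were visited by all four victims, but the grill on June 3rd is the only entry where every card seen there is a victim, so it sorts first. The same routine works across banks only if someone pools the reports, which is exactly the jurisdiction problem the paragraph above describes.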

So I get a notification in the mail saying that my information was lost... I contact a lawyer and become part of a class action lawsuit. All the "victims" of the data breach want their day in court, so the lawsuit gets filed. This all happens in the immediate aftermath of the breach. No one's identity has been used, however, so none of the "victims" have lost any money or otherwise been harmed (other than the hassle factor). Lawsuit over.

Fast forward 4 years and all of a sudden you get a notice in the mail from a debt collection agency looking for $4,250.00 from unpaid credit card debt... You have just become the victim of identity theft.

The statute of limitations on bringing suit varies by jurisdiction and by allegation. Some are as short as one year. So if you didn't sue the offending party within one year, you cannot sue, period.

Now, for you lawyers reading this...sure, we can debate when the clock started running. Did the statute of limitations start running at the moment the breach notification went out? Or did it start to run once the "victim" realized that they had actually become the victim of identity theft? But here's the thing, it doesn't matter unless you can get to the heart of the matter: WHERE DID THE BAD GUY GET THE INFORMATION? Which breach? When?

Because in the end, if you don't know where the bad guy got the information, who are you going to sue?

The Data Breach you may not have heard about, but should definitely care about

About two weeks ago a company called DigiNotar reported to the world that they had a problem. It was August 30, 2011 and the company was discussing an “intrusion” that had occurred on or about July 19, 2011. DigiNotar, located in the Netherlands, is a subsidiary of VASCO, an American company. DigiNotar issues what are called “Certificate Authorities” or CA’s.

As you will see, this is scary.

Imagine you are walking down the street and have $1,000.00 cash in your pocket that you want to deposit into your bank. As you turn the corner, you see a new bank location that appears to be open. It’s not the one you usually go to, but it has all the right signs and colors and it looks like your bank just opened another location – how convenient for you. You walk in and hand them your money as a deposit and go about your day. Later that day you walk by the same location, except now it's not your bank anymore, it appears to be a tax preparation service location with people walking in with their tax information.

Man, how’d that happen so fast…

Now imagine that the whole story above happened on the Internet. Since you can’t “see” on the Internet, you are at the mercy of certain organizations in order to “trust” where you are on the Internet. Anyone can copy a website, but there are technologies to assure you that when you are visiting your bank or downloading your latest Amazon purchase you actually are doing just that. This “trust” happens because of the existence of Certificate Authorities.

But on August 30, 2011, DigiNotar told us that back in July someone broke in and stole their CA’s, some 500 of them. (PS - another company, NJ-based Comodo, suffered a breach losing about nine Certificate Authorities. The real difference is that DigiNotar didn't tell anyone for a wwwhile.)

Whose were stolen?  They don’t say.

Who stole it?  The Iranians, they say.

Why were they stolen?  So the Iranian Government could snoop on their possible protest planning people… that was one story.

[Image: Invalid CA error message]

Picture courtesy of the Internet, although it's a fairly accurate representation of the error message generated by Firefox if the CA is invalid - please hit the "get me outta here" button if you see this in your travels.

These Certificate Authorities are kinda key to the safety of the Internet. I say “kinda” just to be funny, because they’re not “kinda” key – they’re essential. They’re essential and so is their authenticity. Their whole purpose of existence is to deliver one message and one message only: “HEY YOU, YA YOU, YOU ARE DEFINITELY WHERE YOU THINK YOU ARE…” (well, it has more than one purpose, it also provides for encrypted communication and some other details but I don't want to confuse the issue further)

How would having one of these CAs be helpful? You could easily set up a look-alike website, send a link purporting to come from the actual site, and when the traffic arrives, they will all think they are in the right location because of the stolen Certificate. The bad guys would simply be collecting your user names and passwords and then showing you a message that says something like “Error 612, Please try again later”. (remember, there’s no site to enter)

If the Iranians really did it, then they could collect email addresses and passwords for lots of people and then read the emails and do what oppressive regimes do.

If a cyber crook did it, they could collect user-names and passwords at the bank and then log into the real bank, transfer your money, and disappear.

This scam WILL WORK. There's no way to stop it once the CA is compromised (well, unless the CA issuer tells the world and the various Internet browser providers make some very quick adjustments).

Let’s just try something for kicks: click this link to “Bank of America Home Personal” and see what happens.

Bank of America Home Personal.mht

It somewhat appears that you are at Bank of America’s site, right? I left it incomplete so as to avoid any “issues” with the powers that be (see generally: Law Enforcement), but if I cleaned up the file, at first blush you’d think you were at Bank of America’s site, right? It’s not the site, not even close. It’s a sub-file of my blog’s site, uploaded from my computer. I could disguise the name on the link so it looked legit, could clean up the site so it appeared to be the real bank…even fix the address bar so you wouldn’t see the real location you were visiting.

Note what’s clearly missing: the little “LOCK” that appears at the real Bank of America site and the associated SSL (Secure Sockets Layer). Now imagine that you can set up a duplicate Bank of America site AND have that “lock” and the SSL (https)? The Certificate Authority will take care of all that for you. Here's a link to the real bank, with the "lock" and SSL intact.

Bank of America Home Personal mht

I am only slightly above the "digital idiot" level and could probably figure a way to make that work, imagine what the real bad guys could do...

The digital world “revoked” trust in DigiNotar, and now we all should be updating our Internet browsers (IE, Firefox, Chrome, Safari, etc.) so that our little innocent PCs know about the “trust issue.”

Is it a case of the trusted trust givers dropping the ball? Or is it simply impossible to lock anything useful down in the digital world?

Man, oh man, or Woman, oh woman, whatever. I think I am starting to see what it was like to live in the Western United States in the 1800’s…. and why everyone carried a gun.

UPDATE: Department of Homeland Security has issued a warning... about this very issue.

Our collective Achilles' heel

Achilles, son of Thetis and Peleus, hero of the Trojan War, and most handsome of all heroes assembled by Plato to fight Troy, is well known to this day. Not necessarily for his achievements in life, but rather because of part of his anatomy. Achilles’ mom, Thetis, took her son to the River Styx and dipped him in the water believing that this would make him immortal. She held him by the heel, thus his heel did not experience immortality and became his weakness. He was killed when a poisoned arrow pierced his heel.

We have all heard of "Achilles' heel" and most know it to mean a weakness, a major weakness, that once discovered by an opponent, will lead to our downfall. 

It appears abundantly clear to me that the existing computer infrastructure of the United States is turning into our Achilles' heel.

We created the Internet, right? We embraced it immediately, right? We cannot live without it, right? We have completely and absolutely lost control of it, haven’t we?

I recently read an article that said nearly half a billion, (that’s a B, folks), electronic records have been compromised in the last six years.

I usually write about data breaches because they are an easy topic to write about and because there are so many. While on the topic of data breaches, here’s a list of schools that suffered data breaches recently:

University of Wisconsin, Purdue, UNLV, North Carolina State University, California PolyTech @ Pomona, Missouri State University, University of Hawaii, and the famous little school down there in New Haven, CT, YALE.

I have long said that the identity of a student is very valuable. Now it turns out that 43,000 YALE staff, faculty, alumni, and others who were “affiliated” with the University back in 1999 have to look over their shoulder for a while. How’d you like to be able to assume the identity of a Yale graduate? Think you could make that work for you?

This post is not about any one data breach, it’s about them all. We are at a critical juncture in history. Our country has totally committed to the Internet. It has become an integral part of every business, every family, every school, everything… It was truly amazing to watch the Internet grow up. Making it work was always rule number one. Making it secure was irrelevant. This needs to change.

What will trigger this change? I am hopeful that change is already underway. Our military gets it, they know that the Chinese have been invading us, virtually, for a long time now. They’ll likely be able to lock down their data and so long as they don’t make the same idiotic mistake of putting a Private so close to an extreme amount of critical, classified, data, (see generally: Bradley Manning), they’ll hopefully achieve their security goals.

If the military gets it, who’s left? Well, we have the rest of Government, the business community and individuals. 

Will increased regulation be the key? Will a requirement to notify people in the event of a data breach be enough incentive to take security seriously? This author says it's time for a wake-up call.

We will have to wait and see if: 1) any meaningful regulations are made law, 2) enforcement of the regulations actually occurs, 3) the justice system takes the offenders to task for their hacking activities, 4) the European Union simply shuts the United States off because they are disgusted with our data privacy controls.

We are in the age where privacy has become diluted, the effects of which could be profound.

Returning to our friend, Achilles... did you know that without your Achilles' tendon you can't walk? I do. Your foot just sort of dangles from your leg. I just had surgery to reattach mine, which I hope explains where I have been for the last few weeks.

Data breach as a protest tactic is just wrong

Over the weekend, the "tools" over at Anonymouse (my new name for them is "anonymouse"), hacked into the website of a public transit agency and released a bunch of information about their riders. They apparently did so in protest of the agency's decision to suspend cell / mobile service in their tunnels and stations.

Apparently, on July 3rd, there was a tragic event on San Francisco's public transportation network known as BART. The BART police department shot and killed a man who was wielding a knife. I say "police department" because I don't know if one, two or seven police officers were involved, and really, I don't care. The police carry guns for a reason and sometimes they have to be employed. Maybe there was a better way for that encounter to have ended, maybe not. That's not my call to make, nor is it Anonymouse's either.

The officials at BART appeared to have information that a planned protest of the shooting would take place on their trains and be organized and adjusted via cell phone. In the wake of the London riots that were apparently aided in their organization by just such technology, BART shut down cell service in their tunnels and stations. We all saw the carnage that occurred in London. A close family member of mine emailed and tweeted what was happening daily. It was terrible, truly terrible. If you take a minute, you could actually understand why this decision may have been made. I am not saying that BART shut down cell service because of the London riots, I am only suggesting that it would be a logical conclusion.

Well, in step the experts over at Anonymouse to tell us what is right and what is wrong. These folks hacked into one of BART's websites, stole 2,000 people's information and posted it. Names, addresses, email addresses, site passwords, phone numbers; apparently they took whatever they could get. The anonymouses were upset about BART's decision to shut down cell service in the tunnels and stations, or was it the shooting that upset them...

How does this action accomplish anything? If there was a civil rights violation, there are plenty of ways, legal ways, to address it. If those legal ways fail to bring justice, and sometimes they don't, then shame on us all. Taking rider Mary Jo's BART login information, her home address, phone number, email address and giving it to the world does this: it makes Mary Jo nervous, it makes her scared, it makes her angry. It doesn't do anything to adjudicate whatever happened on July 3rd.

In the wake of Hurricane Katrina, something terrible happened on a bridge one night. The men involved, police officers, were convicted of murder. Patience and perseverance were great traits of previous generations that are unfortunately degrading over time.

On a few occasions I have opined that these Anonymouse hackers are kids. A few arrests have supported that opinion. If this act was a legitimate protest, it would have, or should have, shut down BART's website, or in some other way expressed the group's disagreement without creating a new set of victims. Adults make decisions, kids act out.

The looting of businesses in London wasn't done in protest of a police shooting, it was absolutely a crime of opportunity committed by cowards.

The larceny of innocent public transportation riders' information and then subsequent release of it to the wild is similarly wrong. With all their skills, they decided to post little ol' ladies' personal information in the wild. Whether other, diabolical, individuals use that information or not will not negate the fear that has likely been generated by its release.

I vehemently disagreed with the theft and release of the US Diplomatic cables by Bradley Manning via Julian Assange's Wikileaks. This behavior is not an effective protest tactic. It is extremely dangerous behavior. "Blowing the whistle" on some injustice is one thing, releasing information in hopes of embarrassing someone or some group and then expecting change is simply juvenile, especially when the information being released belongs to innocent people.

Just because you CAN do something, (like hack into anything), doesn't mean you SHOULD do something, even if you think you have the right to do so (which you don't).

Around the world in a week (of data breaches that is)

Of course, I take a vacation and lots of “stuff” happened. Let’s take a trip around the world and see what has transpired…starting in Vegas, baby, Vegas…

LAS VEGAS – Two conventions recently took place in Las Vegas. One was the “Black Hat” convention, the other, DEFCON. Invitees to these events are computer hackers. I think the FBI should have just surrounded the city and shut down all the computer systems. I am pretty sure that a lot of the hacking around the world would have stopped, well, until the first ACLU lawyer showed up. Are these hackers good or evil? Your guess is as good as Wayne Newton’s, but none of the attendees ever admit to being the bad hacker, do they?

WORLD WIDE – It was revealed recently that for the last five years a comprehensive cyber espionage effort has been underway. Seventy organizations, both public and private, across 14 countries were subject to hacking by an unknown “nation-state”. I’ll give you one guess which “nation-state” is suspected, oh, and it was called “Operation Shady Rat” and the United Nations was one of the victims.

JAPAN – Citi, Citigroup, whatever you call that behemoth, suffered another data breach, this time in Japan. Over 90,000 people’s information was allegedly stolen and then sold. How’d they figure out it was sold?

SOUTH KOREA – South Korea has about 48 million citizens. Last week 35 million had their personal information stolen. At the same time several million South Korean national ID numbers started popping up on the Chinese Internet. I use the term “Chinese Internet” because they have their own, don’t they? Think these two incidents are related?

NORTH KOREA – This one is special… Kim Jong Il has a group of specially trained hackers playing South Korean based video games to get “points” and then has this crew sell the “points” for real cash. According to a New York Times article they have accumulated over $6 million in two years. They’re not really playing the game, they are really hacking into these online gaming sites and stealing the “points” to sell for real cash.

UK – A man walks into a pub… usually the start of a bad joke; this time the man leaves behind a USB memory stick with over 16,000 people’s information on it. The man was a contractor for a housing authority, he gets fired and, get this, the housing authority gets in trouble with the British data privacy enforcement organization, the ICO. The memory stick was turned in to police shortly afterwards.

US – Anonymous, Anti-Sec, LulzSec, whatever they call themselves, I call them “tools.” This time they called their operation “Shooting Sheriffs Saturday”. The tools targeted rural sheriff departments in the southern United States. Impressive target, you masters of the digits, why not try the local nursing homes while you’re there. Seriously though, I hope that no one gets hurt because of the release of this information. There was a lot of info stolen and published including personal information of police and also confidential informants. To top it off, any credit card info they found, they used to make donations to the ACLU, Bradley Manning defense fund (Wikileaks source), and other odd places.

MA – Belmont Savings Bank has been dealt a blow by the Massachusetts Attorney General. The $7,500.00 fine was levied because a Belmont employee didn’t follow an established procedure of putting an unencrypted computer tape with 16,000 people’s account information in the vault. Nope, she left it on her desk and apparently the cleaning crew threw it out. The bank’s trash gets incinerated. I’m not sure I see the issue, AG Coakley…

BOSTON – To bring it all the way home, another major hospital is reporting lost patient information. Brigham and Women’s reported that an external hard drive with 638 patients’ information is missing. Dates of treatment, diagnoses and other medical records information were on the drive.

Well folks, that’s a short trip around the world via data breach stories. Some of this stuff you just can’t make up.

I got mail? No, I got hacked

So just yesterday I was using my laptop, checking the weather, reading the latest data breach news, seeing when Whitey Bulger was next due in court and WHAMMO...

A screen popped up on my computer appearing to be "my" virus protection software telling me that I had an infection. Because I am a freak, I recognized that it wasn't "my" virus software (I know my brand). I was very hesitant to click any links. I looked at the various options, the most prominent being "Activate Now". hmmm... isn't "my" virus protection already "activated?"

I found what appeared to be a link that said "Help and Support" and tried to click it. Nothing happened. Do you know why?  There is no help, not from this thing.

All of a sudden a little box appeared and then disappeared, then appeared, then disappeared. This happened over and over and over again. I could make out that the box was reporting that "my" virus protection software had been "interrupted". 

[Image: fake anti-virus alert]

[Image "borrowed" from my savior, "howtogeek.com". This is almost identical to what I saw.]

This is what is known as a "Fake AV attack" (AV stands for Anti-Virus).

I tried to click on the start menu, nothing... tried to launch the internet browsers (I have several), nothing happened.

The only button that would work was "ACTIVATE NOW". If you click activate now, you are taken to a devilish place in the back alleys of the Internet where you are politely asked for your credit card information to "activate" your subscription and rid yourself of this "infection". This plays out thousands of times a day across the Internet. Check out this story, we're talking about $133 million in revenue from this scam.

I did not click the "activate now" link. The first thing I did was manually turn off the wireless signal. I didn't want the, now "out of my control", computer getting any other "friends" from the Internet to come visit me. I then manually turned off the computer by holding down the power button for at least 10 seconds. Then I unplugged it and packed it into my bag to take to work.

I took the computer to work in order to "clean" it up. No, I don't have a fancy computer lab, in fact I have no tools whatsoever to "clean" a computer. What I did have was a protected, clean computer that I could use to research how to clean up my machine.

I found a website, "howtogeek.com". Thank you fellas. They provide a step by step "how-to" get rid of this thing.

I had to use my work computer and download the 2 separate software packages available, for FREE, mind you...! I downloaded them to a USB memory stick. Then I fired up my pesky friend in SAFE MODE (F8 before Windows loads - if you miss it, shut it off manually and try again).

I was able to follow their directions to the letter and run SuperAntiSpyWare - CHECK (24 minutes) - found 313 problems (of which 310 were "ad ware tracking cookies", thanks BestBuy)

I then had to restart and run MalwareBytes - CHECK (20 minutes) My new friend, MB, found another 5 or so issues.

I then restarted, in normal mode now, and things looked great. No insane pop-ups... But I did run "my" anti-virus software and found what was called a "cybot-backdoor" and got rid of it (I hope I did, don't like the thought of a backdoor, do you?)

All appears fine now, but I don't think that I will be visiting my bank from that computer any time soon, and THAT'S the moral of this story. I cannot trust that machine anymore can I...?

And based on this article, can we trust ANY machine? This article is about a revelation that there are brand new computers in the supply chain that are destined for America's retail stores, except you're getting more than you bargained for if you buy one. Apparently, officials have found brand new machines coming into America pre-loaded with Malware, spyware, and other "things" that may give control over your machine to someone else.

Allow me to play out one scenario: 50 million machines are built by a Chinese company (or a company who outsources their construction to China) and shipped to America pre-loaded with Malware that gives "someone" remote control over the devices. Each of the 50 million devices is purchased by regular joes and put in homes across America. One day that "someone" decides to take down a website in Tibet, or Pakistan or maybe even our own NYSE... they "activate" their 50 million strong computer army (without the owners' knowledge) and WHAMMO, that site is down. All the evidence would point to the attack originating in America, wouldn't it? And how about having 50 million different IP addresses from which to conduct a hack into an American computer system...

This is a profound problem, kids...

I ask again: who is responsible for safety and security in the digital world?

Most Massachusetts residents victims of data breach?

The Boston Herald recently reported that a whopping FIVE MILLION residents have been the "victim" of a data breach. Of course, it is very likely that in many cases the same person's information was lost several times.

The 2010 United States Census results put the Massachusetts population at 6,547,629. Five million is 76% of our total. Just ponder those numbers for a minute... while I ask you these questions:

have you ever been a victim of a violent crime?

ever seen a violent crime in progress?

ever been a victim of a property crime?

ever seen a property crime in progress?

Chances are you haven't been a victim of violent crime, nor seen one in progress. They are rather rare events (as a percentage of our population). If you have been a victim, I sincerely hope that you were able to recover and put it behind you; I fully understand how it can impact an individual, both physically and mentally.

Property crimes are different in that they are usually crimes of opportunity. The bad guy sees something he wants, and he takes it - usually when no one is watching (thus the opportunity). There is a better chance that you have either been a victim of a property crime or seen one in progress. The numbers just work that way.

We have learned how to protect ourselves, how to avoid risky situations, how to secure our belongings, in the physical world. But what about the digital world?

Do you have the slightest clue how to protect yourself in the digital world? Oh, did you just renew your Anti-Virus software - ya, that should do it...

No, you don't know how to protect yourself in the digital world. I don't, you don't, no one does. The way it is set up, it is, in many ways, beyond our control. Sure, there are "stay safe on the Internet" speeches - but those are for kids. Still important, mind you, but it's for kids. We teach those same kids "not to talk to strangers" and "don't get in a stranger's car". This is good advice, but it's the same advice for a different neighborhood.

Right now the digital world is reminiscent of the Wild West. Who tamed the bad guys back then and where are they now?

Crime in America is on the decline, and has been so for 10 years. Maybe the laws and their enforcement are working? Or maybe it's some statistical anomaly. Whatever it is, crime numbers are down.

That's in the physical world, however. In the digital world, crime is up, way up, and no one's immune. It's like 100,000 of us just parked our new BMWs in a parking lot, left the keys in the car with our GPS device, laptop, camera, and our golf clubs lying in the back seat. Oh, and there were no lights in that parking lot. Would we ever do that? Not in the physical world, but definitely in the digital one.

It's really not our fault. And not a fair comparison. In the physical world we lock our cars and hopefully put our possessions out of sight because we "know" that we risk losing them if we don't take certain precautions.

In the digital world, we just "go on the Internet" and go about our business having no idea what, if anything, is happening in the background. Have you noticed lately how long certain websites take to load? Ever watch the lower left hand corner and see what is "loading"... I assure you it's not the text you were seeking to read...  what about those links that we click... did you hear about the one where "Casey Anthony" supposedly confessed to her attorney, and it was videoed? Oh yeah, just click on the link marked "jaa" to see the confession...

Jaa is Finnish for share. And share you would if you clicked that link. Here's the story from ZDNet (and not the bad link).

Let's find a comparison in the physical world:

 "yessir, I am the valet, I know, its not usual to have a valet at McDonald's, but we're testing out a new service... great, I'll park it right over there, pal..."

Yes, you'd be an idiot to give your car to a "valet" at McDonalds, but clicking a link to see the purported confession of Casey Anthony... am I an idiot for just clicking it?

I keep asking myself the following question:

Whose responsibility is safety in the digital world?

Friday tidbits for our Nation's Birthday

As we approach our nation's 235th birthday we should reflect on our amazing accomplishments. Well, how about just one, the Internet. A marvelous creation that allows for the instantaneous delivery of information anywhere in the world. It started out as a knowledge base for our universities, then the obvious military applications (and money) came along and then the commercial use.

I remember pre-Internet days, although it gets harder each year to remember life "before" the Internet. I don't recall if I was a news junkie in those "pre-Internet" days, and although a curious lad, it was probably a little more difficult to get the information that today is available in my pocket (see: smartphone).

Since I am a news junkie, let's see what I found recently:

Let's start with LulzSec. Even though in my last post I hoped never to speak their name again, they have seemingly imploded. Ryan Cleary was arrested in England. A search warrant was executed on a house in Ohio that was purportedly the home of a teenage member of the "pinheads" (LulzSec). And I'd like to thank Paul Roberts over at Threatpost for the regular intel on the issues in cyberspace. I recently met Paul, very knowledgeable.

OK, just when you thought that law enforcement was taking them to task, I read a story out of Arizona where the wife of a police officer received a threatening phone call, a bomb threat. In that same story another police officer had a bogus Facebook page set up by someone. There were also personal emails of police officers released. Think these events have something to do with the "pinheads"? Ya, me too. These stories came out as we discovered that a second round of private data belonging to Arizona law enforcement was released. A group named "AntiSec" took responsibility for the second release. How creative... wasn't that the name of the "operation" undertaken by the "pinheads" and the group Anonymous? Their new logo is a combination of LulzSec and Anonymous, so we may or may not be dealing with the same folks.

Of course, we're not dealing with Mr. Cleary anymore now are we? Eventually these folks will all "face the man". I sincerely hope that each one will face severe punishment. This is a clear opportunity to exhibit deterrence.

Along those lines, my last post was picked up by "databreaches.net". That's a site that does a great job compiling all the data breaches that are occurring around the globe. The author thought that I was angry in my tone (I was), seemed to agree with the reasons for that, but seemed to think that I thought that other victims (non-law-enforcement) of data breaches are less important. You can read it here.

My opinion is as follows: if someone's information is stolen and then released to the world and as a result some harm comes to them it's wrong. There are a lot of things wrong in our world, but they have to be scaled. A punch in the eye hurts, but murder is permanent. Loss of your credit card data is annoying, getting a replacement card solves it. Loss of your personally identifiable information is scary and creates worry, but there are ways to mitigate the potential damage. Being identified as a political dissident and then subjected to murder, torture or other physical harm is absolutely wrong on the highest scale.

You see, I draw a distinction between those harms that are able to be repaired or mitigated and those harms which are permanent. This is an important difference.

Moving on, Citibank says that of the 360,000-plus card numbers stolen, 3,400 of them were used to the tune of $2.7 million, an average of about $800 each. What happened to the other 350,000-plus card numbers? Hopefully they turned them off, because at these rates, if it had continued, it would have resulted in losses of over $200 million (think the APR might go up next year?)

And in case you were wondering about your chances of suffering a data breach... we have the Ponemon study that says being a victim of a data breach is "a statistical certainty". Dr. Larry Ponemon is THE standard for these things. I trust his numbers; they are based on significant research (his numbers showed that 90% of 583 respondents reported that they have had a breach in the last 12 months - this is a loss of data and in many cases was attributed to a rogue insider).

And helping along Dr. Ponemon's findings, (and probably why there are so many breaches), researchers have discovered a potentially "indestructible botnet". These are the tools needed to be an effective bad guy in the cyber world. Great, they created the TERMINATOR of cyber space.... and I am sure that "they'll be baaack".

And to bring it back home to Boston, Massachusetts... where our country started... Yes, it started here. Have you heard about the Suffolk Resolves? Sure, Philly played a role, but really it started here... And so did a class action lawsuit against AOL for violating numerous federal privacy-based statutes*. Why I think it's "newsworthy" is because the lawsuit also alleges violation of the Massachusetts Privacy Act and a violation of the Massachusetts Consumer Protection Act. This is a first, but we'll have to wait and see if it's even a real case. The plaintiff lives in Mississippi, her lawyers work in Boston (classic!).

If allowed to proceed, it would mean that a private citizen is seeking to "enforce" the Mass Data Privacy law before the State Agency obligated to do so has done so. I say "enforce" because a citizen cannot "enforce" the data privacy law; rather, they can claim that a company in violation of the data privacy law is also in violation of our consumer protection laws, which are "enforceable" by private citizens.

Happy Birthday America !!!

*The suit charges that the companies violated the Electronic Communications Privacy Act (Wiretapping Act); the Computer Fraud and Abuse Act; the federal Video Privacy Protection Act; the Massachusetts Privacy Act; the Massachusetts Consumer Protection Act; and based on tort claims of Trespass to Chattel; and equitable claims of Unjust Enrichment.

A data breach that crosses the line

NATO, the North Atlantic Treaty Organization, "probably" suffered a data breach. I didn't say "possible" or "probable"; "probably" is what they said on their website. I have to be honest, I didn't even know that NATO has a website. This appears to be your standard, for 2011, run-of-the-mill data breach - we don't know what info they got, when they got it or who got it.

THIS ONE CROSSES THE LINE:

The pinheads over at LulzSec have crossed a major line. They hacked into the Arizona Department of Public Safety and published the names, addresses and other personal information of police officers (including their wives' names and email addresses). They also published a lot of privileged material regarding ongoing operations, training and intelligence.

As a prosecutor, your home address is sacrosanct. You are sometimes viewed as the "reason" some defendant is going to jail. It gets personal, sometimes real personal. On September 25, 1995, Paul McLaughlin, a prosecutor in Boston, was murdered by a gang member he was prosecuting. He was killed in the parking lot of a commuter rail station. He was on his way home and the murderer knew which train he took. The murderer probably didn't know where he lived.

It's one thing to shut down a website, annoying, yes, can be costly, yes, but does anyone get physically hurt? No.

I actually went and looked at the information that LulzSec stole and posted. They posted the actual names and home addresses of Arizona law enforcement officers and their wives and all their contact information. That is incredibly dangerous. I don't mean a little scary, I mean it's downright dangerous. There's a major incident occurring in that part of the country. The Mexican Cartels are killing 30,000+ people to preserve their drug trade. They kill indiscriminately and prefer to kill law enforcement whenever possible. These animals are insane, do you think they would even hesitate going to a residential neighborhood and killing all the inhabitants of a house?  And right now members of the Arizona Law Enforcement community are probably organizing round the clock security for their officers (or at least they should be seriously considering it).

I would like to actually meet one of these LulzSec members. I would like to bring him or her to a couple of neighborhoods in Boston that I know well. I would like to show them what the police do every day and every night. I want to show them the absolutely scary alleys and hallways of Boston where the police do their work. These punks wouldn't last 30 seconds down there.

These "hackers" are nothing. They are doing nothing to further any "cause". They claim to disagree with the Arizona law concerning immigrants, I don't believe them. They are cause-less. I recently read a leaked document which contained a "chat" by alleged members of this group. They sound like a bunch of high school kids sitting around the school cafeteria bragging about how they spray painted the dumpster behind McDonald's.

Also, if you're interested (FBI!!!?), there are some hints in this same document about their locations. I hope that someone is reading them closely. A simple reference to the weather can sometimes be the missing piece you need to figure out a time zone or specific area of a country. Their language is decipherable and the banter back and forth betrays their ages. They switch names back and forth and they forget they did it, they make numerous references to body parts, again, betraying their age. Profile them, I did.

I know that Wikileaks published some damaging information. Those "cables" from our embassies overseas contained some frank opinions of various situations. Certainly some of those will strain relationships between countries. Hopefully, none of them will get anyone killed.

Stealing money is one thing, putting innocent people in harm's way is completely different. I hope that I never mention the word LulzSec ever again, because in reality, THAT'S their cause.

Finally, an arrest of a LulzSec member

Last week I attended a conference sponsored by the International Association of Privacy Professionals. Their "Privacy Practical Series" is touring the nation and brings with it a wealth of information.

So, let's just check in and see what happened while I was away...

Oh, ADP confirmed their breach. Recall, they're the largest payroll company in the world.

We had another breach of an Internet-based gaming system. SEGA announced the breach of about a million people's information, including name, date of birth, e-mail address, and "encrypted" passwords. (Please tell me that they at least held some meetings after the Sony Situation)

And how about this one: There is a virtual currency called "Bitcoin" that is "traded" on an exchange called "Mt. GOX". No, I am not kidding... I spent an hour trying to find a way to explain to you how you earn "bitcoins" and where you "spend" them.  I still don't know exactly how you "earn" them, but if I want a piece of software or a game, someone will trade bitcoins for them. I get the basic premise, anything can have "value" within a subset of humans.

For example, there is an island in the South Pacific called YAP, whose money supply was based on rocks. The bigger the rock, the more valuable. Of course, if you take that rock to say, Hawaii, it's just a rock. These are "special" rocks and there are a fixed number of them and the inhabitant of YAP can get "stuff" because of their particular rock, but really, they're still rocks, except on Yap (PS - they switched to the US dollar - probably wanted to vacation in Hawaii).

Apparently this "exchange", called "Mt. GOX", was recently hacked (the name has a story too, it stands for "Magic The Gathering Online eXchange" - you gotta read that stuff). Mt Gox will value the bitcoins against real currency, say the US Dollar. Before the hack, one bitcoin was worth $17.50 USD. After the breach one bitcoin was worth as little as $0.01 USD - kind of like taking that rock to Hawaii, right?

Someone or someones hacked into Mt Gox, got a hold of the account information for a lot of accountholders of bitcoins and dumped (sold) them, devaluing the rest of the bitcoins in existence. Many others who were watching this took advantage of the situation by buying low and selling a little higher, and followed the market all the way to zero. The people who run Mt. GOX say that they're going to "rollback" those transactions. I say good luck. You think the profiteers didn't "exchange" their profits for real money and then withdraw it?

Why do I bother you with such drivel? To point out how a data breach can cause real damage. What if they got into the New York Stock Exchange? Or NASDAQ (which they did, but in a different way)? The results would be absolutely disastrous. Imagine a concerted effort to devalue our currency, or any real currency for that matter. One day your $4 buys a loaf of bread, the next day you need $40. You don't have to be a math major to see how bad it would be...

Which leads me to the final story of the weekend - the "merger" or "re-merger", as it may be, of LulzSec and Anonymous. They have teamed up and declared "war" on the governments and banks of the world. They even named it: "AntiSec" for anti-security, I presume. Could this "dream team" somehow affect the world's various currencies?

I usually question businesses for their lack of attention to security, today I am asking the Governments of the world to find these punks. LulzSec took down the CIA's website, THE CIA!! LulzSec has a website (lulzsecurity [dot] com) where they post the stolen information. Now, I know that they can move the site from server to server around the world to avoid detection, but are we (see: Governments) admitting that we can't find them? Can't find the site?

I have met some federal agents who are fairly talented in the cyber world. I know that our Government has the resources to search the entire World Wide Web. Let's put those two together and find these criminals.

BUT WAIT!!! THEY DID FIND ONE!!!

Police in London arrested a 19-year-old and are saying that he is a "leader" of LulzSec.

Of course, the LulzSec group is saying that some "poor soul" was "taken down" by the police, but they're still up and running.

Threatpost is also reporting the arrest in more detail.

I am very glad to hear that the FBI and New Scotland Yard are all over this. Of course, with such a decentralized group, they'll never disappear completely, but if the punishment is meted out appropriately perhaps it will deter the next 19-year-old from thinking this behavior is "fun."

I suggest we all make a note to see how the justice system handles this individual.

100 Hours worth of data breaches


It was a busy weekend for the morally questionable, yet technically literate, people of the world. Over the weekend it was revealed that the International Monetary Fund was hacked, suffering what they called a "major security breach." And just yesterday we found out that the United States Senate was breached by LulzSec, a self-styled "gray hat" hacking group ("white hat" hackers are supposedly good, "black hat" hackers are supposedly bad, and "gray hat" are just that - in the gray area between).

Just this morning I read about a small-ish business in Rhode Island whose customers reported fraudulent charges on both their credit and debit cards. That breach involved 100 victims. It's not the size that drew my attention, it was the lack of size that did.

And to round out the 100 hours, Anonymous is claiming that they intend to hack into the Federal Reserve on Flag Day, which happens to be today, June 14th. You see, the group Anonymous has an issue with the world's financial institutions, more specifically, the "global banking cartel..." You can read all about it over at Forbes blog.

LulzSec claimed responsibility for the US Senate breach. Anonymous has stated that they want to bring down the global financial cartel of which the IMF is apparently a member, but no claim of responsibility has been made by them.

A quick aside: the IMF is currently involved in the financial bailout of Ireland, Portugal and Greece, three European countries that are in financial peril. Germany is footing a sizeable chunk of those bailouts through various means. Ireland, Portugal and Greece are required to provide tons of information to the IMF in order to receive the funds. Do you think that Germany was wondering where all that money was going? Did the IMF have that information? An attack of this scale should suggest that the culprit is someone with lots of time and money and information. See Generally: A Nation State. Maybe Germany would never do such a thing, but how about a certain Asian Country who would love to see the financials on every country in the world. (PS - it appears that this was a "phishing incident", meaning a likely e-mail delivery of the MalCode - don't we learn?)

With the major breaches taking place in New York and Washington, what got my attention was little ol' Rhode Island. 100 people's information was stolen and then used. They had all apparently shopped at two local establishments: White's of Westport and Bittersweet Farms. This one could certainly have been a "morally questionable" employee who was "skimming" patrons' credit / debit card info, or it could have been a more "technologically" based event (meaning a computer hack). The article reports that the people involved believe that anyone who used their card between February 1 and now should check their statements. Law Enforcement is saying that the 100 identified victims are likely the beginning.

The moral of this story is: YES, it can happen to you no matter who you are: The International Monetary Fund, the United States Senate, or Bittersweet Farms of Westport, Rhode Island.

Citibank forced to disclose data breach

Citibank, Citigroup, Citi, whatever you call it, it's huge! Obviously a great target for the bad guys of the world. Much like a nuclear power plant may be a great target for terrorists. Don't we have the ultimate security around such facilities? I believe we do. Wouldn't you think that one of the world's largest banks would also have the "ultimate" security?

Apparently they don't. After repeated inquiries by the Financial Times, Citigroup disclosed that as many as 1% of their North American customers' data had been accessed by "hackers". How many is 1%, you ask? About 210,000, seeing as they have about 21 million card holders.

Click here to get a list of the latest 400 plus stories on the breach.

OK, is "data breach fatigue" setting in? Are you getting tired of hearing about yet another data breach?  Too bad. This year has produced some staggering data breaches, no doubt, but in reality it's a wake up call.

WAKE UP!  Technology is a fabulous tool, like the first sword. A sword, wielded properly, can defend a kingdom, but in the hands of an untrained person, it will likely result in his own demise, and subsequently the kingdom. We must respect our amazing technology by not only making it work, but also making it secure. I have repeatedly talked about this concept. Our own technology is being wielded by apparently untrained persons, I fear the demise of our kingdom.

I find it increasingly hard to believe that the cybercriminals of the world can consistently outwit our largest corporations and now banks. Didn't we create the Internet? Are we now letting it be used against us? Are you telling me that Citi can't lock down their data? Really? That's sad.

Just maybe we have to look back at the breach of RSA. Remember that one? They are the security specialists who provide "tokens" to the major institutions in America. I am fairly confident that Citi is one of their customers. I wrote about it back in March and April.

The Citi breach happened at least a month ago according to reports. That puts it in early May. The RSA breach happened in March. During those 2 months what happened? Didn't RSA figure out whose tokens may be compromised? Didn't Citi get nervous about still using those potentially compromised security tokens? Maybe I am all wet and this has nothing to do with RSA.

Maybe Citi had an insider assisting the bad guys, maybe not. Maybe this was an exploit of a "known vulnerability" as we hear so often. Maybe an employee opened an e-mail marked "DON'T OPEN ME IF YOU WANT TO KEEP YOUR JOB".

I don't know how it happened, and quite frankly, I don't care. I just hope that this string of data breaches makes everyone realize that the digital world is very very real. It's not a keyboard and computer screen, it's become part of human existence.

We, as individuals, can learn how to lock our doors, avoid bad situations and try to stay safe. Unfortunately, as participants in the digital world our security is in the hands of others and right now they're not doing such a good job, are they?

PS - I would like to see your WISP, Mr. Citi.........

Banks to sue Michaels for data breach?

Quincy, MA – The Patriot Ledger is reporting that between 15 and 20 Massachusetts banks are replacing their customers’ debit cards and refunding fraudulent withdrawals and expenditures because of the recent data breach at Michaels Stores. The affected stores, relevant here, were located in Hanover and Braintree.

Apparently, banks all over the country are doing the same thing as a result of the Michaels breach.

The banks are not happy about having to replace the cards, and with good reason. They’re not the ones who lost the information; the retailer – Michaels - lost the information. Not so much “lost” but “allowed it to be stolen” in a sense. At least that’s the banks’ position.

The Ledger quotes Tom Chew, Vice President of Hingham Institution for Savings, as saying:

“We end up eating the fraud. We think the retailer should have some responsibility. It was their lack of due diligence that allowed the whole thing to happen.”

The banks in fact do “eat” the fraud. If you shopped at Michaels with a debit card between February 8th and May 6th and your card was “skimmed” or copied, it may have ended up being used in Las Vegas or somewhere in California. If you, as the customer, notice that fraudulent expenditure, and you report it to your bank, the bank will put the money back into your account and issue you a new card. All on their dime.

Ok, why doesn’t the bank just sue the retailer? Because they lose. Remember TJX? There were 45 million cards involved there. Many banks did sue TJX. The lawsuits in the TJX mess involved numerous allegations, numerous parties and numerous legal issues. Some parties settled, some appealed, but in the end the banks didn't prevail. Why was it all so legally complex?

You see, in order to take credit cards at your place of business, and become a "merchant", you must have a contractual relationship with an “acquirer.” The merchant does not contract with VISA (for this example). The acquirer has a contractual relationship with VISA. VISA has a contractual relationship with the bank, known as the “issuer.” The bank and the retailer/merchant do not have a contractual relationship. The bank and the acquirer do not have a contractual relationship. VISA runs the whole shebang. VISA makes the associated electronic communications between the merchant/acquirer/issuer. [ Visa Visual Transaction.pdf. ]

A little Contracts 101: If I hire you to paint my house and give you money and you don’t paint my house, I can sue you for the money. If I hire you to paint my house and give you money and you give that money to another guy because you owed him money, and the house doesn’t get painted… I can’t sue that second guy. We don’t have a contract. I have to sue the first guy. Maybe the first guy sues the second, but I can’t (at least not “on the contract”).

A little Contracts 201: There is a concept called “3rd party beneficiary” in contract law. If two people make a contract for the benefit of a third, that third party has certain rights under that contract even though he is not a “party” to the actual contract. This 3rd party has to be the “intended beneficiary”, meaning one of the purposes of the contract is to benefit the 3rd party. If it is an “unintentional benefit”, then the 3rd party has no rights. Back to my house: if I hire the first guy to paint my house, give him the money, and he gives the money to the second guy… and the second guy signs a contract with the first guy to paint my house, then I am an intended 3rd party beneficiary and if he doesn’t paint my house I can sue him, even though we don’t have a contract.

The banks and the merchants do not have a contract. The banks and the acquirers do not have a contract. The banks contract with VISA. The acquirer contracts with VISA. The merchant contracts with the acquirer. In the wake of the TJX disaster, the banks tried to sue the merchants and their acquirer. You see, the acquirer has an obligation to make sure their merchants are following VISA’s operating regulations. Part of those regulations involve strict security measures. If the merchant wasn’t following the security measures, then the acquirer arguably breached their contract with VISA. The banks insisted that they were a 3rd party beneficiary of the contract between VISA and the acquirer because the security measures being enforced were for the benefit of the bank. (And p.s., if you’re confused here, multiply this by 1,000 to get the feeling of studying contracts for the Bar exam). 

The banks lost that argument in the TJX litigation, but the devil is in the details.

Before the TJX mess, there was a case in Pennsylvania: Sovereign Bank v. B.J.’s Wholesale. Very similar fact pattern: credit card data stolen from B.J.’s, banks repay losses and replace cards. Banks sue merchant and acquirer. I say “before” because the BJ’s incident happened before TJX, but the cases were argued and decided in reverse order.

The TJX decision said no 3rd party beneficiaries because the VISA contract expressly said (paraphrased) "there are no 3rd party beneficiaries to this contract.” (decision of Judge Young at the district court level, PDF)

The Pennsylvania decision (pdf) said there may be 3rd party beneficiary rights for the banks because the VISA contract was silent on that issue (you see, VISA is believed to have changed the contract after the BJ’s case to make sure there were no 3rd party rights).

If you ask me, having Hingham Institution for Savings have to pay back the customer for the money withdrawn in Las Vegas and issue a new card as a result of a breach at Michaels seems unfair. What did the bank do wrong? On the other hand, the small business merchant may be driven out of business because of the huge bill, leaving the consumer empty handed. Many different banks may be involved with one merchant’s breach which arguably puts the banks in a better position to absorb the costs. Who can/should absorb the fraud costs better and keep us spending?

Minnesota passed a law that clearly says that a breached merchant must pay for the costs associated with replacing the cards, and other “associated costs.” Several other states tried to pass similar laws, all were defeated. Notably, former Governor Ahhnold Schwarzenegger vetoed California’s version. The small business lobby must have some sway, fight for the little guy and all that (doesn't gel with the rest of The Terminator's decisions).

As of July of 2011, the “Durbin Amendment” goes into effect. That section of the Dodd-Frank Act will allow the “debit card interchange fees” charged by banks to be “regulated” by the Federal Reserve Bank. In effect, it will lower the rates. The banks argued that those fees helped to off-set the costs associated with fraud occurring at the merchant level. The merchants argued that many of their transactions lost money due to the fees and tight profit margins on small purchases. In the wake of the negative press surrounding financial institutions in America and the Government’s “bailout” of banks, the “small businesses” of America won that battle. (The Dodd-Frank Act is 2,319 pages long, I would insult you to link to that, but for those eager beavers: click here)

Is it “fair” for the banks to have to pay for the merchants’ mistakes?

Is it “fair” for the banks to charge $0.44 for a $15.00 transaction? If the retailer is netting 4% profit, that sale is worth $0.60 to them.

Is it "fair" that VISA, MasterCard, AMEX, and the rest of the credit card world doesn't have to pay for these fraudulent situations? They're making arguably about 3% of EACH transaction - how many in a year? In 2006, someone says 21.6 billion.

The answer probably lies in the theory of “equity”: he who benefits should share the risk of loss.

Now, let’s see: the merchants make a sale, the banks have a happy customer, they both benefit, right?  And what about VISA, MasterCard, American Express and all the other credit card brands? Aren’t they benefitting from these transactions? You can bet your bottom dollar they are… (in fairness to the credit card industry, their security requirements, PCI-DSS, are robust and effective, but not uniformly employed).

Two year old children have a hard time sharing, apparently so does big business.

Make a call, text, e-mail, surf apps, buy coffee, all with my phone?

My first cell phone came with a bag. The "bag" carried the battery and transmitter. The bag had a shoulder strap and everything. A friend one time made a call to his "friend", he was on the phone for 45 minutes and that call cost me $60. My second phone was basically a brick with a keypad from Nextel (remember those direct connect phones, thought that was cool).


Since then I have had 8 different cell phones. Yes, I remember each one. I am not a guy who has to have the latest technology. In fact, only a year ago I finally switched to a BlackBerry (a lot late and there is far superior technology on the market).

I used to use the phone for calling someone. Then it was for calling and texting. Then it was for calling, texting, and e-mailing, while also surfing the mobile web. Of course, never while driving, right (ah officer, I wasn't texting, I was, ah, dialing my phone - winner every time).

I read today that coming soon to a city near you... a phone that you can buy stuff with. I don't mean text Help Japan to 12345 and have a one time $10 donation charge on your phone, I mean, "I'll have a venti iced  cafe mocha, no whipped, extra ice, and tap-a-roni with my phone on the cash register and I'm out the door."

Google announced a new product called Google Wallet. It basically embeds a credit card in your phone and you tap it or zap it to pay for stuff. The technology behind it is called NFC, or Near Field Communication. Have you seen the video of the electronic pickpocket? That video involves a different technology, RFID, which is used to transmit credit card data from the card to the machine by tapping, or getting really close - watch the video, it's enlightening. The guy uses a small book-sized machine that reads your credit card while it's still in your pocket! Can he read your phone?

They also announced a coupon project. Apparently Google is going to send these Google Coupons to your phone just as you're walking by Macy's. "50% off if you come in right now."

Geez, how did they know I was walking by Macy's... how awesomely cool. No silly, they're tracking you - remember those news stories... (next up: tractor beams on your phone to make you go where Google wants you to).

Also this week, Bank of America, JP Morgan Chase, and Wells Fargo announced a product called "ClearXChange". It's a process by which you can send money to someone via e-mail or mobile phone. I haven't seen the full details on this one, but apparently you can logon to your account wherever it is online and then click some clicks and your Mom gets a text message that says "Jimmy just sent you the $50 he's owed you since 1992, click here to retrieve it." Mom then puts in her credit card number and the money is magically transported to her account (BIG PS here: Bank of America was apparently taken for $10mil by a rogue employee who, along with the other 94 people arrested by the Secret Service, was siphoning money out of approximately 300 high value accounts, very quiet story right now, not sure why just yet).

Not to be outdone, VISA is also releasing a very similar payment process. They are saying that you can use your credit card to pay a person, via e-mail or mobile phone... and that person can choose how to receive the money (on his/her card, in their bank acct, via a check, or even cash).

One funny twist: if you log on to retrieve the money and you use a Debit card, it's a deposit. If you log on using a credit card, it's considered a payment - your CC company gets the dough, not you. I had to think about this for a while, it's the only way to do it. Presumably if you have zero balance on your credit card you'd get a credit balance? But wouldn't you rather have that $50 in cash than $50 off your credit card balance? Especially if it's a 19 year old debt being paid off.

Anyway, as technology advances, we can do amazing things. The primary focus of Research and Development groups is to Make It Work. Or as Bob the Builder likes to say when asked "Can we build it? YES WE CAN!" TJX really wanted to make use of the wireless technology, and they did, and at the same time let Albert Gonzalez steal 45 million credit card numbers. Their wireless system definitely worked... it just wasn't secure.

This "mobile payment" technology will definitely work, but is it secure?

Also this week, a timely release of a whitepaper by Vest Corporation (it may ask for registration to access; if you want a summary, click here). According to their survey, 25% of Mobile Network Operators (i.e., cell phone companies) are NOT PCI-DSS compliant, and 33% of the companies surveyed did not know that they could be fined for non-compliance. In addition, the survey revealed:

  • The average cost of initial PCI compliance was approximately $700,000.00
  • The average cost of maintaining PCI compliance was over $1,390,000.00

Remember what PCI compliance is? PCI-DSS is a security standard set by the global credit card brands for anyone who stores, processes or transmits cardholder data. It is complicated, has numerous requirements and is obviously expensive. But, according to the PCI people, a PCI-DSS compliant merchant has never been breached (more precisely, no breached merchant has ever been found to be compliant at the time of the breach). So, 25% of mobile network operators are not PCI compliant, but they will almost certainly be processing credit card transactions in the near future.... hmmm.

The conversation in the board rooms may go like this:

CEO: So, does this new technology work?

R&D: Yes, we are fully operational.

CEO: Do we have a vehicle to get it to market?

R&D: Yes, we have a new mobile device that will knock your socks off.

CEO: Is it secure?

R&D: You only asked me to make it work, sir. I mean, ah, ya, it's secure.

CEO: Ah, that's ok. We'll make so much money on this, it really won't matter...

I have never been in the boardroom, so I don't know what is actually said. I do know that since the inception of cell phones, there have been ways to "affect" them. Remember "cloning"? That was when you could basically duplicate someone's phone, redirect calls, all without them knowing. If there is a way to hack a phone, and there always is, then it will get hacked. And now, by putting an individual's financial resources on the phone, there is a strong incentive to hack them.

I like technology, I really do. I understand it and see its usefulness, but at the "end of the day" it's always about the Benjamins and not about the security. Whatever these companies lose in costs associated with hacking and breaches will eventually be passed along to consumers in increased prices or bank fees. I sincerely hope that as these new technologies are deployed, security is as important as sales.

OK, it's time to head home. Long weekend ahead.... can't seem to find....

Where the heck is my phone?

Oh dear....

Massachusetts State Agency suffers data breach

It appears that a Massachusetts state agency has suffered a data breach. The Executive Office of Labor and Workforce Development (EOLWD) released a statement today announcing the possible breach.

Hiawatha Bray of the Boston Globe is covering it, as well as the Boston Herald.

It appears from the statement that a virus was discovered on or about April 20, 2011 and steps were taken to eliminate it. The computer security firm Symantec was involved.

Those steps appear not to have worked. Yesterday, May 16, 2011, the EOLWD learned that the virus had not been eliminated but had "persisted" and caused a "data breach."

 

The data involved appears to include personal information of unemployed individuals and employers who filed their required paperwork manually. The virus seems to have captured the information as it was being typed in at the infected workstations, that is, it was logging keystrokes.

The statement says as many as 1,500 computers were affected and possibly up to 1,200 companies that filed their paperwork manually. The State is not saying how many individuals' information was involved because:

"There is no mechanism available to EOLWD to assess the actual number of individuals affected but any claimant who had their UI file [sic] manually (about 1,200 out of 180,000) may have had identifying information transmitted through the virus. For a claimant to have been impacted, a staff person would have had to key in sensitive information at an infected work station."

The period of time that "filers" should be concerned is April 19, 2011 to May 13, 2011.

MGL 93H obligates state agencies to develop certain protocols for data protection. Executive Order 504 does this and has some significant requirements. I can't help but wonder if a thorough review of those requirements would be enlightening.

They're calling it a virus, but I did a little research into the named malware, "QAKBOT". It has been around since 2007 and has many variants, which makes it difficult to pin down and get rid of. It is a credential-stealing worm that spreads across network shares, which is exactly how a "cleaned" infection keeps coming back. Here's the interesting part: it's rated "Low Risk" by Symantec, the company that was providing security to EOLWD. Symantec also called it "easy to contain". Guess they're going to have to revisit that opinion.

 

UPDATE: 5/18/11

We now know that 210,000 people's information is alleged to be compromised, as well as possibly 1,200 companies' information. Guess they found a "mechanism" to assess the actual number of individuals affected.

 

Government release of information

Because I am the sole author here, I am taking this opportunity to write about something that is really bothering me... and has nothing to do with Massachusetts Data Privacy law. Call it a "digression."

The US Government recently said that it will not release the photos of Bin Laden's body.

Over the weekend, I read an article that said pornography was found on Bin Laden's computer. Actually, I read about 40 of them. They were prominently featured in almost every major publication.

 

 

I expect the President of the United States and the adults who serve along with him to act like adults. These two decisions are inconsistent and only one is correct.

Not releasing the photos of Bin Laden with a bullet hole over his left eye is the correct decision. That image would be plastered all over every blank wall in the cities of the Middle East for the next 30 years. (at least) It would be their rallying call for all that is wrong in THEIR world. Don't give them the imagery to fool young impressionable minds. Be an adult, make the statements necessary to confirm his death but never, under any circumstances, release those photos. Nothing good can or will come of it.

 

Telling the world that you found XXX rated material on computers found at Bin Laden's hideout is a juvenile decision made by short sighted people. I can only hope that the President is as dismayed as I am by the decision. And if he ok'd it... then shame on you, Mr. President.

One of the major problems in our world is the misunderstanding between cultures. Nowhere in the world is like America, and a lot of Americans think that our society is the best. We are not the best; there is no "best". We are better than most because we are arguably an "open society" that accepts a certain amount of public disagreement to foster our growth. The Arab societies are completely different from our own in many ways. There are things about their society that we'll never understand and things about our society that they'll never understand. We will all need to accept those differences if we are to have a peaceful future.

How does telling the world that we found smut on computers found at his house help the future. Has the US Government decided to "spin" this? Do they somehow think that by showing inconsistencies between his public persona and the "real Bin Laden" that his legacy will be lost? We already knew that Bin Laden was full of inconsistencies. Islam does not advocate flying planes into buildings for the purpose of killing 3,000 innocent people.

The release of this information will have the exact opposite result in the world. Many will not believe it, and claim that we are only saying it to try to make out Bin Laden as someone he was not. On that point, you either know the truth, that he was an evil man, or you will never accept the truth. They will add it to the myriad of lies that they think we already propagate.

Pornography in that world is treated a whole lot differently than it is here. On the streets of mainstream America, we may hear: "ah ha, see, that Bin Laden guy was a pervert and an evil man." On the Arab street we will be accused of lying to suit our needs. It's not like we haven't done that before. The claim is so outrageous to them that it's easier not to believe than to believe. This is the cultural misunderstanding issue playing out. People in different cultures react differently to different situations.

I don't need to know what is/was on those computers. I don't need to see Bin Laden's body to know he's dead.  We are supposed to have adults in charge and not a bunch of juveniles who may have thought to themselves... "oh wow, wait til the world finds out what we got"... followed by "tee hee hee". This was an easy one to get right, if you're an adult, and they got it wrong.

 

The world cried out to see a picture of his body. Do you think they want to see the other pictures as well?

 

 ** Remember, the opinions here are the opinions of the author and do not represent the opinions of The McCormack Firm, LLC, or any of its employees, attorneys, etc. This opinion also does not represent the opinion of any government, local, state, or federal - although I wish it did.

 

 

Sony data breach discussion on Lawyer 2 Lawyer

Yesterday, May 12, Legal Talk Network aired their talk show, Lawyer 2 Lawyer. The topic: The Sony Data Breach... The host: Bob Ambrogi... The guest: ME. That's right, little 'ol me!

It was an honor to be asked to discuss the issue. There were two guests, myself and Justin Brookman, Director, Consumer Privacy, at the Center for Democracy and Technology. Mr. Brookman had testified in Congress about data breaches only last week.

OK, the talk show is legit. They discuss real issues and have really good guests. How in the world did I end up on the show?

Maybe it's because I took a shot at the plaintiff's bar and their Sony lawsuits. (and by the way, I got voice mails and emails from people who want in on the suit, how ironic)  Or maybe it's because I try to shoot as straight as I can on these issues.

For whatever reason, I did get the opportunity and enjoyed the experience. If you have some time, have a listen.

What's really strange is that even after all these years of listening to myself try cases and elicit Grand Jury testimony, I still don't like the sound of my voice... I guess some people are just like that.

 

Michaels' Data Breach Hits Massachusetts

If you have shopped at this store recently, you should read this blog post and all the available press releases issued by Michaels.

May 4th press release

May 10th press release

 

According to the company's May 10th press release, Michaels stores located in Burlington, Braintree, Everett and Danvers have had their machines compromised. They are saying that their "PIN pads" have been "tampered with".

 

Bank of America has reached out to some customers and informed them that it is replacing their cards. According to the Chicago Tribune, two "staffers" at the LA Times were contacted by Bank of America and asked to call them at an "800" number. When they called, they were allegedly told by the B of A representative that their "card was part of a mass compromise". A Bank of America spokesperson is now saying that the rep on the phone was "mistaken" about the "mass compromise", with no further comment.

 

The news of problems with Michaels' credit/debit card PIN pads was first disclosed by the company on May 4, but at that time the problem appeared to be limited to the Chicago area. It is now being reported that at least 90 individual PIN pads have been "tampered with" in 20 states.

Michaels last listed 80 different stores in 20 states where they have confirmed that the machines have been tampered with.

Brian Krebs over at his blog, KrebsOnSecurity.com, reported yesterday that a police officer, whom he named, told him that withdrawals from the compromised accounts are taking place in Las Vegas and other West Coast locations and exceed a million dollars. The withdrawals are in the $500 range and are made at ATMs. That means the bad guys are encoding the stolen card data and PINs onto new cards, and are probably frustrated by the $500 per day withdrawal limit on the accounts.

Please allow me to put this in context... The machines involved here may look like the ones pictured here:

(photos of three point-of-sale PIN pad models)

I don't know the exact model that Michaels uses (and I'm happy about that right now), but what I do know is that if the devices were physically tampered with then the bad guys either have a very fast car or there are a whole lot of them. 20 states? 80 different locations?

 

What may come out is that the bad guys actually swapped out the real machine for a fake one. The fake one has been modified to copy all the credit card/debit card and PIN information passing through the machine. In the old days the bad guys had to come back for the machines. I am aware of technology that now allows the information to be transmitted from the compromised device to the bad guys' location wirelessly (typically a small Bluetooth module hidden inside the device). Usually they have to be somewhat nearby, say 1000 feet or so. For this one, I have no idea how the scam works.

 

The scope of this thing is scary. How long would it take to visit 80 stores in 20 states? Just for fun, I used Google Maps... I put in two locations that I know are connected by one highway: Kirkland, WA and Braintree, MA. The highway is Interstate 90 and the distance is 3,086 miles. They say you can drive it in about 2 days and 2 hours; guess Google doesn't sleep.

 

Seriously, either there are a lot of bad guys in on this operation or the data has been available to the bad guys for a long time at some locations. Unraveling this will take a significant amount of time; thankfully the United States Secret Service has been alerted and is likely running the show now. This is in their wheelhouse. Hopefully when it's all over the USSS will tell us the whole story. Ya right.

 

This is the nightmare scenario for Michaels. I hope they had a "data breach scenario binder ready." They have to:

1) stop the bleeding, end the breach

2) figure out which numbers were swiped

3) notify VISA, MasterCard, American Express, Discover, Bank of America, Bank of -------, Fred's Credit Union, you get the picture (remember, 20 states, 80 locations)

4) read the applicable statute in the 20 states and make the associated notifications

5) contact their insurers, who are circling their wagons

6) hire a public relations firm

7) call Sony, Epsilon, RSA, TJX, Heartland for advice

8) contact their lawyers - fellas, over here in Boston I know a guy who knows this stuff

 

As this whole thing gets unraveled, I will see what Michaels' obligations may be under Massachusetts Data Privacy Law, and let you know my results. I will then have to figure out a way to put up a "pay wall" for members of Michaels legal team who will certainly try to read it...

 

 

Did Sony lose credit card data or not?

Why can't we get a straight answer to a simple question?

 

SONY, DID YOU LOSE CREDIT CARD INFORMATION? Yes or No?

 

Every day you don't answer that question creates a real probability of fraud being perpetrated on the banks.

 

First it was, "no evidence to suggest" that the credit card data had been stolen.

Then it was, "the credit card table was encrypted, but we still don't think it was taken."

Now there are stories all over the Internet saying that hackers have 2.2 million credit card numbers WITH their associated CVV (that little 3 digit number on the back that you need sometimes). Worth noting: PCI-DSS forbids storing that code at all once a transaction has been authorized, so if this rumor were true, Sony would have a much bigger problem than an encrypted table.

Your author got an email from a person who said they were a Sony PS3 user and they told me that their credit card was fraudulently used shortly after the date of the breach.

 

MASSIVE AMOUNTS OF MISINFORMATION

Ordinarily I provide links to the stories that either support my facts, or are the source of information. There are far too many today, and I can't tell which ones are accurate or which ones are merely repeating the information from a different source. If you want to read about the alleged "Hackers" just go to "google news" and you'll see that some 5,000 stories are floating around. Let me sum them up for you:

Someone supposedly was on a "chat forum" where hackers tend to "chat". Apparently one of the hackers was claiming they had the credit card data, 2.2 million card numbers, and were offering it for $100,000.00 - they even allegedly offered "the list" back to Sony for the same price, but were turned down. (Sony denies this happened)

Now there are also stories about fraudulent charges showing up on credit cards that are owned by PlayStation users. The source of these stories seems to be "gaming forum" websites where video game players "chat". I guess a few people have been "chatting" and "Tweeting" that their credit card had been used to buy various things fraudulently. One of the strange stories is that the fraudulent charges have been in Japan, Germany and the United States. And I must note that the charges seem to involve physical presentment of a card.

 

Here's my take:

I can't see why the alleged hackers would discuss the matter publicly. From a law enforcement standpoint, if  you "chat" online, I will likely find you in a matter of hours.

There are generally two kinds of thieves in a situation like this... ones who use the credit card info and ones who sell it. So far the rumors out there have both events happening.

Sure, credit card data is easily moved around. The data could certainly fly from California to Romania to Japan to Germany, etc. But to have fraudulent transactions conducted in various countries around the world within a very short time frame is highly unlikely. This is especially true because the "victims" are claiming that cash withdrawals happened, groceries in Germany were purchased, and "something" was bought at a "store" in Japan. Simply unlikely.

 

I don't know if the credit card data was stolen or not. I will take Sony at their word that it was stored in an encrypted table. I don't know if the "key" for that encryption was stolen along with everything else. And finally, I don't know for sure if any or none of the stories about hacking and credit card fraud are true.

 

What I do know is that Sony had credit card data, and with that data you can identify the banks involved: the first six digits of a card number (the BIN) identify the issuing bank. (Remember, it's not actually stolen in the physical sense, it's copied, meaning Sony still has the credit card numbers.) If Sony would reach out to the banks involved, which they should have already done, the banks could flag those accounts. The banks may then issue new cards to the affected card holders. New cards ain't free ladies and gents, so don't count on that happening, not just yet.

But, I have a solution:

** IF SEVERAL OF THOSE BANKS INVOLVED CAN CONFIRM  FRAUDULENT CHARGES AND THE ACCOUNT HOLDER WAS A PS3 USER, WE KNOW THAT THE CARD INFO IS OUT THERE AND THE ENCRYPTION HAS BEEN BEATEN**

Cross reference the banks involved with the PS3 users. At some point the coincidence theory fails and the truth emerges.

 

Fraudulent charges happen everyday. With 77 million peoples info involved, and an unknown amount of credit card numbers involved, the truth cannot be discerned from the "victim" reports. They could be coincidence or lies. I take $600 out of my account and then claim I was a victim... not too difficult is it.

 

I return to my original question: Were the credit card numbers taken or not? Every day of delay in answering that is potentially costing the banks real dollars in fake fraudulent claims.

 

 

It's official: Sony suffers massive data breach

Sony has put out a statement about what happened. I would like to put this in context... Epsilon lost what, 40 million email addresses? The whole nation heard about that, either on TV, radio, Internet or via an email from the myriad of companies who sent out "notifications".

Sony may have lost 75 million people's information. There are a little over 300 million documented people in the United States. That means that 25% of the population of the United States had information on Sony's network? And now who has it?

 

Sony has been calling this an "outage", as if it were an electric company after a big storm. Excuse me, the fact that your video game operations are offline is not the problem here, it's the fact that 25% of the United States citizens now are worried about identity theft, or should be.

Let's get to the specifics: Sony has said the following:

"...we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained... WHILE THERE IS NO EVIDENCE AT THIS TIME THAT CREDIT CARD DATA WAS TAKEN, WE CANNOT RULE OUT THE POSSIBILITY. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained."

From the statement posted by Patrick Seybold, Sr. Director, Corporate Communications & Social Media.

I have been reading words written by lawyers for fifteen years and pride myself on being able to tell when they are riding the razor's edge. I don't know if Mr. Seybold wrote it, I doubt it, nor do I know if a lawyer wrote it, but I am sure that Sony's legal counsel had a look at this statement before it went out.

Note that they are fairly certain that a bunch of your information was "stolen", but they're not quite sure that the credit card info was taken. A very convenient conclusion. Losing the credit card number would certainly make matters worse, but those could be changed... your name, address, etc cannot be changed.

Everyone stays focused on the credit card number... oh dear, they have my credit card number.. oh dear... LOOKIT, (as my grandmother used to say) with one simple phone call that "credit card" is a piece of plastic, nothing more. Of course, in order to make that happen, you'd have to know that it was missing... and Sony seemed to have waited at least a week to finally tell us that "hey, maybe, well, possibly, ahhh, out of an abundance of caution, let's assume its missing."

I find it hard to believe that they can't figure this out. This isn't some small restaurant group in Boston who was tech-ignorant... this is freakin' SONY.  I know, they want to be sure before they go public. Not just "sure" but what I would call "no-other-choice sure." (as in, we have no other choice fellas, we have to tell mom we broke the lamp playing ball in the house)

 

I took a hard look at the Massachusetts Law, MGL 93H, and its definition of "personal information". Name and driver's license number; name and social security number; name and:

 "...financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account" MGL c.93H s.1(a)(iii)(c)

If Sony lost the credit card number, and the person is from Massachusetts, bingo - our law applies. If not, well, it's not clear. Could the rest of the information that Sony lost allow access to someone's financial account? Can't tell.

But let's revisit Sony's statement: recall they said that they can't say for sure if the credit card number was lost. (no evidence, but can't rule out the possibility - remember?)

MGL c.93H s.3(b)(1)(2) says: "...(1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired..."

There we have it ladies and gents, the razor's edge. They're willing to say to the public that "out of an abundance of caution, presume your card's been compromised." But they don't affirmatively say that they "know" the card info has been compromised. Can you see why?

 

There are 46 different state laws regarding data breaches. I hereby offer my hourly services to Sony Corporation in assisting them comply with them, in the event they have to...

 

And as I like to do in situations like this, figure out who did it, I think that the perps here are cybercriminals. This one's in their wheelhouse, and now 25% of American citizens' personal information is in Eastern Europe being analyzed for future use.

Does an ATM skimming breach require notification under law?

In my hypothetical, a bad guy puts a "skimming device" on an ATM at a suburban bank and a couple of hours later comes back and retrieves it. He knew when to put it on: he conducted surveillance to figure out the busiest times and busiest days. During his "hit" 155 people used the machine, and the bad guy captured all 155 people's ATM card data and PINs.

 

SKIMMING - an overview

As I briefly touched on a few months back, skimming, in the criminal sense, occurs when a device made to look exactly like part of an ATM is placed over the actual part. I am talking about the card reader, that little slot where you put your ATM card. You put your card into that slot to access the machine and your funds, and the "skimmer" reads your card's magnetic stripe at the same time. Generally the bad guy will need another piece of equipment to complete the act: a tiny camera that focuses on the keypad to record you entering your PIN (or a fake keypad overlay that logs the keystrokes).

 

To recap, the bad guy puts a device on the ATM that "reads" your card. He also places a tiny camera somewhere in the area of the ATM to capture your PIN. Later on, he retrieves both items. The device he retrieves has a memory chip that recorded all the card numbers that were used. The camera recorded all the PINs that were entered. A time/date stamp on both devices enables the bad guy to match up each ATM card number with its PIN.

 

 ENCODING - an overview

OK, now what... the bad guy goes into a retail store that sells "gift cards". You've seen them... you can get iTunes cards in varying amounts, or Walmart gift cards, Target gift cards, just about any type of card you want. These cards sit on the shelf waiting to be "activated". There is no money on the cards until you take them to a register and have them "activated". BUT they have a magnetic stripe that is ready to RECEIVE information... any information... including the newly obtained information from our friend, the bad guy.

 

With some readily available equipment (a magnetic stripe reader/writer), he can "encode" the stolen ATM card data onto ANY card with a magnetic stripe, yup, even a calling card for Africa. It doesn't matter what kind of card it's encoded on; once he's done encoding, he's not going to a department store to "present" it, he's going to another ATM to use it... the ATM doesn't know it's a Walmart card, it only knows that it's a card with a magnetic stripe carrying valid track data.

He goes, he withdraws and, like Charlie Sheen, he wins.

 

SOLVING THE CRIME - an overview

So, the bank... it figures it out**(see below)... recalls the surveillance tapes, and sure enough, there's our bad guy putting it on the machine and taking it off. The bank people will have the start and end of the "skim", a picture of the bad guy and likely a list of all cards used during that period.

But is that a data breach that requires notification?

 

Hold onto your hats ladies and gents.... probably not.

 

You mean to tell me that the bank down the street is KNOWN to have been compromised and you don't have to tell the public or even the 155 poor souls who used the machine?

 

THE LAW: MGL 93H - Data Breach Notifications

The Massachusetts Data Breach law says that the data involved has to be (for this example) a combination of "NAME" and a financial account number. If the ATM only reads the card number... and that's all the bad guy was able to obtain... then, well, no name - no notification.

In fact, the bad guy doesn't even care what your name is... he just wants a working ATM card with the right PIN.

 

Sure, your name is encoded on the card's magnetic stripe, but here's the funny part: the stripe carries more than one "track". Usually two are in use: Track 1 and Track 2. Because of the way the tracks are encoded, only one of them, Track 1, can hold letters as well as numbers, and that is the track that carries the cardholder's name along with the card number. The other, Track 2, is numeric only: it carries the card number, the expiration date and a service code, but no name. (Both tracks carry other information as well, and ATMs generally read Track 2.)

 

So long as the bank can say that only the track without the name was read, then no notification is legally required.
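To make the Track 1 / Track 2 distinction concrete, here is an added example (my code, not from the post) that parses the two track formats the way a skimmer's firmware or a bank's forensic analyst would, and answers the question above: did the captured data include a name next to the account number? The track strings are constructed; the card number is the well-known Visa test number 4111111111111111 and "JANE DOE" is made up. The Track 2 string is also exactly what gets "encoded" onto a blank gift card in the encoding step described earlier.

```python
"""Added example: parse Track 1 / Track 2 data as a skimmer would capture it
and report whether a cardholder name was captured along with the account
number.  Sample strings are constructed: the PAN is the Visa test number
4111111111111111 and the cardholder name is fictional."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Track 1 (IATA format): %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"^%B(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?$")
# Track 2 (ABA format):  ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})([^?]*)\?$")


@dataclass
class TrackData:
    track: int
    pan: str
    expiry: str            # YYMM
    service_code: str
    name: Optional[str]    # only Track 1 carries a name


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; skimmer kits use it to throw away misreads."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track(raw: str) -> TrackData:
    """Parse one raw track string read from a magnetic stripe."""
    m = TRACK1_RE.match(raw)
    if m:
        pan, name, expiry, svc, _ = m.groups()
        # Track 1 stores the name as SURNAME/FIRST, padded with spaces
        surname, _, first = name.partition("/")
        return TrackData(1, pan, expiry, svc, f"{first.strip()} {surname.strip()}".strip())
    m = TRACK2_RE.match(raw)
    if m:
        pan, expiry, svc, _ = m.groups()
        return TrackData(2, pan, expiry, svc, None)   # numeric only: no name
    raise ValueError("not a recognisable Track 1 or Track 2 string")


def mask_pan(pan: str) -> str:
    """Show only the BIN (first 6) and last 4, as a breach report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def name_was_captured(raw_tracks: list[str]) -> bool:
    """The post's question: did the capture pair a name with the account
    number?  True only if a Track 1 read is among the captured strings."""
    return any(parse_track(t).name is not None for t in raw_tracks)


# Constructed sample: what one swipe might yield on each track.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE            ^25121011234567890?"
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"

if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        t = parse_track(raw)
        print(f"track {t.track}: pan={mask_pan(t.pan)} exp={t.expiry} "
              f"luhn={luhn_ok(t.pan)} name={t.name!r}")
    print("Track 2 only captured ->", name_was_captured([SAMPLE_TRACK2]))
    print("Both tracks captured  ->", name_was_captured([SAMPLE_TRACK1, SAMPLE_TRACK2]))
```

Run it and the Track 2 line comes back with `name=None`: the account number, expiry and service code are all there, which is everything an ATM needs, and nothing a name-plus-account-number statute needs. Whether a given skimmer head reads both tracks is a question of hardware, not of the data format, which is why "we only read Track 2" deserves to be verified rather than assumed.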

This leaves a compelling question: do the banks HAVE TO notify the Attorney General and the 155 hypothetically affected card holders?

Based on sources that I cannot disclose, some banks take the position that the only information read from an ATM "skimmer" is from the track without the name. Their position is that the compromised information came from that track and therefore no notification is required.

But how do they know? Do they actually KNOW that the skimmer only captures the number and not the name? Or is it a convenient conclusion to reach.

 

No company wants to go public with a data breach story. It is bad for business, just ask Epsilon.

I guess that reaching the convenient conclusion is good for business, but is it the right thing to do?

 

I spent a little time researching skimmers. You have to be careful; you are dealing with a very nasty group of people when looking for ATM skimmers. Most of them lie, some are undercover law enforcement, and some will really sell you a "skimming kit"... I found one person claiming to sell a skimmer that reads both tracks. It says it's a "hand skimmer", which wouldn't work on an ATM, but it appears the technology is available...

 

I cannot say with any certainty that a bad guy's skimmer will read both tracks and therefore have your name AND account number. What I can say is that if the bank in my neighborhood was found to have had a skimmer on it, I would want to know because ATM skimmers are like termites, where there's one, there are likely more.

 

FULL DISCLOSURE: This is a hypothetical situation created to discuss a potential serious data breach that goes undisclosed and unreported. I cannot say what any bank would do in any given situation like this - I would hope that at the very least the cards compromised would be replaced by the bank. I can say with relative certainty that a criminal investigation would follow any ATM skimmer being discovered and under Massachusetts law that investigation takes precedence and will delay any notification... but not indefinitely.

 

** "skimming" incidents are discovered in various ways: Sometimes a technician working on the ATM will discover it, sometimes a customer will notice it and sometimes after a group of affected card holders have their accounts drained, the bank will cross reference those cards recent usage and discover that they all used the same ATM on the same day/time, etc.
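The cross-referencing in that footnote (and the same exercise the banks will be running across Michaels' 80 stores) goes by the name common point of compromise analysis. Here is an added example of it, my code and not the post's, over a constructed set of transactions: find the terminal and time window the fraud victims share, score it against the terminal's other traffic so that a merely busy terminal does not get blamed, and produce the list of every card that used it in the window, including the ones whose owners haven't been hit yet. Card references are tokens; nothing here is a real account.

```python
"""Added example (not from the post): common point of compromise analysis.
Given card transactions and the set of cards that later reported fraud,
find the terminal (ATM or PIN pad) and time window the victims share, then
list every card that used that terminal in the window so it can be
reissued.  All transactions below are constructed; card ids are tokens."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Txn:
    card: str          # tokenised card reference, never a raw PAN
    terminal: str      # ATM id or store PIN pad id
    when: datetime


def find_common_point(txns: Iterable[Txn], fraud_cards: Iterable[str],
                      min_share: float = 0.5
                      ) -> Optional[tuple[str, datetime, datetime, float]]:
    """Return (terminal, window_start, window_end, score) for the terminal
    the fraud cards have most in common, or None if no terminal was used by
    at least min_share of them.

    The window is cut to the victims' own visits, and the score is
    victims / distinct cards seen at the terminal inside that window.
    That is the coincidence test: a busy grocery terminal every victim
    also happened to use scores low, because many non-victims used it in
    the same window; a skimmed ATM scores high."""
    fraud = set(fraud_cards)
    by_terminal: dict[str, list[Txn]] = defaultdict(list)
    for t in txns:
        by_terminal[t.terminal].append(t)

    best, best_key = None, None
    for term, rows in by_terminal.items():
        hits = [r for r in rows if r.card in fraud]
        victims = {r.card for r in hits}
        if len(victims) < 2 or len(victims) / len(fraud) < min_share:
            continue
        start = min(r.when for r in hits)
        end = max(r.when for r in hits)
        in_window = {r.card for r in rows if start <= r.when <= end}
        score = len(victims) / len(in_window)
        key = (len(victims), score)       # most victims first, then purity
        if best_key is None or key > best_key:
            best, best_key = (term, start, end, score), key
    return best


def cards_at_risk(txns: Iterable[Txn], terminal: str,
                  start: datetime, end: datetime) -> list[str]:
    """Every card that used the terminal inside the window: the reissue
    (and, depending on what was read, notification) list."""
    return sorted({t.card for t in txns
                   if t.terminal == terminal and start <= t.when <= end})


# ---- constructed sample data -------------------------------------------
T0 = datetime(2011, 5, 6, 12, 0)


def _at(card: str, terminal: str, minutes: int) -> Txn:
    return Txn(card, terminal, T0 + timedelta(minutes=minutes))


SAMPLE_TXNS = [
    # ATM-17: skimmer in place for about two hours over lunchtime
    _at("c01", "ATM-17", 5), _at("c02", "ATM-17", 15), _at("c03", "ATM-17", 40),
    _at("c04", "ATM-17", 70), _at("c05", "ATM-17", 95), _at("c06", "ATM-17", 110),
    # same ATM, but outside the time the skimmer was on it
    _at("c07", "ATM-17", -600), _at("c08", "ATM-17", 900),
    # a busy grocery PIN pad the victims also used, hours apart, with thirty
    # other customers in between: a coincidence, not the common point
    *[_at(c, "POS-GROCERY", m) for c, m in
      zip(["c01", "c02", "c03", "c05", "c06"], [200, 400, 600, 800, 1000])],
    *[_at(f"c{n:02d}", "POS-GROCERY", 210 + (n - 10) * 25) for n in range(10, 40)],
]
# c04 used the skimmed ATM too but has not reported fraud (yet)
SAMPLE_FRAUD = {"c01", "c02", "c03", "c05", "c06"}

if __name__ == "__main__":
    hit = find_common_point(SAMPLE_TXNS, SAMPLE_FRAUD)
    if hit:
        term, start, end, score = hit
        print(f"common point: {term} {start:%Y-%m-%d %H:%M} to {end:%H:%M} "
              f"(victims are {score:.0%} of its traffic in that window)")
        print("reissue:", cards_at_risk(SAMPLE_TXNS, term, start, end))
```

On the sample, ATM-17 wins over the grocery PIN pad even though every victim used both, because the victims are five of the six cards that touched the ATM in the window and five of thirty-five at the grocery. The reissue list is the six, not the five: c04 is the cardholder who has not noticed anything yet, and that is who a quiet "no notification required" decision leaves exposed.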

P.S. Skimming is a very popular crime. Brian Krebs of "KrebsOnSecurity.com" has a series of articles on the topic. 

 

RSA data breach the result of successful spear phishing

A great story almost slipped by me... With all this "Epsilon" business happening, the disclosed cause of the RSA breach almost went unnoticed. Remember the data breach of the security company, RSA? They're the company that makes the SecurID tokens and other security products used by government agencies, hospitals, and lots of corporations with extremely sensitive data. I wrote about it a couple of weeks ago and gave you five possible theories.

Guess how the RSA breach happened? Think hard about our aquatic friends...

Yes, spear phishing.

 

A lonely email makes its way to the inbox of an unsuspecting employee who opens the "excel spreadsheet" and BAM - game on ladies and gentlemen.

 

On April 1, Uri Rivner, a key RSA boss, posted "Anatomy of an Attack." You have to give RSA credit for telling the world what happened. Mr. Rivner tells us that there were two "phishing emails" sent to a small group of RSA employees. Apparently the email ended up in their "junk" box, but one employee retrieved it and in the end opened the attachment that released the "malcode" (as our AG calls it) and the rest is history. RSA doesn't hide much, they lay out quite a bit of detail. I won't bore you here, but it is fascinating, and their disclosure does a service for the rest of us.

 

Today, I want to tell you about "social engineering". My definition is "getting someone to do something that they either don't want to do or don't know why they're doing it". Wikipedia defines it in the context of "security" fairly well.

How did the "villains" know who to send the "phishing" email to? According to Mr. Rivner's blog, the employees were defined as follows:

...you wouldn't consider these users particularly high profile or high value targets. The email subject line read “2011 Recruitment Plan.”

 

So, the employees were not "high value targets", but they were employees of RSA. A couple of basic facts to consider:

  • The bad guys had to know the employees' email addresses
  • The bad guys had to know at least something about the employees - meaning they knew that the targeted employees were not janitors
  • The bad guys had to get the employee to open the infected file

Where is information like this available?...   Facebook, LinkedIn, social media sites, that's where. Some people have basic information on their social media sites and some update it so often you know what they had for breakfast. You can tell a lot about a person from reading their social media website. You may even be able to tell what they might do in a given situation... that, my friends, is "social engineering."

Why would only one of the "targeted" employees retrieve an email from the junk mail box and open an attachment? You work at RSA, you work for a security company, and you open an attachment on an email that your spam filter caught? Something just doesn't make sense here.

 

Was it something about the name of the attachment that caught that employee's eye? "2011 Recruitment Plan" was the subject line of the email. Why did the bad guys choose to name it that? Maybe because they had been watching the various employees' social media sites and knew that RSA had an ongoing recruitment plan. That's just a guess, a pure guess, but if you're the bad guy and you want to successfully "spear phish" you need some good intel. What's going to make the employee open this attachment? That, as the bad guy, is your operational goal.

 

We, as digital citizens, put a lot of information about ourselves in the public domain. (oh, I'm sorry did you think that the privacy settings on Facebook keep the bad guys out? How many "friends" do you have and how many of those "friends" have "friends"... and can your friends' friends see your page?)

As a quick aside, I used to use Facebook regularly as an investigative tool. We would "friend" our suspects' friends and then just sit back and read. It was oh so simple to get access to a guy's site - use a pretty girl. She's not real, she's the police, silly. Plus most of the time the privacy settings were non-existent and their info was public.

 

Social engineering is made easier the more public we are about ourselves. Spear phishing works. And the combination of social engineering and spear phishing has worked in the most dramatic way in this case resulting in the breach of one of the world's leading security firms.

 

But what about my five "theories"?

  1. Conspiracy - technically still viable, but I sincerely doubt it now.
  2. Foreign Government Action - gaining ground based on the complexity of the incident
  3. Corporate Espionage - still possible, but unlikely. The same type of attack has been launched against many other corporations leading me to believe that it's from outside the corporate world.
  4. Criminal Organization - I stand by my assertion that this is too complicated for them to pull off. Prove me wrong, Eastern Europe, I dare you.
  5. It never happened - It did. This one is out.

 

One final note: If I was a bad guy and had the EPSILON email data, here's how I would use it:

I would send an email purporting to be from the affected company apologizing for the inconvenience and in the same email offer to have them removed from our email list by clicking "this" link. Would you click that link?

Condé Nast beat for $8 million - "spear phishing" the cause?

Yesterday I reported on the Epsilon email address breach and discussed "phishing"... Who falls for such things, you may have asked...

 

Condé Nast does. In case you don't know who they are, they publish Vogue, GQ, Glamour and about 20 more very popular magazines. There is a very witty article written in Forbes about this "breach" that manages to use the various Condé Nast publication names throughout the article.

 

When you are a rookie DA or if the facts are just so clear that you don't want to screw up the trial by being "creative" you ask the most simple of all trial questions, "what happened next" ... so following that tradition:

 

What happened next?

This guy in Texas sent an email to Condé Nast requesting that future payments for printing of their magazines should now be sent to BBVA Compass Bank with routing/account number: XXXXXX-XXXXXXX. This gentleman had opened an account at the Alvin, Texas branch of that bank under the name "Quad Graphs". The real printer's company name is Quad/Graphics, and it is located in Wisconsin.

 

What happened next?

Condé Nast followed the instructions in the email, filled out the necessary forms to facilitate payment to the new account and over the next 44 days (Nov 17 - Dec 20) transferred $7,969,330.02 to this bank in Alvin, Texas. THAT WAS ALMOST EIGHT MILLION DOLLARS FOLKS.

 

What happened next?

On or about December 30th someone over at the real printer, Quad/Graphics, realized "hey, where's our money?" and contacted the brain surgeons and rocket scientists over at Condé Nast.

 

What happened next?

Not wanting to be outdone by the brilliance of the accounting department at Condé Nast, our "villain" in the story has his own moment of brilliance. The cash is in the "Quad Graphs" (his) account, which is in his home town, but he fails to get away. How do you not have an exit strategy when you are stealing EIGHT MILLION DOLLARS? The guy apparently transferred $84K into an account in his own name, just to make it that much easier to name him.

You can't make this stuff up... Sir, you just made off with almost eight million dollars, what do you want to do now? Disney World? No, you go to a country without an extradition treaty with the United States. You have that money hidden in a private bank somewhere - trust me, for the right fee you can hide almost anything, especially money.

 

What happened next?

Condé Nast contacted those good folks over at the US Secret Service, who in short order had the money all nice and tidy and frozen solid. (Well, except for, by my math, about $51,662 which appears not to be accounted for in the complaint filed in court.)

I am an honest fella, but if you were to offer me a challenge... can I get EIGHT MILLION DOLLARS and myself out of the country and out of reach of law enforcement with a 44 day head start? I am most certainly sure that the only thing you'd find of mine would be old clothes and a whole lot of rumors about where I went.

 

This whole thing started with a targeted e-mail (spear phishing), became a theft of $8mil and luckily came to an end quickly. In order for this to have happened the way it did you need only a few people who "just can't be bothered with details", on both sides.

 

**Remember, I did not name the gentleman involved, but you should know that he has not been charged with a crime and if/when he is, he is presumed innocent until found guilty in a court of law.

** As for Condé Nast - they are so lucky to get that money back, they should give the guy a finder's fee for "finding a hole in their operation."

 

Massive e-mail data breach

A recently disclosed "massive data breach" has affected some seriously large companies. Epsilon is a company that manages e-mail communication for your company. They maintain a list of your customers and arrange for direct e-mail communication on behalf of your company.

Epsilon is also a company that provides a lot of different "marketing" programs with names like "Abacus" that scare me... and try deciphering their privacy policy, or at least figuring out which one applies to you.

 

Apparently Epsilon has lost a lot of email addresses that they were holding on behalf of some significant companies. Their "press release" is awfully short, but that's because they're probably still figuring out what the heck happened.

  

Epsilon has been breached by entities unknown. I found a list of companies with whom Epsilon was/is doing business and whose customers are involved in the breach: (provided by Mike Lennon of SecurityWeek)

  • TiVo
  • JPMorgan Chase
  • Capital One
  • Citi
  • LL Bean Visa Card
  • Best Buy
  • Walgreens
  • Brookstone
  • Marriott Rewards
  • Ritz-Carlton Rewards
  • Home Shopping Network
  • The College Board
  • Disney Destinations
  • US Bank
  • Kroger Supermarkets
  • McKinsey & Co.
  • Barclays Bank

So what, it's just your e-mail address, right? Wrong. It's more than your e-mail address, it's a trusted relationship that has been breached. The customers involved here had "requested" to receive e-mails from the companies that Epsilon worked for... meaning that you might expect the email or, at least, wouldn't assume any email from these companies to be "spam".

 

Oh look honey, an offer from the Ritz... we are such good customers that they sent us a special deal... I just have to click here...

Who knows where that click will take you, but I thought that I would take this opportunity to define “PHISHING” for you in case you don’t know how it works.

 

Wikipedia defines it for us: http://en.wikipedia.org/wiki/Phishing as does probably a half million other websites.

Fish in water

Phish in cyberspace

Let me see if I can distill it down to a simpler concept. Someone sends you an email with a link that you may be expecting, you click on the link and you are taken to what appears to be what you expected, except it’s not. The bad guys went “phishing” for someone. If the bad guys have a solid email address for you and know that you have a trusted relationship with a particular company, it’s called “spear phishing” because it’s actually targeted for you in particular.

 

You fish for anything swimming by, you throw your spear at one fish in particular, see?

 

In this breach, one potential outcome may be an email from Ritz-Carlton Rewards or Marriott Rewards offering a special deal because you are such a good customer. If you haven't been there in a while, or ever, you may suspect something is amiss. If you are a regular customer, and unaware of this data breach, you may follow the link to the "deal".

 

The bad guys around the world sit around all day thinking up ways to "trick" us into giving them certain information. How do you get someone's social security number? Oh, I know, let's pretend to be the IRS sending a "confirmation of tax return" email. How do you get their bank login information? I know, send them a link that takes them to a page that looks identical to the real bank... and then the unwitting person gives us their account number and password... wow, that was easy.

 

This is no joke, the bad guys will actually make a fake website that looks just like the real one. There are ways to figure out that it’s a fake, but these are not commonly known. If I told you about security certificates would you know what I was talking about? How about “shortened urls”? Or how about just looking at the address bar at the top of your browser? Things that aren’t commonly known or done.
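A defender-side check for the address-bar, shortened-URL and look-alike problems just described, as an added example that is not from the original post: it pulls the links out of a message body and reports why each one does not lead where the message claims. The brand-to-domain table, the shortener list and the sample e-mail are constructed for illustration.

```python
"""Flag links in an e-mail that do not lead where the message claims.

Added example, not code from the original post. The brand/domain table,
the shortener list and the sample e-mail below are all constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed: brands a phisher might impersonate, mapped to the domains a
# genuine message from that brand would link to (hypothetical .example names).
EXPECTED_DOMAINS = {
    "ritz-carlton": {"ritzcarlton.example", "marriott.example"},
    "marriott": {"marriott.example"},
    "citi": {"citi.example"},
}

# Constructed list of link shorteners: a shortened link hides its real
# destination until it is followed, so it is flagged rather than trusted.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name, e.g. 'login.citi.example' -> 'citi.example'.
    Good enough for this example; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_url(url: str, brand: str) -> list[str]:
    """Return the reasons one link looks suspicious for a message claiming
    to come from `brand`; an empty list means nothing stood out."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "https":
        reasons.append("not https")
    # 'https://bank.example@evil.example' shows a trusted name first, but
    # everything before the '@' is user info; the browser goes to evil.example
    if parts.username is not None:
        reasons.append("userinfo before host")
    if IPV4_RE.match(host):
        reasons.append("bare IP address as host")
    if host in SHORTENERS:
        reasons.append("link shortener hides destination")
    if registrable_domain(host) not in EXPECTED_DOMAINS.get(brand, set()):
        reasons.append(f"host {host!r} is not an expected {brand} domain")
    return reasons


def suspicious_links(body: str, brand: str) -> dict[str, list[str]]:
    """Map every URL found in `body` to its list of warnings."""
    return {url: check_url(url, brand) for url in URL_RE.findall(body)}


# Constructed sample: one genuine-looking link and three that are not.
SAMPLE_EMAIL = """Dear valued guest, your special reward is waiting:
  https://ritzcarlton.example/rewards/claim
  http://ritzcarlton.example@198.51.100.7/login
  https://bit.ly/abc123
  https://ritz-carlton-rewards.example/offer
"""

if __name__ == "__main__":
    for link, warnings in suspicious_links(SAMPLE_EMAIL, "ritz-carlton").items():
        print(link, "->", "; ".join(warnings) or "looks consistent")
```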

 

There are many of us out there who know about these scams, and there are a lot more people who have some familiarity with them. There is also a significant number of people out there, certain relatives of mine for example, who have no idea about all this "stuff". Those are the people who can be tricked by a "copy" of a bank website.

Having your email address lost to "spammers" is not the end of the world. I used to, and still do, create email addresses for the purposes of making purchases online. Sure, send me whatever you want, I'm never going to read it anyway. If you are in a business relationship with a company and communicate with that company via email, it is a completely different situation.


Remember snail mail? An actual paper letter is delivered to your house; amazing concept, I know. There are thousands of people in the United States who after receiving an offer for something that was never going to come true, were tricked into providing some bad guy with something. You think that’s over? Try again… the United States Postal Service Investigators are actively pursuing fraudulent schemes – see the latest ones here.

 

"There's a sucker born every minute" is a quote attributed to P.T. Barnum, but even that fact is in dispute. (see here)

What is not in dispute is that even the most obvious scams will work on a certain percentage of the population, and that fact is why this massive data breach should be of major concern to the population.

P.S. Will the new Federal Data Privacy law apply to Epsilon? That answer is not as clear as you may think.

P.P.S. If you really want to know about online crime and current schemes, you have to read Brian Krebs' blog - www.krebsonsecurity.com. He is very knowledgeable and easy to read - plus he has a ridiculous network of "sources". Of course, he's not a local guy, so you'll need to come back here for the local spin.

 

UPDATE: (thanks to databreaches.net for an updated list of affected companies, WOW!)

  • Kroger
  • JPMorgan Chase
  • Capital One
  • Citi
  • New York & Company
  • US Bank
  • Barclays Bank of Delaware (and Barclay’s L.L. Bean Visa card)
  • Brookstone
  • McKinsey Quarterly
  • TiVo
  • College Board
  • Walgreens
  • Ameriprise
  • Marriott Rewards
  • Ritz-Carlton Rewards
  • Disney Destinations (The Walt Disney Travel Company)
  • Benefit Cosmetics (see below)
  • Home Shoppers Network (HSN)
  • AbeBook
  • Best Buy
  • Best Buy Canada Reward Zone
  • Robert Half International (copy of email sent to DataBreaches.net by recipient)
  • Borders (reported by Brian Krebs, but haven’t seen confirmation yet)
  • City Market (Kroger)
  • Dillons (Kroger)
  • Food 4 Less (Kroger)
  • Fred Meyer (Kroger)
  • Fry’s (Kroger)
  • Hilton Honors (reported by Brian Krebs, but haven’t seen confirmation yet)
  • Jay C (Kroger)
  • King Soopers (Kroger)
  • QFC (Kroger)
  • Ralphs (Kroger)
  • Smith Brands (Kroger)
  • Verizon (reported by Brian Krebs, but haven’t seen confirmation yet)
  • Visa (Barclays Bank of Delaware)

Child Victims of Identity Theft - a troubling trend

A recent study by Carnegie Mellon University revealed a troubling trend: children’s identities being stolen and then used. MSNBC’s Bob Sullivan reported on a study by CMU’s Richard Power of the school’s CyLab research center that studied data on 40,000 children’s profiles.

His study showed that more than 10% of the identities were “tainted in some way.” Power is quoted as saying:

These were 4,000 kids in there with gun licenses, mortgages, car loans, and driver’s licenses. That’s crazy.

 

Some really troubling statistics:

  • 300 were under 5 years old
  • 1800 involved utilities service records
  • 500 attached to mortgages or foreclosures
  • 415 kids had driver's licenses

(courtesy of Mr. Power’s study reported by Bob Sullivan of MSNBC)

Power correctly concluded the following:

Organized criminals are specifically targeting children for identity theft… because their credit records are empty, and their Social Security numbers may not appear in any credit databases, children’s identities are extremely valuable to criminals.

Criminals have also figured out that they can get away with using the child’s ID for years, while a stolen adult identity has a far shorter shelf-life.

 

I reported back in January on a data breach at Wentworth Institute and posited the idea that a student's identity is more valuable than an older adult's. This report and the associated story by MSNBC support my conclusion, but my experience in investigations is where I originally learned this fact.

 

Unfortunately, it is a common occurrence: low-income, drug-addicted people will use their own children's identities to establish basic utilities such as electricity, gas, and even cable television. Their own credit has been ruined by irresponsible behavior, so instead of taking the steps to improve their own credit, they "borrow" their children's for their own needs.

 

Sure, every household needs electricity and gas, but cable television, with HBO?

 

Not every instance that I investigated involved the parents. In many cases it was a “friend” or acquaintance of the parent who managed to get their “friend’s child’s social security number”. This “friend” would then put it to their own use… and in many cases, cause real damage to this innocent child’s credit history.

 

More troubling is that the most devious amongst us will manipulate identity to profit financially. The real bad guys will use the identity to obtain fraudulent mortgages which can result in a windfall of cash for them. Don’t think that they are really buying a house folks, they’re not. They are manipulating the system of home buying to get an enormous check from a bank.

 

Oh, how does this work, you ask? You make a legitimate purchase of a "multi-family" property, convert the units into separate "condominium" units with their own deeds and then resell the individual units. An initial purchase of a four-family for $400,000.00 can result in four individual units that sell for $200,000.00 each – thus a profit of $400,000.00 for the "seller". The "condo" purchases are fraudulent, made by "straw" buyers who either don't exist or who have no intention of ever really living in their "new home". All you would need is a "clean" social security number, some fraudulent assertions on a mortgage application, a manipulated bank account showing some balance, and a few accomplices to help you out. It's not that difficult. The fallout? A foreclosure on your credit report - and you're in the fourth grade!!

 

Mr. Sullivan quotes Mr. Power as saying:

This is an existential threat to our society… the elephant in the room is that obviously we are not properly authenticating people at all.

 

I couldn’t agree more.

RSA data breach revealed March 17, 2011

So, it was St. Patrick's Day and I was in sunny Florida enjoying a round of golf with family when my phone buzzed with a "data breach" story... I thought about blogging... but I like golfing more.

On Thursday March 17th, RSA, a division of EMC Corp, announced to the world (my world) that their computer system had been breached. EMC Corp. is a Massachusetts Corporation and the Boston Globe followed up with an article by Hiawatha Bray stating that the company had not filed a report with the Massachusetts Attorney General under our data breach law.

Many other media outlets have run stories on this breach but none have been able to say just what happened, what was taken, or who did it. (at least none of the 100 or so that I reviewed)

When investigating a crime, one of the key focus points is usually motive. "Why" did the bad guy do such and such. Financial gain is common, as is revenge. Establishing a motive can help investigators narrow their search for suspects and evidence. Of course getting the motive wrong can be a real problem. The best investigators let the evidence lead them to the suspect and then establish a motive to bring the whole thing together.

So, I asked myself the question: why would someone breach RSA's computer system? This company is a serious security outfit and the bad guys apparently pulled out all the stops by using what the company said was an "advanced persistent threat", which apparently in layman's terms means "they did everything they could to get in".

OK, so someone used a lot of time and energy to breach a major security company's computer system but why?

For those who don't know, a common application of RSA's security business, SecurID, is that they provide these little "tokens" that have a small screen with numbers on them. The numbers are constantly changing. If you have one, that probably means you have access to some significant, sensitive information. I knew a doctor who carried one so he could log in to his hospital's computer system to review patients' records and make changes, etc. I read that our government is also a customer. The customer uses a computer to go to the place where the information is, then enters a memorized password and then the number that is currently showing on the "token". Somehow, that token's number can be confirmed by the location that the customer is trying to access, which allows the access if the number matches.
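The token-and-server exchange described above, as an added example that is not RSA's code: SecurID's own algorithm is proprietary, so this uses the open RFC 6238 time-based scheme to show the shared-seed principle (token and server both hold a secret seed and compute the same six-digit number for the current 30-second window, and the server also demands the memorized password). The user names, seeds and passwords are constructed.

```python
"""Shared-seed one-time codes, in the style the post describes.

Added example, not RSA's code: SecurID's algorithm is proprietary, so this
uses the open RFC 6238 (TOTP) construction to show the principle. The seed,
user record and password below are constructed.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # how often the number on the token changes
DIGITS = 6


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Compute the number the token shows at `unix_time` (RFC 6238 / RFC 4226)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TokenServer:
    """The 'location' the post mentions: it holds each user's seed and a
    password hash, and checks both factors on every login."""

    def __init__(self) -> None:
        self.users = {}          # username -> (seed, password_hash)
        self.last_counter = {}   # username -> time step of the last accepted code

    def enroll(self, user: str, seed: bytes, password: str) -> None:
        # Plain SHA-256 keeps the example short; a real system uses a salted,
        # slow password hash here.
        self.users[user] = (seed, hashlib.sha256(password.encode()).digest())

    def login(self, user: str, password: str, code: str, now: int) -> bool:
        if user not in self.users:
            return False
        seed, pw_hash = self.users[user]
        # factor 1: the memorized password
        given = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(pw_hash, given):
            return False
        # factor 2: the number on the token, allowing one step of clock drift
        counter = now // STEP_SECONDS
        for c in (counter - 1, counter, counter + 1):
            if c <= self.last_counter.get(user, -1):
                continue    # a code from this window was already used: replay
            if hmac.compare_digest(totp(seed, c * STEP_SECONDS), code):
                self.last_counter[user] = c
                return True
        return False


if __name__ == "__main__":
    seed = b"constructed-seed-for-demo"            # constructed, not a real seed
    server = TokenServer()
    server.enroll("dr_smith", seed, "correct horse battery")
    now = int(time.time())
    shown = totp(seed, now)
    print("token shows:", shown)
    print("login ok:", server.login("dr_smith", "correct horse battery", shown, now))
    print("replay ok:", server.login("dr_smith", "correct horse battery", shown, now))
```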

Back to the question at hand, why... I have a few theories:

  1. Conspiracy. Whoever did this never intended to take anything; they just wanted to put the world on notice that even the largest security outfits are not safe, causing the government to over-legislate by passing a quick "overregulating" law, thus giving other security companies tons of business and tons of money.
  2. Foreign Government Action. Maybe the Chinese were just curious how the whole thing works and instead of creating one, they steal this one, reverse engineer it and now have their own version. Hey, just ask Google about that possibility.
  3. Corporate Espionage. If I was a major corporation, and I mean a world power corporation, and I needed to get inside a competitor's network that happens to use RSA's SecurID, wouldn't this be a great way to do that? If you were able to use real login credentials to access a competitor's network, that network would have no defenses, none.
  4. Criminal Organization. Even I think that this one is over their head. Sure, there are some smart criminals, but hacking into RSA? Really? I'd call that a stretch, but I have to include it until I eliminate it. (see generally Sherlock Holmes: "eliminate the impossible, and whatever remains, however implausible, must be the truth")
  5. It never happened. Remember when Coke changed their formula, only to change it right back? It was a boon for their business. Everyone tried the new one and then wished for the old one and went right out and bought it again. Maybe RSA can re-invent themselves and their product to prove to the world that they are NOW the best and strongest security since they improved on an arguably solid product. - No, I don't like this theory either.

 

The problem with my theories is that they are based on no evidence, zero. That is no way to run an investigation. Our Attorney General apparently has no information either. This is an interesting question though... If what was taken was NOT PII (Personally Identifiable Information) but certain codes that in turn may give the holder access to information that IS PII... what is their responsibility, meaning RSA's responsibility? Are they required to tell the AG anything? I can't even suggest an answer without more evidence.

I wonder if RSA has a WISP? Probably the mother of all WISPs if you ask me... but I digress.

I guess we will have to stay tuned and see if EMC Corp, a Massachusetts Corporation, feels like telling someone, anyone, what happened. In the meantime I will keep working on my "theories".

Parking Meters take Credit Cards in Boston

I never have a quarter when I finally score that spot in downtown Boston... and now I don't need it. The City of Boston has been experimenting with parking meters that accept credit cards. The program has expanded to the financial district, a hotbed of competitive parking. Of course, Newbury / Boylston streets probably score first place in that category, but there is something interesting about the financial district getting these machines.

I have seen all types of devices used by the bad guys to get your credit card info... I guess by now we've all heard about "skimmers". "Skimmers" are little devices that are designed to read your credit card's magnetic stripe. As the name seems to indicate, there is something nefarious about them... and there is.

The bad guys use them to "skim" your credit card info while you are conducting legitimate transactions. The bad guys go to great lengths to hide them. The most common example is when they are put on an ATM machine. The bad guys will design a piece of equipment that looks just like the card reader on the ATM machine, but in fact it is put OVER the real card reader. A two-fer so to say. You put your card in and you get access to your bank account AND the bad guys get all the data on your card. Sweet!

If you haven't seen a picture of a skimmer, just do a "google" search for ATM skimmer devices in their "images" section or click this link.

The bad guys will visit the target ATM in the middle of the night to put the device on, and then come back a few days later to collect their goodies. (your card info!!) There are cameras in the ATMs, right? So if the skimmer is discovered, the police will likely have a picture of the bad guy putting it on, right? Well, in a perfect world they do.

Now, what about our parking meters? By 8pm on any given Tuesday, the financial district is dead quiet. This gives the creative bad guy a lot of time to install his "skimmer" on any one of those fancy-shmancy parking meter machines. Only now there are no cameras to record his activity.

Yes, the company that makes these machines is acutely aware of security issues. My elementary research has shown no known parking meter compromises via skimming. (sometimes, the bad guys just take the whole thing!)

I like the idea of parking meters taking credit cards. I like the idea of Dunkin' Donuts taking credit cards. In fact, I like the whole idea of a cashless society. I just know that the more "digital" we make our money, the more creative the bad guys will get in order to take it from us. Robbery used to be an up close and personal event, very scary, very bad. Now it can be far less violent, which is a good thing, but it is still personal and still scary.

You would likely avoid that dark alley at night, with the creepy looking guys hanging out there, right? But you'd swipe your card just about anywhere, right?

P.S. Have you been to Legal Seafood recently? They take your credit card at the table, swipe it on a hand held machine and give it right back to you... wonder why?

 

Why University students make great ID theft targets

A smart, sophisticated ID theft specialist will categorize and rate his stolen identities. Some identities are worth more than others when he sells them at online bazaars. Let's take the recent case of possibly stolen Wentworth Institute of Technology students' identifying information. In case that story ends up archived by the news source, I will summarize what happened: Wentworth accidentally posted over 1,300 students' names, social security numbers and medical information on their website. According to the school, the "electronic file" was only accessible by a "targeted search" and not readily available on their site.

Now, back to the bad guy: think he knows how to conduct a "targeted search"? Sure he does. If those identities end up in the smart, sophisticated bad guy's hands, what are they worth? They may be worth more than the identity of the CEO of some large company. Why? Well, over time an individual who uses credit develops a pattern, and when something occurs in that person's "pattern" that is inconsistent with prior activities, flags go up, calls are made, and sometimes the fraud can be stopped before it gets too damaging to the individual.

Back to the students... most probably don't have developed credit, and may not have access to much more than a $1,000 limit. But they have no history that would allow creditors to see activity inconsistent with their "pattern", therefore most activity will go on unchallenged so long as the individual's credit history allows it.

Even more sinister is when the sophisticated bad guy stores that stolen information for a period of time, letting it mature. The bad guys know that right after a major breach, credit watches are put on the identities, so they wait, and wait, and wait some more. After enough time has passed and no one is looking as hard, he makes his move. They'll test the ID by getting small-limit credit cards, then bigger, and bigger. They will use one credit card's available balance to pay off the prior balance, which in turn will improve the identity's credit score, allowing for even bigger limits. If this goes on unchecked, it can be devastating to the individual. Before long there is $10K to $100K of credit used by the bad guys and left for the "victim" to deal with.

A young person's identity usually has limited or no history creating a pattern and can be groomed by the thieves for their own nefarious purposes and that's why university students make great ID theft targets.