From bob at bobpinheiro.com Thu Nov 1 18:57:47 2007
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Thu, 01 Nov 2007 21:57:47 -0400
Subject: [SIG-IDtheft] REMINDER: ID Theft SIG Call, Friday November 2, 12:30 ET
Message-ID: <0JQU00M9KW583731@vms046.mailsrvcs.net>

On the last ID Theft SIG call, we continued the conversation with Gilles Lisimaque, who spoke about Smart Cards. As we focused specifically on how Smart Cards can help to prevent identity theft, the conversation turned to the challenges that impede the widespread adoption of Smart Cards as authentication devices. It soon became clear that the major challenges were not technical, but business-related.

One prerequisite for widespread adoption of authentication technologies that could help to prevent identity theft is sufficient justification by the business community to spend the money to deploy these technologies for use in the consumer space.

Although deployment of large-scale authentication systems that could help to prevent identity theft has been slow in coming, some recent activities of Liberty Alliance may help to move that effort forward. Specifically, the recently created Identity Assurance Expert Group has completed work on Version 1.0 of the Liberty Identity Trust Framework, which is based on the work of the Electronic Authentication Partnership and the government's e-Authentication initiative. Such a Trust Framework could potentially serve as the basis for an authentication system that could allow service providers/relying parties to authenticate the identity claims of those seeking identity-related services (such as new credit card accounts).

However, it's one thing to have a specification for such a system, and another thing to actually get it implemented. This gets back to the business justification. It's unlikely that preventing identity theft, by itself, would provide that justification.
But if large-scale authentication systems did exist, they could provide a way for service providers/relying parties to verify the identities of people presenting credentials issued by a wide range of identity providers.

So let's devote the next call to begin a discussion of some of the things that Liberty Alliance could do that specifically would help to eliminate identity theft. Defining the Liberty Trust Framework and helping to bring it to reality might be one such thing. But how to do that? And are there other Liberty initiatives involving privacy or anything else that might help?

Friday, November 2
12:30 PM ET / 9:30 AM PT
800-504-8071
International: +1 303-248-0281
code: 2544233

-------------------------
Bob Pinheiro
Robert Pinheiro Consulting LLC
bob at bobpinheiro.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20071101/2f454186/attachment.html

From britta at projectliberty.org Mon Nov 5 17:41:32 2007
From: britta at projectliberty.org (Britta Glade)
Date: Mon, 5 Nov 2007 17:41:32 -0800
Subject: [SIG-IDtheft] Handling Goofs Cause Many Data Leaks
In-Reply-To: <002d01c81fd3$5dbbfa20$cb23fea9@EricLaptop>
References: <002d01c81fd3$5dbbfa20$cb23fea9@EricLaptop>
Message-ID:

Of interest from Eric, relevant statistic as it relates to our conversation last call.

http://www.eweek.com/article2/0,1895,2211531,00.asp

By Lisa Vaas
eWeek
November 2, 2007

A sizable chunk of business data is being lost electronically in simple misconfiguration mistakes.

Since January 2005, there have been 167.7 million records containing sensitive personal information exposed by security breaches, according to a running total kept by the Privacy Rights Clearinghouse.

The question is, How does this information get out there?

Loss or theft of a physical object forms by far the largest hole in data security.
According to an analysis (PDF) done recently by David Litchfield of Next Generation Security Software, based in Surrey, England, 43 percent of records lost since Jan. 1 slipped out of organizations on paper, computers, laptops, disks or backup media.

Other researchers put the figure higher for records that were exposed due to lost or stolen computers or media - security expert Chris Walsh has analyzed New York data sets and puts the figure closer to 99 percent.

--
Britta Glade
Liberty Alliance
925-254-4233

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20071105/690c260e/attachment-0001.html

From shin at adachi.us Mon Nov 12 09:27:53 2007
From: shin at adachi.us (Shin_ADACHI)
Date: Mon, 12 Nov 2007 09:27:53 -0800
Subject: [SIG-IDtheft] Of your possible interest
Message-ID: <47388D19.6060304@adachi.us>

From the San Jose Mercury News. They started this series yesterday and this is the second part of it.

<>

Shin

--
Shin_ADACHI, CISSP, PMP
shin at adachi dot us
PGP_Key_ID:0xF9EAD9DF
+1-650-331-0604

From bob at bobpinheiro.com Tue Nov 13 17:09:37 2007
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Tue, 13 Nov 2007 20:09:37 -0500
Subject: [SIG-IDtheft] Next ID Theft SIG Call: Friday November 16
Message-ID: <0JRH00DFJ1ZAQGO4@vms042.mailsrvcs.net>

On our last call, we discussed some ideas about how better authentication and privacy of personal information can help prevent identity theft. The challenge is to determine what role Liberty Alliance can play in enabling stronger authentication, as well as better privacy and security of personal information. We'll continue that conversation.

Friday, November 16
12:30 PM ET / 9:30 AM PT
800-504-8071
International: +1 303-248-0281
code: 2544233

-------------------------
Bob Pinheiro
Robert Pinheiro Consulting LLC
908-654-1939

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20071113/338ba5cd/attachment.html

From Jeff.Hodges at neustar.biz Fri Nov 16 07:20:22 2007
From: Jeff.Hodges at neustar.biz (=JeffH)
Date: Fri, 16 Nov 2007 07:20:22 -0800
Subject: [SIG-IDtheft] "synthetic" identity fraud
Message-ID: <473DB536.9060101@neustar.biz>

The Borrower Who Never Was
Synthetic-Identity Fraud Hits Credit Bureaus, Banks; A Night at the Ritz-Carlton
By CHRISTOPHER CONKEY
October 29, 2007; Page B1

http://online.wsj.com/article/SB119362045526074445.html

From Jeff.Hodges at neustar.biz Fri Nov 16 07:21:39 2007
From: Jeff.Hodges at neustar.biz (=JeffH)
Date: Fri, 16 Nov 2007 07:21:39 -0800
Subject: [SIG-IDtheft] identity theft study.
Message-ID: <473DB583.1040706@neustar.biz>

from the most recent crypto-gram:

Interesting identity theft study. (It's long, but at least read the executive summary.)

http://www.utica.edu/academic/institutes/cimip/publications/index.cfm?action=form&paper=6
or http://tinyurl.com/2y225d

http://www.siliconvalley.com/security/ci_7248917

From britta at projectliberty.org Fri Nov 16 09:55:10 2007
From: britta at projectliberty.org (Britta Glade)
Date: Fri, 16 Nov 2007 09:55:10 -0800
Subject: [SIG-IDtheft] NYTimes article on new IDTheft prevention company Debix
Message-ID:

Same suggestion Bob has made....

In ID Theft, Some Victims See Opportunity
New York Times (11/16/07) Brad Stone

GIDEON YU, the former chief financial officer of YouTube and current chief financial officer of Facebook, is one of the most notable new executives in Silicon Valley. But while Mr. Yu operated in high-tech's highest circles over the last two years, an impersonator was quietly using his name and credit card number to make fraudulent purchases.

Mr. Yu and his wife did not spot the identity theft for months, until a spending spree in Reno, Nev., got their attention.

In the unpleasant aftermath - ineffectual police reports, endless phone calls with banks - Mr. Yu delved into the world of identity theft prevention, looking for tools to protect himself and the estimated 15 million Americans who have been touched by the crime. The average loss of funds in a case of identity theft was $3,257 in 2006, according to a study by Gartner, a research firm.

"It felt like a problem that was really ripe for solving with technology," Mr. Yu said.

He is trying to make that happen. This week, a young company called Debix, which places automated calls to its customers every time someone opens credit in their name, will announce that it has raised a round of financing from private investors like Mr. Yu and Launny Steffens, a former vice chairman of Merrill Lynch.

Other individual investors and venture capital firms also see opportunity in the business of combating identity theft. The big three credit agencies - Equifax, Experian and TransUnion - offer several tools for preventing ID theft, but generally make putting such measures in place difficult for consumers - requiring them to send requests by certified mail, for example, and making them renew fraud alerts every 90 days.

A raft of new companies like Debix, LifeLock and TrustedID say they can make it easier for consumers to protect themselves - for a monthly fee of about $10. "We take a miserable and painfully confusing process and make it as easy as we can, given the constraints the credit agencies put on us," said Scott Mitic, chief executive of TrustedID, which is based in Redwood City, Calif.

Debix, based in Austin, Tex., will begin widely marketing its service this month. Subscribers pay $99 a year and give the company their cellphone number and two backup numbers. Whenever new credit is opened in a subscriber's name, Debix's automated network calls the customer and plays a message that the customer prerecorded in his own voice. Customers then must enter a four digit PIN code to approve the transaction or press the star button to decline it.

Debix has signed up 275,000 customers in the last two years by offering the service through companies and state governments that have lost their customers' or citizens' private data and now want to extend an additional layer of identity protection to victims.

Bo Holland, the company's chief executive, said that modern payment and credit networks did an incomplete job on commercial transactions. "What is missing," he said, "is a common switch to allow two parties with no prior relationship to confirm each other's identities."

LifeLock, based in Tempe, Ariz., has about 400,000 customers and raised $6.85 million last spring from three venture capital firms, including the prominent Kleiner Perkins Caufield & Byers. For $10 a month, or $110 paid annually, LifeLock places and preserves fraud alerts on a customer's credit reports with the big three credit companies and several smaller credit firms. It says it also keeps customers' names off junk mailing lists and can clean up a credit history if thieves do manage to steal an identity.

Among its peers, LifeLock has attracted the most attention - much of it negative. In radio and television ads, Todd Davis, chief executive of LifeLock, gives out his Social Security number to demonstrate his faith in the service. As a result, he has been hit with repeated identity theft attacks, including one successful effort this summer in which a check-cashing firm gave out a $500 loan to a Texas fraudster without ever checking Mr. Davis's credit report.

Last summer, The Phoenix New Times, an Arizona paper, reported that LifeLock's co-founder, Robert Maynard, had a criminal past. Mr. Maynard later resigned.

LifeLock's venture capital backers say they knew about Mr. Maynard's problems and that the company is doing well, despite the reports.

"Not one investor or board member was unaware of the issue," a partner at Kleiner Perkins, Ted Schlein, said. "LifeLock is executing very well and growing fast."

In October, a third player, TrustedID, raised $10 million from the venture capital firms Opus Capital and Draper Fisher Jurvetson. The company says only that it has "hundreds of thousands" of customers. It charges $12.95 a month and sets not only fraud alerts but freezes - a more draconian measure that makes it impossible for creditors to grant credit until a freeze is lifted.

Like its rivals, TrustedID's business is vulnerable if Congress succeeds in pressuring the three major credit agencies to make these theft-fighting measures cheaper and more accessible to consumers. Senator Charles E. Schumer, Democrat of New York, criticized the credit companies last month for making identity theft freezes too cumbersome to set and lift. Each of the three credit agencies recently bowed to public pressure and made freezes available in all 50 states.

Many consumer advocates say that no one should have to pay anything to defend against identity theft. "Having to renew a fraud alert every 90 days is a pain, and I can see why there's demand for these services," said Gail Hillebrand, a senior lawyer at Consumers Union. "But the ultimate solution is not for consumers to pay someone extra. It's for the credit agencies to make this an easier process and to extend fraud alerts for a year."

Even if that happens, the identity theft companies, and their backers, say they can expand their services and offer consumers a greater array of protections from financial fraud.

--
Britta Glade
Liberty Alliance
925-254-4233

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20071116/e150a16a/attachment-0001.html

From bob at bobpinheiro.com Tue Nov 20 13:42:30 2007
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Tue, 20 Nov 2007 16:42:30 -0500
Subject: [SIG-IDtheft] Schedule for ID Theft SIG Calls
Message-ID: <0JRT006ALR3BTYJ2@vms044.mailsrvcs.net>

We will have NO Identity Theft SIG call this Friday, November 23.

In the future, I will send out an announcement only if a call is to be held that week. If no announcement is made in any given week, please assume that there will be no call that week. I will try to announce future calls by Wednesday of the week in which a call is scheduled.

Whenever a call is scheduled, I will also post that information to the ID Theft SIG's wiki, along with the call-in information. If you are in doubt at any time about whether an upcoming call is scheduled, please check the wiki:

http://wiki.projectliberty.org/index.php/IdentityTheftSIG

We are thinking about putting together some short position "papers" (2-3 slides) on various topics related to identity theft and Liberty's possible role. Two possible topics are large-scale authentication networks enabled by the Liberty Identity Assurance Framework, and enabling greater control over the use and distribution of personal information. If you have any ideas or suggestions, please email me or post them to the list.

Thanks.

------
Bob Pinheiro
Robert Pinheiro Consulting LLC
908-654-1939

From koneil at cyva.com Wed Nov 21 09:53:05 2007
From: koneil at cyva.com (Kevin O'Neil)
Date: Wed, 21 Nov 2007 09:53:05 -0800
Subject: [SIG-IDtheft] Facebook's Tracking of User Activity Riles Privacy Advocates, Members
Message-ID: <00f201c82c67$604753c0$4201a8c0@CYVA03>

http://online.wsj.com/article/SB119560466428899897.html?mod=rss_media_and_marketing

Kevin O'Neil
CYVA Research Corporation
3525 Del Mar Heights Rd., Ste.
#327 San Diego, CA 92130
858 793 8100 (direct)
koneil at cyva.com
www.cyva.com

Confidentiality Notice

The information contained in this communication is confidential and may be legally privileged. It is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance of the contents of this information is strictly prohibited and may be unlawful. CYVA Research is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20071121/e8731aba/attachment.html

From shin at adachi.us Mon Nov 26 10:27:46 2007
From: shin at adachi.us (Shin_ADACHI)
Date: Mon, 26 Nov 2007 10:27:46 -0800
Subject: [SIG-IDtheft] FYI: from 60 minutes on CBS on Sunday
In-Reply-To: <00f201c82c67$604753c0$4201a8c0@CYVA03>
References: <00f201c82c67$604753c0$4201a8c0@CYVA03>
Message-ID: <474B1022.90701@adachi.us>

For those in the US who missed the program during the Thanksgiving holiday, and for those elsewhere who could not see it.

<>

--
Shin_ADACHI, CISSP, PMP
shin at adachi dot us
PGP_Key_ID:0xF9EAD9DF
+1-650-331-0604

From bob at bobpinheiro.com Tue Nov 27 12:33:19 2007
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Tue, 27 Nov 2007 15:33:19 -0500
Subject: [SIG-IDtheft] Next ID Theft SIG Call: Friday November 30
Message-ID: <0JS6008AUMG9HJ78@vms169133.mailsrvcs.net>

Robin has suggested that the SIG might want to consider producing a small set of position papers (1-2 slides) on relevant topics. Two possible topics might be authentication and better information security for identity theft prevention, and the implications for Liberty's technical infrastructure.
Let's discuss this idea further, and see if it might help to advance the goals of the SIG.

-------------------------
Bob Pinheiro
Robert Pinheiro Consulting LLC
908-654-1939

Friday, November 30
12:30 PM ET / 9:30 AM PT
800-504-8071
International: +1 303-248-0281
code: 2544233

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20071127/4eb519d8/attachment.html

From Robin.Wilton at Sun.COM Fri Nov 30 06:57:02 2007
From: Robin.Wilton at Sun.COM (Robin Wilton)
Date: Fri, 30 Nov 2007 14:57:02 +0000
Subject: [SIG-IDtheft] Next ID Theft SIG Call: Friday November 30
In-Reply-To: <0JS6008AUMG9HJ78@vms169133.mailsrvcs.net>
References: <0JS6008AUMG9HJ78@vms169133.mailsrvcs.net>
Message-ID: <475024BE.9010105@sun.com>

An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20071130/5e24fc85/attachment.html