From britta at projectliberty.org Mon Oct 1 17:34:42 2007
From: britta at projectliberty.org (Britta Glade)
Date: Mon, 1 Oct 2007 17:34:42 -0700
Subject: [SIG-IDtheft] MARK CALENDARS NOW: Follow up call on smart cards, strong auth, and IDTheft with Gilles Lisimaque, OCT. 19, 9:30 am PT
Message-ID:

We had a very interesting call with Gilles Lisimaque last Friday with the SIG, and decided the topic was of enough interest and we still weren't done with questions, so Gilles has agreed to join our call again on *FRIDAY, Oct. 19, 9:30 am PT.* Please think of questions you might have and shoot them to me or Gilles (copied) ahead of time.

Michael Barrett, PayPal, and Mari Franks, IdentityTheft.org, have also confirmed they'll be able to attend, so I'm confident we'll have an interesting cross-section of folks participating, asking questions, and sharing experiences. We'll still be meeting this Friday--agenda for that to follow later--but wanted to get this on calendars now. Remember this is an open SIG, so feel free to invite anyone to attend. Thanks.

*Gilles M. Lisimaque*

Mr. Lisimaque is one of the leading US experts on Smart Cards and application of Smart Cards, working on various US government projects as technical advisor and smart card standard expert.

Prior to joining IDTP Mr. Lisimaque worked at Gemplus, a company he founded with four other co-founders, and was part of the Business Development Group, responsible for special projects in North America. In this position, he contributed to various groups including prospects and customers, providing technical and business guidance for the design and application of Gemplus smart cards, hardware and systems, and customized services.

Prior to joining the Gemplus team, Mr. Lisimaque was technical marketing director in SGS-Thomson's research and development group. He was the architect of the company's family of smart card components and helped develop the first chip operating system for smart cards.
Additionally, he was MIS manager of the SGS-Thomson MOS facility called Eurotechnique, a joint venture between Saint-Gobain and National Semiconductor. There he developed an integration system connecting HP mini-computers, IBM mainframes and DEC semi-conductor test equipment.

Mr. Lisimaque holds multiple patents on smart card security and smart card OS design and has high level seats with numerous Smart Card and Security Forums and Associations. Mr. Lisimaque is an honor graduate of the French engineering school, "Arts & Métiers", where he specialized in automation and electronics.

Questions we discussed:

To what extent can smart cards aid in the reduction of identity theft?
What are the reasons for slow adoption in the U.S.?
What programs or industry efforts or events will trigger a more rapid deployment?
What are the issues of mass adoption and deployment that linger?
Why have European states and other nations been more aggressive in deployment and what have been the lessons learned?
How can you fail to succeed, where have smart card programs faltered?
What has been the traditional push-back by banks, telecoms, others in resisting or failing to move forward with smart cards?
Future? Standards, key drivers, obstacles, legislation, public fears of poorly conceived deployments?

Looking forward to our call and very much thank Gilles for joining us.

Dial in is the usual:
800-504-8071
International: +1 303-248-0281
Code: 2544233

Thanks!

--
Britta Glade
Liberty Alliance
925-254-4233

From britta at projectliberty.org Wed Oct 3 11:24:35 2007
From: britta at projectliberty.org (Britta Glade)
Date: Wed, 3 Oct 2007 11:24:35 -0700
Subject: [SIG-IDtheft] Facebook article on default privacy settings....
Message-ID:

On the social networking front, though the paragraph at the end referencing the research on the impact this makes on corporate networks is worth noting:

http://www.informationweek.com/industries/showArticle.jhtml?articleID=202200395

Facebook Privacy Settings Putting Users At Risk

A security company is calling on the social networking site to improve its default privacy settings so users' info isn't open to anyone on the site.

By Sharon Gaudin, InformationWeek
October 3, 2007 06:00 AM

A security company is urging Facebook to tighten its default privacy settings after a study showed that a large majority of users are offering up far too much personal information to keep them safe from cybercriminals.

Sophos researchers reported their recommendations Tuesday after they took a random snapshot of 200 users in the London Facebook network, which is the single largest geographic network on the site, with more than 1.2 million members. They said they found that 75% of the social network's users allow their profiles to be viewed by any other member, regardless of whether or not they have agreed to be "friends."

It's not just a concern for individual users, either. Sophos researchers noted that 25% of Facebook users revealed information relating to their work on their profiles, offering up details that could be used by cybercriminals to commit corporate ID fraud or infiltrate company networks.

"You wouldn't yell out your personal information in Times Square, so why would you post it for all to see online?" asked Graham Cluley, senior technology consultant at Sophos, in an e-mailed interview with *InformationWeek*. "The danger is that they might be sharing too much information, which they don't want strangers to see -- for instance, date of birth, personal photos, addresses, and other contact details... The information may be all that a cybercriminal needs to construct a highly targeted phishing e-mail or identity theft."
Cluley said they've seen evidence that the same amount of Facebook users in other geographic areas, such as the United States, expose their personal information to complete strangers. He added that with more than 421,000 members in New York, 866,000 members in the Toronto area, and 476,000 in Vancouver, the social networking site can be extremely enticing for cybercriminals looking for prey.

The Sophos study showed that 54% of users in the London network show their full date of birth, which is key information for identity thieves. Approximately 12,000 Londoners even give out their phone number to more than a million strangers.

Facebook is made up of thousands of networks around the world. Users are encouraged to join them in order to meet and make friends with people in their area. However, Sophos pointed out that joining a network automatically opens a user's profile to every other member of the network.

Representatives with Facebook couldn't immediately be reached for comment.

"I was flabbergasted when I joined a network on Facebook using a profile which I thought was secure, only to find Facebook had changed a number of settings and was opening me up to millions of strangers," said Cluley. "Who was to say that cybercriminals weren't in that network, too? Is it right that Facebook works this way?"

Cluley also noted that if users look at their privacy settings, they should be able to see that they are sharing their data with other network members. "However, our suspicion is that most Facebook members are having too much fun zombie-biting each other or sending each other virtual cocktails to check if Facebook has silently changed their settings," he added.

He also said that Facebook should change the way the site handles profiles so they are hidden rather than visible by default.

"While Facebook's privacy features are far more sophisticated than competing social networking sites, too many members still aren't getting the message about how to use them effectively to help protect against ID theft," Cluley added. "Facebook has ultimately put these privacy options in place to protect its flock, so perhaps it's time for the networking phenomenon to take the next step and change its default settings so that when members join a network, they have to actively click to leave their details on show, rather than automatically letting it all hang out online."

In August, a study was released showing that workers at the office using social networking sites, like Facebook, are costing employers more than $5 billion a year and are putting corporate networks at risk of attack.

If one employee spends one hour of company time on Facebook every day, it potentially costs his or her employer more than $6,200 per year, according to security company SurfControl. Factored across 800,000 businesses, that one wasted hour a day adds up to a productivity loss of $5 billion annually.

--
Britta Glade
Liberty Alliance
925-254-4233

From britta at projectliberty.org Wed Oct 3 17:53:05 2007
From: britta at projectliberty.org (Britta Glade)
Date: Wed, 3 Oct 2007 17:53:05 -0700
Subject: [SIG-IDtheft] Call Reminder: FRIDAY, Oct. 5, 9:30 am PT
Message-ID:

Looking forward to gathering, debriefing on last week's call, and discussing current trends and issues of interest to members.

Dial in:
800-504-8071
International: +1 303-248-0281
code: 2544233

--
Britta Glade
Liberty Alliance
925-254-4233
From koneil at cyva.com Fri Oct 5 09:44:11 2007
From: koneil at cyva.com (Kevin O'Neil)
Date: Fri, 5 Oct 2007 09:44:11 -0700
Subject: [SIG-IDtheft] Summary of State Security Freeze and Security Breach Notification Laws
Message-ID: <018d01c8076e$f6cc24b0$4301a8c0@CYVA03>

http://www.pirg.org/consumer/credit/statelaws.htm

Summary of State Security Freeze and Security Breach Notification Laws

Kevin O'Neil
CYVA Research Corporation
3525 Del Mar Heights Rd., Ste. #327
San Diego, CA 92130
858 793 8100 (direct)
koneil at cyva.com
www.cyva.com

Confidentiality Notice

The information contained in this communication is confidential and may be legally privileged. It is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance of the contents of this information is strictly prohibited and may be unlawful. CYVA Research is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.

From britta at projectliberty.org Mon Oct 8 10:49:05 2007
From: britta at projectliberty.org (Britta Glade)
Date: Mon, 8 Oct 2007 10:49:05 -0700
Subject: [SIG-IDtheft] Interesting NYTimes article on securing your own data...and Liberty's IGF is mentioned :)!
Message-ID:

Parallels many conversations we've had of late. BOB: the LLP may be of particular interest to you....KEVIN: some interesting data in here for your project and a journalist who'd be a prime contact point....
*Securing Very Important Data: Your Own*

New York Times, Oct. 7, 2007, Denise Caruso

As long as we are willing to relinquish some personal data, Web applications have long allowed us to create virtual identities that can conduct most of the social and financial transactions that typify life in the real world.

But the newest generation of these services is starting to collect and store far more than just the standard suite of identity data -- name and address, phone, Social Security or credit-card numbers -- that populates the databases of banks and credit-card processors. They increasingly store information, generated by us, that is directly linked to those virtual identities.

And users are loving them. For example, the start-up Mint.com won this year's TechCrunch award for its Swiss Army knife approach to personal financial management. In exchange for customers uploading their account information and allowing sponsors to offer them specialized services, Mint will connect nightly to their credit-card providers, banks and credit unions. Then it automatically updates transactions and accounts, balances their checkbooks, categorizes their transactions, compares cash with debt and, based on their personal spending habits, shops for better rates on new accounts and credit cards.

A powerful project management and collaboration tool called Basecamp allows teams to store online entire project management plans, including performance targets, to-do lists, files, collaborative documents and messages. Provided by 37Signals L.L.C., based in Chicago, Basecamp has more than a million users around the world, including me.

Another site, Dopplr, from a company of the same name based in Finland, is still in its beta-test phase. It lets users upload and share their travel itineraries with a group of "trusted fellow travelers."
The site can connect with Facebook friend lists, and in September it announced that it had opened an invitation-only social network to business travelers from 100 leading companies and international organizations, including Google, I.B.M. and Nokia.

This type of sensitive, sometimes proprietary information was once locked up on hard drives or in file cabinets far away from anything resembling a global or even a local distribution network. Yet none of the users flocking to these services seem perturbed that they have relinquished personal control over this data to companies that, even with the best of intentions, may not be able to keep it safe.

The incidence of data theft -- from wallets to data breaches, computer viruses or Dumpster diving -- is soaring. This year alone, the security of nearly 77 million Americans' records has been breached, according to the Identity Theft Resource Center in San Diego, nearly a fourfold increase over 2006.

Governments around the world are passing and enforcing laws that increasingly hold businesses financially accountable for avoidable data losses. Just last month, the TJX Companies, which owns T.J. Maxx, Marshalls and other retail stores, made a settlement offer, subject to court approval, to victims of a huge data breach, in which 45.7 million customers' credit- and debit-card data was exposed to identity thieves.

As a result, some security experts are starting to ask whether the "identity data-for-services" business model, which is the engine for virtually all e-commerce companies, is a fair trade -- not just for consumers, but for business as well. In response, they are coming up with new protocols and frameworks for collecting, using and governing identity data.
Given that virtually all businesses today collect and use these kinds of data, they aim to shift the status quo in ways that could help companies both improve their reputations with customers and avoid the mounting legal liabilities that now face companies that lose control of customer data.

"The myth is that companies have to know all this information about you in order to do business with you," said Drummond Reed, vice president for infrastructure at Parity Communications, an identity technology company in Needham, Mass. "But from a liability perspective, the less I know about my customers the better."

Parity is sponsoring a number of open software projects to shift more control to the users whose identity data is at risk. One of the most intriguing is called the CloudTripper Project, which is developing a way for individuals to "take their data with them" as they traverse the Web, just as they keep their wallets and checkbooks with them as they move around in the real world.

Another project, the Identity Governance Framework, aims to help organizations comply with national and international regulations, including the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act. It establishes a new approach for securely sharing and auditing sensitive personal information, and has been widely embraced by major enterprise software vendors as well as providers of identity technology.

While such projects are helping to close security gaps that should have been addressed long ago, at least one security expert says that such efforts are trying in vain to solve a social problem with technology.

"We're in a situation where business holds all the cards," said Mike Neuenschwander, vice president and research director of identity and privacy strategies at the Burton Group, a technology research and advisory service based in Midvale, Utah. "Businesses put the deal in front of the consumer, they control the playing field and the consumer doesn't have any say in how the deal plays out."

One way to change this, he said, is to make people more like organizations. To this end, Mr. Neuenschwander and his colleagues have floated the intriguing concept of the L.L.P.: the Limited Liability Persona. This persona would be a legally recognized virtual person in which users could "invest" the financial or identity resources of their choosing.

Once their individual personas are created, consumers would be able to use them as their legal "alter ego," even in financial transactions. "My L.L.P. would have its own mailing address, its own tax ID number, and that's the information I'd give when I'm online," Mr. Neuenschwander said.

Other benefits include the ability for "personas" to limit their financial exposure in ways that individuals cannot. "When you enter into a relationship with a company and give them your personal information, you're at tremendous risk -- and they aren't," he said. "In the U.S., certain kinds of personal information aren't treated like property at all. It's very difficult to sue someone for misuse of personal information. And even if you do, they can never give you back your mailing address, your Social Security number or your DNA, for that matter."

But if a company loses or tampers with an L.L.P's data, "the law allows me to sue them because it's corporate information," Mr. Neuenschwander said.

"It's digital-rights management," he added, referring to the access control technologies used by publishers and other copyright holders to limit use of digital media, "only you're acting on behalf of your own organization."

Mr. Reed of Parity agreed. "Companies use digital-rights management technology to protect their data from us," he said. "But they'd be better off if we used it to protect our data from them."
--
Britta Glade
Liberty Alliance
925-254-4233

From britta at projectliberty.org Mon Oct 8 10:50:42 2007
From: britta at projectliberty.org (Britta Glade)
Date: Mon, 8 Oct 2007 10:50:42 -0700
Subject: [SIG-IDtheft] And WSJ on PCI...
Message-ID:

*Making Sure Your Stores Guard the Data*

Wall Street Journal, Oct. 6, 2007, Robin Sidel

*Credit-card companies regularly warn consumers about how to protect themselves from fraud when using plastic: scour statements for unauthorized purchases, shred paperwork that includes account numbers and don't leave bills or cards on the kitchen counter when people are in your home.*

But shoppers are pretty much left in the dark if they want to know if a store is keeping their credit-card and debit-card transactions secure. There are a few things savvy consumers can do to check up on a retailer's security practices before plunking down their plastic.

The card industry itself is cracking down on merchants who don't follow industry guidelines known as the Payment Card Industry Data Security Standard, or PCI. Starting this month, Visa Inc. will start levying fines of $25,000 a month for noncompliance.

Merchants who accept plastic must install firewalls and take other measures to keep computer systems safe from hackers. They aren't allowed to store certain sensitive data that hackers can use to make phony purchases or produce fraudulent cards.

Merchants, unfortunately, have been slow to respond. Of the 327 largest merchants, just 44% of them have validated their compliance, according to Visa.

The card companies won't tell you who's still breaking the rules. "Disclosing the name of compliant merchants would be like drawing a road map for the thieves," says a Visa spokeswoman. Cardholders aren't liable for unauthorized purchases.
Merchants also tend to be tight-lipped for similar reasons.

That pretty much leaves it up to the consumer to figure out. It's not easy: Shoppers can't see inside a merchant's computer system. But there are a few things to watch for.

First, industry rules and federal law prohibit merchants from printing more than the last five digits of an account number on a customer receipt. So the first clue: If a merchant is printing too much data on receipts, chances are that's not the only hole in its system.

Look at the equipment. If the cash register has one of those old-fashioned green computer screens, chances are its security is also from a bygone era. Card-swipe devices should be enclosed in tamper-proof plastic. And as silly as it sounds, if the swipe device "looks old, dusty and dirty, it probably hasn't been retrofitted," says one security expert.

Some online merchants have seals on their Web sites that provide security credentials. Designersreplica.com, which sells sunglasses, has a small "credit card guard" insignia on its Web site that identifies it as a "PCI Tested Website."

"We believe that merchants enjoy more sales because they show they are PCI-compliant," says Michael Johnson, chief executive of ComplyGuard Networks, a New York company hired by merchants to test their systems. Next month, ComplyGuard will start providing "no-fraud zone" stickers to brick-and-mortar customers who comply with the rules.

The fact is, there are still too few guarantees when it comes to card security. Except, of course, for the foolproof method: Pay with cash.

--
Britta Glade
Liberty Alliance
925-254-4233
From britta at projectliberty.org Thu Oct 11 09:44:18 2007
From: britta at projectliberty.org (Britta Glade)
Date: Thu, 11 Oct 2007 09:44:18 -0700
Subject: [SIG-IDtheft] NO CALL TOMORROW; Reminder on Follow up call on smart cards, strong auth, and IDTheft with Gilles Lisimaque, OCT. 19, 9:30 am PT
Message-ID:

Hey all. No call tomorrow, but please do plan to participate in next Friday's call with Gilles. You can send any questions for Gilles through to me (thanks for yours, Abhilasha) and I can compile and forward to Gilles.

Also, very happy to announce that our group has a new chair--Bob Pinheiro has agreed to run our SIG going forward. I'll still be participating, but happy to see member leadership now :). Thanks, Bob!

Have a good weekend, all.

Dial in for next Friday at 9:30 PT will be:
800-504-8071
International: +1 303-248-0281
code: 2544233

---------- Forwarded message ----------
From: Britta Glade
Date: Oct 1, 2007 5:34 PM
Subject: MARK CALENDARS NOW: Follow up call on smart cards, strong auth, and IDTheft with Gilles Lisimaque, OCT. 19, 9:30 am PT
To: sig-idtheft at lists.projectliberty.org
Cc: Gilles Lisimaque

We had a very interesting call with Gilles Lisimaque last Friday with the SIG, and decided the topic was of enough interest and we still weren't done with questions, so Gilles has agreed to join our call again on *FRIDAY, Oct. 19, 9:30 am PT.* Please think of questions you might have and shoot them to me or Gilles (copied) ahead of time.

Michael Barrett, PayPal, and Mari Franks, IdentityTheft.org, have also confirmed they'll be able to attend, so I'm confident we'll have an interesting cross-section of folks participating, asking questions, and sharing experiences. We'll still be meeting this Friday--agenda for that to follow later--but wanted to get this on calendars now.
Remember this is an open SIG, so feel free to invite anyone to attend. Thanks.

*Gilles M. Lisimaque*

Mr. Lisimaque is one of the leading US experts on Smart Cards and application of Smart Cards, working on various US government projects as technical advisor and smart card standard expert.

Prior to joining IDTP Mr. Lisimaque worked at Gemplus, a company he founded with four other co-founders, and was part of the Business Development Group, responsible for special projects in North America. In this position, he contributed to various groups including prospects and customers, providing technical and business guidance for the design and application of Gemplus smart cards, hardware and systems, and customized services.

Prior to joining the Gemplus team, Mr. Lisimaque was technical marketing director in SGS-Thomson's research and development group. He was the architect of the company's family of smart card components and helped develop the first chip operating system for smart cards. Additionally, he was MIS manager of the SGS-Thomson MOS facility called Eurotechnique, a joint venture between Saint-Gobain and National Semiconductor. There he developed an integration system connecting HP mini-computers, IBM mainframes and DEC semi-conductor test equipment.

Mr. Lisimaque holds multiple patents on smart card security and smart card OS design and has high level seats with numerous Smart Card and Security Forums and Associations. Mr. Lisimaque is an honor graduate of the French engineering school, "Arts & Métiers", where he specialized in automation and electronics.

Questions we discussed:

To what extent can smart cards aid in the reduction of identity theft?
What are the reasons for slow adoption in the U.S.?
What programs or industry efforts or events will trigger a more rapid deployment?
What are the issues of mass adoption and deployment that linger?
Why have European states and other nations been more aggressive in deployment and what have been the lessons learned?
How can you fail to succeed, where have smart card programs faltered?
What has been the traditional push-back by banks, telecoms, others in resisting or failing to move forward with smart cards?
Future? Standards, key drivers, obstacles, legislation, public fears of poorly conceived deployments?

Looking forward to our call and very much thank Gilles for joining us.

Dial in is the usual:
800-504-8071
International: +1 303-248-0281
Code: 2544233

Thanks!

--
Britta Glade
Liberty Alliance
925-254-4233

From britta at projectliberty.org Mon Oct 15 13:09:57 2007
From: britta at projectliberty.org (Britta Glade)
Date: Mon, 15 Oct 2007 13:09:57 -0700
Subject: [SIG-IDtheft] Fwd: CA Privacy Bill 779 - Veto by Governor Schwarzenegger
In-Reply-To: <002401c80f63$db499270$3d0110ac@EricLaptop>
References: <002401c80f63$db499270$3d0110ac@EricLaptop>
Message-ID:

Of interest from Eric.....comments from the group?

Governor Kills California Data Protection Law

By Evan Schuman
October 15, 2007

*Schwarzenegger claims the proposed data breach security law would have driven up costs for small businesses.*

California Gov. Arnold Schwarzenegger on Oct. 13 vetoed--and effectively killed--one of the nation's most stringent proposed e-tail data breach security laws, saying that the bill would have "driven up the costs of compliance, particularly for small businesses."

The proposed California law--AB 779--would have required retailers to protect data in a manner more demanding than the current PCI DSS (Payment Card Industry Data Security Standard) requires.
The bill included a ban on sensitive consumer data information except when the merchant has a payment data retention and disposal policy, "which limits the amount of payment related data and the time that data is retained to the amount," according to the bill. But it also outright prohibited much data being stored at all after a purchase is authorized by banning a retailer from storing "sensitive authentication data subsequent to authorization, even if that data is encrypted."

Schwarzenegger, in his veto message explaining why he killed the bill, left the door open to possibly signing a reworked version of the bill. "I encourage the author and the industry to work together on a more balanced legislative approach," he said.

However, the current version of the bill, Schwarzenegger said, "attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers. In addition, the Payment Card Industry has already established minimum data security standards when storing, processing, or transmitting credit or debit cardholder information."

The governor argued that "the industry"--presumably a reference to credit card companies and the PCI Council--is in a better position to know what is realistic and reasonable for credit card security. Also, he said, signing such a bill could actually create a conflict.

"This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace," he said. "This measure creates the potential for California law to be in conflict with private sector data security standards."

Schwarzenegger also said that he objected to ambiguities in the bill's phrasing. "While I support many of the provisions of this bill, it fails to provide clear definition of which business or agency 'owns' or 'licenses' data," the governor said, "and when that business or agency relinquishes legal responsibility as the owner or licensee."

But the Democratic author of the bill suggested that the Republican governor caved in to pressure from the retail community.

"Big business, hackers and ID thieves won today, and consumers and common sense lost," said Assemblyman Dave Jones of Sacramento, the bill's author. "I'm shocked and disappointed that the governor thinks our personal information should be left out in the open for identity thieves and hackers to pilfer. If your slack security leads to a data breach, then you ought to pay for what you caused. 'You broke it, you bought it,' as retailers like to say. How could anybody disagree with this, let alone the governor?"

The bill had passed so easily through both chambers in California--it passed the 40-member state senate last month in a 30-6 vote and had earlier unanimously passed the assembly 73-0--that it is theoretically possible bill supporters could try for a veto override, which would need two-thirds majorities in each body. But as of Oct. 14, no one had publicly said they were going to try to do that.

The concerns about the cost of compliance for smaller retailers have scuttled other state attempts at mandating strong data security rules, including Connecticut, where an initial supporter of such a law backed off as being lobbied by smaller merchants.

Federal efforts to pursue national standards on retail data have also gone nowhere, with hearings on the TJX data breach--which has been seen as a catalyst for state and federal data protection legislative efforts--repeatedly postponed and now tentatively scheduled for November.
In January, TJX announced a data breach where the credit card data of some 46 million consumers fell into unauthorized hands, a move widely regarded as the worst retail data security breach ever reported.

Retail Center Editor Evan Schuman can be reached at Evan.Schuman at ziffdavisenterprise.com.

--
Britta Glade
Liberty Alliance
925-254-4233

From britta at projectliberty.org Tue Oct 16 11:23:14 2007
From: britta at projectliberty.org (Britta Glade)
Date: Tue, 16 Oct 2007 11:23:14 -0700
Subject: [SIG-IDtheft] Cost of data breaches rising....
Message-ID:

http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=5633

*Cost of data breaches 'to increase 20% a year'*

Targeted attacks are biggest threat, says Gartner

By Leo King

Financially motivated data breaches are set to cost businesses 20% more each year until 2009, according to Gartner.

John Pescatore, VP at Gartner, said the biggest risk to organisations came from targeted attacks. He said that "phishing and identity theft attacks have caused the rise of 'credentialled' attacks, in which the attacker uses the credentials of a legitimate user".

Malicious software attacks allowed internal executables to be used to forward information to an external attacker, Pescatore warned. "Being aware of 'inside out' communications and being able to block those as effectively as 'outside in' is becoming increasingly important," he said.
It was important to make sure that security strategies reduced the cost of dealing with mass attacks, Gartner advised, in order to free up budgets for the next generation of security attacks.

The analyst group reckons the average business is spending more than 5% of its IT budget on security, and another 7% on disaster recovery. But it said 90% of targeted attacks could be avoided without an increase in firms' security budgets, and said the investments that enterprises had made in intrusion prevention, vulnerability management and network access control had largely paid off.

At the same time, however, it warned that there was currently little or no correlation between organisations that spent the most on security and those that are most protected, it said.

It said the most effective way to increase the efficiency of security spending was to avoid vulnerabilities by ensuring that security was a top requirement for every new application, process and product. It was also important to establish security metrics to measure spending efficiency, it added.

--
Britta Glade
Liberty Alliance
925-254-4233

From britta at projectliberty.org Wed Oct 17 15:26:10 2007
From: britta at projectliberty.org (Britta Glade)
Date: Wed, 17 Oct 2007 15:26:10 -0700
Subject: [SIG-IDtheft] Study of IDTheft Cases--Presentation next week
Message-ID:

Anyone going to this conference?

Center for Identity Management and Information Protection to Release Landmark Study

Study of Closed U.S. Secret Service Cases Reveals New Findings on Crime, Victims, Offenders

WASHINGTON and UTICA, N.Y., Oct. 17 /PRNewswire-USNewswire/ -- On Monday (Oct. 22), Utica College's Center for Identity Management and Information Protection (CIMIP) will release the results of a landmark study of closed U.S. Secret Service cases involving identity theft. The study, which will reveal new findings about identity theft perpetrators, victims, and methods, marks the first time the U.S. Secret Service has allowed review of its closed case files on identity theft and fraud.

The research will be of particular value to government, law enforcement and corporate entities whose mission is to prevent, detect, investigate or prosecute identity theft crimes, said Gary R. Gordon, executive director of CIMIP and professor of economic crime at Utica College. Information on insider threats, points of compromise, and vulnerabilities will be of specific interest to chief security and chief information officers across many industries, including financial services and retail corporations, Gordon said.

The results will be released at the 18th annual ECI Conference. This year's event, "Identity Management and Information Protection: Research to Action" will be held October 21-23 at the Ritz-Carlton Hotel, Tysons Corner, McLean, Va. The Economic Crime Institute of Utica College and CIMIP will present the conference; for more information, visit the ECI Web site at http://www.utica.edu/academic/institutes/ecii/conferences/.

CIMIP, the first-of-its-kind partnership of leading corporate, government and academic institutions, drives an aggressive research agenda that focuses on critical issues in identity management, information sharing, and data protection. CIMIP partners include LexisNexis, IBM, and TransUnion from the corporate sector; as well as the U.S. Secret Service, Federal Bureau of Investigation, and the U.S. Marshals Service from the government.
In addition to UC, academic partners are Carnegie Mellon University Software Engineering Institute, Indiana University's Center for Applied Cybersecurity Research, and Syracuse University's CASE Center.

--
Britta Glade
Liberty Alliance
925-254-4233

From britta at projectliberty.org Thu Oct 18 17:04:36 2007
From: britta at projectliberty.org (Britta Glade)
Date: Thu, 18 Oct 2007 17:04:36 -0700
Subject: [SIG-IDtheft] Reminder: Follow up call on smart cards, strong auth, and IDTheft with Gilles Lisimaque, OCT. 19, 9:30 am PT
Message-ID:

> REMINDER on our call tomorrow....dial in below. Thanks!
>
> We had a very interesting call with Gilles Lisimaque last Friday with the SIG, and decided the topic was of enough interest and we still weren't done with questions, so Gilles has agreed to join our call again on *FRIDAY, Oct. 19, 9:30 am PT.* Please think of questions you might have and shoot them to me or Gilles (copied) ahead of time. Michael Barrett, PayPal, and Mari Franks, IdentityTheft.org, have also confirmed they'll be able to attend, so I'm confident we'll have an interesting cross-section of folks participating, asking questions, and sharing experiences.
>
> We'll still be meeting this Friday--agenda for that to follow later--but wanted to get this on calendars now. Remember this is an open SIG, so feel free to invite anyone to attend. Thanks.
>
> *Gilles M. Lisimaque*
>
> Mr. Lisimaque is one of the leading US experts on Smart Cards and application of Smart Cards, working on various US government projects as technical advisor and smart card standard expert. Prior to joining IDTP Mr. Lisimaque worked at Gemplus, a company he founded with four other co-founders, and was part of the Business Development Group, responsible for special projects in North America. In this position, he contributed to various groups including prospects and customers, providing technical and business guidance for the design and application of Gemplus smart cards, hardware and systems, and customized services. Prior to joining the Gemplus team, Mr. Lisimaque was technical marketing director in SGS-Thomson's research and development group. He was the architect of the company's family of smart card components and helped develop the first chip operating system for smart cards. Additionally, he was MIS manager of the SGS-Thomson MOS facility called Eurotechnique, a joint venture between Saint-Gobain and National Semiconductor. There he developed an integration system connecting HP mini-computers, IBM mainframes and DEC semi-conductor test equipment. Mr. Lisimaque holds multiple patents on smart card security and smart card OS design and has high level seats with numerous Smart Card and Security Forums and Associations. Mr. Lisimaque is an honor graduate of the French engineering school, "Arts & Métiers", where he specialized in automation and electronics.
>
> Questions we discussed:
>
> To what extent can smart cards aid in the reduction of identity theft?
>
> What are the reasons for slow adoption in the U.S.?
>
> What programs or industry efforts or events will trigger a more rapid deployment?
>
> What are the issues of mass adoption and deployment that linger?
>
> Why have European states and other nations been more aggressive in deployment and what have been the lessons learned?
>
> How can you fail to succeed, where have smart card programs faltered?
>
> What has been the traditional push-back by banks, telecoms, others in resisting or failing to move forward with smart cards?
>
> Future? Standards, key drivers, obstacles, legislation, public fears of poorly conceived deployments?
>
> Looking forward to our call and very much thank Gilles for joining us. Dial in is the usual:
>
> 800-504-8071
>
> International: +1 303-248-0281
>
> Code: 2544233
>
> Thanks!
>
> --
> Britta Glade
> Liberty Alliance
> 925-254-4233

--
Britta Glade
Liberty Alliance
925-254-4233

From Contact at IdentityTheft.org Fri Oct 19 10:34:14 2007
From: Contact at IdentityTheft.org (Mari Frank)
Date: Fri, 19 Oct 2007 10:34:14 -0700
Subject: [SIG-IDtheft] Reminder: Follow up call on smart cards, strong auth, and IDTheft with Gilles Lisimaque, OCT. 19, 9:30 am PT
In-Reply-To:
References:
Message-ID: <016e01c81276$44628f90$671ca8c0@PP>

Britta and Gilles-

Thanks so much for bringing Gilles back- I would love to have him on my radio show- Privacy Piracy www.kuci.org/privacypiracy. Please send me the contact info- thanks,

Mari

Contact at identitytheft.org
28202 Cabot Road, Suite 300
Laguna Niguel, Ca. 92677
Phone :949-364-1511
Fax: 949-363-7561
www.identitytheft.org
www.MariFrank.com
www.kuci.org/privacypiracy
E-mail contact at identitytheft.org

To order Mari's books: Call Porpoise Press 800-725-0807

This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or by phone at 949-364-1511) immediately. Thank you.

From britta at projectliberty.org Fri Oct 19 10:39:52 2007
From: britta at projectliberty.org (Britta Glade)
Date: Fri, 19 Oct 2007 10:39:52 -0700
Subject: [SIG-IDtheft] Reminder: Follow up call on smart cards, strong auth, and IDTheft with Gilles Lisimaque, OCT. 19, 9:30 am PT
In-Reply-To: <016e01c81276$44628f90$671ca8c0@PP>
References: <016e01c81276$44628f90$671ca8c0@PP>
Message-ID:

It was a good call--sorry it had to end. Gilles, I'll let you close out the loop with Mari on that great opp. Thanks, Gilles, for joining again!

--
Britta Glade
Liberty Alliance
925-254-4233

From britta at projectliberty.org Fri Oct 19 10:45:41 2007
From: britta at projectliberty.org (Britta Glade)
Date: Fri, 19 Oct 2007 10:45:41 -0700
Subject: [SIG-IDtheft] Reminder: Follow up call on smart cards, strong auth, and IDTheft with Gilles Lisimaque, OCT. 19, 9:30 am PT
In-Reply-To:
References: <016e01c81276$44628f90$671ca8c0@PP>
Message-ID:

I have Gilles' direct contact info for anyone interested--ping me, and I'll send it to you separately (hate putting personal info out on a public list serve :)):

Gilles Lisimaque
Partner
Work +1-301-320-5146
Cell +1-240-731-4585
GLisimaque at IDTP.com

--
Britta Glade
Liberty Alliance
925-254-4233

From britta at projectliberty.org Fri Oct 19 10:46:25 2007
From: britta at projectliberty.org (Britta Glade)
Date: Fri, 19 Oct 2007 10:46:25 -0700
Subject: [SIG-IDtheft] Reminder: Follow up call on smart cards, strong auth, and IDTheft with Gilles Lisimaque, OCT. 19, 9:30 am PT
In-Reply-To:
References: <016e01c81276$44628f90$671ca8c0@PP>
Message-ID:

Of course....I'm a bonehead and just did....sigh! Fridays.....be good to Gilles.

--
Britta Glade
Liberty Alliance
925-254-4233
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20071019/9735932e/attachment.html From britta at projectliberty.org Wed Oct 24 15:12:42 2007 From: britta at projectliberty.org (Britta Glade) Date: Wed, 24 Oct 2007 15:12:42 -0700 Subject: [SIG-IDtheft] Too funny not to share: ID Thief has his own info leaked by the courts Message-ID: All of our mother's warned us....what goes around comes around! http://www.networkworld.com/news/2007/102307-court-leaks-info-of-alleged.html *Court leaks info of alleged ID thief* By Robert McMillan , IDG News Service, 10/23/07 Things just aren't going well for Timothy Scott Short. Just days after a pair of tech support calls he made to printer manufacturer Digimarc resulted in his arrest, he now finds himself on the receiving end of a data breach with his Social Security number and birth date accidentally made public via the federal court's Electronic Case Files (ECF) system. It's an ironic development, because Short, 33, was arrested in connection with the Oct. 5 theft of a Missouri Department of Revenue printer and a PC containing data on as many as 500 state residents. Short's personal information was discovered by the *IDG News Service*, listed on a court document called a Criminal Case Cover Sheet, which was publicly available to users of the ECF system. Normally, this document should only be accessible to those involved in the case, but it appears to have been inadvertently made public, according to a clerk with the U.S. District Court for the Eastern District of Missouri, who asked not to be identified because she was not authorized to speak with the press. "It's something on our side," she said, adding that technical staff is now looking into the problem. The U.S. Judicial Conference, which sets policy for U.S. 
courts, has said that this kind of information should be removed from publicly available electronic court records, but actually removing all the sensitive information has proved difficult.

"If you went online to various court systems, you could find social security numbers of many individuals," said Paul Stephens, director of policy and advocacy with the Privacy Rights Clearinghouse. "It's a really, really difficult question to answer, just because you're dealing with so many jurisdictions."

Social Security numbers are the building blocks of identity theft crime because they can be used to secure credit cards. "Any time you are placing Social Security numbers online, you are subjecting that person to identity theft," Stephens said.

With the push to make public documents available online, other government databases have had similar problems. Earlier this year, the states of California and Colorado were forced to take their Uniform Commercial Code (UCC) databases offline after privacy advocates pointed out that the Social Security numbers and other data they contained could be misused by identity thieves.

Short, however, may have bigger problems to worry about. He's facing $250,000 in fines and 10 years in prison on charges of possession of "document-making implements" in connection with the theft.

He was arrested after U.S. Secret Service Special Agent John Bush recognized his voice in calls placed to a tech support line of the company that makes the stolen printer.

--
Britta Glade
Liberty Alliance
925-254-4233
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20071024/e9d8a5dc/attachment-0001.html

From britta at projectliberty.org Wed Oct 24 15:14:47 2007
From: britta at projectliberty.org (Britta Glade)
Date: Wed, 24 Oct 2007 15:14:47 -0700
Subject: [SIG-IDtheft] HITSP proposes standards to keep patient medical info secure
Message-ID:

Given recent conversations in both groups, thought this to be of interest.

http://www.healthcareitnews.com/story.cms?id=7995

*Panel proposes standards for medical data security*

By Bernie Monegain, Editor 10/24/07

WASHINGTON - The Healthcare Information Technology Standards Panel has identified a set of standards aimed at keeping patient medical information secure in an electronic environment.

Called the "security and privacy constructs," the standards address common data protection issues in a broad range of subject areas, including electronic delivery of lab results to a clinician, medication workflow for providers and patients, quality, and consumer empowerment.

"Privacy and security are fundamental to health information exchange," said John Halamka, MD, HITSP chairman. Halamka also serves as CIO and associate professor of emergency medicine at Harvard Medical School. "At HITSP, we will be incorporating all of these security standards into our past, present, and future interoperability specifications."

The HITSP's work on an overarching security and privacy architecture is the latest in a series of steps to assure the interoperability of electronic health records in the United States. It follows - coincidentally - escalating concern over patient privacy after 27 hospital staff members took a sneak peek at movie star George Clooney's medical records.

The standards developed by HITSP are designed to ensure that medical information will be used by authorized personnel solely - and only for official purposes.
Identified by the Office of the National Coordinator for Healthcare Information Technology (ONCHIT) as a primary prerequisite for the exchange of clinical information between authorized healthcare organizations, the constructs are expected to help improve coordinated quality care, reduce errors, and control unnecessary costs, Halamka said.

The panel approved the constructs on Oct. 15. They include input received during a recent public review and comment period.

HITSP operates under contract to the U.S. Department of Health and Human Services. The panel is administered by the American National Standards Institute.

--
Britta Glade
Liberty Alliance
925-254-4233
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20071024/f72cae0c/attachment.html

From bob at bobpinheiro.com Thu Oct 25 05:01:33 2007
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Thu, 25 Oct 2007 08:01:33 -0400
Subject: [SIG-IDtheft] Next ID Theft SIG Call: Friday November 2
Message-ID: <0JQG008Q4UWM2WK5@vms046.mailsrvcs.net>

On last week's ID Theft SIG call, we continued the conversation with Gilles Lisimaque, who spoke about Smart Cards. As we focused specifically on how Smart Cards can help to prevent identity theft, the conversation turned to the challenges that impede the widespread adoption of Smart Cards as authentication devices. It soon became clear that the major challenges were not technical, but business-related.

One prerequisite for widespread adoption of authentication technologies that could help to prevent identity theft is sufficient justification by the business community to spend the money to deploy these technologies for use in the consumer space.

Although deployment of large-scale authentication systems that could help to prevent identity theft has been slow in coming, some recent activities of Liberty Alliance may help to move that effort forward.
Specifically, the recently created Identity Assurance Expert Group has completed work on Version 1.0 of the Liberty Identity Trust Framework, which is based on the work of the Electronic Authentication Partnership and the government's e-Authentication initiative. Such a Trust Framework could potentially serve as the basis for an authentication system that could allow service providers/relying parties to authenticate the identity claims of those seeking identity-related services (such as new credit card accounts).

However, it's one thing to have a specification for such a system, and another thing to actually get it implemented. This gets back to the business justification. It's unlikely that preventing identity theft, by itself, would provide that justification. But if large-scale authentication systems did exist, they could provide a way for service providers/relying parties to verify the identities of people presenting credentials issued by a wide range of identity providers.

So let's devote the next call to begin a discussion of some of the things that Liberty Alliance could do that specifically would help to eliminate identity theft. Defining the Liberty Trust Framework and helping to bring it to reality might be one such thing. But how to do that? And are there other Liberty initiatives involving privacy or anything else that might help?

If you have any thoughts on this prior to the next call, please post them to the list. Thanks.

Friday, November 2
12:30 PM ET / 9:30 AM PT
800-504-8071
International: +1 303-248-0281
code: 2544233

-------------------------
Bob Pinheiro
Robert Pinheiro Consulting LLC
bob at bobpinheiro.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20071025/8b8151fb/attachment.html

From Robin.Wilton at Sun.COM Fri Oct 26 06:32:03 2007
From: Robin.Wilton at Sun.COM (Robin Wilton)
Date: Fri, 26 Oct 2007 14:32:03 +0100
Subject: [SIG-IDtheft] Next ID Theft SIG Call: Friday November 2
In-Reply-To: <0JQG008Q4UWM2WK5@vms046.mailsrvcs.net>
References: <0JQG008Q4UWM2WK5@vms046.mailsrvcs.net>
Message-ID: <4721EC53.9010408@sun.com>

An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20071026/6f232841/attachment.html