From Robin.Wilton at Sun.COM Thu Jun 19 06:19:19 2008
From: Robin.Wilton at Sun.COM (Robin Wilton)
Date: Thu, 19 Jun 2008 14:19:19 +0100
Subject: [SIG-IDtheft] Help...?!
Message-ID: <485A5CD7.1050306@sun.com>

An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20080619/1ec262ef/attachment.html

From britta at projectliberty.org Thu Jun 19 06:46:23 2008
From: britta at projectliberty.org (Britta Glade)
Date: Thu, 19 Jun 2008 06:46:23 -0700
Subject: [SIG-IDtheft] Help...?!
In-Reply-To: <485A5CD7.1050306@sun.com>
References: <485A5CD7.1050306@sun.com>
Message-ID:

These were never fully developed. As you'll recall, Michael Aisenberg had proposed docs for #1 and #2, but consensus was never achieved when these docs were advanced to PPEG so those docs did not advance further (I do still have those drafts if there is any interest in resurrecting them--I think our aim was good). #3 the beginnings of that doc are on the wiki, driven by Abhilasha. It was never completed, but the structure and some substance is there for use.

On 6/19/08, Robin Wilton wrote:
>
> Folks,
>
> I know I ought to have as good an idea as anyone of where to find the
> documents Allan is looking for (see attached email), but I could use
> some help... To be honest, I can't actually remember whether we ever got
> around to writing the 3 detailed papers referred to in the initial Primer.
>
> Anyone else know better...?
>
> Many thanks,
> Robin
>
> Hi Robin,
>
> I'm looking for three documents which have apparently been produced by the
> Identity Protection Group (IDTheft SIG?) within the Liberty Alliance. The
> documents were referenced in "Liberty Alliance Whitepaper: Identity Theft
> Primer", 05 Dec 2005,
> (www.projectliberty.org/liberty/content/download/376/2687/file/id_Theft_Primer_Final.pdf)
>
> I tried searching the web site but I can't seem to find them. I was
> wondering if you might be able to help me acquire these!
>
> The documents are:
>
> 1) The Data Custodian's Guide to Stopping Identity Theft
>
> 2) The Policy-Maker's Guide to Stopping Identity Theft.
>
> 3) The Technologist's Guide to Stopping Identity Theft.
>
> The background to this is that we are working with the University of
> Strathclyde to prepare to bid for funding for some research in security for
> sensor networks. We have a number of proposals in mind, and privacy features
> quite significantly in these. Our intention is to submit our proposals to
> EPSRC for funding. Perhaps you could have a look at our proposals once they
> are ready? If you are interested we'd be happy for you to get involved with
> some of this work.
>
> Cheers
>
> Allan T.
>
> Information Security Group
>
> Royal Holloway, University of London
> Egham, Surrey TW20 0EX, UK
>
> _______________________________________________
> This is a public mailing list. Content is NOT confidential.
>
> Sig-idtheft mailing list
> Sig-idtheft at lists.projectliberty.org
>
> http://lists.projectliberty.org/mailman/listinfo/sig-idtheft_lists.projectliberty.org

--
Britta Glade
Liberty Alliance
925-254-4233

From bob at bobpinheiro.com Wed Jun 25 22:57:59 2008
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Thu, 26 Jun 2008 01:57:59 -0400
Subject: [SIG-IDtheft] Potential Liberty Alliance Deliverables Related to Identity Theft
Message-ID:

On an Identity Theft SIG call earlier this year, we discussed the Liberty Identity Assurance Framework, and especially its potential as an enabler of a large-scale authentication system that could help to prevent identity theft. There was also a suggestion that maybe the Identity Theft SIG (and other groups within Liberty) might have a role in putting together some White Papers that could provide a more complete picture of how a LIAF-enabled authentication system could help to prevent identity theft.

Although the "identity" that is stolen in identity theft could refer to the identity of a business or even a government entity, identity theft is mainly of interest to us and others as it refers to an individual consumer's identity that is misused by imposters to gain various identity-related services. For this reason, the ability of LIAF-enabled authentication systems to prevent identity theft is closely tied to the viability of high assurance identity trust services offered by Identity Providers for use by individual consumers.

Here's a tentative list of possible White Papers and Specifications that address ways in which Liberty products can help to prevent identity theft. We are soliciting your opinion about the usefulness of these potential deliverables, your comments and suggestions for modifications or changes to this list, as well as your interest in acting as a subject matter expert on any of these potential deliverables if there is sufficient interest to proceed.

White Papers

1. White Paper that compares identity proofing methods used by financial institutions, motor vehicle bureaus, and REAL ID, to Liberty IAF identity proofing requirements at the appropriate assurance levels.

2. White Paper describing the concept of a large-scale identity network / authentication system consisting of Liberty-accredited Identity Providers, and Relying Parties who agree to honor credentials/tokens issued by any accredited Identity Provider. This network could enable any Relying Party that is a member to authenticate the identity claim of anyone presenting credentials/tokens (at the appropriate Assurance Level) issued by any Liberty-accredited Identity Provider that is also a member. This identity network / authentication system may result from the inter-federation of different identity federations, so that Relying Parties and Identity Providers belonging to different federations are able to trust each other.

3. White Paper describing possible business models that would make high assurance trust services economically viable for use by consumers. One potential model might require Relying Parties to pay Identity Providers for identity assertions. This could be akin to credit grantors paying consumer credit bureaus for information about a consumer's credit history. Such a model might be viable in the context of allowing Relying Parties to satisfy the recently-issued Red Flag Rules that require credit grantors to have written identity theft prevention programs. Another possible business model might focus on individual consumers themselves paying a fee to an Identity Provider for identity theft protection, similar to what people pay today for credit monitoring services and other identity theft prevention services (based on fraud alerts or credit freezes) that have emerged recently.

4. White Paper describing how an identity network / authentication system can be extended so that identity claims made to Relying Parties on the basis of personally identifiable information can be authenticated, if the personal information is associated with the identity of someone who has been issued credentials/tokens as part of a high assurance trust service from an accredited Identity Provider. This extension would involve a Discovery Service that can discover the appropriate Identity Provider on the basis of personally identifiable information.

   Background: Even if a LIAF-enabled identity network / authentication system were to exist, it is assumed that a person whose identity is to be authenticated needs to present some sort of credentials or tokens to the service provider / relying party. But many cases of identity theft result when stolen personal information is used by an imposter to claim someone else's identity. In that situation, the stolen personal information itself acts as a "credential", and the service provider / relying party has no corresponding token to authenticate the claim of identity. Is there any way that someone who possesses Liberty-accredited credentials/tokens can still be protected against identity theft, if the identity theft occurs by means of stolen personal information?

5. White Paper that explores the usefulness and viability of a range of potential LIAF-enabled high assurance trust services for consumers. As one example, online banking and bill payment services pose high degrees of risk to consumers if unauthorized persons can gain access to these accounts, or are able to drain money from these accounts. Will Relying Parties such as financial institutions and others be willing to accept high assurance credentials for access to these accounts that have been issued by other, Liberty-accredited Identity Providers? Would financial institutions or other business entities be willing to act as Identity Providers for authentication of their consumer customers to other entities? Another example could involve the Identity Providers that issue managed Information Cards. These managed Information Cards, unlike self-issued cards, essentially provide high assurance trust services to Relying Parties on behalf of the "owners" of these Information Cards, many of whom may be individual consumers. The recently formed Information Card Foundation, which is concerned with the use of electronic ID cards on the Internet, is also a new Liberty Alliance member. Might the LIAF play a role in establishing the trust relationships between the Relying Party users of Information Cards, and the Information Providers that issue managed cards?

6. White Paper that discusses the characteristics of authentication tokens most likely to be used in high assurance consumer authentication applications, and compares these characteristics to authentication token requirements defined by NIST 800-63 "Electronic Authentication Guideline", at various assurance levels.

Specifications / Best-Practices

1. Specifications for a Discovery Service that identifies the specific accredited Identity Provider that is able to authenticate an identity claim using credentials/tokens issued by that Identity Provider, on the basis of personally identifiable information presented to the Discovery Service that is associated with the holder of those credentials/tokens. Such a Discovery Service is necessary to prevent identity theft when stolen personal information is used to make claims of identity.

Request for Comments / Call for Participation

We would greatly appreciate your comments on this list of potential White Papers and Specifications. At this time, there is no commitment by Liberty to produce any of these deliverables.
We are interested in determining whether there exists sufficient interest among various Liberty interest groups (ID Theft SIG, IA-SIG, IAEG) to consider proceeding with any of these. Do these seem appropriate and useful for Liberty to produce, given that identity theft is a subject of sufficient importance to Liberty Alliance that it has created an Identity Theft Prevention SIG? Would you suggest any changes, modifications, or deletions to anything on the list? Are there any other potential White Papers that you think might be useful but that weren't included here? If you do not think that Liberty should be pursuing any of this, that is also a useful piece of information as well.

Would it be useful to schedule an ID Theft SIG call to discuss these potential deliverables further? Would you be interested in acting as a subject matter expert in helping to produce any of these deliverables, provided that someone else does most of the work, with your role mainly confined to providing expertise and guidance?

You can respond by replying back to the list from which you received this (ID Theft SIG, IA-SIG, IAEG). Or if you prefer, you can respond to me directly.

Thanks

Bob Pinheiro, Identity Theft Prevention SIG Chair
---------------------------------------------
Robert Pinheiro Consulting LLC
bob at bobpinheiro.com
(908) 654-1939
www.bobpinheiro.com

From dweitzel at mitre.org Fri Jun 27 09:11:42 2008
From: dweitzel at mitre.org (Weitzel, David S)
Date: Fri, 27 Jun 2008 12:11:42 -0400
Subject: [SIG-IDtheft] Emailing: 'Preying on Patients' - WSJ.com http://online.wsj.com/article_email/SB121433232110700537-lMyQjAxMDI4MTI0NTMyMzUyWj.html
Message-ID: <48B2E21901088749A183DC0FB5238F3E02379F54@IMCSRV2.MITRE.ORG>

June 24, 2008 2:53 p.m. EDT

HEALTH WATCH

Medical identity theft can imperil health care, insurance, job prospects

By KRISTEN GERENCHER

SAN FRANCISCO -- An imposter who takes over your financial life leaves a trail of harm -- and that harm can include changes to your health-care records in some cases.

Identity theft in the health-care arena adds a layer of complexity because a thief can tap your medical information to get care or make false claims, potentially altering the course of your future treatments if you don't catch and reverse the damage, experts say.

For example, a thief could have a different blood type or drug allergies than you do, and a doctor, nurse or hospital may not detect the mixed patient files before administering treatment based on the imposter's medical history instead of your own. Or victims may find they hit their insurance caps or become uninsurable or unemployable based on medical problems they never had.

That's the scenario privacy experts are concerned about as hospitals and health-care providers increasingly exchange digital information or seek ways to do so.

But it's not just high-tech developments that are sparking worries. A lost or stolen wallet with a health insurance card or other personal information can set the stage for fraud. The threat also comes from within as the health-care industry tries to prevent workers with access to patient files from selling them to identity-theft rings, said Pam Dixon, executive director of the World Privacy Forum (1), a nonprofit, public-interest research group in San Diego.

"In the U.S. we have a serious and significant problem with medical identity theft," Dixon said. "With persistence and sometimes with legal help you can clear up the financial piece of this, but the changes to your health-care file, if you don't know those have been put in place you can get health care that's inappropriate or life-threatening in some cases."

Lawmakers take notice

To be sure, the most recent data available suggests medical ID theft affects a relatively small number of people. In 2005, more than 8 million Americans were victims of identity theft, and 3% of them, or about 249,000, had their personal information misused for the purpose of obtaining medical treatment, supplies or services, according to a 2006 study from the Federal Trade Commission (2).

But state and national lawmakers are beginning to take notice. Starting this year, California extended its security breach law to require companies that handle medical and health-insurance information to notify people when the security of their medical data has been compromised.

In May, the U.S. Health and Human Services Department's Office of the National Coordinator for Health Information Technology awarded a $450,000 contract to Booz Allen Hamilton to study the extent of the nation's medical identity theft problem.

The last to know?

Victims often realize they have a problem when they receive their insurer's explanation of benefits for services they never received, collections companies come calling for charges they didn't incur or their credit report shows changes, Dixon said.

"Right now where we are with medical identity theft is where we were at the beginning of financial identity theft," she said. "We're starting at square one with this crime. The good news here is financial identity theft laws are going to help these victims for debt collection and credit report issues."

Still, some victims have trouble getting collections agencies to believe their predicament, even with a police report in hand, she said.

Getting access to and correcting health-care files falls under a federal law called the Health Insurance Portability and Accountability Act, or HIPAA, which is designed to protect privacy but often creates headaches for people who've had their medical IDs stolen.

"Because of the fractured nature of the health-care sector, it's not so easy to get positive change moving for victims," she said.

Lawrence Hughes, assistant general counsel for the American Hospital Association, which represents nearly 5,000 hospitals in Washington, said he isn't aware of hospitals that aren't giving patient-victims the records they need.

"Under the HIPAA privacy rule, patients have a right to access their health information and they also have a right to request corrections to their information," he said. "Those rights are explained in the notice of privacy practices, which every patient receives."

At Blue Shield of California, which has 3.3 million insured members, fraud investigators have seen about 10 medical identity theft cases over the last 18 months, said Michael Brandt, senior manager of the company's special investigations in El Dorado Hills, Calif.

The incidents so far have been low-tech as opposed to organized criminal activity, he said. "In some of the cases we've had, it's people that were known to the member who took the card and got a service or got prescription drugs they were not entitled to."

Blue Shield of California flags victims' insurance files to help them avoid further problems and restore their records, Brandt said. The company also encourages them to file a police report, check their credit rating and contact the Federal Trade Commission's investigative arm if necessary.

"It really is traumatic to the person that is a victim to this, so we're sensitive to that," Brandt said. "We try to react and give them as much support as we can."

On Thursday, the Blue Cross Blue Shield Association announced its anti-fraud investigators last year prevented $134 million from being spent on false or erroneous medical claims and recouped nearly $115 million that had been paid on fraudulent claims, including a small portion from medical identity theft.
Blues members who believe they're victims are encouraged to call the national hotline at 1-877-327-2583.

People commit medical identity theft for a variety of reasons, said Linda Foley, founder of the Identity Theft Resource Center (3) in San Diego, a nonprofit that assists victims and promotes best practices in preventing identity theft.

Some perpetrators need health care and can't or won't pay for it. Others use a stranger's information so they can procure controlled substances such as prescription painkillers more easily. Some may want to conceal a chronic condition.

Some health-care providers are starting to ask patients to authenticate their identities by showing their driver's license or other photo ID at the time of service, Foley said. Kaiser Permanente has made this a standard practice.

Last year, 82% of identity theft victims discovered the problem after they were contacted by a collection agency or noticed money missing from their bank, she said.

Making things right again can take a substantial amount of time and patience. In 2007, victims reported spending an average of 116 hours repairing damage done to existing accounts that were taken over by a thief. In cases where new accounts were created, the average correction time was 158 hours.

Companies and consumers on the alert

The federal privacy law requires health-care organizations to do ongoing security risk analysis to assess threats and fix vulnerabilities in information systems, said Lisa A. Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society in Washington.

Spotting medical identity theft from outside hackers is increasingly part of that evaluation. "We do see larger institutions and more mature organizations are planning for it ... in the overall risk management process," she said.

On an individual level, being alert to unauthorized address changes or strange entries on your insurer's explanation of benefits is essential to catching medical ID theft early, Dixon said.

Consumers who receive a security-breach notice are wise to get credit monitoring and copies of their medical records.

"You're not obligated to tell a health-care provider why you want your files," Dixon said. She advises people who know they're victims of medical ID theft to avoid disclosing the situation so they have a better chance of getting their records. "Gather all the information and then start taking action."

Write to Kristen Gerencher at kgerencher at dowjones.com (4)

URL for this article: http://online.wsj.com/article/SB121433232110700537.html

Hyperlinks in this Article:
(1) http://www.worldprivacyforum.org
(2) http://www.ftc.gov
(3) http://www.idtheftcenter.org
(4) mailto:kgerencher at dowjones.com

Copyright 2008 Dow Jones & Company, Inc. All Rights Reserved

This copy is for your personal, non-commercial use only. Distribution and use of this material are governed by our Subscriber Agreement and by copyright law. For non-personal use or to order multiple copies, please contact Dow Jones Reprints at 1-800-843-0008 or visit www.djreprints.com.