November 22, 2007

WSJ: Home invasions target wealthy

The Wall Street Journal reports that the higher-profile rich are being targeted for home invasion robberies:

One reason for the rise in home invasions is demographic: The number of rich people with homes to plunder has risen fast in recent years. But police and security experts say robbers are hitting homes more because their traditional targets -- banks, stores and offices -- have been hardened with closed-circuit video surveillance, alarms and guards. By comparison, security at many private homes remains lax, they say.

Increasingly, wealthy and high-profile individuals must step up security at home and be vigilant in their cars to avoid becoming victims, security experts and police say. They may also need to reduce the amount of information they reveal about themselves on the Internet in places like Facebook, and in the media. And perhaps most importantly, they should thoroughly investigate the background of anyone who has access to their home, because many robberies are inside jobs.
Several security and alarm experts say crimes like these can be prevented with a perimeter motion-detection system that sounds whenever someone drives or walks onto a property. Many alarm systems wire only the doors and windows of a home; the problem with that, security experts say, is that by the time someone trips the alarm, it can be too late. Moreover, any alarm system has to be armed to work, and often, they aren't.

Home-invasion robbers also pick their victims by staking them out in public and following them home.

Police and security experts say that to avoid this type of robbery, people should be alert to whether they are being followed before driving onto their property, and if they are, to call the police or drive to a police station. Houses should be well-lighted with automatic exterior lights. Additionally, security experts advise clients to avoid drawing attention to money and possessions while they're out and about. They also recommend reducing the amount of detailed personal information that can be found on the Web.

While at home, it is a mistake to open the door without verifying the identity of a visitor first and to accept unscheduled deliveries. Security experts say homes should be equipped with a voice-video intercom system with cameras trained on the doors and the grounds, and deliveries should be sent to a post-office box or family office instead of to the residence.

October 8, 2007

Keep your smartphone in your sight

Another reason why your mobile smartphone shouldn't be out of your sight:

FlexiSPY Pro is tracking software that can be installed on a "smart" mobile phone by anyone who has access to the phone for a few minutes. After installation, it copies the smartphone's SMS text messages, call history and other data to FlexiSPY's server four times a day to be accessed by the party who installed the spyware. The phone's microphone can even be activated remotely so the smartphone can be used remotely as a passive bug.

I haven't tried the product, but Airscanner for Windows claims to detect threat spyware programs such as Mobile-spy and FlexiSPY.

So far, this software can only be installed if someone has physical access to the Windows Mobile (or other type) smartphone. Regular cell phones that can't run third-party programs are not vulnerable to this backdoor software.

August 16, 2007

"Dietrich" tracked by medical bills

(CBS) LOS ANGELES A 26-year-old man was in custody Friday after being on the run for more than a year following a high-speed crash in Malibu that left a rare $1 million Ferrari Enzo in pieces.

The driver of the Ferrari, Swedish national Stefan Eriksson, had previously claimed that a mysterious German man named "Dietrich" had been driving when the collision with the utility pole occurred. Eriksson failed two alcohol breath tests at the scene of the crash, and was later charged with embezzlement related to leased car exports and his video game firm Gizmondo.

Irish native Kearney, who was a passenger in the Ferrari Enzo during the crash, fled the country after the crash but was smuggled back into the U.S. a year later from Tijuana, Mexico.

Authorities tracked him down this week, thanks to medical bills generated after his return to California and sent to a Marina del Rey address, the source said.

Kearney was charged with perjury and obstructing, both misdemeanor crimes. Why would police track this man via medical bills for two misdemeanors? In order to force him to testify against Eriksson in a media-frenzy drunk driving case, undoubtedly.

Medical records are an open book to anyone with a subpoena. All too often medical professionals allow access to records after only an informal request from a detective or investigator. More troubling is the ease with which private investigators and other outside parties seem to get medical records via bribery, pretexting, or court-ordered legal discovery.

If Kearney hadn't had his medical bills sent to his address of record -- the address he gave to police investigators at the crash site -- he might not be under indictment for two misdemeanors today.

Remember, also, that lying to police is usually a misdemeanor and lying to federal agents is a felony. Just ask Martha Stewart.

Read the Findlaw article "How to Avoid Going to Jail under 18 U.S.C. Section 1001 for Lying to Government Agents" for more information on lies within federal jurisdiction and how to decline a federal interview by invoking counsel.

August 15, 2007

Revenge website targets credit score

reports yesterday that an illegal website offered to ruin the credit score of anyone for a small fee, and even to arrange to have them suspected of bank fraud.

Making numerous credit applications with the victim's SSN and DOB and invented addresses and names will cause the person's credit to be put on hold, claims the website.

The UK-centric web-based service also offered to create false bank documents, identity cards, automobile registry papers, paychecks and tax forms.

Such fraudulent services are doubtless short-lived when discovered by the public and law enforcement agencies, but this report is illustrative of the types of financial and bureaucratic vulnerability most people have in modern society. You can imagine the potential ramifications in your life if your credit cards, credit line and bank account were suspended, even if only temporarily, and the trouble and costs to have the situation resolved.

Let this threat serve as another reminder to shred documents, jealously guard your financial privacy and personal information, check your credit report, and avoid situations that could compromise personal data.

August 8, 2007

Irish Grandparent? Irish Passport

Many people who can document that one of their grandparents was an Irish citizen can apply for Irish citizenship via entry in the Register of Foreign Births, and then apply for an Irish passport. Children of those foreign-born Irish citizens with Irish grandparents are eligible too, as long as the child was born after the parent's citizenship was recorded by an Irish Consulate.

Before applying, I investigated and verified that Ireland had no military draft law and did not tax citizens living abroad, thereby making it safe to proceed. What were the advantages beyond maintaining a link to our ancestral homeland being a conversation piece? The idea of having an EU passport that allowed me to travel and work in the (now 27) nations of the EU without having to hassle with the visas and work permits that are usually required to travel, live or work in a foreign nation was appealing. Also, being familiar with the bloody history of the 20th century as well as having worked in both aviation and IT, two areas where backup systems are standard operating procedure, I felt that a costless backup citizenship might make sense for my descendants. The biggest reason was probably the potential advantages it would offer to my children and me in the global economy which, even then, was the apparent trend for the future.

U.S. citizens can become dual citizens as long as the alternate citizenship is granted after their U.S. citizenship, as the U.S. citizenship process requires an applicant to renounce all other citizenships. Ireland, by contrast, does not require an applicant to renounce other citizenships.

July 30, 2007

Check your assets every year

The San Francisco Chronicle on "unclaimed assets" seized under California state law, unbeknownst to its owners:

Years ago, Carla Ruff stored her grandmother's jewelry and a file of personal documents in a safe-deposit box at her bank in San Francisco's Noe Valley, thinking they would always be there when she wanted them.

Not so. Without giving her notice or acting on evidence that she'd forgotten about her cache, the bank's staff, under the auspices of the state, determined the contents of her box to be unclaimed property.

In July 1997, bank records show, the pearl necklace and diamond-encrusted pin, real estate and insurance documents as well as her birth certificate were all removed. The paperwork was shredded and thrown away. Her jewelry was auctioned off on eBay -- for a fraction of its $80,000 value.

Ruff said she didn't know what had happened until January 2006, when an illness in the family sent her to the Bank of America branch looking for the deed to her house. Weeks later, the bank manager told Ruff that her property had been seized by the state under a law that requires the government to take control of lost or abandoned assets.

Elaborate privacy arrangements can discourage us from checking up on our assets as frequently as we should. Sometimes it's difficult to verify financial arrangements while maintaining strict privacy procedures such as mail drops, or depositing cash into accounts in person in lieu of automated transfers (to avoid creating a paper trail linking the accounts together through the transaction).

Nonetheless, it behooves anyone with assets held by an outside institution or with agreements with business associates to check their status occasionally. It's something we should plan for when setting up privacy arrangements:

  • U.S. Post Office box fees can usually only be paid a year in advance -- a renewal notice should come 30 days before payment is due.
  • Safe deposit boxes should be visited at least yearly.
  • Financial accounts should be checked monthly for evidence of unauthorized access or identity theft.
  • Many types of insurance contracts must be renewed yearly.
  • LLC costs may be due after the first three years depending on provider.
  • Trusts and attorneys should be contacted yearly or more frequently.
  • Financial accounts with tax implications must be verified at the required tax intervals.

June 13, 2007

How insurance companies price your car insurance

Insurance can be an adversarial business relationship, unfortunately. In some circumstances, the more your insurer knows about you, the higher the rate they will charge you. This gives them every incentive to ferret out information pertinent to your insurance risks -- or what they believe affects your insurance risks, anyway.

A Consumerist article gives insight into the privacy implications and pricing strategy of auto insurance.

Note that insurance companies access the following databases to actuarially determine the likelihood of an insurance claim: CLUE report, credit report, and driving history.

As with credit reports, a critical source of information is what you tell the insurance company:

Driving histories go back 36 months, except in New York (which is 40 months). Your history is composed from three reports: your MVR or Motor Vehicle Report, the state database of your ticketed driving history; your CLUE report, a collection of previous insurance companies' reports stating the numbers of claims you've had; and YOU. If you say you got in an accident, were never cited for it and never claimed it on your insurance, but you still tell us, it'll be put on your record with an approximate date.

Credit score and insurance rates

It is illustrative how your credit report affects your insurance score, and thus your insurance rates. By 2001, 92% of insurers were considering credit scores when quoting insurance.

Remember that information you give to an insurance company may well end up on your credit report. Along with the usual distinguishing characteristics (name, date of birth, SSN or other national number), insurers will likely report your submitted information to the credit reporting bureau. This could happen even if you're just getting an insurance quote, and needs to be taken into account if you're keeping your street address confidential.

Complete truthfulness doesn't always pay when it comes to dealing with insurers who will collect every personal detail to accurately assess you with their actuarial tables.

Bermuda to track road vehicles with RFID

RFID Journal reports that the Caribbean nation of Bermuda plans to tag registered cars and trucks with RFID transponders to increase road registration compliance and revenues.

The ISO 18000-6B standardized, 915 MHz tags will be embedded in tamper-resistant windscreen stickers, and are made by 3M. The laser readers placed by the side of the road are made by Transcore.

Sabotaging the RFID tag is ineffective because the RFID interrogation is combined with an ANPR system:

If a car arrives at an intersection and no interrogation of an RFID tag can be performed, the system will take a picture of the car's license plate. Using optical character recognition software, the system will read the vehicle's plate numbers and input them into a database so a citation can be automatically issued. The same system will be employed to detect commercial vehicles operating in restricted areas during rush hour without permits.

Bermuda's Transport Control Department expects that all of the island nation's registered cars should be RFID tagged by June 2008. Motorcycles will be exempt from the RFID tagging requirement, though authorities may later decide to bring them into the program.

The privacy implications of the mandated RFID transponders are profound. It is very feasible for groups unassociated with Bermuda's Transport Control Department to develop the ability to read the RFID tags and track specific automobiles by their electronic ID. In fact, an older version of this technology was used by a United States intelligence agency during the Cold War to track Soviet attaches whenever they crossed one of a handful of Washington, D.C. bridges and passed outside the 20-mile unrestricted transit limit.

June 12, 2007

Confessions of a Money Launderer

Money launderer Kenneth Rijock kept a low profile and avoided creating a paper trail despite constant financial entanglements for his clients:

"I maintained absolutely no bank accounts in the US, operating on a strict cash payment basis to ensure that no records of any business transactions for criminal clients existed. This is much harder than it sounds, for though one might use third-party accounts that don't alert law enforcement investigators, it is more prudent to avoid it altogether. I had no US bank accounts for five years, using an overseas tax haven account to obtain cashier's cheques drawn on a New York correspondent account very sparingly, and only for totally innocent personal transactions."

"Own nothing in your own name: rent your home and office, either lease an automobile or place it in the name of a third party. In short, make enquiries of your assets more difficult to discover, and information about your operation more difficult to link to you or your clients. If possible, reduce your profile even more by closing out legitimate business, whilst maintaining a fictitious facade that legitimate business is ongoing. Return all telephone calls, but decline new business due to purported schedule overload."

April 23, 2007

Fake Credit Report Sites

If you're an American looking to get one of the free credit reports guaranteed by the Fair Credit Reporting Act (FCRA), the site you want is Their phone number is 877-322-8228.

Ignore all other sites or offers unless you're looking for high-pressure inducements for pricey add-on services, or even flat-out fraud. Do you really want to be giving out your vital information, like SSN and DOB, to a potential scammer or some random unscrupulous type who would portray themselves as an official source for data as private as a credit report?

For more information about the reputability of credit report websites, read the FTC report on fake credit report sites.

April 3, 2007

Keep those grandfathered bank accounts

Remember the proposed "Know Your Customer" (KYC) rules, where the U.S. government was going to force banks and related financial institutions to develop a profile on each of the institution's customers?

But Know Your Customer was defeated, right? Not so fast.

Know Your Customer rules have been quietly resurrected as two separate programs, with other benign-sounding names.

Meet Customer Identification Program (CIP) and Enhanced Due Diligence (EDD).

Customer Identification Program, or CIP, requires that financial institutions (including casinos, pawnbrokers, insurers and money transmitters) positively identify the individual or organization with which they have a formal business relationship. The actual CIP procedure will vary by institution, but will be documented.

CIP requires the following information on each customer: legal name, date of birth (DOB), street address, and taxpayer identification number. Taxpayer Identification Number, or TIN, is usually a Social Security Number for U.S. citizens, or a Social Identification Number, or SIN, for Canadians. For addresses, P.O. boxes and accommodation addresses are explicitly disallowed for accounts opened after October 1, 2003.

Almost all financial institutions require government-issued ID for the CIP process, although many banks are accepting the Mexican matricula consular card in an effort to garner the business of Mexican nationals who may not have identification documents issued by U.S. agencies.

Enhanced Due Diligence is a program where banks monitor their customers' activity on an ongoing basis for illegal activity or suspicion of illegal activity. Bank compliance officers are looking for evidence of terrorist financing, transactions with blacklisted entities, fraud, check kiting, identity theft, tax evasion and money laundering.

Enhanced Due Diligence screening is usually done by data mining account transaction records, looking for patterns that might be indicative of these crimes. Many firms offer software packages to help automate the data sifting, but similar results can be obtained with basic data analysis tools like a spreadsheet, as long as criteria are previously defined.

It's worthwhile to keep grandfathered bank accounts that date from before the Patriot Act. These accounts, and accounts at the same institution, are not subject to Customer Identification Program requirements.
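The EDD screening described above, as an added example (not code from the original post or from any compliance vendor): a small Python rule screen run over constructed transaction records. The watch list, the threshold and window parameters, and the ledger entries are all assumptions made up for the illustration; the point is that once the criteria are defined, the sifting is plain data analysis.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample ledger: (account, date, kind, amount, counterparty).
TRANSACTIONS = [
    ("A-100", date(2007, 3, 1), "deposit",     9500.00, "cash"),
    ("A-100", date(2007, 3, 2), "deposit",     9700.00, "cash"),
    ("A-100", date(2007, 3, 3), "deposit",     9800.00, "cash"),
    ("A-200", date(2007, 3, 1), "wire_out",   12000.00, "Example Trading Ltd"),
    ("A-300", date(2007, 3, 5), "check_dep",   4000.00, "A-400"),
    ("A-300", date(2007, 3, 5), "withdrawal",  3900.00, "cash"),
    ("A-400", date(2007, 3, 6), "check_dep",   4100.00, "A-300"),
    ("A-400", date(2007, 3, 6), "withdrawal",  4000.00, "cash"),
    ("A-500", date(2007, 3, 7), "deposit",     2500.00, "payroll"),
]

# Constructed watch list standing in for a sanctions / blacklist feed.
BLACKLIST = {"example trading ltd"}

# Assumed rule parameters; a real program sets these from its own policy.
CASH_REPORT_THRESHOLD = 10_000.00
STRUCTURING_WINDOW = timedelta(days=3)
KITING_WINDOW = timedelta(days=3)


def rule_blacklist(txns):
    """Flag accounts that transact with a watch-listed counterparty."""
    return {acct for acct, _d, _k, _a, party in txns
            if party.lower() in BLACKLIST}


def rule_structuring(txns):
    """Flag accounts whose individually sub-threshold cash deposits add up
    to the reporting threshold within a short window (a laundering pattern)."""
    by_acct = defaultdict(list)
    for acct, day, kind, amt, party in txns:
        if kind == "deposit" and party == "cash" and amt < CASH_REPORT_THRESHOLD:
            by_acct[acct].append((day, amt))
    hits = set()
    for acct, deps in by_acct.items():
        deps.sort()
        for i, (start, _amt) in enumerate(deps):
            window_total = sum(a for d, a in deps[i:] if d - start <= STRUCTURING_WINDOW)
            if window_total >= CASH_REPORT_THRESHOLD:
                hits.add(acct)
                break
    return hits


def rule_kiting(txns):
    """Flag account pairs that deposit each other's checks within a short
    window and drain each deposit the same day, before it could clear."""
    check_deps = defaultdict(list)  # (depositor, drawer) -> deposit dates
    drains = defaultdict(set)       # account -> dates with a cash withdrawal
    for acct, day, kind, _amt, party in txns:
        if kind == "check_dep":
            check_deps[(acct, party)].append(day)
        elif kind == "withdrawal":
            drains[acct].add(day)
    hits = set()
    for (a, b), days_ab in check_deps.items():
        for day_ab in days_ab:
            for day_ba in check_deps.get((b, a), []):
                if (abs(day_ab - day_ba) <= KITING_WINDOW
                        and day_ab in drains[a] and day_ba in drains[b]):
                    hits.update((a, b))
    return hits


RULES = {
    "blacklisted_counterparty": rule_blacklist,
    "possible_structuring": rule_structuring,
    "possible_check_kiting": rule_kiting,
}


def screen(txns):
    """Run every rule over the ledger; return {account: [rule names that fired]}."""
    flagged = defaultdict(list)
    for name, rule in RULES.items():
        for acct in rule(txns):
            flagged[acct].append(name)
    return {acct: sorted(names) for acct, names in flagged.items()}


if __name__ == "__main__":
    for acct, reasons in sorted(screen(TRANSACTIONS).items()):
        print(acct, ", ".join(reasons))
```

Each rule is the kind of criterion a spreadsheet filter could also express; the account A-500 with an ordinary payroll deposit is left unflagged.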

In other words, if you are a long-time customer of a bank, but that bank doesn't already have a full CIP profile on you, they are not required to collect all of the CIP information for you to open additional accounts or financial products with them. Sometimes bank procedures encourage account representatives to collect the information, but most do not.

Be aware that this only applies if you are a grandfathered, existing customer of the bank. If you have previously closed all of your accounts with that institution, you're classified as a new customer for purposes of the Customer Identification Program and will have to supply all of the ID and documentation required of a new customer. Accounts opened after October 1, 2003 cannot be opened with P.O. box or commercial mailbox, as many people used to do to preserve their privacy.

Keeping those grandfathered accounts around, with minimum balances if necessary, can save you from having to provide information that you'd rather not provide to open an account in the future. This includes keeping your old accounts open when you move, especially if you are going to open a new account at the local branch of the same institution at your new home or office.

Remember, though, to keep old account checkbooks and paperwork in a very secure location with the rest of your financial documents.

March 25, 2007

Residential WiFi mapping database revealed

Skyhook Wireless has been scanning American neighborhoods for WiFi access points and putting them into a database. So far they've got 16 million detected wireless access points, covering the majority of the U.S. and Canadian population.

Remember again, if computer privacy and security are more important to you than convenience, don't network without wires. Information is out of your control once it hits the airwaves.

February 21, 2007

Prescription Records for Sale

In January 2007, the new National ePrescribing Patient Safety Initiative (NEPSI) debuted with a high-profile article in Time magazine.

This web-based system is supplied free of charge to physicians, ostensibly to reduce prescription error rates. Revenue to pay for the information system comes from the participating pharmacies and insurers who save time and money.

Now there are accusations that this database has been developed to give drug marketers, insurance risk assessors, and employers access to patients' private prescription records.

According to a Government Health IT article, all the prescription records stored in the new NEPSI database are for sale:

Security makes little difference because every identifiable prescription in the country is data mined and sold daily. Nobody needs to break into pharmacies to steal our prescriptions; they are for sale. For example, market intelligence firm IMS Health reported revenues of $1.75 billion in 2005 solely from the sale of prescription records, primarily to drug companies.

In another article, Dr. Peel says that NEPSI sells data to large employers:

In 2006, the national Blue Cross and Blue Shield Association announced its Blue Health Initiative to aggregate and sell the claims, medical and prescription data of all 79 million enrollees to large employers. This database will include far more detail than e-prescription records, making the sales of Blues data worth far more than the billions in revenue from selling e-prescription records alone.

But Allscripts CEO Tullman denies that prescription data will be misused:

Patients and physicians will have unique access to all the information. It's not our data. We don't claim it's our data. [...] Google will have no access to data we receive as part of the electronic prescribing process.

What can you do?

  • Ask your medical care providers if they use the web-based NEPSI electronic prescription system.
  • Consider refusing prescriptions for conditions that you would not want your employers or government to know about. Some doctors will give out samples to their patients, and this might be a sufficient quantity to forgo a formal prescription.
  • A cash transaction by itself won't keep you out of the NEPSI database because it contains patient information and the prescription itself, not just billing information like an insurer's database might.
February 9, 2007

Laptop data searches at border checks

U.S. courts have approved border agents' search of travelers' laptops without articulable probable cause.

Indications are that U.S. and Canadian customs officials are searching laptops for pornography and obscene material.

Some travelers report being asked if the laptop they were carrying was a personal or company unit. Presumably, corporate laptops are less likely to be checked for obscene material than personal units are.

Authorities also have the ability to conduct forensic computer searches at border crossings and have done so in the past.

Data transmitted across national borders via the Internet is more strongly protected than data hand-carried through Customs checkpoints, because wiretaps must comply with the requirements of Title III, 18 U.S.C. §§ 2510-2522, or the Pen/Trap statute, 18 U.S.C. §§ 3121-3127. The few advantages of hand-carry are totally lost if one cannot be assured that the data hasn't been copied, or that software or hardware spying mechanisms haven't been implanted within it.

Travelers with sensitive or legally privileged data will want to Customs-proof their laptop before crossing a controlled border. Strong encryption is the best tool to protect data that must be hand-carried through Customs instead of residing on a remote server. Some organizational IT departments are investigating hardware hard-disk encryption, sometimes combined with hardware biometric readers.

It is unclear at this time whether a traveler can be forced to divulge a password. One privacy wonk has suggested wearable or concealable USB drives as a measure of protection.

February 3, 2007

The power of data mining

An exercise in finding subversives through wishlists illustrates the power of data mining:

It used to be you had to get a warrant to monitor a person or a group of people. Today, it is increasingly easy to monitor ideas. And then track them back to people. Most of us don't have access to the databases, software, or computing power of the NSA, FBI, and other government agencies. But an individual with access to the internet can still develop a fairly sophisticated profile of hundreds of thousands of U.S. citizens using free and publicly available resources. Here's an example.

There are many websites and databases that could be used for this project, but few things tell you as much about a person as the books he chooses to read. Isn't that why the Patriot Act specifically requires libraries to release information on who's reading what? For this reason, I chose to focus on the information contained in the popular Amazon wishlists.

January 5, 2007

Medical Identity Theft

From the January 8, 2007 issue of Businessweek, an article about medical identity theft and health care databases:

But some privacy advocates fear that the rush toward digital health records could ironically create new nightmares for victims of medical ID theft. Rather than residing in a single doctor's paper files, fraudulent information—such as the erroneous diabetes diagnosis in Lind Weaver's records—could circulate in other medical databases across the country. Given that some medical ID thefts are "inside jobs," wherein rogue clerks sell patient data to fraudsters on the outside, privacy advocates believe that allowing data to flow more freely around a national network could make such thefts even easier. "We can expect [medical ID theft] to grow the more we move toward an electronic health-care system. It's going to be a disaster," says Dr. Deborah Peel, an Austin (Tex.) psychiatrist and founder of the Patient Privacy Rights Foundation.

...but, as usual, the weakest link is a human:

In September, federal authorities arrested a scheduling clerk at the Cleveland Clinic's Weston (Fla.) hospital who allegedly had passed on the personal identification information of more than 1,100 patients to her cousin—who in turn submitted $2.8 million in false claims to Medicare. "Hospitals have done a poor job of implementing security procedures on their computer systems," says one federal investigator. "You'd be astonished how many people have access to your medical records."

U.S. Mint Data Mining & Credit Card Privacy

This article on U.S. federal government surveillance mentions the U.S. Mint's credit card data mining program:

Unlike the NSA and Treasury spy programs, a U.S. Mint program that trawls through your credit card data when you make online purchases isn't aimed at terrorists. It was built to spy on ordinary Americans in an effort to "detect criminal activities or patterns" and "stop fraudulent activity involving stolen credit cards." Yet very little has ever been written or reported about it.

The article also mentions the DIA's purchase of Verity K2 Enterprise software to search the databases of other intelligence agencies, the IRS's Reveal, and others from the GAO report on government data mining.

January 1, 2007

The Value of Privacy

Cryptographer Bruce Schneier on the value of privacy:

Cardinal Richelieu understood the value of surveillance when he famously said, "If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged." Watch someone long enough, and you'll find something to arrest -- or just blackmail -- with. Privacy is important because without it, surveillance information will be abused: to peep, to sell to marketers and to spy on political enemies -- whoever they happen to be at the time.