Information Security News mailing list archives

Electronic Fraud Newsletter #9


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Wed, 8 Sep 1999 16:48:43 -0600

From: Edentify2000 () aol com

ELECTRONIC 
IDENTITY FRAUD 
NEWSLETTER

Volume 2, Issue 5
July 14, 1999 

From:        e-DENTIFICATION, Inc.
Voice:       (717) 859-2430
Fax:          (717) 627-5454
Email:       Edent99 () aol com  
Web Site:  www.e-dentification.com 

John F. Ellingson, Madison, WI - editor 
Principal in e-DENTIFICATION, Inc.
Email Address: ellingson () e-dentification com

IDENTITY FRAUD & PRIVACY CONCERNS

Electronic commerce, or ".com", has tremendous currency in the investment 
community. It is spawning new business every day and capturing the 
imagination of investors, shoppers, bankers, and thieves. Two recent studies 
addressed the problem of credit card chargebacks (charges made on credit 
cards that are disputed by the card holder). In the normal point-of-sale 
world chargeback transactions are less than 1% of the volume. In the ".com" 
world chargebacks are from 15% to 37% of the volume.

This is an indicator that there is something seriously wrong in the way we do 
business on the Internet and has serious implications for identity fraud and 
privacy concerns. Nearly every time you attempt to use a credit card to make 
a purchase on the Internet you are assured you are using a "secure server." 
There are secure sockets and digital certificates and there is weak and 
strong encryption. Yet with all of these technologies credit card 
transactions fail at rates that are more than an order of magnitude greater 
than transactions conducted outside of ".com".

As the two stories reported in this newsletter indicate, personal information 
about anyone and everyone is available to anyone who knows how and where to 
ask for it. The security systems employed on the Internet are dependent on 
that same information. This dependency cannot help but result in a seriously 
flawed system.

I would suggest that the paradigm that Internet security is based upon is that 
of the postal service; and why not, we call our Internet communications 
email? Let's take a minute and examine that paradigm. The mission of the 
postal service is to deliver a package from sender to receiver as safely, 
promptly and accurately as possible. As far as it goes, this is a good 
paradigm. However, it does not go far enough. The postal service does nothing 
to check the identity of the sender and only with rare exceptions even inquires 
about the identity of the recipient. The postal service delivers from place 
to place -- not person to person.

The postal service delivers hate mail, birthday greetings, bills, junk mail 
and the occasional bomb all with the same efficiency. So does the Internet. 
Neither the security at the post office, nor the Internet concerns itself 
with content or the identity certainty of those sending and receiving the 
message. This is the heart of the problem. It is manifest in the very human 
behavior of lying. People lie to one another. Because the Internet is largely 
anonymous it promotes lying by making it easy. It is not surprising that the 
proliferation of lying results in transactions that fail because they are 
based on lies.

In the chargeback situation there may be two kinds of lies. The first kind is 
someone who lies about their identity. They may be using a credit card that 
doesn't belong to them and lie to say they are the person it belongs to. The 
second lie is in some ways more insidious. This is the previous lie, but in 
reverse. The person whose credit card was used is the person who made the 
purchase, but because an identity is not verified at the time of purchase the 
person can now deny making the purchase and avoid paying for it.

In a nonscientific survey conducted by a television station in Southern 
California 61% of those asked indicated that they would steal services from a 
utility or the phone company if they were sure they could get away with it. 
It would seem they are getting away with it on the Internet.

Until we come up with a different paradigm that secures more than the 
transmission of messages and can confirm identities on the Internet, the 
".com" dream will continue to be tainted with a bit of a nightmare.

e-Dentification, Inc. assures identities and privacy on the Internet, 
Securing Business, Securing You.  

John F. Ellingson, Madison, WI - editor 
Principal in e-DENTIFICATION, Inc.
Email Address: ellingson () e-dentification com

NEWS ITEM

INVESTIGATOR ARRESTS SPUR CONCERN

The Associated Press 
AP-NY-07-06-99 0242EDT
By Steven K. Paulson

GOLDEN, Colo. (AP) - James and Regena Rapp were arrested and indicted as the 
result of a sting operation by the Colorado Bureau of Investigation. Their 
company DBA "Dirty Deeds Done Cheap" and "Phantom Investigations", brokered 
information to private investigators and media companies investigating their 
competition.

The sting was set up to recover detailed personal information, bank and 
telephone records and credit-card bills that James and Regena Rapp and their 
employees lied and schemed to get, in the JonBenet Ramsey murder 
investigation, for possible publication in the tabloids.

According to a Jefferson County grand jury indictment, the Rapps and their 
employees telephoned companies to ask for copies of the Ramseys' personal 
records, claiming to be the Ramseys. The copies were faxed to a phone number 
that routed the documents to the Rapps, including court case file information.

In the sting, an agent set herself up as a target to see what the company could 
find out about her. "We thought we'd run it up the flagpole. She was 
surprised by the details they found," Brown said. "It came back exactly what 
her phone bill was and bank balance statement was."

The Rapps' recent indictment for racketeering has again created concern over 
the ease with which personal information may be obtained. 

"It's a question of identity and privacy," said Tara Lemmey, president of 
the Electronic Frontier Foundation, a nonprofit organization that tracks the 
Internet and privacy issues. "In this case, it's a case of fraud. We already 
have good fraud laws on the books. The larger question is, should people have 
the right to get information on another person."

Lemmey said "that with the proliferation of computers and databases, 
personal information given in confidence isn't always kept private…people 
assume the information they provide will only be used for a driver's license 
or to buy a dishwasher…they need to know that the information is now being 
used for other things."

Pam Russell, a spokeswoman for Jefferson County prosecutors, said "There are 
certain things in our lives that are personal and private - our finances, who 
we call, who we talk to…I can't even get this information without a warrant."

NEWS ITEM

Minnesota Attorney General Hatch Sues U.S. Bank for Disclosing Customers

ST. PAUL, Minn., June 8 /PRNewswire/ -- Minnesota Attorney General Mike 
Hatch announced a lawsuit today against U.S. Bank for allegedly releasing 
customers' private banking information to a telemarketing company in exchange 
for a fee of $4 million plus commissions, some of which Hatch said were 
generated through bogus, unauthorized charges by the telemarketing company. 
Defendant US Bancorp (NYSE: USB) is a multistate bank holding company and the 
parent of U.S. Bank. Hatch alleges that U.S. Bank violated the federal Fair 
Credit Reporting Act and engaged in consumer fraud and deceptive advertising 
by providing the telemarketing vendor with such private information as Social 
Security numbers, account balances and transactions and credit limits.

"People are appropriately careful about protecting their Social Security 
number, checking and credit card information," said Hatch.  "When a bank 
hands out this information to the highest bidder, it has to answer to its 
customers and to the Attorney General's Office."

Specifically, U.S. Bank provided Member Works Inc. with the following 
information for its customers: name, address, telephone numbers of the 
primary and secondary customer, gender, marital status, homeownership status, 
occupation, checking account number, credit card number, Social Security 
number, birth date, account open date, average account balance, account 
frequency information, credit limit, credit insurance status, year to date 
finance charges, automated transactions authorized, credit card type and 
brand, number of credit cards, cash advance amount, behavior score, 
bankruptcy score, date of last payment, amount of last payment, date of last 
statement, and statement balance.

Since November 1996 U.S. Bank has received over $4 million plus commissions 
-- commissions equal to 22 percent of each sale Member Works made -- from 
the provision of its customers' private information to Member Works. Member 
Works used the U.S. Bank customer data to sell memberships in a health 
program that allowed members to get discounts on dental and health care 
visits.

Hatch also alleges that in addition to providing confidential customer 
information, U.S. Bank approved telemarketing scripts that contained 
deceptive information.  For example, if a customer asked a telemarketer if 
U.S. Bank had given the customer's credit card or checking account number to 
the telemarketer, the script instructed the telemarketer to answer "No, I 
personally do not have your account number."

Hatch alleges that U.S. Bank violated federal law and banking rules by 
allowing the telemarketing company to automatically withdraw payments from a 
checking account without written authorization from the consumer.

Federal and state regulatory agencies require banks to publish privacy 
policies telling consumers how their personal information will be used, who 
has access to the information and if the bank intends to give its personal 
information to non-affiliated third parties.  U.S. Bank has a privacy policy 
printed in its U.S. Bank Customer Agreement that says "We share your concerns 
about the privacy of your personal information and strive to maintain its 
confidentiality."  Nothing in the bank's agreement reveals that personal, 
confidential information is being sold to companies that are not affiliated 
with U.S. Bank.  Hatch also said at the press conference that none of U.S. 
Bank's consumer brochures disclose to customers that their names and account 
information could be sold to a third party.

Hatch is asking that the court prohibit the bank's exchange of customers' 
personal information and order the bank to pay civil penalties to consumers. 
Hatch also called upon Congress to enact legislation to protect consumers' 
rights to financial privacy.

On Monday, U.S. Comptroller of the Currency John Hawke condemned practices 
like those described above as "seamy," unfair and deceptive. (Wall Street 
Journal, June 8, 1999.)

PRESS RELEASE

e-DENTIFICATION NAMES NEW CHIEF OPERATING OFFICER

Madison, Wisconsin...July 9, 1999...John Ellingson, president and founder of 
e-DENTIFICATION announced today, effective immediately the appointment of J. 
Rick Ingram as Chief Operating Officer. 

Mr. Ingram will be responsible for the day-to-day operations including 
research, finance, investment banking, sales, administration and will chair 
the Internal Operating Committee. "Rick Ingram is an outstanding manager who 
as Chief Operating Officer brings many years of experience and expertise to 
the company and can assist the company in reaching the next level of growth 
without compromising our focus on quality and service," said John 
Ellingson, President and founder. 

Prior to joining e-DENTIFICATION, Ingram was a 20 year veteran of the 
software industry, formerly with Platinum Technology, in an Executive Sales 
position specializing in Fortune 500 Companies, with Boole & Babbage in 
Executive Operations dealing with Fortune 50 Outsourcers, and as a Senior 
Sales Executive for Fischer International. 

Email John Ellingson at: ellingson () e-dentification com 
Email Rick Ingram at: ingram () e-dentification com 


ABOUT THIS NEWSLETTER

Free...OK to Copy or Remail
Subscribe/Unsubscribe to:                                           
Edent99@ aol.com 

ISN is sponsored by Security-Focus.COM

