Monday, December 31, 2007

Seasons Greetings

At the start of the holiday season this year my friend Moses Whiffington of Boston, Mass went to fill his car with gas and his credit card was refused. His wife Wilhelmina was turned down at Walgreens Pharmacy an hour later and could not buy Robitussin for little Benjamin – “Sorry, mam, your credit card has been frozen”. The credit card company said they were over their limit in the last hour because of the $6 K charges they had made in Boston at Bonwitt Teller. Moses was at home filling his snowplow with gas when those charges were made. The Whiffingtons had not mail ordered six gold Christmas gift bracelets to be sent by currier to an address only 2 blocks from the store.

The next day they got the notification from the famous MM Kean Outdoor Wear Catalog Company in Pawamatuxet, Maine that, as per application, a business account had been activated and the first shipment of Wully Pully cashmere sweaters in the amount of $12,000 had been shipped, as per instructions, to Whiffington Outlet Bazaar in Amarillo, Texas. And, MM Kean proudly announced “We are pleased to tell you that you’ve been authorized for the Platinum Credit Line of up to $60k. Congratulations and Happy Holidays!”

Moses and Willy are typical of millions of Americans whose credit information is stolen by cyber crooks. Then the long, frustrating, and angry process of trying to recover credit ratings and their good name begins. What a way to spend Christmas!

Moses was innocent and had mostly ignored news stories and reports about ID Theft. His company, Vizagnez Pharmaceutical Packaging had never run an employee training program on Identity Security and Moses who is VP of Marketing had never had alarm bells go off when customers complained that after doing business with Viz (as the company is known) they suddenly had unauthorized charges in the tens of thousands on their company accounts. Little did Moses know that the marketing web site had been hacked, spyware installed, and vital, confidential information leaked out on customers accounts.

Moses called me on my cell and I authorized a download of our book on ID Theft as my Christmas present to him and his family. He followed the check-list of ten steps and is now spending New Years applying for new and more secure credit cards. He also has ordered a complete security review of all customer data. My associate and I are flying out to Boston to do a one-day training seminar for all employees at Viz Packaging. This seminar will be archived and available for all new Viz employees who are required to take it and pass the certification testing of our ID Secure CompanyÔ training program.

Meanwhile, preoccupied with cutting the size of the federal government and “getting government off your back”, the Congress and the Executive Branch have still not stepped up fully and robustly to enact much tougher and proactive identity theft legislation.

Last week Moses got a package from DHL Delivery Services that his corporate account for package delivery and small business credit had been approved. He expects to get approved for many more unsolicited business accounts and the charges that come with those as the thieves continue their spending spree.
Happy Holidays, Merry Christmas, and we hope that your New Year 2008 is free of these hassles.

Labels: , , , , , , , ,

Wednesday, December 12, 2007

The archeological deposit of trillions of data rats

Here we go again! The use of Social Security numbers for every random, routine activity has left an archeological deposit of trillions of data rats nests scattered all over the landscape of the United States.

Until a few years ago professors at a major US University reported that they had to fill out a new form every semester with all their info INCLUDING SOCIAL SECURITY NUMBER to obtain an activated key so they could access the multimedia cabinet in their classrooms. Most of these forms were faxed top the office where this was done and were stuck in cabinet somewhere.

The announcement of the data breach below follows the industry standard phrase “We want to assure you that there is no evidence that the computer intruder accessed the files containing Social Security numbers.” Usually the lawyers also add “There is no evidence that any of the information has been used in any identity thefts.”

All we can say is “Yeah, right!”

Here is the latest case study for you to study.

DATE: Dec. 11, 2007

TO WHOM? Iowa State University Faculty and Staff:

WHAT? “A security breach recently was discovered on a server in the Office of
Sponsored Programs Administration. Old files found on that server contained the names and Social Security numbers of approximately 2,900 faculty and staff who submitted proposals through the OSPA GoldSheet process prior to Jan. 1, 2006.

“We want to assure you that there's no evidence that the computer intruder accessed the files containing Social Security numbers. Our technical experts believe the primary motive was to store movies and hacker-related software.”

Two servers at OSPA were breached by the intruder, but only one computer contained files with Social Security numbers. The security breach was reported to Information Technology Services staff on Monday, Nov. 26. The server had already been removed from the campus network. A thorough examination of the server over several days yielded files containing names and SSNs.

Over the past couple of years, Social Security numbers have been removed from all central systems and business processes, except where the SSN is required. This incident points to the urgency to inspect old files and remove Social Security numbers that once were a routine part of university reports. If you need assistance in finding protected information on your computer or would like to know more about securing your computer, please contact …………., ITS security.

We regret any inconvenience or distress this security breach may cause.
We do not think it is likely your information was accessed, but if you are concerned, please see the resources below.

If you have concerns or comments on this security incident, please feel
free to contact either of us.

Michael McCoy @
Dr. Steffen Schmidt @


What should I do if I am concerned about possible identity theft?

1. Place a fraud alert on your credit report. This tells creditors to contact you before opening any new accounts or making changes to current accounts. The Federal Trade Commission offers more information on how to place a fraud alert at

2. Get a copy of your credit report from the three major credit bureaus
(Equifax, Experian, and TransUnion) and make sure all accounts on that report belong to you. You're entitled to a free annual credit report from the three major credit bureaus. See:

Labels: , , , , , , ,

Monday, December 10, 2007

Headline – “Tennessee: Lab Reports Cyber Attack”

When was this revealed: December 7, 2007

Who did it happen to: The Oak Ridge National Laboratory “Originally known as Clinton Laboratories, ORNL was established in 1943 to carry out a single, well-defined mission: the pilot-scale production and separation of plutonium for the World War II Manhattan Project. From this foundation, the Laboratory has evolved into a unique resource for addressing important national and global energy and environmental issues. Today, ORNL pioneers the development of new energy sources, technologies, and materials and the advancement of knowledge in the biological, chemical, computational, engineering, environmental, physical, and social sciences.”

What Happened: Oak Ridge Lab reported a “sophisticated cyber attack” over the last few weeks might have allowed personal information about thousands of laboratory visitors to be stolen.

“The attack appeared “to be part of a coordinated effort to gain access to computer networks at numerous laboratories and other institutions across the country,” the laboratory’s director, Thom Mason, said in a memorandum to the 4,200 employees of the facility, part of the Department of Energy. Laboratory officials said hackers might have infiltrated a database of names, Social Security numbers and birth dates of every laboratory visitor from 1990 to 2004.”

“Officials have sent letters to about 12,000 potential victims. The assault was in the form of phony e-mail messages containing attachments, which when opened allowed hackers to penetrate the laboratory’s computer security.”

What are the Potential Consequences? If you go to the Oak Ridge web site there is NO MENTION of this attack against their data base. Can YOU start speculating about how this particular information could be abused? Think who “visitors” to this very specialized and high security facility might have been? Grade school students? NO! Tourists from Norway? Hardly!

How about people who themselves have massive amounts of highly sensitive information on nuclear and other processes that are crucial to US national security?

Now whoever stole this information can launch attacks against these 12K visitors web sites, e-mail, data-bases and computers.

Maybe they can even create false ID’s with the information they obtained and maybe they can now become “visitors” to Oak Ridge!

Is there no end to the incompetence, laziness, and data leaking behavior of our government organizations?!

  • All Material is Copyright © 2009 Michael McCoy and SEAS, L.L.C
  • Deter. Detect. Defend. Avoid ID Theft -