Author Archives: Jeremy

RFID Passports Allow Remote ID of Holder’s Nationality

Well flipping duh.

Most newly issued passports carry an embedded RFID containing digitally signed biometric information. Access to this chip is wireless, which introduces a security risk, the possibility that an attacker might be able to access data on a person’s passport without the owner knowing.

It's this reason that putting RFID in passports was such a stupid idea to begin with. Put wireless into any system that protects private information and watch the world come crashing down around you.

I'm not saying that it's impossible to secure a system using wireless, but it takes a whole hell of a lot more effort than was put into the passports system.

Anyway, now that someone has proven this is viable, those fears that someone can just scan a crowd and find the Americans to target have been entirely validated.

Georgia Credit Freeze Bill in the Works

Though the credit reporting companies scrambled to allow freezes in all states most likely to prevent each state from enacting their own laws with lower fees and more restrictions than they wanted, many states are still pursuing their own legislation (as they should).

Georgia's proposed law would allow freezes for only $3 and would automatically be free for anyone 65 and up (the first state I've heard of to have such a provision). Though it's not law yet, this is one of the better ones I've seen.

Arizona is also busy on a credit freeze law, but I wasn't able to find any details on how well their law is written.

Lifelock Adds a REAL Service!?

According to Businesswire.com, Lifelock will be adding a real bona fide service to their program.

Effective immediately, LifeLock will begin rolling out eRecon(TM), a regular patrol of the Internet in search of the social security numbers, credit card numbers, driver’s license numbers and email addresses of LifeLock members to protect against the information being illegally traded or sold online.

What is not explained is what parts of the Internet will be "scoured" or what they will do when they find this information. But in either case, a service that actually monitors your online profile is hinting at becoming actually useful. I wonder if the lawsuits had anything to do with this.

Shortlist for Checking Out A Company Online Before You Give them Money

Not too long ago, I put an item on my Christmas wishlist that my wife bought, but I put a link to a fraud company as a place to buy it. If I had bothered to check it out first, I would have quickly realized as much and saved us both a lot of trouble.

So before you pull out your credit card, you should check them out.

Class Action Suit Against Lifelock

This was faster than I thought.

The Arizona Department of Insurance has reviewed LifeLock's service and does not believe it is an insurance product, department spokeswoman Erin Klug told the Arizona Republic.

There are people filing class action suits against Lifelock stating that because of fine print and loopholes, most people won't be able to get any money even if they were victims of ID theft.

That's pretty interesting since I determined it's nothing but insurance. If what Arizona has said is true, well then I guess Lifelock is nothing at all.

An Odd Trend in Mario Webcomics

I like webcomics, particularly those involving video games (because it just so happens that I like video games too). However, I've noticed a bit of a trend concerning our beloved Nintendo character Mario. For posterity (and because it makes it easier to show these to other people this way), I've collected all the relevant comics here (warning, these are probably NOT safe for work (NSFW)):

http://comicswithoutviolence.com/d/20030906.html
http://www.vgcats.com/comics/?strip_id=114
http://www.duelinganalogs.com/comic/2005/12/01/mr-toads-wild-ride/

If I find more, I'll post them. If you know of more, post them in the comments.

Wikileaks Retaliates Against Scientology Threats

Wikinews has learned that The Church of Scientology has warned the documents leaking site Wikileaks.org that they are in violation of United States copyright laws after they published several documents related to the Church. Wikileaks has no intentions of complying, and states that in response, they intend to publish thousands of Scientology documents next week.

Good for them! It's heartening to see that now that one well publicized organization has stood up to their bully tactics, others are following.

(H/T to Digg.com for the link)

Your Internet Service Provider Tracks and Sells You

Some marketing research firms are working with ISPs to track all data transmitted over your Internet connection to build profiles of you by which to advertise more junk. On the question of how they'll protect your privacy, the companies said:

First, every user in the NebuAd system is identified by a number that the company assigns rather than an Internet address, which in theory could be traced to a person. The number NebuAd assigns cannot be tracked to a specific address. That way, if the company's data is stolen or leaked, no one could identify customers or the Web sites they've visited, Dykes said.

Oh right. Because that worked so well before.

(H/T to Privacy.org for the link)

Bogus Lifelock Sites Litter the Web

Lifelock is that company run by the dude who boasts, "Here's my Social Security Number! I can't be hurt by ID Theft Man, I'm In-VINCIBLE!!!!" or some such nonsense.

First of all, he was robbed by some guy in Texas, which proves the point I've been trying to make all along: Lifelock doesn't PREVENT ID theft. But more important than that is how this company advertises. Besides having ads just damned everywhere on the web, I've found a wealth of fake sites that pretend to be 3rd party recommendations, but have little to no content other than Lifelock ads disguised as reviews. Whether this is the direct result of Lifelock marketing or the fault of over-zealous users of a Lifelock affiliate program, having sites like this really damages what little reputation Lifelock has.

http://sixfoldsecurity.com/financial/identity_theft.php

Created: Nov 2007 by Larry from Bothell WA

Though the site has a ton of links and categories, the only actual page I can load is the one under identity theft which contains lines like "I was skeptical at first" and "Lifelock does a lot more than I thought".

Here's their whole ''article'' (a.k.a. Lifelock ad)

http://www.lifelock4me.com

Created: Sept 2007 by Marketing Partners INC. St Joseph, MI

This site has no content other than a few pages explaining things about Lifelock.

http://www.igotmyidentitystolen.com

Created: Feb 2008 by Domains by Proxy, Scottsdale AZ

I found this site originally because the very first comment on my "Lifelock Sucks" article was from a guy who left this url with his comment. The comment appeared to be reasonable, if wrong, criticism of my position. But when I went to the site, I found out that it was a thinly disguised front site. Though there are a few articles on it not related to Lifelock, the page navigation consists only of "About Lifelock", "Features", "How Lifelock Protects You", and "Order".

I love their "About Us" page:

About Us

Here at IGotMyIdentityStolen.com we try to focus on protecting you from identity theft. Giving you tips and updating the site with the ever changing identity theft crisis changes. Criminals think of new ways every day to scam innocent people.

Identity Theft has been such a problem in the United States along with the world. So prevent yourself from identity theft.

If you have any questions, comments, or concerns. Please feel free to drop us an e-mail at support@igotmyidentitystolen.com

– Trying to make your life easier,

Mr. Identity Theft Protector

Could you get more generic than that? Note that neither the domain registration information nor the comment left on my site has a name attached.

http://lifelockreviews.com

Created: April 2007 by Whoisguard (a company that shields the registrant)

You couldn't make a better search engine bait site than this. Lifelock is mentioned 55 times in 4 postings (the only four posts on the site) with titles like "A Review of Lifelock", "Lifelock Consumer Review", "Lifelock Million Dollar Guarantee", and "Lifelock – Identity Theft Security or Scam".

And of course, the first line in each "unbiased fair 3rd party review" is "LifeLock is the only Identity Theft Prevention Solution backed by a one-million dollar guarantee! Click here to get a 10% discount."

http://lifelockreviews.net

Created: April 2007 by Kurt from Tallahassee

Single page ad for Lifelock. No other content.

http://lifelockreviews.org

Created: March 2008 by Patty from Louisville

Four posts on a blog, all about Lifelock.

http://lifelockreviews.info

Created: Nov 2007 by Ken from Singapore

Single page ad for Lifelock.

http://lifelock-reviews.com

Started in April 2007, lifelock-reviews.com has put out a wealth of (sarcasm) useful unbiased information (/sarcasm)… into their only two categories "ID Theft" and "Lifelock". Of note, this site includes real news and videos unlike every other site I've seen so far, but the last line in EVERY post is something similar to this: "To purchase LifeLock or get more information please click here."

http://idtheftquiz.org

Created: Sept 2006 by Kurt from Tallahassee

There is nothing, nothing, on this site but a single page ad for Lifelock. I count it as a front site because of this:

We are proud to be working with Lifelock to offer the most comprehensive ID-Security programs available… blah blah blah

Correction: There is something besides the ad. If you look carefully through the ad, there are some links that go to other articles and such promoting Lifelock. There. Are you happy now George?

http://www.identitytheftlabs.com

Created: April 2007 by Domains by Proxy, Scottsdale AZ (another registrant shielding service)

This one is a bit curious. They have information about some other monitoring services as well and aren't as clearly a front site, but they've got the tell-tale signs. They were also started in April of '07 and their postings are heavily weighted towards Lifelock more so than the others they talk about (which, by the way, is only 2 other services).

http://lifelockworks.com

Created: Feb 2008 by Domains By Proxy, Scottsdale AZ

A single page ad for Lifelock. Most notable is that the normal links at the bottom of the page (Contact, TOS, Copyright, etc) all link straight back to lifelockworks.com. They're only there for looks.

This is getting dull so here are some more listed in no particular order

lifelock-promo.com
lifelocktv.net
safeidentityreview.com
getlifelock.net
identitytheftsecrets.com
reviewsonlifelock.com
www.f1racing.ws/
http://www.hillarybillary.com/

And the following are sites that have other posts, but at least one on lifelock that pretends to be a review, but isn't:

http://www.brokencode.us/finance/lifelock-scam/ (3 articles)
http://brinformatica.alojagratis.org/2008/04/06/lifelock/ (3 articles)
http://mbaonlinedegree.biz/2008/04/10/lifelock-review-for-the-id-prevention/ (1 article)
http://dmnewexpress.com/?p=128 (4 articles)
http://infinitum-media.com/ (4 articles)
http://www.drcopa.com/index.php?s=lifelock&x=&y= (1 article)
http://www.ginolopez.com/?p=43 (1 article)
http://abshome.blogspot.com/2008/04/value-of-life-lock_13.html (18+ articles)
http://msteenybopper.multiply.com/journal/item/146/Lifelock_Promo_Codes (1 article)

And a million more. Just do a search for Lifelock and you'll find them everywhere.

Using Gmail to Track Companies That Leak Your Data

Even though I've shown that bigger companies don't leak data (or didn't used to anyway), that doesn't stop smaller sites/companies. An easier way to see if someone is sharing your e-mail address when you don't want them to is to use variations of your own e-mail address for each site. Google's e-mail service allows you to add data to your e-mail address and have it still successfully reach your inbox as described at this Makeuseof.com article. As of today, this tip does NOT work with Hotmail.

The short of it is that if you take your Gmail name, add a "+" sign, and then write anything you want that helps you remember the web service (usually just their name), the e-mail address will still work, but you'll have a code that lets you know if the company is selling your data.

For example, if I sign up with Yahoo, I might use gmailname+yahoo@gmail.com where gmailname is my gmail account name. Now if Yahoo sells their database without modification and another company uses it, I'll get an e-mail for Canadian meds or what-have-you with a "TO" address of gmailname+yahoo@gmail.com. When I get such an e-mail, it will be blatantly obvious who sold me out.

With help of a friend that uses Gmail, I was able to confirm that it works exactly as described in the article so I will definitely be using Gmail for all further account signups.
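The check described above can be automated. The following is an added example, not part of the original post: it builds the per-site address and then scans received messages for a "+" tag whose sender does not match the tagged site. The account name `gmailname` comes from the post's example; the function names, the substring heuristic and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

ACCOUNT = "gmailname"  # account name from the post's example

def make_alias(site, account=ACCOUNT):
    """Build the tagged address to hand out when signing up at `site`."""
    tag = "".join(c for c in site.lower() if c.isalnum())
    return f"{account}+{tag}@gmail.com"

def tags_in(msg, account=ACCOUNT):
    """Return the +tags under which this message was addressed to the account."""
    headers = []
    for name in ("To", "Cc", "Delivered-To"):
        headers.extend(msg.get_all(name, []))
    tags = set()
    for _, addr in getaddresses(headers):
        local, _, domain = addr.lower().rpartition("@")
        base, plus, tag = local.partition("+")
        if domain == "gmail.com" and base == account and plus and tag:
            tags.add(tag)
    return tags

def leak_report(raw_messages, account=ACCOUNT):
    """Map each tag to the sender domains that do not look like the tagged site.

    Heuristic (an assumption of this example): a sender is treated as the
    original site when the tag appears somewhere in its domain name.
    """
    report = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        sender_domain = sender.rpartition("@")[2] or "(unknown)"
        for tag in tags_in(msg, account):
            if tag not in sender_domain:
                report.setdefault(tag, set()).add(sender_domain)
    return report

# Constructed sample messages: one legitimate, one using the tagged address
# from an unrelated sender, one sent to the untagged address.
SAMPLE = [
    "From: Yahoo <news@yahoo.com>\nTo: gmailname+yahoo@gmail.com\n"
    "Subject: Welcome\n\nhello\n",
    "From: Deals <promo@cheap-meds.example>\nTo: GmailName+Yahoo@Gmail.com\n"
    "Subject: Canadian meds\n\nbuy now\n",
    "From: shop@store.example\nTo: gmailname@gmail.com\n"
    "Subject: Receipt\n\nthanks\n",
]

if __name__ == "__main__":
    print(make_alias("Yahoo"))
    print(leak_report(SAMPLE))
```

A message that arrives at the untagged address proves nothing either way, since the tag only survives if the list was passed on without modification.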

TJX Settles with FTC Over Biggest Data Breach In History

TJX has settled charges that they had insufficient computer security protecting their systems, but the only thing TJX must do under the settlement is upgrade their security. Woo.

And this:

"By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure," said FTC Chairman Deborah Platt Majoras. "Information security is a priority for the FTC, as it should be for every business in America."

B.S. Here's a clear message for you, Chairwoman Platt Majoras: those words coming out of your mouth are nothing but hypocrisy.

My Verizon FiOS Install

As I said before, the only way to get a good deal with your telco is to switch services every now and then or at least threaten to. After checking what Comcast would give me to stay, it was clear that Verizon FiOS would be the better deal and I tried to set a date. Here is my story.

First of all, there were flyers on our door and people going door to door several months before this began all advertising FiOS. When we actually tried to GET it though, they said it wasn't in our area. Song and dance, call after call, nothing. We were stuck. So we set up a DSL package because it was still better than Comcast.

They delayed install for weeks sending us only a cryptic message that they were checking into the possibility of giving us DSL (which is crap because we had it before). I suspect that they were delaying us on purpose until the FiOS became available, but whatever. We wanted FiOS anyway.

When it finally got "turned on" and we were able to do so, we canceled the DSL order and set up one for FiOS instead. Everything went fairly smoothly even down to them calling the day beforehand to remind us and confirm the install date. Then the tech comes out and says that he couldn't install it because they hadn't actually run the fiber from their box in the ground to our house. That and some switch down the street hadn't been set yet (whatever).

He said they'd call us to let us know when the diggers would be out and that he'd already set up the install for the cable for us. They didn't call, but a few days later we found the front lawn spraypainted all over the place (no big deal since we're renting). I called anyway to confirm that they were going to do this right and found out that part of the order was entered wrong. The guy promised to fix it and gave me a tracking number.

As I was writing this, some guy from a third-party fiber installer pulled up and left a note on my door. I caught him and he says that they'll be out to install next week (ugh). Hopefully I can get them to expedite the actual install after that's done.

Reactions

So far, this process has been far less painful than I thought. The incompetence is there, but less than I feared. Also, the customer service people were helpful, spoke English, and were polite. We'll see how this turns out in a week or so.

The Credit Freeze Process in Practice

So I got around to getting my credit filed a few weeks ago and now I'm sitting pretty with freeze letters from all three credit reporting companies. Here's a breakdown by company:

Equifax

They sent me a simple one page letter explaining that the freeze had been placed and giving instructions on how to lift it along with a 9ish digit pin. Simple enough. It's nice to note that you can lift the freeze by calling a phone number rather than having to mail something in. They also point out that you have the option to lift it for a specific party or for a period of time. So far so good.

They don't say how long it takes to lift the freeze so I called them to ask (but they were closed). Their hours kind of suck so I'll try again soon and post the results.

Experian

Like Equifax, they sent a single page description of the freeze and how it works with them. They even have a website I can log into to lift the freeze temporarily. Unfortunately, they say it could take up to 3 days to lift the freeze (which is crap since the computer system could lift the freeze in mere seconds). Otherwise, no issues.

Transunion

At first I had a little trouble because I piled all the mailings together and Transunion sent me a credit report along with my freeze. When I couldn't find the freeze data (in a separate mailing), I called them and had to navigate through their brutally hostile phone system (which insulted me and hung up on me once). Fortunately, the person who finally answered was polite and clearly a native English speaker. Once I sorted out the confusion, I opened the correct letter and found what I needed.

The freeze notification is 5 pages long and the PIN is a full 4 digits shorter than the other two companies. Amusingly, they seem to be chiding me for getting the freeze by reminding me how difficult it will be to get credit now (heh). Interesting note: they can't update my name and address information while the account is frozen. Bonus!

They are easily the most detailed in describing how lifting the freeze works though. They say that if you specify a specific entity to access your credit, you will be issued a custom number to give to whoever wants to run your credit. In other words, no one gets your PIN ever. Good.

Like Equifax, they have a phone number that I can call to lift the freeze, but because of their hours of operation (even worse than Equifax), I couldn't call to see how long it takes.

Washington State Passes RFID Privacy Law

Washington state passed an anti-RFID law that's unfortunately far weaker than it should be.

The Washington legislation outlaws the use of RFID "spy technologies" to collect consumer information without the owner's consent. The only problem is, heavy corporate lobbying narrowed the scope of the law (before Governor Gregoire signed it) to cover only criminal acts such as fraud, identity theft, or "some other illegal purpose" (making it a Class C felony to do so). Collecting information from consumer RFID chips for marketing purposes in Washington—with or without the owner's consent or even knowledge—is still fair game.

Oh well. I suppose it's a start.