Slashdot Mirror

← Back to Stories (view on slashdot.org)

Big Data Breaches Give Credit Monitoring Services a Boost

Posted by timothy on from the glaziers-love-broken-windows dept.

Hugh Pickens DOT Com (2995471) writes "As attacks like the one on Target have exposed up to 40 million customer payment card accounts and the names, addresses and email addresses of as many as 70 million shoppers, Tiffany Hsu and E. Scott Reckard report in the LA Times that increased activity by data hackers has produced millions of victims but there has been one big winner: credit monitoring businesses. "It's almost a terrible thing to say, but these kinds of situations raise awareness of the need to protect yourself and to be more vigilant in checking your transactions," says Yaron Samid. Meanwhile services with names such as BillGuard and Identity Guard report a surge in sign-ups from people anxious to be protected. For example, the number of AAA Southern California members opting in for the club's identity theft monitoring service — whether for free or for an extra charge — boomed in January, up 58% from December." (More below.) "I have to believe part of it was these different data breaches that have been occurring, people being concerned about that," says Jeffrey Spring. The BillGuard credit monitoring application, launched in July, uses crowd-sourced reporting from its members to issue alerts about possible payment card security concerns. Since the Target breach, the app's user base has ballooned by nearly half a million participants and identified $1 million in fraud. "We have built a crowd-source system of identifying fraud on debit or credit cards," says Samid. "The system will ask others if this charge is OK or not OK, and if system see a few people saying this is not an unauthorized charge, we alert others that it is potentially fraudulent. The more people that join the network, the more effective it gets." Card issuers and transaction processors have spent hundreds of millions of dollars dealing with electronic fraud in the last three years says Michael Moebs and consumers can soon expect increased annual fees to recoup the costs. "The view is data breaches and hacking have become a way of life, and the industry must get used to it.""

48 comments

  1. Consumers always pay by Anonymous Coward · · Score: 1

    Got to love consumers having to pay for the weakness of credit bureau's security and the need for a social security number and easily searchable public data "being secret".

    1. Re:Consumers always pay by contrapunctus · · Score: 1

      I got a letter from Target that they (not me) will pay for 1 year of monitoring.

    2. Re:Consumers always pay by Sporkinum · · Score: 1

      I did too, and signed up online. It went into a black hole as far as I can tell. Nothing has been done.

      --
      "He's lost in a 'floyd hole"
    3. Re:Consumers always pay by gnick · · Score: 1

      ...Nothing has been done.

      As far as you know. Any info you provided has been logged "somewhere". Recently, I needed to set some stuff for my wife - Completely innocent, but it could have been anything. She was at work so I couldn't really bug her with stuff I could do on my own. Starting with nothing but her name and date of birth (I had a lot more info, but it would have meant a long drive to retrieve - Her name and DOB I can actually remember without a hint), I came up with her SSN, a list of past addresses, credit inquiries, and the list goes on.

      As a side note: Annoyingly, I could have easily set up several credit card accounts in her name using whatever address I chose, but obtaining her alien registration ID (that she's had for 35 years), meant she had to drive 100+ miles to show ID.

      --
      He's getting rather old, but he's a good mouse.
    4. Re:Consumers always pay by Sporkinum · · Score: 1

      They screwed up my year of birth for my SSAN for a few years. I found out when I tried to efile my taxes several years ago. Rather than go through the hassle of digging up birth certificate and spending lots of time at the social security office, I figured out what they wanted and gave it to them on my tax form. They had one of the digits as a 7 and it should have been a 1. Probably an OCR error I would guess. I eventually went in and got it fixed. Had to waste a 40 mile round trip, and 3 hours of my time to fix their fuck up.

      --
      "He's lost in a 'floyd hole"
    5. Re:Consumers always pay by gnick · · Score: 1

      My wife's was at least quick in the office - I made the appointment for her and she made the 200 mile round trip for about 5 minutes in the office. Then took a nap in the van waiting for the pizza place to open where we met for lunch.

      --
      He's getting rather old, but he's a good mouse.
    6. Re:Consumers always pay by mjwx · · Score: 1

      I got a letter from Target that they (not me) will pay for 1 year of monitoring.

      You have to wonder where Target gets the money to do that from.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  2. Here's a Better Read by Anonymous Coward · · Score: 2, Insightful

    Are Credit Monitoring Services Worth It?

    In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in America.

    [...read the rest on the blog...]

  3. Writing's on the wall: credit is a scam by Anonymous Coward · · Score: 1

    What other industry has done so much damage to the economy? Whether it's parasitic fees for retailers, the ready availability of debt to anyone who can produce a social security number (a number that is not supposed to be used as a form of ID), likely-to-default mortgages traded in a shell game to retirement funds, or the great myth of the credit score running your life, you can be sure if there's something wrong going on it originated in the financial industry.

    1. Re:Writing's on the wall: credit is a scam by Phreakiture · · Score: 2

      What other industry has done so much damage to the economy?

      Mortgage lending, to name the most obvious one . . . .

      --
      www.wavefront-av.com
  4. If you're not part of the solution... by generic_screenname · · Score: 1

    ... then there's money to be made prolonging the problem!

  5. Freeze Your Credit by Jason+Levine · · Score: 5, Informative

    I was a victim of identity theft. Someone obtained my name, address, date of birth, and social security number and opened up a credit card in my name. (Apparently, Capital One doesn't care if you get Mother's Maiden Name wrong. So much for that being a "security question!") My only saving grace was that the criminals paid for rush delivery of the card and THEN changed the address. The card got sent out before the change of address was processed and it came to me instead of to them. Otherwise, I would have found out when the collection agencies banged on my door demanding I pay the thousands of dollars that I would have "owed."

    Unfortunately, the thieves weren't caught. The local police were woefully undertrained on technology. (They had an IP address of the web form filled out and the time submitted and I needed to show them how to find the ISP and what the next step should be.) They also weren't highly motivated. After all, I didn't lose any money and chances are they would do some legwork and then the case would need to be transferred to some agency out of state. The feds were completely uninterested as this was too small-time to warrant their attention.

    Even if the thieves had been arrested, though, who knows how many other people have my information. I did research on how to keep this from happening again and turned up three things:

    1) The Fraud Alerts are garbage. They are a voluntary note on your credit that credit issuers are supposed to check but sometimes don't. Plus, they only last 90 days. Once your information is out there, it's out there for good. Thieves aren't going to delete it after 90 days, why should the fraud alert end there.

    2) You can freeze your credit. It can be a pain because you'll need to pay to thaw it if you want to get a loan/credit card/etc, but it means that no thief can add a line of credit in your name. Period. Of course, credit agencies hate it when you freeze your credit since this means you won't be opening tons of store cards and the like which means they can't make money off of you by selling your name to those "you've been pre-approved!" card issuers. To a consumer, though, this is an additional benefit.

    3) Get your free credit reports and closely examine them, but don't get them all at once. You get one from each of the three major credit agencies each year, but for the most part they'll be the same. For maximum coverage, stagger them. For example, you could get Experian in January, Transunion in May, and Equifax in September. Then you could start back at Experian once January rolls around again.

    None of this is fool-proof, of course. No security ever is. But this does offer as good of a protection as you can get and there's no reason to make it easy on the criminals. Trust me: Even if you catch it before any damage is done, having your identity stolen is EXTREMELY stressful!

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    1. Re:Freeze Your Credit by neilo_1701D · · Score: 1

      We use Zander Insurance's Identity Theft plan (http://www.zanderins.com/idtheft/idtheft.aspx). In the event of identity theft, they assign a case worker to do the legwork of cleaning up the mess. A credit freeze is only good IF the company issuing credit actually checks.

      So, disclaimers: I am not a Zander employee; I do not work for any affiliate of Zander. I heard about this on the Dave Ramsey show, so for the cost we thought it was a no-brainer.

    2. Re:Freeze Your Credit by Chris+Mattern · · Score: 1

      A credit freeze is only good IF the company issuing credit actually checks.

      I would think you'd have legal recourse against a creditor dunning you for debts issued while you had a credit freeze in place.

    3. Re:Freeze Your Credit by Jason+Levine · · Score: 1

      A credit freeze means that nobody is allowed to access my credit file at all without the file being thawed. (Unless they have a pre-existing line of credit and even then they can only update that line, not open a new one.) If Experian, Transunion, or Equifax allowed someone to access the file without me thawing it, they could get in some serious legal trouble.

      The Fraud Alert is the item that's only good if the issuing company checks. Credit agencies like to bill it as a "solution" but it prevents identity theft about as well as a "Beware of Dog" sign (with no dog backing it) prevents burglary.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    4. Re:Freeze Your Credit by gnick · · Score: 1

      You'd think and you'd be right. But burning a couple of hours of vacation & $400 in lawyer's fees to recoup a $180 fraudulent charge doesn't really balance out.

      --
      He's getting rather old, but he's a good mouse.
    5. Re:Freeze Your Credit by Anonymous Coward · · Score: 0

      Did anyone think to send someone to the address in the "change of address" form?

      Or am I asking too much?

    6. Re:Freeze Your Credit by mjwx · · Score: 1

      Um, yeah.

      The number 1 way to protect yourself from having your card details stolen is to use it sparingly.

      I keep my credit card sitting in a safe at home, I never take it out with me unless I intend to use it for something (pre-meditated) because it's a huge vulnerability (especially if it has paywave/pass). An ounce of prevention is worth a pound of cure, that's more like a ton of cure when it comes to your money.

      People who have a dozen store cards and hand over their CC at the first opportunity always wonder why they're the victims of identity theft and always ask "what can others do to save/protect me". Well the short answer is nothing if you cant be bothered to protect yourself.

      The two most popular ways card details are stolen.
      1. Compromised web sites.
      2. Compromised POS terminals.

      I believe the Target breach was number 2.

      In most cases 1 and 2 are combined under 0. User stupidity. I'm still surprised the number of people who let their CC out of their sight, this is where unscrupulous service staff copy your details or are willing to plug their credit card details in to any public/unsecured machines (including your work machine, in my tech support days I saw a few of keyloggers installed by other staff members).

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    7. Re:Freeze Your Credit by Anonymous Coward · · Score: 0

      You weren't a victim of identity theft because there is no such thing. It isn't like you woke up in the morning and found that your wife, dog and mother no longer recognized you because your identity was missing. You still had your identity very much in your possession.

      The term identity theft is a term made up by the banking industry to shift responsibility from the banks to the consumers. The pure and simple truth of the matter is that Capital One was tricked into issuing a credit card in your name to somebody else. But instead of owning up to the responsibility they turn around and want to put the blame back on the consumer.

    8. Re:Freeze Your Credit by Jason+Levine · · Score: 1

      My case wasn't one of my card details being stolen but of my name/address/SSN/DOB being stolen and used to open a new credit card in my name. How the thieves got my personal information I'll never know. It could have been from some credit agency, a doctor's office, my employer, or a dozen other places. It could have been a breach or an inside job. The identity thieves who opened the card in my name could be the ones who stole my information or the person who stole my information could have sold the information to the thieves. The only thing I know for sure is that these people got my information somehow and opened a card in my name.

      Honestly, having your credit card number stolen isn't a big deal. You report it as soon as you figure it out and you aren't responsible for any of the fraudulent charges on it. Your credit card company will issue you a new card and cancel all the bad charges. (Yes, we've had this happen too. My wife's card was compromised in the Target breach though no bad charges went on it.)

      Having your identity stolen, like I had, is much worse. You can't just "cancel" your SSN* and DOB. Instead, you need to fight with the credit agencies to prove you actually didn't open that account ten states over to purchase a ton of electronics. They start from the position that all the information they have on you is accurate no matter how ridiculous it is and you'll need to spend a lot of time and money to fix your credit file. And then the thieves can take your information, open a loan somewhere else, and mess it up all over again.

      Don't confuse "my card number was leaked" with "a credit card was opened in my name with my personal information." They are definitely not the same.

      * You actually can get a new SSN but it's a horribly complicated process.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  6. How long until the credit monitors are breached? by scorp1us · · Score: 2

    I figure they would be an even bigger treasure trove of account information than the original sites that were breached?

    --
    Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
  7. Today; my bank! by nextgens · · Score: 3, Interesting

    No later than today I've blogged about another example of that: to make a long story short, my bank has "shared" my details with some 3rd party... whether they're 0wned or selling the data is yet to be answered. http://florent.daigniere.com/p...

    1. Re:Today; my bank! by nitehawk214 · · Score: 1

      From the bayesian avoidance text in your spam:

      We can kill you if you try to run when we attack you

      Spammers are getting serious these days.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
  8. Limited use for credit monitoring by mprindle · · Score: 3, Interesting

    The problem with most of the credit monitoring companies is the little they do can be done by the consumer for a lot less. The real work comes when your identity has been stolen and the hundreds of hours it takes to clean up the mess. This is where you need a company that will do the legwork for you. I use Zander Insurance's ID theft program. I look at it as one more insurance that I pay per year. If/When I need them they are there and I won't have as much pain to endure and the massive learning curve to cleaning up ID fraud on your own.

  9. In probably much the same way by cyberchondriac · · Score: 1, Troll

    ..that Anti Virus corporations such as Symantec and McAfee benefit from virus and worm outbreaks. Make of that what you will, you either believe there's a conspiracy or that they're just filling a needed niche. *shrug*

    --

    Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
    1. Re:In probably much the same way by cyberchondriac · · Score: 1

      ..that Anti Virus corporations such as Symantec and McAfee benefit from virus and worm outbreaks. Make of that what you will, you either believe there's a conspiracy or that they're just filling a needed niche. *shrug*

      Why would any moron have modded this as a troll? I simply pointed out the parallel that there's a market for the AV service sector and they fill it, and that you can either just accept that, or be paranoid about it, just the same as the credit monitoring business. I made no judgement of my own. Looks like I made an enemy somewhere recently.

      --

      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
  10. We need to solve this problem already by Anonymous Coward · · Score: 1

    Fraudulent credit monitoring services are not the answer to the problem of fraud. What we need is a simple credit card size device that lists the company, the date/time, and the amount and has a keyboard for authenticating the owner built right into it. That would ensure only the money authorized by the card holder could be transferred out.

    Such a device should be fairly simple technologically. The register would simply send the store number, the amount, and date/time. The user would check these with the cashier and enter there pin onto the credit-card device. That information would then be encrypted with something like GPG and sent to the financial institution issuing the card. The cards could use the register itself to send that information. Once the card holder's financial institution received this they could approve (to the merchant) the transaction and send a receipt to the merchant indicating payment was received.

    Then the customer can't claim it was unauthorized and the merchant doesn't have to worry about charge backs. There may still be avenues for fraud here if control over a register is obtained, but it's a risk that the store owners would be in a position to harden against. Failure to maintain security updates, locked registers (physically inaccessible USB ports for instance), etc would be the liability of the store.

    The same device could work for online web sites by simply having wifi built-in. In fact you could probably even do traditional mail catalog based orders and offline sales (although an offline merchant wouldn't know for sure if the transaction was valid until later, and thus fraud could occur with a modified device) simply by having the user be able to enter the store # onto the device and then having a unique # appear on the screen that is attached to an amount and a store number. There wouldn't be anything to steal then as the merchant would be the only one technically able to capture the funds.

    A thoroughly well designed, tested, and attacked design by security researchers I think this would go a long way to ensuring future-proofing too. While the device wouldn't be a never-need-to-upgrade again thing (most likely) it would likely increase the time span between merchants and consumers not being vulnerable and being vulnerable.

    1. Re:We need to solve this problem already by dgatwood · · Score: 1

      You're on the right track, but that implementation is way more complicated than it needs to be. Any PIN should be handled by the device itself, and should be easy to change to any arbitrary PIN. Or you might even use a fingerprint reader.

      You should be able to basically eliminate any additional risk from a modified device or payment terminal (except perhaps the risk of someone physically stealing the device and using it) by doing the crypto as follows:

      • The business generates the transaction receipt and signs it with its public key.
      • The user pushes the button on the card to initiate the payment handshake. This causes the device to broadcast a Bluetooth Low Energy beacon.
      • The payment terminal (computer, POS terminal, cell phone) detects the beacon and sends the transaction receipt to the card.
      • The device shows the business info, dollar amount, etc. on its screen.
      • The user presses a button to authorize the transaction.
      • The device signs the transaction using its private key and sends its response back to the payment terminal.
      • The payment terminal sends the doubly signed receipt back to a payment processor.
      • The payment processor verifies the signatures using public keys stored in the business's account and the user's account and verifies whether funds are available.
      • The payment processor sends back a signed response containing the transaction receipt and a status field that indicates whether the transaction was authorized or not.
      • The payment terminal provides the signed response to the device so that the user can verify that the payment was accepted or rejected. (This prevents double charging fraud.)
      • If the signatures are valid and funds are available, the payment processor automatically transfers the funds to the business.

      In an ideal world, the transaction would then be applied to the default credit card in your online account profile, but you should have the ability (up to a few days after the transaction) to redirect the transaction to a different card by logging in to your online payments account and saying "Bill it to X". Alternatively, you could have multiple PK pairs, one for each account, and you could choose the account on the device itself.

      The way you handle offline sales with this model is also pretty straightforward. You use either a mobile app on your phone or a website on your computer (requires browser support), as follows:

      • Enter the name of the business.
      • The payment app provides a list of matching businesses. Choose the right one.
      • Enter the amount of the payment.
      • The payment app generates a transaction.
      • You push a button on the device, and the payment app does the BTLE handshake.
      • You push another button to authorize the transaction, and the payment app sends it to the payment processor.
      • The payment app issues a funds hold against your account and gives you a unique transaction ID for that hold. You give that transaction ID to the store.
      • The store, upon accepting the order, uses that transaction ID to convert the hold into an actual charge.

      The existence of that transaction ID in the merchant's account is proof that the payment occurred. At most, the only thing the merchant would have to do to prevent fraud would be to ensure that nobody uses the same transaction ID to pay for more than one purchase. This is, of course, a trivial local database lookup.

      You would also need an app (mobile or desktop) that can download the public key from the device (if the device gets stolen, you'll need to associate the new device's public key with your payment account) and occasionally update its firmware to fix any bugs in the crypto code.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  11. Conspiracy Theory Alert! by DaMattster · · Score: 1

    So, I wonder if there are some sort of kickbacks and incentives shared between the credit bureaus and big data ....

  12. Krebs on Security... by Anonymous Coward · · Score: 1

    Just going to leave this here... http://krebsonsecurity.com/2014/03/are-credit-monitoring-services-worth-it/

    1. Re:Krebs on Security... by Anonymous Coward · · Score: 0

      Ok, but be sure to pick it up when you're done.

  13. It should be noted by Rambo+Tribble · · Score: 1

    There is also a significant increase in fraudsters posing as credit monitoring firms. People should be advised to be very, very careful when engaging such services.

  14. IF they work......Lifelock sucks by mschuyler · · Score: 2

    I had Lifelock when the Stratfor hack went down. Stratfor told us all Christmas Eve IIRC though the hack happened in early December. I and thousands of others verified our cards were in the wild, took action, cancelled cards, etc. Finally, in mid-January, Lifelock informed me that my card had been compromised with a single e-mail, long after I already had my new card.

    Totally useless.

    --
    How about a moderation of -1 pedantic.
  15. fix the problem, not the symptom by cellocgw · · Score: 1

    Screw credit monitoring: what we need is some CongressSockPuppets with enough nerve to pass restrictions on the credit bureaus. For starters, they could require all negatory information to be redacted upon receipt of a notarized sworn statement from the account holder (until the credit bureau can provide proof to the contrary, said proof not being based on random letters from banks or collection agencies, etc). The current situation, which is essentially "prove a negative," is worthy of the Courtroom of the King&Queen of Hearts.

    After that, there are plenty of smaller things to fix. One example: I lost a few points because my monthly spending on one credit card was over 75% of my limit *on that card* . Never mind I always pay on time and in full, or that I happen to have another card with 5 times the credit limit. The lack of logic in the ratings algorithms is appalling.

    --
    https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
  16. Re:The real problem: using credit at all by Anonymous Coward · · Score: 0

    Governments (including ours) have been using credit for centuries to advance their power. Businesses also. Bankers thrice. Jesus railed at the moneylenders also.

  17. Make credit monitoring firms pay by Anonymous Coward · · Score: 0

    Just make credit monitors responsible for any charges made by ID thieves....

    That'll either put an end to the credit monitors or the thieves.

  18. Glass repair places shoot out car windows! by Anonymous Coward · · Score: 0

    Didja know that small companies that do windows repair and replacement periodically go around their community smashing car windows with hammers or shooting them with BB guns? It's a nice way to drum up business.

    Maybe throw a brick through a plate glass window.

    Tire repair places go around slashing tires in a way to make sure the tire must be replaced and not be repairable.

    There are no victims as far as they are concerned because insurance will cover the replacements. Kah Ching!

    Are the credit monitoring companies hiring people to break into retailer computers and copying off credit card information? Gee, it CAN'T be possible, is it?

    1. Re:Glass repair places shoot out car windows! by Anonymous Coward · · Score: 0

      And body repair shops comb neighborhoods gouging out the paint of parked cars so they can repaint them.

  19. Pet Peeve by dave562 · · Score: 1

    Banks and credit card companies should be monitoring accounts for fraudulent activities FOR FREE. They charge account holders monthly service fees to maintain the account. A basic tenant of maintaining the account is making sure that criminals are not racking up fraudulent charges / making fraudulent withdrawls.

    The whole "credit monitoring" industry is a system of a broken system.

    1. Re:Pet Peeve by Ravaldy · · Score: 1

      My bank and credit card company already do fraud detection. Maybe it's only in the US that its not standard.

      I don't pay extra for the features.

    2. Re:Pet Peeve by mjwx · · Score: 1

      Banks and credit card companies should be monitoring accounts for fraudulent activities FOR FREE. They charge account holders monthly service fees to maintain the account. A basic tenant of maintaining the account is making sure that criminals are not racking up fraudulent charges / making fraudulent withdrawls.

      Erm, if they're charging you a monthly account keeping fee, it's not for free.

      They do this in Australia (as well as guaranteeing your savings up do a $1,000,000) but fraud continues unabated because people don't take basic precautions against fraud (like not using your card everywhere). However banks are happy to continue doing this as they can push the cost of fraud onto the merchants (who raise their prices so you end up paying anyway) and if people stopped using their credit cards they cant charge fees to the merchants fro accepting them.

      You're right that the entire credit system is broken, but it's broken end to end and it starts with the flawed way people think about credit.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  20. Skip the credit monitoring; Just block it. by WindBourne · · Score: 1

    Seriously, want to stop the spam, or the ability of somebody else to get your information?
    Call all 4 credit agencies and put a block on your data.
    With this, nobody can access this. If you go for a loan or a CC, then you will need to unblock it, BUT, it is actually cheaper and safer than paying these monitors monthly.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  21. The root of the problem is the type of crime by Anonymous Coward · · Score: 0

    The root of this problem is that this has gone from "Fraud" to "Identity Theft". It is no longer the responsibility of the company that issues the credit/sells the item to determine if the person is who they say they are. As a result, there is no longer a financial incentive for companies to care. The responsibility has been shifted to the consumer who is often not even a part of the transaction (i.e. opening a bank account) but is still liable for lax policies of the issuing company unless they actively monitor their credit reports. They are liable because everything from cellphone contracts to mortgages are based on your credit score and if you have something on your report (even if you didn't do it) you will still pay the penalty by paying higher car insurance or by not being able to get a loan.