Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Security Privacy

Over Half a Million Bank Accounts Breached 450

Gone Phishing writes "CNN is reporting that about 676,000 bank accounts in at least four banks (Bank of America, Wachovia, Commerce Bancorp, and PNC Financial Services) have had personal information "illegally sold". Over 60,000 customers have been notified so far."
This discussion has been archived. No new comments can be posted.

Over Half a Million Bank Accounts Breached

Comments Filter:
  • by ari_j ( 90255 ) on Monday May 23, 2005 @03:33PM (#12615958)
    Oftentimes, I'll complain about Slashdot dupes. Why can't this be one of those times?
    • by NoTalentAssClown ( 623508 ) on Monday May 23, 2005 @03:45PM (#12616136)
      Great. So far this year I've received a letter from from LexisNexis and Choice Point. When my identity was stolen at the beginning of the year I thought "How could this happen? I have been so careful with my information." Apparently is doesn't matter how careful *I* am when everyone else just seems to be giving it away. Something has to be done to punish these people other than sending me a letter with how to PAY someone to watch my credit and alert me to "changes".
    • by Thud457 ( 234763 ) on Monday May 23, 2005 @04:27PM (#12616699) Homepage Journal
      If this keeps up, pretty soon we'll all be using the same identity!

      Quis custodiet ipsos custodes? -- aparently a blind drunkard that's easily bribed.

  • by Colin Smith ( 2679 ) on Monday May 23, 2005 @03:33PM (#12615962)
    Isn't there a US equivalent of the Data Protection Act? ttp:// []

    A few holes, especially principle eight, but overall it does what it's supposed to.

    • by jd ( 1658 ) <{moc.oohay} {ta} {kapimi}> on Monday May 23, 2005 @03:39PM (#12616042) Homepage Journal
      Not exactly. In fact, so not exactly that Europe has repeatedly warned the US that it is technically illegal for European companies to trade personal data with the US, due to a total lack of any privacy law.

      The closest the US has is the DCMA, which prohibits the reverse-engineering of encrypted data for the purpose of copying it, which essentially makes it a crime to steal encrypted personal data, but I've yet to hear of anyone actually prosecuted this way and it is extremely unlikely to ever happen.

      Largely because commercial companies often don't encrypt personal data for customers.

      • the DCMA, which prohibits the reverse-engineering of encrypted data

        I thought it was encrypted copyrighted data. (IANAL)

        • by jd ( 1658 )
          It is, but any authored organized data is automatically copyright, which means that by creating a database entry with your name, address, SSN, ccard info, etc, in a structured and organized manner, where that structure and organization is preserved by the system, you have created a copyrighted work. Unless, by entering the data, you sign an EULA with the company that the data belongs to them. At which point, you're screwed but the company may be able to claim they have obtained the copyright from you.
          • by arkanes ( 521690 ) <arkanes@gma i l . c om> on Monday May 23, 2005 @04:20PM (#12616575) Homepage
            This is not true. In fact, it is the opposite of true. Mere aggregation of data (like phone books, famously) are *not* copywritable. There is some wiggle room, especially if you have good lawyers - again famously, the annotations and numbers added by Lexis to court rulings are considered copyrightable, thus giving them a defacto control over large chunks of legal documents.

            Because databases are not protected, many large personal-information companies have been pressuring Congress to pass special protection laws for them, but so far none have passed.

    • by paranode ( 671698 ) on Monday May 23, 2005 @03:40PM (#12616057)
      If an individual or group intentionally leaked or sold this information it is most certainly a crime. Laws are a punishment, not a absolute way to prevent crimes. If the perpetrator is convinced they can get away with this and profit from it, then they are not going to be worried about the fine print of the numerous laws they are breaking.
    • by bigtallmofo ( 695287 ) on Monday May 23, 2005 @03:41PM (#12616077)
      Based on forensic examination of Lembo's computers, it was determined that he had employed upper-level bank employees to access and identify individual accounts in their respective banks," the police statement said.

      It doesn't matter what laws you enact. If you RTFA, you'll see that this was an inside job done by corrupt upper-level employees. Setting aside security-Utopia for a second, at some point you have to trust your own employees, especially "upper level" ones. When that trust turns out to be misplaced, there's not a lot one can do to prevent malfeasance.
      • True, but you can make the companies who have the DBs liable for some the damage they cause. (but not take away from the liability of the actual thief at all)
      • Actually, a lot of UK companies don't realise this yet either.

        But the DPA requires:

        "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

      • If you RTFA, you'll see that this was an inside job done by corrupt upper-level employees.
        Setting aside security-Utopia for a second, at some point you have to trust your own employees, especially "upper level" ones.
        Nope. It shouldn't be that hard to have every employee's access to every account logged.

        Then, you have those logs checked by another person, not at that location. Was there a legitimate reason for the access (withdrawl/deposit)? Was that access initiated by the customer?

        The people monitoring the logs will not have access to the personal information of the accounts.

        Now, if the logs are checked on a random basis (Joe is NOT the only person who checks all of Seattle's logs) then that activity is much easier to spot.
        When that trust turns out to be misplaced, there's not a lot one can do to prevent malfeasance.
        The key is to build a system where individuals are NOT allowed unchecked access to personal information.

        The reason we don't have systems like that is because there isn't any financial incentive to implement them.

        The US does NOT have the same privacy laws that other countries have so this kind of activity is MUCH easier to get away with.
        • by Anonymous Coward on Monday May 23, 2005 @04:36PM (#12616828)
          Nope. It shouldn't be that hard to have every employee's access to every account logged.

          I worked at a large financial institution (life insurance, in a branch of a bank. Hell what I'm saying is 100% accurate so let me say that I'm talking about RBC Insurance - Life, whose offices are in Mississauga, Ontario) a while back, and had full access to hundreds of thousands of customer's data, including specially separated "high net worth" clients. I looked around and realized that on any of the developer PCs (where the user was admin. Actually these morons set DOMAIN\Users as admins, which meant that there was no PC to PC security and any hack could occur by co-opting a coworker) a USB key or PDA could siphon off everything.

          Realizes how insanely loose the controls were, I proposed initiative after initiative to tighten up the system, and to add some sort of read logging, but I learned firsthand that financial institutions, presuming this one was par for the course, are 95% politics, and 5% actual concern about customers. The only way any sort of checks and balances were going to be implemented is if it properly gave a handjob to every useless mid-level manager planning their next Machiavellian maneuver (and successfully ensured that I didn't look good out of it, as a shop like RBC is configured in such a way that only the mediocre persist. If you look good, the next time a management churn occurs some clueless twit will purge the clueful). It really was eye opening, and the status quo was maintained and everyone acted like nothing was wrong.

          Of course you really have to work in a place like that to fully appreciate how terribly incompetent such organizations are, and to maek it more fun they churn their management around with no logic or thought. Remarkable stuff.
        • by soft_guy ( 534437 ) on Monday May 23, 2005 @05:03PM (#12617106)
          The reason we don't have systems like that is because there isn't any financial incentive to implement them.

          The reason we don't have this is because, in the USA, the crooks are writing our laws.
    • In a word, no.

      We have several laws that apply to personal data. There are gaps you can drive a truck through, and the industry has spent decades doing just that. (I particularly like the part about how the laws specify that they only apply to "authorized uses" of personal data--so if it's not an authorized use, you can do anything. No, I'm not kidding.)
    • by neverkevin ( 601884 ) on Monday May 23, 2005 @03:43PM (#12616099) Homepage
      I don't know if the US government has any specific policies reguarding PPI and financial data, but the HHS has HIPAA [] for personal medical data. The state of California has SB1386 to protect Californians personal financial data. However, neither go far enough and I am supprised more incidents are not made public. I suspect there are many more security breaches that companies are quiet.
    • For Banks, we do (Score:4, Informative)

      by TykeClone ( 668449 ) * <> on Monday May 23, 2005 @03:49PM (#12616180) Homepage Journal
      It's called the Gramm-Leach-Bliley act.

      It has two purposes - the first purpose is to have financial institutions adopt measures to protect consumer data. The second purpose is to add a great deal of paperwork and extra compliance steps that bank staff must accomplish without adding any extra safety to the information.

      I believe that in health care, HIPPA or HIPAA (which ever one it was!) accomplished much the same thing.

    • I don't know, but this could just as easily happened in the UK. Bank employees knowingly sold the data. The staff at your local Barclays could do the same thing, too.

      Two points to remember: 1. No law (and there are laws against this in the U.S.) will prevent crime if the criminal believes he can get away with it; 2. The only techbical aspect of this crime is the way the data were stored. The same crime could have occured in 1905, except the info would have been passed in ledger books.

    • by DogDude ( 805747 ) on Monday May 23, 2005 @04:16PM (#12616496)
      Exactly. It's in place. Everybody who has had data stolen should sue their banks. A bank that I just got a mortgage through sold my information, even though I explicity told them not to. Hence, I'm suing them. It's very simple, actually.
  • by kcornia ( 152859 ) on Monday May 23, 2005 @03:34PM (#12615973) Journal
    I'm sure the answer will be higher fees though, so in the long run the banks will be fine.
  • by mrcrowbar ( 821370 ) on Monday May 23, 2005 @03:34PM (#12615975)
    Fortunately, my account should be safe. I got a email from Bank of America telling me about their problem, and I filled out their form to resecure my account. Such at great company to take care of their customers like that!
  • by Anonymous Coward
    Good thing i've opted out of having my bank share information with other parties. Opting out of information sharing is a wise thing for everyone to do.
  • by __aaclcg7560 ( 824291 ) on Monday May 23, 2005 @03:35PM (#12615984)
    This is why I switched to a local credit union a few years ago. Seems like the bigger the bank, the bigger the security breach. Worse... they nickel-and-dime you on everything else.
    • I don't see anything about it at wikipedia but it was my understanding of credit unions that they do rely on banks for certain things. In that case, are credit unions as a whole exposed to this problem? Can anyone clarify?

      • They are by law supposed to be barred from commercial accounts (I believe) - Credit Unions are supposed to be financial institutions for people of modest means bound by a common bond and because of that are tax exempt and much less stringently regulated than banks.

        So some services are supposedly barred from being offered by credit unions, but for consumers they should be fine.

    • funny you should say that,

      right on the front page of the university of michigan credit union

      Member Alert - Phishing Scam
      Some of our members have received a fraudulent email from a source pretending to be University of Michigan Credit Union. In this email you are asked to click on a link to provide personal information to "confirm your identity." THIS EMAIL IS NOT FROM YOUR CREDIT UNION. WE WOULD NEVER ASK YOU TO CONFIRM YOUR IDENTITY IN THIS MANNER. Please delete the fraudulent ema

    • This is why I switched to a local credit union a few years ago. Seems like the bigger the bank, the bigger the security breach. Worse... they nickel-and-dime you on everything else.

      Credit unions are no panacea []

      Of course, with a building looking like that, and the name "Need Action Credit Union", maybe nobody should be all that surprised.
    • Don't count on it. Credit Unions often outsource a lot of their operations to third-party groups to save on costs. Of course, the way the laws work, one doesn't often have to tell the customer that they are dealing with a third party.

      I used to work for a collection agency that specifically did third-party collections for credit unions across the country. We just had an 800 number for each credit union, and we'd answer with the name of the CU depending on which line rang. Same with sending out letters- just
    • Actually I prefer the big guys over the one credit union I was with, never had a single problem with Citi or HSBC, but Visions Federal Credit Union (IBM's credit union based out of Endicott area) I've had no end of troubles with.

      Nickel-and-dime is all they did, right now I owe them over 40$ to close my 20$ account and the number just grows year after year, I get statements from them, but I just shred them.
    • by Reverend528 ( 585549 ) on Monday May 23, 2005 @04:28PM (#12616732) Homepage
      Seems like the bigger the bank, the bigger the security breach.

      Well, duh. You're certainly not going to see 600,000 peoples accounts stolen from a credit union with only 20,000 customers. That doesn't mean it's any more secure.
  • by tofucubes ( 869110 )
    I'm glad to know that about 1 in 10 people were notified
    I have a feeling that most people's social security numbers have been harvested by people who shouldn't have them
  • Conflict of interest (Score:5, Interesting)

    by __aaitqo8496 ( 231556 ) on Monday May 23, 2005 @03:38PM (#12616032) Journal
    Customer account numbers and balances were allegedly sold to a man who then sold the information to collection agencies, the Hackensack police department said in a statement. Reuters reports that the information has not been found to have been used in any identity theft schemes.


    The case has led to criminal charges against nine people, including seven bank employees and alleged ring leader Orazio Lembo, who operated DRL Associates, a company that advertised as a skip-and-trace collection agency.

    Hmmm... working for a bank and a "collection agency". Sounds like a conflict of interest banks might want to look out for and possibly stipulate that working for a collection agency is not permitted while working for a financial institution.
  • Hackensack? (Score:5, Funny)

    by screwballicus ( 313964 ) on Monday May 23, 2005 @03:39PM (#12616047)
    The data-theft ring may have perpetrated the nation's largest ever banking security breach, a Hackensack, N.J., police statement quoted a Treasury Department representative as saying.

    I only hope that Hackensack don't lack the knack to track this crack attack.
  • by stomv ( 80392 ) on Monday May 23, 2005 @03:39PM (#12616053) Homepage
    So, the people at the banks will face charges, as will the Lembo, the "mastermind".

    But, what about the 40 collection agencies and law firms? Will they face civil charges? Criminal charges? Both? Surely they knew they were up to no good, and they were the ones funding the information theft in the first place -- all so that they could illegally harass debtors.

    Will the Feds follow the money?
  • by Racter ( 804902 ) on Monday May 23, 2005 @03:40PM (#12616055) the police intend to track down the information to and "reclaim" it from the collection agencies, advertisers, etc.?
  • by tofucubes ( 869110 ) on Monday May 23, 2005 @03:41PM (#12616069)
    according to the article at least 108000 customers were notified that's about a fifth

    Bank of America (up $0.10 to $46.67, Research), the nation's No. 2 bank, has notified 60,000 customers of the problem. Wachovia (Research) has notified 48,000 customers.

  • Makes you wonder (Score:2, Insightful)

    by TykeClone ( 668449 ) *
    why so many people use the largest of the nation's banks. They aren't inherently more secure than smaller banks and are larger targets because of the number of customers that they have.

    There are several thousand smaller banks in the United States and many smaller banks have lower fees than those giants and a customer actually means something to those banks.

    • Because their ATM machines are everywhere? I like my local credit union and they are generally good about fees but when I'm out of town and need to use an ATM I get jacked with fees from both the ATM and my credit union.
    • by mOoZik ( 698544 )
      Because the bigger banks offer me services that others probably would not be able to. For example, on-line bill paying. For example, 24/7 customer support. For example, an anti-fraud team that helped to rid $600 of fake charges from my account in ONE day after ONE call. For example, branches just about everywhere you go. For example, even with FDIC, knowing your bank is not going to close for whatever reason. For example, knowing that even with such breaches of security, they are a thousand times better tha
    • Re:Makes you wonder (Score:5, Interesting)

      by Zed2K ( 313037 ) on Monday May 23, 2005 @04:02PM (#12616353)
      Probably because the larger banks have more of a presence in the towns people live in. I hate getting charged a fee to get to money that is mine from ATM's. Here there are Bank of America machines everywhere. No atm fees, no having to request atm fees reversed.

      I've NEVER paid a fee with my BoA account. I don't know how so many people have problems. Free bill pay, free online banking, free bank transfers, overdraft protection, free checking. Hell I even get free checks, not that I write checks anymore though. Only thing I don't like is the horrible interest rate, but thats why I've got a ING account in addition to my BoA accounts.

      I've noticed with the small banks (and yes I've looked into them) the online banking sucks, bill pay is a pain in the ass to use and the tellers aren't too bright.
    • Re:Makes you wonder (Score:3, Informative)

      by gcatullus ( 810326 )
      One of teh biggest reasons is that these large national banks have become large national banks by buying up the smaller ones. An account that I opened about 20 years ago, has gone through 4 banks. I have never had to change account numbers or anything and I think many people just don't liek change, so they stick with what they have.
    • I don't know about the rest of the country, but up in Boston I imagine it often happened something like this:

      1. Sign up for an account at Arlington Trust Co., a local bank (1987);
      2. Arlington Trust Co. merges with Shawmut (1988);
      3. Shawmut merges with Fleet (1995);
      4. Fleet merges with BankBoston (itself the result of serial mergers) to become FleetBoston (1999);
      5. FleetBoston merges with Bank of America (2004).

      In other words, these are the world's largest banks because of a series of mergers and absorptio
  • Be thankful. (Score:5, Informative)

    by jd ( 1658 ) <{moc.oohay} {ta} {kapimi}> on Monday May 23, 2005 @03:44PM (#12616116) Homepage Journal
    It is only very recently that States - like California - require the publishing (even to victims) of this kind of information. Had this happened even a few years back, we'd be none the wiser until we'd all been ripped, and even then the banks would likely claim innocence.

    (Those from the UK may recall the curious scandal of "Phantom Withdrawls" from ATM machines, where mysterious, large withdrawls were taking place, even though nobody was apparently present to make those withdrawls. It was unimaginably difficult to prove the vitim was a victim, and even then it was next to impossible to get the bank to repay the money.)

  • Why is there no link to Bank Of America [] in the summary?
  • I sure am glad that I did *some* time in the service. One would hope that this type of thing wouldn't happen with a bank that serves the armed forces.
    • Re:USAA (Score:3, Interesting)

      by Politburo ( 640618 )
      One would hope that this type of thing wouldn't happen with a bank that serves the armed forces.

      In a sane world yes. However in a sane world one would also hope that our armed forces could act as prison guards without torturing and humiliating their wards.
  • check your accounts (Score:4, Informative)

    by lambent ( 234167 ) on Monday May 23, 2005 @03:46PM (#12616144)
    /me scans article ... wachovia, pennsylvania ... shit.

    Wachovia says that they sent out letters to everyone they know to be affected. My mail service is spotty at times, so I gave them a call. 1-800-WACHOVIA (1-800-922-4684). Just keep pressing 0 till you get an operator. Their customer service workers were able to tell me over the phone if my account was compromised. It's not. w00t! Took them about five minutes, but I think everyone should double check.
    • by MarkGriz ( 520778 ) on Monday May 23, 2005 @04:06PM (#12616400)
      "Wachovia says that they sent out letters to everyone they know to be affected"

      Sent out letters?
      Welcome to the 21st century, Wachovia.

      My bank promptly sent me an email alerting me to the problem, and allowing me to log in (via a secure server) and check my account status immediately. Fortunately my account wasn't hacked.
      • Sucka! (Score:5, Funny)

        by Grendel Drago ( 41496 ) on Monday May 23, 2005 @04:23PM (#12616630) Homepage
        You would trust any email with a link to go log in to your account? Man, I'm amazed you have any money left to check on!

        --grendel drago
      • And fortunately you were technologically savvy enough to check that the link they sent was a legit one, leading to Vachovia's servers. Many do not know where to even begin to do that.

        And you're right. Welcome to the 20th century, where requests to "confirm everything," to "update your personal information," or to change your ATM's PIN number because of an information breach can be sent to thousands of mailboxes in an instant, at no cost at all. Sending out a legitimate looking letter via mail, and tryi
  • whew (Score:5, Funny)

    by Himring ( 646324 ) on Monday May 23, 2005 @03:46PM (#12616152) Homepage Journal
    Luckily, I don't use banks. I keep all my money in a thermos under a combination lock. I then tether the combination to a string in a mylor bag and swallow it tying it off on a rigged bicuspid that will send a charge to the bag signaling an incendiary device which will destroy the note unless the tooth is first properly removed. But the bicuspid is fake -- threaded backwards with a one-way screw head. Of course, an anal probe might easily by-pass the oral security, but I recently had my sphincter sewn shut and I only consume nutrient drinks which, by chance, I keep in the thermos....
  • Stop using big banks (Score:4, Interesting)

    by Figz ( 217203 ) on Monday May 23, 2005 @03:46PM (#12616153) Homepage
    My bank offers:

    1. Higher interest rates
    2. Interest-bearing checking accounts
    3. No fees ever
    4. Free online billpay
    5. ATM fee refunds (since they don't have their own ATMs)
    6. Postage paid envelopes for deposits
    7. 24/7 Customer Service with almost 0 hold time
    8. No BS

    I switched to an internet bank a long time ago and I'll never look back. But I'm not going to tell you what the bank is because I don't want it to turn into a "big bank". Go find your own.
    • I wonder about those online banks though... are they insured, or are they located in some island nation of a few hundred people where the local police won't care when the bank shuts down and pockets all the money?
    • Big Bank Leach (Score:3, Interesting)

      I am a big bank "leach".

      I use a "big bank", but as far as I can tell, they make no money off me.

      Everything I do with them is "free" - free checking, atm use, etc.

      Whenever I have excess money in the bank, it gets swept into an online bank account that pays decent interest, or I send it off to my brokerage account where I gamble it away on bad stock picks ;-)

      I buy my checks from random cheapo check printers.

      As far as I can tell, I get the benefit of the big bank (lots of atms, grocery store loca

  • 10 is a good start (Score:5, Interesting)

    by Nom du Keyboard ( 633989 ) on Monday May 23, 2005 @03:48PM (#12616170)
    Account information on the customers was illegally sold by bank employees to a man identified as Orazio Lembo

    Everyone involved in this should be in jail Now! Ten years apiece is a good start.

    And I don't mean Club Fed either.

  • I really feel like that these security breaches are criminal negligence. So far it's been 'All of our customer info has been stolen, we're really sorry."

    Holders of mass amounts of critical info need to learn that if they lose it, or mismanage it, that they will be held liable for hundred of millions of dollars in civil penalties, and years in prison for the most egregious cases of negligence.

  • I use a small, regional Credit Union. I had nothing but trouble when I was with Bank of America and Sun Trust (system outages, errors in reporting, etc.) and now this. I think using smaller credit unions or regional banks, while limiting in some cases, is better, because they don't get so big that they forget who their customers really are.
  • by loggia ( 309962 ) on Monday May 23, 2005 @03:52PM (#12616216)
    How much are these guys getting?

    Like, can I sell my personal information before someone else does?

  • by Amoeba ( 55277 ) on Monday May 23, 2005 @03:53PM (#12616234)
    This is similar to the Choicepoint breach where account information was sold to an illegitimate company posing as a real customer. The main difference here is that there were "inside guys" who knew the selling of the data was to a bogus firm. What I find most interesting is that the main clients that the perpetrator (Orazio Lembo) sold to were.. wait for it... law firms and collection agencies! Talk about a vicious hive of scum and villiany.

    I say it will only get worse because the Sarbanes-Oxley Act is coming into effect which requires companies to put into place access controls to monitor/audit who has access to what information (among other things). The SOX, in conjunction with the Gramm-Leach-Bliley Act are forcing corporations to get their financial house in order in such a way that this type of malfeasance is getting much harder to hide. Expect to see more of the same for quite some time.

    While I think it's nice that these laws are having their desired effect I still envy those wacky europeans and their data protection laws.

  • by Pedrito ( 94783 ) on Monday May 23, 2005 @03:53PM (#12616243)
    I have an account with Wachovia. About 6 months ago, I started putting rather significant sums in it. Enough that were the account to get robbed, I'd be seriously upset. What concerned me at the time was that I had used my check card for online transactions, though.

    The thought that someone could wipe me out financially by cracking an online system got me worried enough that I opened a checking account at a local bank where I now keep a majority of my funds. I move enough into the Wachovia account for paying bills and stuff that are connected to it, but there's never enough in there to completely wipe me out anymore.

    And obviously, with the new bank, I won't be using the check card online. It looks like mine wasn't affected and it doesn't look like the account info was being used for robbery, I still feel more secure with the new account.
  • I was just told that because I live in California and opened my account in this state, my account information should not be affected by a breach in New Jersey, where the incident occured. Can anyone corroborate this?
  • by judmarc ( 649183 ) on Monday May 23, 2005 @03:57PM (#12616289)

    Customer Protection

    Guard yourself against fraud and identity theft. Wachovia provides the highest levels of protection and stands ready to assist you should you become a victim.

    Irony, anyone?

  • "That information was then sold to his clients, which included more than 40 law firms and collection agencies."

    I don't know whether the 40 law firms and collection agencies are criminally liable but if they ain't, they oughta be. An example should be made of them. Yes, those taking the data bear the brunt of the blame but the ones purchasing it have some culpability too.
  • A simple solution (Score:4, Informative)

    by Anita Coney ( 648748 ) on Monday May 23, 2005 @04:05PM (#12616383) Homepage

    Some states [] allow citizens to block use of their credit report. Thus, even if someone steals your SSN, your birth certificate, and your drivers license, they're unable to obtain any new credit in your name, because no one is going to give credit without first getting a credit report.

    Sure, it doesn't solve all problems with ID theft, but it certainly helps.

  • by The Angry Mick ( 632931 ) on Monday May 23, 2005 @04:15PM (#12616493) Homepage

    A while back I got a call at around 4:30 P.M. from a credit card company requesting that I verify I had applied for a Home Depot card via one of those "just sign the line below" forms. I hadn't, so I immediately began the tedious process of requesting credit reports and contacting my bank to check up on unusual activity.

    Later, at about 7:00 P.M. the same night, I got an pre-recorded call requesting that I call an 800 number and reference a specific "case code". I wrote down the telephone number and the code, and the next day spent a few minutes on Google shagging down the number. Turns out it was for a law firm in Utah that specialises in handling collection cases (unfortunately, I cannot remember their name). I remember thinking, a) "I don't owe anyone any money" and b) "how in the hell did they get my number?".

    Now, I guess I know.

    The story ended well for me - there were attempts to steal my identity, but they were all apparently stopped. I never did call the collection firm, so I have no idea what they may have wanted to chat about - seems to me if it was important, they would have used a human instead of a tape. The links I followed from Google were mostly to blogs and forum entries relating to how other folks had recieved similar calls from this agency, and upon returning them had been informed by the collection agency that they owed some form of money to an bank/credit card company they were representing. The kicker was that they also tried to add an additional fee (some as high as $275 US), payable to the collection agency alone. Other links mentioned how this same company had been banned from business in a lot of states for trying to add this extra fee, and, in essence, refusing to clear the original debt until their extra fee had been paid.

  • by RayMetz100 ( 886277 ) on Monday May 23, 2005 @04:21PM (#12616592)
    My old bank fired me for reporting that all daily loan applications including first and last names, social security for borrower and co-borrower and full addresses were wide open on an unsecured windows fileshare with everyone/full control access. All 50,000+ bank employees plus contractors with any windows domain login had full access to view all daily loan applications. These poor people weren't even our customers yet. I knew my manager would do nothing about it, so I started with a standard IT helpdesk call. At least then my report would be logged. Nothing happened. I then tried several other channels and after a few days, I found the "dept in charge of keeping us off CNN". They immediately secured it and were very thankful of my report. Since I had also noticed many other unsecure servers in my time there like daily intra-bank mortgage trade activity and others, I proceeded to report over 15 servers to this group. They fixed everything I reported and were thankful. They advised me not to scan their network because that would be considered hacking, but if I came across unsecured servers over the course of my normal work, I should report it. All was fine until some other managers got back to my manager asking who was the busy-body in his department causing them this extra security work? At bonus review time, my manager all of a sudden gave me poor ratings, disqualifying me from my $6000 bonus. He had given me an out-of-cycle raise just 5 months earlier for good performance. Go figure. After no raise and no bonus, I was pretty ticked and started escalating the issue with his manager and the nice security group. No response. I then put in for a transfer. My manager then writes me up for a written performance issue, listing security as one of the issues, and made my transfer ineligible for 90 more days. I continued to escalate but a few weeks later, he fired me for not addressing the "performance" issues. I've thought about finding a lawyer, but I'm much happier with my new employer now and try to just let it go. Ray
  • by DunbarTheInept ( 764 ) on Monday May 23, 2005 @05:23PM (#12617328) Homepage
    Allegedly the affected customers have been notified by their banks. This leads to a question I have - with phishing being so common, when anyone receieves an e-mail from their bank, do they believe it's really from their bank anymore? Especially when it says it's about an alleged comprimise of their account?

    One of the wost things about spammers is that they generate a "boy who cried wolf" problem for people sending legitimate e-mails.
  • by WindBourne ( 631190 ) on Monday May 23, 2005 @06:19PM (#12617849) Journal
    Normally, the break ins involve Windows (in fact, Windows has some 40% of https space, Yet, has more than 95 % fo the thefts). But here windows is only 1 out of the 4. Solaris accounts for the other 3.

    That assumes that they really are on the these sites. With the big break-in that occured with Visa/MC/Discover about 1-2 years ago, it took awhile, but they found a Nebraska clearing house running windows had been broken into, not the CC sites.
  • by Senor_Programmer ( 876714 ) on Monday May 23, 2005 @07:33PM (#12618560)
    It's plain old fraud and the onus should be on the merchants and lenders who fail to verify the identity of the person they are extending credit to.

    But no, this is too costly, so they try to put it back on the person who's information is used in the fraud.

    It's NOT RIGHT! If someone else borrows money in your name, it's the lenders problem, not yours. Your identity was not stolen. You are still you. The lender is at fault because he failed to exercise due diligence in a climate where fraud is rampant.

    Just think about it for a minute. You are NOT the victim of identity theft. You are still you and the other guy screwed some third party. Why should it cost you any money or any time... Instead, the idiots who carelessly or out of greed failed to verify that it was indeed you and not someone else requesting a credit report and credit should pay.

    There's a simple solution too.

    The credit reporting companies need to stop selling information to anyone other than the person who owns the information. Mainly you if it's your information. You want a loan, you request the information. Hell, if it takes a photo ID and a visit with a rep from the reporting company, then that's what it takes... But it's their problem to solve, NOT yours.

  • by funk49 ( 416343 ) on Monday May 23, 2005 @08:07PM (#12618873)
    Wells Fargo has *THE* worst security of all the large financial institutions.

    Last year, I received a notice that my personal info was on a system of theirs that was compromised. I called the customer support number given and inquired about what happened. Turns out, a laptop at a billing facility (yeah, i know...a laptop) was stolen along with a few others in a physical security breach.

    On that laptop was the personal info (SS numbers, addys, everything) of 300,000 account holders. Yes, that's right...300,000! Worse part is that this same scenario has occurred 3 times in the last 2 years!

    Wells Fargo's CSO and CISO should be flipping friggin' burgers instead of providing security as they are
    setting the standard for how bad you really can be.

    Hey Wells Fargo asshats, ever heard of getting some kind of policy and compliance audits going?

Research is what I'm doing when I don't know what I'm doing. -- Wernher von Braun