Practical Measures to Prevent Identity Theft (Cont'd)
- Take steps to prevent people from getting a driver’s license under your name. The Driver’s Protection Act (DDPA) of 2000 required that all state DMVs close records to the public. This stemmed from several well-publicized road rage incidents where people were gunned down after raging maniacs simply went to the DMV and, using the victims’ license plate numbers, obtained their addresses. This Act is a good start, but you can also provide a “request for verification letter” to the DMV, which requires that you be notified by phone or in writing before a driver’s license can be issued in your name. Contact your state DMV for more information.
- Beware of “phishing,” the latest scam used by ID thieves and account thieves. They will often send you phony e-mails that look like the real deal, posing as a bank, PayPal, or any other company to gain access to your personal data and/or money. Figure 11 shows a phishing example I just received as I was preparing this book:
To:
Subject: PayPal eCare department. Unusual activity in your account !
From:
Date: Sun, 1 May 2005 15:10:03 +0800 (HKT)
PayPal, an eBay company Encrypted Key: wm-101g/mgxa4fhv54nmzl
Dear PayPal, Inc. member,
PayPal, is committed to maintaining a safe environment for our customers. To protect the security of your account, PayPal, employs some of the most advanced security systems in the world and our anti-fraud teams regularly screen the PayPal payment system for unusual activity.
We are contacting you to remind you that on May 01, 2005 our Account Review Team identified some unusual activity in your account. In accordance with PayPal’s User Agreement and to ensure that your account has not been compromised, access to your account was limited. Your account access will remain limited until this issue has been resolved. We encourage you to log in and perform the steps necessary to restore your account access as soon as possible. Allowing your account access to remain limited for an extended period of time may result in further limitations on the use of your account and possible account closure. Visit the login page and perform verification process:
Log On for Online Services
Thank you for your prompt attention to this matter. Please understand that this is a security measure meant to help protect you and your account. We apologize for any inconvenience.
Sincerely,
PayPal, Inc. Account Review Department
Copyright © 1999-2005 PayPal. All rights reserved.
Figure 11.
Figure 11a.
The hyperlink to “Log On for Online Services” actually points to http://www.paypalcs.com/cgi/webscr.php?cmd=LogIn.
As you can see by the URL, this isn’t PayPal.com. When people go to this fraudulent site, it is basically a clone of the real PayPal, and once the victim enters his or her user name and password onto the form, the scammer gains access to that account.
Keep in mind that many PayPal users have the service connected to several if not all their bank accounts and credit cards, which practically gives the scammer carte blanche power over financials.
Tip: Maintain a list of your credit card account numbers and issuing creditor phone numbers in a safe place, just in case you need to cancel them in a hurry.
I’ve seen even better phishing scams, where the links appear real and then redirect, among other things. And until Congress acts to do something about this, it will continue to be a major problem.
Although some high profile arrests and convictions will certainly help curb the problem, many of the scammers are overseas and are well disguised and insulated from U.S. justice. They set the computer servers up in a remote location (in Asia, for example), then spoof (hide) their IP address (using a false computer number that makes it harder to track), and then take the phishing server down after a short time. By the time the authorities are notified, the scammer’s Web site—and the ability to track the perpetrator—is long gone.
If you receive any e-mail from a company, be sure to check the URL to ensure that it is the correct company. Even www4.paypal.com can possibly be wrong, so it’s up to you to type in the URL as www.paypal.com. (Scammers also like to use a URL with PayPal in it, such as www.paypal.payup.com; that URL actually belongs to payup.com, the last entry before .com.) If you receive an e-mail from a site that contains some kind of offer or request, the safe bet is to avoid clicking anything: open a new Web browser window and type in the URL of the site directly.
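The "last entry before .com" rule above can be applied mechanically to the two URLs quoted in this section. The following Python sketch is an added example, not part of the original book; the function names and the three-entry suffix list are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed, deliberately tiny list of two-label public suffixes (assumption);
# a real checker would load the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def hostname_of(url):
    """Extract the lower-cased host from a URL, with or without a scheme."""
    host = urlsplit(url if "//" in url else "//" + url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")


def registered_domain(url):
    """Return the name the site owner registered: one label plus the suffix."""
    host = hostname_of(url)
    try:
        ipaddress.ip_address(host)
        return host  # a bare IP address has no domain name to compare
    except ValueError:
        pass
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def check_link(url, expected="paypal.com"):
    """Classify a link against the domain the e-mail claims to come from."""
    domain = registered_domain(url)
    if domain == expected:
        return "expected"
    brand = expected.split(".")[0]
    # The brand name inside a host registered to someone else is the pattern
    # in both URLs quoted on this page.
    return "lookalike" if brand in hostname_of(url) else "unrelated"


if __name__ == "__main__":
    for link in (
        "http://www.paypalcs.com/cgi/webscr.php?cmd=LogIn",  # quoted on this page
        "www.paypal.payup.com",                               # quoted on this page
        "www.paypal.com",
    ):
        print(f"{link:50} {registered_domain(link):14} {check_link(link)}")
```

A result of "expected" only says who registered the name; it does not replace the advice above to type the address yourself.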