The Identity Theft Assistance Center (ITAC) reports that two out of five identity theft victims surveyed know how their personal data was stolen, providing valuable insight about how identity theft occurs.

“This information is important because the more we know about the sources of identity theft the more successful we all will be in fighting this crime,” said ITAC Executive Director Anne Wallace. “These documented cases provide real world perspective on identity theft.”

ITAC surveyed 275 identity theft victims who used the ITAC’s free service over a one-month period. Of the 275 cases, 115 consumers (42%) knew how their information was compromised. Here are the top culprits:

• Friends, relatives, in-home employees: 22.61%

• Computer hacker/virus/phishing: 21.74%

• Mail (stolen or fraudulent address change): 20.87%

• Lost/stolen wallet, checkbook or credit card: 13.04%

• Corrupt business or employee: 10.43%

• Data breach: 6.96%

• House burglarized: 3.48%

Someone recently brought this little banner ad to our attention, jokingly suggesting that it reminded them of our new service, StolenID Search. While it made us chuckle, it also highlights the most important thing about our service – we never ask for any information other than the credit card number itself. Without some combination of a date of expiration, a billing address or a CVC2 (the security code on the back of your card) a credit card number has little value.

According to Sarah Cooke of the Associated Press, Montanans should be allowed to freeze access to their credit reports to block criminals from stealing their identity. Last week, the Senate Business, Labor and Economic Affairs Committee voted 10-1 to send the measure to the full Senate for further debate.

The bill states that consumers in Montana would pay credit agencies (Experian, Equifax and Transunion) a $3 fee to freeze their information. Identity theft victims could do it for free with proper documentation. The freeze would go into effect within 24 hours for identity theft victims, and into effect in five days for others, and could be lifted within 15 minutes when consumers want to take out a loan or open a line of credit.

If approved, the bill would go into effect in July, although the 15-minute lift on credit freezes wouldn’t apply until Jan. 31, 2009.

Police departments in Santa Ana, Costa Mesa and Newport Beach served warrants Thursday as part of Operation Fashion Fraud, a 10-month identity theft investigation. NBC4 News reports that the cops busted a group of identity thieves who stole credit card information, made purchases at high-end clothing stores, and then returned the goods for cash. The case involved about 90 cases at Orange County department stores.

“We believe that they were involved in over 90 incidents,” said Commander Baltazar De La Riva of the Santa Ana Police Department. “The total value was over $200,000 worth of merchandise that was charged using these fraudulent credit cards.”

In many of the cases, the victims knew the thieves but had no idea that their credit card information was stolen. For example, one victim rented a home to the thieves, who stole a credit card application that was mailed to the victims. They simply filled out the application and went shopping when the card arrived.

The case started in March when detectives posed as mail carriers and delivered items to the thieves. Over the course of the investigation, they delivered more than $15,000 in goods from Saks Fifth Avenue.

Police said there are at least 12 victims. Five arrest warrants were served this week and more arrests are planned, including that of the alleged ringleader.

In the past few days, we’ve seen thousands of people make comments about our StolenID Search service. We appreciate everyone who sees value in the service as well as those who have questions.

We feel that it makes good sense to help address all those questions in one common forum. So, we’ll use the TrustedID blog, which usually focuses just on news related to identity theft, as a venue to answer your questions/concerns related to our new service. Please post all your future questions and concerns about StolenID Search here, as comments. We’ll answer as many as we can.

Here, then, are the top questions people have expressed in recent days:

Why did you create StolenID Search?

Early detection is vital in preventing identity theft. That’s where StolenID Search comes in. A simple and secure search tells you if your data has been compromised, so you can take control and act quickly against fraud or identity theft. StolenID Search is intended as consumer-empowering, free service.

We’re a trust-worthy company with a strong consumer advocacy thread in our corporate DNA. Last year, we launched another consumer activist site, which increased awareness and enlisted support for more sensible federal consumer protection policies in Congress.

We thought carefully about offering this service before launch, and consulted with experts, including The Identity Theft Resource Center, before concluding it strongly served the public good. There is nowhere else where consumers can get the kind of insight we’re offering for free.

Is entering the data into www.stolenidsearch.com safe?

Yes, for three reasons:

First we save no personal information that goes into the search box at www.stolenidsearch.com . We do retain information about the issuing bank of the credit card (we can tell that from the first 6 digits of a credit card) but we do not retain the sensitive part of the card – the last 8 numbers which are your account number. As soon as we finish the search we immediately purge your sensitive data.

Second, our search is anonymous. We never ask you who you are. Your credit card number or social security number alone has little value. It’s when these numbers become associated with a name, an address, a date of birth, a expiration date, or a CVV2 number, that things start to get dangerous. We never know any of this information; therefore, searching for a number with StolenID Search is unlikely to harm you, even in the worst case scenario.

In some cases, a SSN alone may help a fraudster perpetrate tax id theft or employment id theft. This happens because today few employers verify to see that a name and social security number match. In fact, until recently, it was impossible for an employer to even check that they matched. This is now changing because of headlines like this. Employers can now do verifications here. But there are dozens of ways to get a valid SSN today, from online services, from private investigators, even from the SSA itself. But again, because we save none of the data entered into our search box, even in the worst case, your risks are extraordinarily limited.

Finally, our site is built using the highest levels of security available on the Internet. It’s not appropriate to explain details, but suffice to say that we spend our days thinking about security, and we’ve been collecting far more sensitive information from our customers over the years. We have never experienced any data breach at TrustedID.

It’s highly unlikely that StolenID Search is going to be the next best asset for credit card thieves. Just because a credit card number doesn’t show up in our database doesn’t mean it works. And just because it does show up in our database doesn’t mean it’s been cancelled by the issuer. So what would the real value of our service be to a fraudster? It’s not clear.

In the long run, StolenID Search could diminish the potential marketplace for stolen data if we are successful in creating a single clearinghouse for this type of information. This would benefit everyone except the criminals, as we’re able to quickly alert consumers to the compromise of their information. That’s our goal, but it will take time to get there. Therefore, it’s so important to understand our big vision behind this advocacy effort, which is to help empower the consumer to protect themselves from identity theft.

Will StolenID Search encourage a new breed of phishing sites?

We certainly hope not. But any successful site breeds the potential for copy cat phising sites. We see that everyday in our inboxes with scams related Ebay, Amazon, Bank of America, Citibank, etc. In fact, we encourage more dialogue on educating people on “phisihing” scams on the blogs and in the media.

We are employing cutting edge technologies to ensure that phishing sites with names similar to StolenID Search or misspellings of StolenID Search do no lead to phishing attacks.

In this case, we believe the good that can be done by a site like StolenID Search is far greater than the potential risk of a would-be phishing site. Just as we believe the good done by online banking is greater than the bad done by phishing sites that mimic them.

We recommend that everyone today use some form of anti-spyware and anti-virus protection software. The risk is simply to great not to. It’s worth the $50. Do it. And do it before you get to our site, please.

If you have key logging software, it’s highly likely that the damage is going to be done before you get to StolenID Search. You’re going to create the real problems when you’re at your online bank, logging into an investment account. Again, risks exist, but we suggest that the potential benefits outweigh the potential bad.

Can we trust StolenID Search like other search engines we know?

We believe the answer is yes! Our service was built in consultation with industry experts, including Identity Theft Resource Center, the country’s leading organization for identity theft protection. TrustedID is an established company committed to consumer advocacy and the prevention for identity theft.

But more broadly, yes, consumers need to be very vigilant when they do anything online, especially providing personal information. They should always look for secure sites (shown by HTTPS:// in the url). They should make sure that URLs of sites they are visiting are not misspelled. They should not click on links in emails, but rather type the URL into a web browser themselves. They should look for “HackerSafe” and “Verisign Secured” logos on websites. And they should be running anti-virus and anti-key logging software on their PCs. I also personally recommend free services like SiteAdvisor. These suggestions, plus a little common sense, will keep 99% of consumers safe online

It is also important to note that StolenID Search is an anonymous service. We know nothing about the hundred thousand plus people who have used our service in recent days. Even if we were fraudsters, not knowing anything about you (ie: name, address, date of birth, expiration date, security code, etc) makes it much harder to use this information in a fraudulent way. Also, please keep in mind that we save NONE of the personal data that goes into our search engine. That information is purged immediately.

StolenID Search is unique in its ability to give ordinary people free access to valuable information. There is no other way to do this today. If individuals want this benefit, we encourage them to use our service.

As always, we really appreciate your feedback. You’re welcome to respond though comments on this blog, or send me your thoughts directly.

Scott Mitic
CEO, TrustedID

Scott |at| trustedid |dot| com