Anna Gorman of the L.A. Times reports that illegal immigrants are increasingly using stolen Social Security numbers to get jobs. As a result of increased demand from federal authorities to verify their workers’ legal status, more employers are checking the validity of Social Security numbers. This has caused many illegal immigrants to use stolen rather than made-up numbers to get jobs, immigration officials said.

More employers are using the Department of Homeland Security’s Basic Pilot program, which checks the validity of Social Security numbers online. However, Basic Pilot doesn’t detect identity theft. As long as the name and Social Security number are legitimate, the online system will indicate the person using them is authorized to work. Illegal immigrants and the document theft rings that cater to them are taking advantage of this loophole.

“It used to be that we would only see people come in with purely bogus documents,” said Julie L. Myers, assistant secretary for U.S. Immigration and Customs Enforcement. “More and more we are seeing real people, real victims.”

While the agency does not break out identity theft statistics, Myers said, “we are definitely seeing a trend.”

According to IDG News Service, most large data breaches don’t appear to lead to identity theft, and proposals that would require companies to notify customers of most breaches may lead to increased costs.

A report from the U.S. Government Accountability Office (GAO), said only four of the 24 largest data breaches between January 2000 and June 2005 appear to have resulted in identity fraud.
The U.S. Congress is considering several breach notification bills, including some that would require notification for all data breaches. Instead, the report recommends that Congress consider a notification rule based on the potential for the risk of identity theft.

The reports says that a data breach law would create costs for businesses, including the cost of developing incident response plans and notifying customers. The GAO researched 24 large data breaches reported in the media between 2000 and 2005, and found that 18 of them had no identity theft or fraud identified. Three of the breaches, at CardSystems Solutions Inc., DSW Inc, and CD Universe, had reports of fraud associated with existing customer accounts. And a breach at ChoicePoint Inc. had reports of unauthorized new accounts opened. In the remaining two breaches, GAO was unable to determine if there had been ID fraud.

However, it is hard to track identity theft resulting from data breaches, the report said. In some cases, thieves do not attempt to use the data until a year or more after the breach, the report said. A breach notification law could be beneficial because it would encourage organizations to improve data security, the report said. “Care is needed in defining appropriate criteria for data breaches that merit notification,” the report said. “Because breaches vary in the risk they present, and because most breaches have not resulted in detected incidents of identity theft, a notification that is risk based appears appropriate.”

Identity Theft Daily reports that there is a higher risk of identity theft among individuals who frequently use wireless technology in the form of BlackBerrys and cell phones. The French government is so concerned about the lack of security provided by wireless technology that it recently banned the use of BlackBerrys in government offices and at the presidential residence.

According to Townsend, author of “Information Technology and the World of Work”: “Much of the problem with modern communications systems is the fact that no communication is momentary. In a classic face-to-face or telephone conversation, your comments, your voice and the meaning of what you were saying only existed in the moment of the communication. With modern communication, most systems of communication – including email, instant messaging, and some telephones – create some degree of persistence of their content. Add to this increasing use of wireless communication for cell phones and laptops – which creates the potential for message intercepts – and you might as well be posting everything you say onto YouTube.”

According to CNET, scammers are taking advantage of the excitement over Apple’s newest smart phone, the iPhone, by sending malicious e-mails that try to dupe recipients into thinking that they have won an iPhone of their own. These e-mails contain a link which, if clicked on, will attempt to connect to a Web site and install malicious software designed to take control of the victim’s computer.

Paul Henry, vice president of technology evangelism for Secure Computing, says: “Because of the popularity of the iPhone brand, this is the first in what’s bound to be a series of scams involving the iPhone.”

The criminals behind this scam are using sophisticated techniques to thwart security firms. For example, the Web site is loaded with more than 10 pieces of malicious code, each targeting a potential browser vulnerability. In addition, users who attempt to visit the site more than once are redirected to another, “safe” Web site.

According to SC Magazine, a dishonest IT specialist, lack of encryption and insufficient physical security controls may have contributed to the disappearance of a U.S. Department of Veterans Affairs (VA) external hard drive that contained the personal information of 1.8 million people.

According to an Office of Inspector General (OIG) report, the hard drive, reported missing in February from the Birmingham VA Medical Center in Alabama, was believed to contain about 48,000 personally identifiable records. However, the report shows that the IT specialist responsible for the hard drive provided inaccurate information.

According to James O’Neill, assistant inspector general for investigations: “After being confronted with the results of the OIG computer forensic analysis, he stated that he panicked and admitted deleting and encrypting the files in an attempt to hide the extent, magnitude and impact of the missing data.”

The report also criticized the director of the VA hospital’s Research Enhancement Award Program department, where the IT specialist worked, for not mandating the deployment of encryption software, thereby violating organization policy.