Tag Archives: ID theft

How New Medicare Cards Deter ID Theft

There are big changes Medicare has planned in 2018 that will help protect the identity of seniors and continue proper health benefits. The biggest and best change will be the new Medicare ID cards.

When Medicare recipients receive their Medicare card, they are typically shocked to see that their Medicare Identification number is the same as their Social Security number. Medicare beneficiaries run the risk of identity theft when they have their Medicare card in their wallet or purse; it would be comparable to walking around with their Social Security card in their possession.

Identity theft is a major issue; when someone has the Social Security number of another person the thief can apply for loans, open bank accounts and possibly gain employment. When someone has your Social Security number, the person has the key to your credit and identity.

The Social Security Administration and the Federal Trade Commission have been urging the Centers for Medicare and Medicaid Services to change the Medicare Identifier for years.

Finally, after years of requesting that changes be made, CMS has made the decision to move to updated cards that do not have a Social Security number as the Medicare identifier. These updated cards were sent via mail in the beginning of April 2018. CMS anticipates all Medicare beneficiaries will have a new, updated card by April 2019.

What to Expect from the New Medicare Cards

The updated Medicare cards will feature a new Medicare Beneficiary Identifier (MBI) number. The card will display a randomly assigned number for all Medicare recipients.

Healthcare providers and Medicare beneficiaries will be able to securely access tools that will allow them to look up MBIs as needed.

During the 21-month transition period, it will be possible for providers to use a patient’s Social Security number or the new MBI number. The transition period was put in place to help things run smoothly for providers and patients across the nation. The issuance of a new card will not affect Medicare benefits.

The new MBI number will have 11 characters, with a combination of numbers and uppercase letters. These new numbers will have no special meaning, making it safe to keep in your wallet or purse.

The new cards will be mailed to you based on your geographical location; however, it is possible that you and your neighbor will get a new card at different times.


The Transition Period

CMS is trying to make the transition smooth for caregivers, patients and others who need accurate Medicare information. The transition period will allow beneficiaries and providers to exchange Medicare information with CMS using MBI or a Health Insurance Claim Number; this period is scheduled from April 1, 2018, until Dec. 31, 2019.

On Jan. 1, 2020, beneficiaries and caregivers will be required to use an MBI for most situations. It is suggested that beneficiaries keep an eye out for their updated Medicare card, and when it comes they should get into the habit of using their new MBI early.

Obtaining an Updated Card

Beneficiaries should destroy their old cards immediately after receiving their updated Medicare card. Once the new card is in possession, you can start using it at once. It is important that you keep your new MBI number confidential and watch the mail carefully so that you are aware when the new card is delivered.

The new cards are going to be made of paper, making it easier for providers to use and copy. If you are enrolled in a Medicare Advantage Plan, the Plan ID card is the main card you show to your providers, although a healthcare provider may ask to see your MBI card, so keep it with you.

How to Protect Your Identity Now

Identity thieves have noticed seniors as ideal victims for identity fraud. Seniors typically have more money in their checking and savings accounts, and they have paid off their major financial obligations.

Because seniors usually receive Medicare benefits, the door for identity theft in the medical industry is wide open. Because most seniors are not purchasing a new home or taking out a large loan, they have no reason to stay informed and therefore check their credit score less often.

How to Keep Important Documents Safe:

  • Make copies of your insurance cards
    • Make a copy of your insurance card and remove the last four digits of your Social Security number.
    • Leave the original at home.
    • If you do need to take an original, remove the card from your wallet after the appointment and store it in a safe place.
  • Keep important documents safe:
    • A home safe can allow you to store important documents; if you have highly important documents, you might want to consider a bank safety deposit box for documents you do not need often.
    • Never carry around extra bank cards, credit cards you don’t frequently use, any health insurance card or your Social Security card.
  • Protect computer and internet access:
    • Be sure you use anti-virus, anti-spyware and firewall software to combat hacking programs that are designed to steal personal information.
    • Be creative with passwords and never use the same passcode for multiple accounts. Changing passwords regularly can ensure privacy.
    • Never send personal or financial information through an email, no matter the situation or company.
    • Be sure to have your Wi-Fi network password protected and secure. Your internet installation service rep can help make sure your wireless network is protected.
  • Check your credit frequently: Per the Fair Credit Reporting Act (FCRA), every 12 months a free credit report can be provided for you from each of the nationwide credit reporting agencies.
  • Destroy old documents:
    • Some documents need to be stored safely; others can be destroyed.
    • You should be destroying credit card statements, receipts, bank statements, tax documents, canceled checks and old driver’s licenses.

The Reason Behind a New Medicare Number

The current Medicare number for many beneficiaries is their Social Security number. The U.S. Railroad Retirement Board, state Medicaid agencies, Social Security, healthcare providers and health plans all use this number.

There are great dangers that can occur when a Social Security number is in the hands of a criminal. The Medicare Access and CHIP Reauthorization Act of 2015 requires CMS to replace the old numbers with a new, updated Medicare Beneficiary Identifier.

These cards are being released for one primary reason, to better prevent seniors from being the victim of identity theft.


Be Aware of Scams

The reason for new Medicare ID cards was to prevent seniors from being the victims of identity fraud. Unfortunately, the change has inspired criminals to take a new approach. There have been attempts to mislead Medicare recipients, and more attempts are likely to be made through the transition. It is important that beneficiaries be aware of possible scams.

The new Medicare ID does not cost beneficiaries money. The new card has the same benefits as the current card. Do not give the new card to anyone other than a healthcare provider. Many identity thefts are committed by friends and family.

Medicare will not ask you to give personal information to obtain your new number and card. Nobody should contact you about the new Medicare card, your new number or any personal information.

Medicare does not make uninvited calls to beneficiaries. If you think you are a victim of medical identity theft, contact the Federal Trade Commission about what to do next.

Advantages of Change

Because the new cards will not have a Social Security number, scammers will find it more difficult to commit fraud. Beneficiaries need to keep MBI numbers confidential and treat the numbers like personally identifiable information.

If a beneficiary forgets the new card at home, healthcare staff can search the new Medicare ID number on a secure site. All existing Medicare information will continue to be available to your doctor.

More than 57 million Americans will be provided with greater identity protection from the new Medicare ID cards. CMS intends a successful transition to the MBI for all people with Medicare and for their doctors.

Employee Benefits: ID Theft Coverage

Employers looking to dial up the correct mix of benefits to retain valued employees are increasingly including identity theft protection services as a perk.

Research firm Willis Towers Watson predicts identity theft protection, offered by 35% of employers in 2015, could double to nearly 70% by 2018, making it the fastest-growing type of employee benefit over the next couple of years.


ThirdCertainty recently sat down with Joel Ray, the CEO of New Benefits, a Dallas-based employee benefits solutions provider, to discuss the drivers — and the arc — of this trend. The following text has been edited for clarity and length:

3C: Identity theft has become part of the lexicon of the world we now live in.

Ray: With all the hacking of corporations, health plans and government, there is a myriad of ways people can get their identities stolen and misused, whether it’s medical fraud, tax return fraud, stealing a Social Security number or a credit card information scam.

To me, not protecting yourself with an identity theft protection service is commensurate with not locking your door and setting an alarm when leaving home or not buying life insurance to protect your family. It just makes all the sense in the world, when you have the ability and a product is available to address identity theft, to include this as an employee benefit.

3C: So how do employers view this?

Ray: Employers were the first ones decades ago to offer health insurance to their employees, and early adopters have added other types of benefits over the years. The idea, of course, is to attract and retain good people. … Research shows an employee’s financial health is every bit as important as physical and mental health. If anything goes wrong (financially), they are not going to be a productive worker. Meanwhile, identity theft happens every two seconds in the U.S. to quite a large number of Americans. So, identity theft protection is something that, in today’s digital world, makes perfect sense to provide employees, either on an employer-paid or payroll deduction basis.

3C: How much of a challenge is public awareness?

Ray: The hard part is the education. Yet the almost daily reports about breach events have gotten employers more interested. We’ve had many (benefits) brokers representing our products say that, for the first time, employers are asking for identity theft protection.

It really is the brokers in today’s world who act as consultants regarding the latest and greatest new products. And, typically, identity theft is toward the top of the list — if not at the top of the list.


3C: How does improved productivity factor in?

Ray: Identity theft protection is like any other benefit. Basically, anything you can do to provide financial security to your employee is a good thing. It’s a primary reason employers provide 401Ks. A lot of voluntary benefits, like cancer disability, critical illness and dental, charge a lot more for family coverage. This one charges a little bit more, but you get financial security and protection, not only for the employee but for the entire family, as well. It’s a very inexpensive benefit relative to the protection it offers, and I think it will become a staple of the industry in the very near future. The early adopters who provide this benefit to their clients now are going to have market advantage over those who wait.

3C: Sort of like supplying peace of mind as a benefit?

Ray: Yes. For example, employees buy life insurance for peace of mind so the family is protected in case of an untimely death. With identity theft protection, employees and their families are protected from something that happens every day from thieves who always seem to be one step ahead and out of reach from the law. If you’re an employer, wouldn’t you rather offer your employees a benefit that will meaningfully protect them from financial harm versus other benefits that, based on the historical record, may not add any real value?


This article originally appeared on ThirdCertainty.

Why Credit Monitoring Doesn’t Work

Chances are you have received a letter stating that your personal data may have been compromised. Perhaps you were one of the 80 million people with an Anthem health insurance plan. Maybe you were one of the 21 million current or former employees of the federal government, or you could have been one of the 40 million who shopped at Target. There are countless examples where organizations failed to protect sensitive data and then were required to notify the affected individuals.

These notifications typically reveal how the breach happened, what steps are being taken to prevent another incident and what a company is doing to protect you from identity theft. Most organizations offer some form of credit monitoring and ID theft remediation services. Some states are beginning to mandate at least one year of credit monitoring under certain circumstances.

The Limits of Credit Monitoring

Offering credit monitoring seems to be a necessary post-breach strategy, and the very least a company would do. However, a deeper dive into what it does – and what it does not do – is long overdue.

Credit monitoring immediately notifies an individual that an attempt was made to obtain some form of credit in her name. Credit restoration services are usually offered when identity theft occurs. This is a valuable service that restores a victim’s good credit, saves time and alleviates stress.

Credit monitoring does not prevent identity theft. The only way to prevent an identity thief from accessing a victim’s credit is to either place a 90-day fraud alert on a credit file or freeze credit lines.

  • Fraud alerts require potential creditors to contact individuals before opening lines of credit. To activate a fraud alert, individuals are required to notify one of the three bureaus (Equifax, Experian or TransUnion) and to repeat the process every 90 days to maintain the fraud alert status.
  • Freezing credit can be accomplished by contacting all three credit bureaus and requires each one to place a freeze on an individual’s credit file. Each bureau provides a PIN # that can be used to lift the freeze later. There may be a nominal fee based on state of residence, which typically ranges from $5 to $15. Some states may require an additional fee to lift the freeze. A credit freeze may cost less than credit monitoring and identity theft restoration services. In fact, it has been widely reported that the Office of Personnel Management spent $133 million for three years’ credit monitoring for the 21 million individuals affected by their 2015 data breach.

Legal Ramifications of Offering Credit Monitoring

Offering credit monitoring can cost an organization even more than the dollars spent. In Remijas v. Neiman Marcus, the plaintiffs alleged that 350,000 payment cards were affected when hackers gained access to Neiman Marcus networks. Even though a small fraction of the cards were affected by fraudulent activity, the Seventh Circuit Court of Appeals granted the plaintiffs legal standing, allowing the class action to proceed, because card holders had a legitimate fear of future identity theft. Because Neiman Marcus offered credit monitoring to the card holders after the breach, the court concluded that it was conceding that future identity theft was entirely possible.

The state regulatory environment, coupled with recent appellate court decisions, leaves organizations in a difficult position. States are beginning to require credit monitoring following a data breach. Organizations that do not offer credit monitoring face scrutiny by attorneys general, potential fines for non-compliance and a public relations fiasco. Yet those that offer credit monitoring will incur significant costs and, as evidenced in Remijas v. Neiman Marcus, may actually hurt their defense in a class action lawsuit.

A Better Way to Protect Your Identity

A more rational approach is needed to identity protection. Organizations and state regulators reacting to data breaches involving sensitive data elements need to address ways to prevent identity theft. As of this writing, organizations cannot legally freeze a consumer’s credit for him, and have little means to prevent identity theft on his behalf. However, with the full support of state officials, a more efficient process to freeze credit can better protect identities and mitigate costs.

Identity Theft Can Be Double Whammy

When it comes to data security and the real-life impact of identity theft, public awareness is at an all-time high. But there is still great confusion and ignorance about what it is, how it happens and what can be done to avoid the pitfalls of life after a data breach or personal compromise.

Most of us still feel flummoxed–and perhaps a bit panicked–when we get a phone call, an email or a letter saying our data or identity has been compromised. Even if it’s a situation that can be easily remedied, like a compromised credit card, where the problem is relatively small, it’s still frustrating. Even if the only real-life consequences are a day or two’s wait for a replacement card and the need to notify a few creditors that your billing information has changed, you feel violated. You wonder if it’s going to happen again. And depending on the source of the compromise and what’s been taken, it may well happen again. So, you stew and wonder some more.

The unfortunate part is that identity thieves understand this. In the mad dash to understand the full ramifications of what’s happened to you, you may expose yourself to further trouble–for instance, by providing your information to a phony identity theft resolution expert, only to be guided through a process of information shedding that brings about further compromise by the very data wolves in sheep’s clothing who ran the scam in the first place.

Taking a few simple steps will help you avoid crooked “helpers” like these, as I explain in my book Swiped.

Be Prepared

If you don’t subscribe to an identity theft resolution service or lack a plan of action before you suffer a personal compromise (other than the theft of a payment card, which can be solved with a couple of phone calls), you will need to spend more time and more money than you are probably prepared to spend. Then, after you have worked your way through the maze of law enforcement, credit bureau, creditor and record-keeping requirements necessary to put yourself back together again, you will almost assuredly spend additional time–more than you thought possible–rearranging the way you make your information available both online and in your everyday transactions.

For this to really work, you need to be willing to make a few adjustments in the way you approach your identity and your data hygiene.

The Best Defense Is a Good Offense

What the great majority of current and future identity theft victims fail to understand is that they really must be their own first line of defense. Because identity thieves can’t realistically be completely stopped, you can instead focus on making yourself a harder target, and on being readier when the attack comes.

A simple practice like shredding your personal documents can help, but it’s not a solution. Identity thieves can be anyone from a dental hygienist pilfering patient files to small-time crooks breaking into mailboxes or stealing unshredded garbage or tax-related documents during filing season. The more you know what the bad guys want and need, the better you can practice proactive data hygiene.

The fact of the matter is that when it comes to international crime syndicates that breach the databases of multibillion-dollar international corporations and sell the liberated information, deploying a paper shredder is like bringing a knife to a gunfight.

The above is an adapted excerpt from Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves, which hits bookstores everywhere Black Friday.

Scammers Taking Advantage of Google

Some 500 million people use Gmail and Google Drive. I’m one of them.

Gmail and Google Drive are wonderful for communicating and collaborating. But it turns out they’re also ideal tools for hacking into your computing device.

Bad guys on the cutting edge have discovered this. And their success so far indicates attacks manipulating Google’s productivity platform, and similarly exploiting other popular cloud-based business tools, are destined to progress.

This development should not come as a big surprise. Cyber criminals are quick to recognize fresh opportunities created by our headlong rush to use cloud services and mobile devices without giving due consideration to security and privacy.

Intelligence about the latest iteration of hacking comes courtesy of security startup Elastica.

Flying under the radar

Researchers at Elastica this summer discovered scammers using Gmail accounts to send messages crafted to fool recipients into downloading corrupted PowerPoint presentations stored on Google Drive. Scammers were thus able to slip the malicious PowerPoint file past malware detection filters.


Another tactic discovered by Elastica involved scammers opening free Gmail accounts from which they sent out spoofed messages tricking recipients into visiting a website they controlled that was hosted on Google’s own servers. Because the bad guys’ website was hosted on Google servers, it was deemed trustworthy, making it easier for them to trick visitors into divulging account logons.

Any hacker can tell you that once you get someone to download a corrupted file, or get them to navigate to a website you control, the rest is comparatively easy. At that point, the target is a half-step away from being owned.

Keys to the (data) kingdom

“In the cloud environment, the username and password become all-powerful; almost all these applications use some sort of username and password as a way to get in,” says Eric Andrews, Elastica’s marketing vice president. “Once you have that, you can do anything you want. You can get all the data. You can get all the files. So a lot of these attacks that are going at the cloud apps are all about trying to get somebody’s username and password.”

These fresh hacking opportunities are being presented not just by Google but by each and every one of the most popular cloud-based email, productivity tools, file-sharing and customer-relationship tools.

“Office365, Dropbox, Salesforce, all of these apps are very, very convenient and have a lot of great business utility,” Andrews says. “But there is this kind of lurking concern. You don’t really know if your company’s data is safe. You don’t know if other people can get to it. This move to the cloud really has a fundamental ripple effect through all security functions.”

Gmail more widely used

In abusing Google’s services, cyber criminals are taking advantage of the fact that Gmail has become a de-facto backup email throughout the business world. It is widely used by well-intentioned workers, in companies of all sizes, who are hustling to work more productively.

No one is surprised anymore to receive an email from the private Gmail account of a supervisor, colleague, partner or customer, or even an administrative message from Google. A trust exists. And this creates a perfect environment for spoofing.

Likewise, free or cheap Google Drive file storage makes for a perfect repository to set up phishing attacks and distribute malicious web links.

In a case recently dissected by Elastica, the bad guys sent phishing emails out to victims who they guessed would have an interest in controversies surrounding Tibet’s Dalai Lama. The enticement: Click to a link to a corrupted PowerPoint presentation hosted on Google Drive.

Aditya Sood, chief architect at Elastica’s Cloud Threat Labs, describes how the social engineering aspect of the attack then unfolds:

“There are no attachments in the email. Basically, it’s just a direct link to the Google cloud service, which hosts the PowerPoint presentation. When the user retrieves that link, the user won’t be able to view this PowerPoint presentation. So the user then is going to download that file onto the local machine. Once the user opens it on his local machine, the PowerPoint presentation actually extracts two files. One, the INF file, contains a launch code for the second, a GIF file. The GIF file downloads malware to the end user system.”

Gmail and Google Drive are powerful, flexible, reliable, easy-to-use and free. Yet, it turns out that these are the very characteristics that make them ideal tools for cyber criminals to infect computers. In essence, the bad guys are simply adapting infection techniques that proved highly effective in the desktop environment to new opportunities presenting themselves in the cloud environment.

These bad guys no longer have to trouble themselves with creating malicious email attachments, nor do they have to worry as much about spreading tainted Web links that can be quickly detected and blacklisted. And as long as the trust remains high in Gmail, Google Drive, Office 365, Salesforce and other top cloud services, social engineering trickery remains easier than it really ought to be.

“Attackers don’t have to invest too much time or money in gaining credentials or compromising servers to attack people,” Sood says. “They simply create one Gmail account and then, basically, abuse the Google publishing functionality.”
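For mail administrators, the link-only delivery described above means the attachment scanner has nothing to inspect, so the linked file has to be fetched and scanned instead. The following triage sketch is an added example, not code from Elastica or from this article; the host lists, the sample messages and the action names are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions for this example: illustrative host lists, not taken from the article.
CLOUD_FILE_HOSTS = {"drive.google.com", "docs.google.com", "www.dropbox.com"}
FREE_MAIL_DOMAINS = {"gmail.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _host(url):
    """Lower-cased hostname of a URL, or None if it cannot be parsed."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def triage(raw):
    """Decide how one RFC 5322 message should be scanned, based on where its file lives."""
    msg = message_from_string(raw, policy=policy.default)
    attachments, links = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            attachments.append(part.get_filename() or "(unnamed)")
        elif part.get_content_type() in ("text/plain", "text/html"):
            links += [u.rstrip(".,)") for u in URL_RE.findall(part.get_content())]

    cloud_links = [u for u in links if _host(u) in CLOUD_FILE_HOSTS]
    sender = parseaddr(str(msg.get("From", "")))[1]
    sender_domain = sender.rpartition("@")[2].lower()

    signals = []
    if cloud_links and not attachments:
        signals.append("link-only delivery: attachment scanner had nothing to inspect")
    if cloud_links and sender_domain in FREE_MAIL_DOMAINS:
        signals.append("free webmail sender sharing a cloud-hosted file")

    if cloud_links:
        action = "fetch-and-scan-link"   # route the linked file to the malware scanner
    elif attachments:
        action = "scan-attachment"
    else:
        action = "deliver"
    return {"action": action, "cloud_links": cloud_links,
            "attachments": attachments, "sender_domain": sender_domain,
            "signals": signals}


def _build(sender, body, attachment=None):
    """Build a constructed sample message (not real traffic)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", "Presentation"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


# Constructed samples: the file id and all addresses are placeholders.
LINK_ONLY = _build("Colleague <someone@gmail.com>",
                   "See https://drive.google.com/file/d/EXAMPLE_FILE_ID/view")
WITH_ATTACHMENT = _build("colleague@example.com", "Slides attached.", "slides.pptx")
PLAIN = _build("news@example.com", "Read more at https://www.example.com/news.")
```

A hit is a routing decision, not a verdict: legitimate mail matches both signals every day, so the output should send the linked file to scanning rather than block the message.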