Just What We Need, 44 Million Federally-Funded Opportunities for Identity Thieves

If you're over 65, you're one of the 44 million people who are easy targets for ID thieves. Why? Because Uncle Sam emblazons your Social Security number -- in full -- right on your Medicare card. And it's not the kind of card that you're supposed to leave at home.

Don't Leave Home Without It?
Medicare tells you to "carry your card with you when you are away from home." It's written right on the back of the cards that some 44 million of us take with us wherever we go -- or our parents or grandparents do.

Yet the FTC says, "Protect your Social Security number. Don't carry your Social Security card in your wallet."

And the Social Security Administration is even more specific: "Show your card to your employer when you start a job so your records are correct. Provide your Social Security number to your financial institution(s) for tax reporting purposes. Keep your card and any other document that shows your Social Security number on it in a safe place. DO NOT routinely carry your card or other documents that display your number."

Two recent and excellent articles point out the absurdity of this situation: one in The New York Times, by Robert Pear, and the other an AP story by Larry Margasak. As they show, the FTC and SSA worry about putting the identities of millions of Americans at risk -- while the Medicare people talk about not wanting to scare seniors with new cards and how expensive it'll be to come up with new cards for everyone.

Are They Nuts?!
It's hard enough to prevent identity theft without Uncle Sam making it easier on the crooks, by sending every senior citizen in the country out there with their Social Security numbers in their wallets! (My partner, Marc, just got his. Oy!)

It'd be great if we didn't have to get the whole federal government involved in rectifying this problem … but we do. The "Medicare Card Security Act of 2008 (S. 2908)" calls for the elimination of the use of Social Security numbers on new Medicare cards. It won't totally solve the problem, but at least it's a first step.

Consumers Union, which is calling on government to "be the solution, not the problem," has made it easy to contact your Senators in support of this bill. Click here.

What Should Seniors Do Now?
One of the bigwigs at Medicare says to leave the card home unless you know you'll need it. That sounds too extreme to me, given all the What Ifs out there. While I don't like the idea of Marc leaving his Medicare card home, I don't want us to have to deal with the consequences of his identity being stolen, either.

So I'm going to recommend he punt to prevent thieves from getting his Social Security number, by copying and cutting, as the Privacy Rights Clearinghouse recommends:

"You can make a photocopy of your Medicare card. Take a black marker and cross out the last 4 numbers of your Social Security number. Or take a scissors and remove the last 4 digits. Then cut it down to card size and carry that with you instead of the actual card that has your full SSN on it."

Until this gets straightened out in Washington, he'll still need to bring his original Medicare card with him whenever he goes to a doctor for the first time, and the hospital will no doubt want to see it if he's being admitted. But I prefer this punt to leaving the card home or going everywhere with the card that has the full Social Security number on it.

Do you agree? If so, tell everyone in your life who is 65 or older to start copying and cutting!

Nancy Castleman – Co-author of "Invest in Yourself: Six Secrets to a Rich Life" and founder of Good Advice Press. Nancy has spent the last 23 years teaching people how to get out of debt, save money, and live better on less. She writes on all these subjects for CreditBloggers.com.



If the IRS Calls, Hang Up!

The FTC issued a consumer alert the other day about the latest phishing expedition: "Extra! Extra! Count on Scammers and Schemers to Follow the News." It seems the fact that more than 130 million rebate checks will be coming our way in May has gotten the attention of crooks, and they're baiting their traps to catch as many of our checks as they can.

Phishing is when a scammer calls or emails you, claiming to be from your bank, credit card company, a government agency, or an online merchant, and tries to get you to reveal personal information that would be useful in stealing your identity.

The Latest in Phishing
Be on the lookout for a call from someone who claims to be from the IRS. You'll be asked to verify some information so your rebate check can be deposited directly into your account. You might be asked for your checking account or Social Security number, for example. Don't bite!

As the FTC puts it:

"The IRS does not gather information for rebates by telephone. Nor does it send unsolicited e-mail to taxpayers about tax account matters. Filing a tax return is the only way to apply for a tax refund; there is no separate application form."

Do's and Don'ts

  • Don't give out personal information to callers.
  • Don't respond to emails or pop-ups requesting personal information.
  • Don't click on any links in an email or pop-up that might be spam.
  • Don't take any chances. It's sometimes hard to tell if an email is from your bank or a scammer.
  • Do install spam, virus, spyware, and firewall protection on your PC, and update them regularly.
  • Do click here for more of Credit.com's phishing tips.

If you do get an email from someone claiming to be from the IRS, the FTC advises you to forward it to phishing@irs.gov, and then delete it. If you think you may have already been a victim of this or any other scam, file a complaint with the FTC or call toll-free, 1-877-FTC-HELP.

What's in Your Inbox?
Although I haven't received a call or message about my tax rebate, I do get my fair share of phish in an inbox that I keep just to stay on top of the latest schemes. Here's hoping no one is trying to phish for information from you. But if you do get a suspicious call or email, resist the bait and give us a heads-up. We'll help spread the word.

Nancy Castleman – Co-author of "Invest in Yourself: Six Secrets to a Rich Life" and founder of Good Advice Press. Nancy has spent the last 23 years teaching people how to get out of debt, save money, and live better on less. She writes on all these subjects for CreditBloggers.com.



Reader Question: What to Do When Your Wallet is Stolen

A CreditBloggers reader and financial planner recently wrote in with this question:

A client of mine just called me.  His wallet was stolen while he was in Las Vegas (maybe they did him a favor….kidding).

Anyway, he does NOT have any credit cards, but I told him to contact the three bureaus and implement a security freeze or fraud alert on his accounts.  It appears that it must be done in writing. 

Having your wallet stolen while on vacation is the pits. Just the process of going through the airport's secondary screening line without an ID is a hassle. Moving quickly to report the crime can help mitigate the stress. 

Luckily, the theft of a wallet rarely leads to a serious identity theft case. You only have to be really concerned if your Social Security card was also stolen. Otherwise, you just need to be cautious about credit card, debit card and insurance fraud.

Your first step should be to call your debit card companies to have the cards canceled and re-issued. If you've left photocopies of the front and back of all your cards at home, you'll be ahead of the game. If not, you can look up the bank's fraud contacts online.

After this is done, you should call one of the three credit bureaus to place a 90-day fraud alert on your report. You're basically done with the urgent steps now and can work on getting home. A fraud alert is different than a file freeze. A file freeze completely locks your credit records and requires either writing the bureaus or buying their monitoring programs.

Once you're at home, you'll need to talk to your insurance companies about getting new cards. Pay especially close attention to your medical insurance. Since hospitals don't check IDs, it is fairly easy for a thief to use your medical insurance and stick you with the bill.

Keep a close eye on your financial statements for the next couple months. If you spot any fraudulent transactions, immediately contact the bank to report the incident.

Emily Davidson – A former TransUnion insider and a member of Credit.com's expert team. Emily writes about credit reports, credit cards, loans and personal finance as the CreditBloggers.com editor.



Don't Sell Your Identity for a Box of Girl Scout Cookies

It's Girl Scout cookie time again.

I love their cookies (Thin Mints and Tagalongs in particular), and the Girl Scout organization. Between my daughter's friends and the sales at the local supermarket, I usually end up with a freezer full of cookies.

But I was appalled recently when I went to write a check for the cookies I ordered and was told in no uncertain terms that I had to write my Driver's License number on my check! When I refused, I was told I couldn't pay by check.


What are they thinking??

My good friend is a Girl Scout troop leader, and the training she receives is rigorous. She's been through many hours of classes -- many designed to ensure the girls who participate are safe. Yet the same organization is putting their supporters at risk by insisting that driver's license numbers be recorded on checks.

How many hands do those checks go through? How are they secured before they reach the bank where they are cashed? What happens if even one identity is stolen as a result of this policy?

Maybe along with the cookies, Girl Scouts should also sell identity theft resolution services.

Gerri Detweiler – Personal finance author, radio host and credit expert. Gerri contributes budgeting, debt recovery and savings information online.




Resolving to Prevent Identity Theft?

Identity thieves love the start of a New Year. Not only are there lots of juicy bills ready to steal from the mail, but those lucrative tax forms are going to start appearing too. For identity thieves, Christmas starts in January!

Recently, I sat down with Marc Perlman from Your Money Matters Radio to talk about identity theft. Click here to listen to the hour-long interview where we covered:

  • Common types of identity theft
  • What you can do to protect yourself
  • How fraud alerts work
  • Identity theft within families
  • Avoiding theft while traveling

And much more! Click here to listen today!

Emily Davidson – Credit.com credit expert and former TransUnion insider. Emily writes about credit reports, credit cards, loans and personal finance as the CreditBloggers.com moderator.



Over 8 Million Identity Theft Victims a Year

The Federal Trade Commission just released the results of a survey that shows a whopping 8.3 million of us - 3.7 percent of all American adults - were victims of identity theft in 2005. About half of the time, the thieves made off with goods or services that cost $500 or less. Ten percent of the time, they got at least $6,000 worth.

Here are the FTC's five main findings about the victims:

  1. About 3.2 million cardholders found unauthorized charges on their credit cards, while some 3.3 million had their non-credit card accounts misused.
  2. About 1.8 million found that new accounts were opened in their names, or that their personal information was used to commit other frauds. Almost one-quarter of these victims didn’t find out about the misuse of their info until at least six months after it started.
  3. Over 50% incurred no out-of-pocket expenses as a result of their identity theft, but 10% reported costs of $1,200 or more. The sooner people found out about the crime, the less it cost them and the less the thieves got.
  4. Half said they spent four hours or less straightening out their accounts, which says to me that these folks must have found out about the problem right away, before new accounts were opened in their names. The other half reported spending more than four hours, which seems more in line with the horror stories we’ve all heard. Ten percent spent at least 55 hours resolving their problems. Of that 10%, half spent at least 130 hours on them. Ugh!
  5. Sadly, more than one-third had credit problems over time. For example, some were: bothered by debt collectors, denied new credit or loans, and/or unable to use their existing credit cards or bank accounts. Some people even had their utilities cut off, while others ended up in jail.

What You Can Do to Protect Your Identity
Given these findings … and this time of year … when so many of us are whipping out the plastic at ATMs and in places where our wallets may get stolen, it's crucial to do what we can to protect our identities. For starters, be sure to check your credit reports regularly, and here are some of the other key precautions Credit.com recommends:

  • Do not carry your Social Security card with you; instead, store it somewhere safe, such as in a safe deposit box.
  • Buy a shredder and destroy sensitive documents, receipts, and mail.
  • Select complicated passwords that combine numbers and letters (e.g., 5ps98xw).
  • Don't include your Social Security number or driver's license number on your checks.
  • Memorize your passwords and PIN numbers; never write them down!

For more of Credit.com's advice on what you can do to keep your identity safe, click here. And if you are in the unfortunate position of having an identity theft emergency, click here, with my sympathies.

Do you have an identity theft horror story that you care to share? We'll be happy to commiserate with you and offer suggestions where we can.

Nancy Castleman – Co-author of "Invest in Yourself: Six Secrets to a Rich Life" and founder of Good Advice Press. Nancy has spent the last 23 years teaching people how to get out of debt, save money, and live better on less. She writes on all these subjects for CreditBloggers.com.



Celebrity Cybertheft - Oprah's Identity Stolen!

What do you have in common with Michael Jordan? Paris Hilton? Oprah? If you have been an identity theft victim, you may share quite a bit with these famous names. Identity theft is a fairly common problem for celebrities, actors, musicians, CEOs, athletes and politicians. Living in the public eye makes you an easy target for identity thieves. Here are some of the most famous identity theft victims:

Celebrities really are "just like us" apparently! Even the rich and famous struggle with identity theft, credit card fraud and con artists. Identity theft has become so common for professional athletes that NFL Security now provides incoming rookies with fraud prevention training.

Know of any other celebrity identity theft victims? Add them to our "Walk of Fame." Share your tips and feedback in the comments section below. We'd love to hear from you!



To Renz Nichols, President Certegy Check Services: Apology NOT Accepted

Today I opened my mail to find a letter from Renz Nichols, President of Certegy Check Services. Renz tells me that a rogue Certegy employee sold data from numerous checking accounts -- likely including mine -- to a data broker who in turn sold that data to a subset of direct marketing organizations. According to the letter, that data may have included my name, address, telephone number, account number, expiration date for check and debit cards, checking accounts, transactional data and date of birth.

The letter goes on to talk about all the things Certegy has done in light of this theft, such as notifying the credit bureaus and law enforcement.

What has me seeing red is the advice to monitor my credit report by going to the free credit report site AnnualCreditReport.com!

I have already requested my free annual credit reports within the past twelve months, so I am not entitled to another copy, unless I am a victim of identity theft or live in a state that gives me extra copies. Neither applies to me -- yet. You should be providing me with a year of free credit report monitoring from all three credit bureaus, along with identity theft detection and resolution services.

Sorry, Renz, the apology doesn't cut it. This is not a case of a lost tape that probably hasn't been compromised. In this case, you know an employee was selling information -- maybe mine -- for illicit gain.

You need to do better.

Gerri Detweiler – Personal finance author, radio host and credit expert. Gerri contributes budgeting, debt recovery and savings information online.



Brookfield Lending: Portrait of a Loan Scam Company

If you stumbled across the Brookfield Lending website while searching for a loan, you probably wouldn't think twice.

It's nicely designed, with flash navigation and lots of photos. There's all sorts of warm and friendly text, including a reference to them being "one of the fastest growing credit brokers in North America."

But if you were to apply with this seemingly authentic lender, it would be a nightmare. Brookfield Lending is a cover for an advanced-fee loan scam. If you contacted them, they would supposedly approve your loan and ask you to wire a deposit or insurance payment. After you sent your hundreds or thousands of dollars, you'd never hear from them again.

We heard about this latest loan scammer directly from a branch manager with the Better Business Bureau. He had called our offices to warn us about this particularly convincing scam. A quick Google search turns up the real story of Brookfield Lending. The Ripoff Report has 13 reports from consumers about these fraudsters.

The Brookfield website offers a rare opportunity to study an advanced-fee loan scammer up close. When you start digging around the site in more detail, it is easy to spot some warning signs:

  • No VeriSign or TRUSTe security seals at the bottom of the page. Check out the bottom of E-loan or Credit.com for an example. Nearly every authentic online retailer posts these important online security certifications.
  • No physical address. They don't even refer to being in one state or area.
  • Typos in the text of the website.
  • Not compatible with the Firefox internet browser.
  • No meta tags on the website. The page has no title in the top left of your browser window, a basic web marketing element used by established companies.
  • No application. Most online lenders have actual online applications to process your request. Always check to see that these applications are on secure (https) pages.
  • Only email contact. A real lender would offer multiple ways to contact them, not just an online email form.
  • Better Business Report. Brookfield has a report with the BBB. It is only when you read the details that you realize the BBB is trying to warn you that they're a fake company. A closer reading shows that "It is the position of the Bureau that Brookfield Lending Service's advanced fee loan offer is deceptive and misleading."

Take a look at the Brookfield Lending website for yourself. Hopefully, it can help you learn how to avoid other scam lenders in the future. And tell your friends and family about this dangerous loan fraud. If you want to read more about advanced-fee loan fraud, this FTC article is a great place to start.

And if you are contacted by a lender asking you to send money in exchange for a loan, DON'T DO IT! Instead, immediately report your case to the Federal Trade Commission, Consumer Affairs and Phone Busters in Canada (usually where the funds are sent). You may also want to share your story with your political representatives, state attorney general, local news media, friends and family.

Update: Here's another bad lender to add to the list: Kennedy Advantage Plus. We received a call from a customer who had sent these fraudsters $1,600 for a $10,000 loan.



Scam Alert: New Version of Advanced-Fee Loan Fraud

I hate these advanced-fee loan scammers. For the past year, there has been a dramatic increase in this particular type of loan fraud. Unfortunately, I haven't seen any law enforcement action to stop it and Chris Hansen from Dateline's "To Catch an ID Thief" hasn't returned my messages.

Advanced-fee loan scams are pretty simple. Basically, a fraudster posing as a lender contacts a person and offers them a loan. We think they are using spyware on some occasions to target people who have recently applied for loans, and some have official-looking loan applications set up online as well. The catch is that they require the "borrower" to wire hundreds or thousands of dollars to Canada under the guise of a down payment or insurance expense. When the customer sends their money, they never hear from the fake lender again.

A lot of victims have contacted our team looking for help in reporting or undoing the crime. And they've sent us copies of the seemingly-official letters, loan applications and contracts. In the past, the thieves have said they are from a made-up company like FairView Financial, Longway Financial, Royal Oak Financial or Kaitland Insurance Group.

But recently the scammers have been saying that they are from established, authentic banks. Here's one case we received by email this week:

I received a call from a Donald White. He said he is from Lending Tree and that I would have to pay the first month and last month payment in order to receive a loan. Is this true? They are asking for $250 sent by Western Union.

This is definitely not true. Lenders will never ask you to send this sort of money before getting a loan and they certainly will never ask you to wire those funds via Western Union. You can read more about advanced-fee loan scams online.

If you are contacted by a lender asking you to send money in exchange for a loan, DON'T DO IT! Instead, immediately report your case to the Federal Trade Commission, Consumer Affairs and Phone Busters in Canada (usually where the funds are sent). You may also want to share your story with your political representatives, state attorney general, local news media, friends and family.



Credit Card Industry Loses $1.24 Billion to Fraud

American Express, Discover, MasterCard and Visa reported a 9.3% increase in credit card fraud losses from 2005 to 2006. Setting a new record, the issuers lost $1.24 billion to credit card fraud according to The Nilson Report. This number doesn't include debit cards or fees passed on to merchants.

This major increase is somewhat surprising given that credit card fraud losses had actually been on a decline between 2001 and 2004. In 2001, fraud losses equaled roughly $1 billion a year. By 2004, this figure had dropped to $0.8 billion. 2005 saw a huge 37% increase and 2006 continued that upward growth.

What is behind this spike in credit card fraud? There could be several factors at work. The increased use of credit cards has certainly contributed. So has the growth of credit card fraud that involves fast-moving international crime rings. Consumer awareness about fraud and enthusiasm for reporting it could have contributed as well.

Another significant factor is the credit card issuers' general policy of accepting credit card fraud losses as a cost of doing business. Translated: They don't care about fraud losses.

Consider that $1.24 billion in fraud losses only equals $0.06 for every $100 in transactions. And that the majority of fraudulent transactions are billed back to the merchant. Credit card fraud hasn't become a large enough issue to impact the credit card issuers' bottom line. Consumers don't mind it much either, since one simple phone call cancels the fraudulent charges.

When was the last time you got one of those phone calls from a creditor checking to see if a suspicious purchase is authentic? It appears that accepting fraud has become more popular than combating it among credit card issuers. Do you agree?



Feds Make a Bold Move to Curb Identity Theft Risk

Amid the whirring of pigs' wings and crackling of ice from the underworld comes another unexpected noise: the sound of someone in government actually taking charge. Believe it or not, federal agencies across the board have been given 120 days to go through their files, track down every unneeded SSN, and put a plan into place to "eliminate the unnecessary collection and use of Social Security numbers within 18 months."

These long overdue marching orders arrived in a memo from Clay Johnson III, deputy director for management of the Office of Management and Budget, which he sent to the heads of every federal department and agency. The agencies were also told to review all information that could be used to identify an individual citizen or employee, make sure those records are accurate, and "reduce them to the minimum necessary" for the agencies to do their job.

Never mind the inevitable chorus of whining bureaucrats. Johnson's line in the sand will be tough to retreat from, and that's all to the good.

This welcome change is based on the common-sense premise that "the federal government should not unnecessarily collect or maintain personally identifiable information," according to an OMB spokesperson. That may sound obvious to the ordinary mortals among us, but bureaucrats are a breed apart. That being so, this realization has taken a little time.

Too much time, if you ask the 26.5 million military personnel whose SSNs and other personal data were on a laptop stolen from a Veterans Affairs Department employee. (To make matters worse, 2.2 million of those people were on active duty — not the folks you want to saddle with an extra set of problems.) In the wake of that scandal, an investigation by a House committee found that 19 federal agencies had suffered a total of 788 data breach incidents just since the beginning of 2003, putting hundreds of thousands more Americans' personal information in jeopardy in the process.

The OMB spokesperson said the memo "formalizes the recommendations" of the President's Identity Theft Task Force, which were made public on April 23. "Agencies will reduce the unnecessary use of the Social Security number, thus reducing the potential for loss of personal data and the potential for identity theft."

Provided the federal government actually follows through on this call to action, we'll have taken a major step forward in the fight against identity theft by early 2009. Will that undo the sorry record of breaches, inaction, and doubletalk? To do that would require a time machine — but maybe that's the next miracle up Johnson's sleeve.



To Catch an ID Thief

Did you catch the Dateline special a few weeks ago featuring Chris Hansen tracking down identity thieves? That's right, the famous hunter of sexual predators turned his cameras toward the worst phishers and credit card fraudsters.

In Dateline's To Catch an ID Thief, they baited scammers online with credit card accounts. In under 10 minutes, the baited cards were charged to the limit by identity thieves in 16 countries around the world. You can watch the entire special online by clicking on the image below:

Pretty scary stuff. Of course, personal finance industry insiders know that credit card fraud is pretty small peanuts for a lot of identity thieves. The real money and damage comes from larger scams.

I'd love to see Dateline start pursuing those terrible advanced-fee loan scammers. Victims of these loan scams lose thousands of dollars of their own money, money that can't be recovered by a credit card's zero-liability policy. Law enforcement, government agencies and business organizations haven't found a way to stop them...we need Chris Hansen on this case!



Lukewarm Identity Theft Report Not Likely to Set the World on Fire

Writers love irony — the more layers, the better. So despite its sometimes sodden prose, the report issued by the President's Identity Theft Task Force should have been a red-hot love fest for the wordsmiths among us.

After all, with the possible exception of world-class breachmeisters like the TJX Companies, the feds can pump out sensitive data with the best of them. From the VA to the USDA, federal agencies have exposed the identities of hundreds of thousands of U.S. citizens to loss, theft, or other abuse over the past decade. To tell you the truth, when I first heard that a federal task force had been formed to address the identity theft crisis, I had an unworthy thought: "Physician, heal thyself!"

In the best of all possible worlds, this report would have been a step in that healing process, offering a rigorous diagnosis, an unflinching prescription, and a definitive cure. In this world, not so much. It's not that it sets the wrong goals. It has no shortage of excellent intentions. But it's tough to imagine its mostly vague, high-minded recommendations even being heard, much less followed, in the pandemonium of real-world government agencies, each tending its own garden in happy bureaucratic isolation.

Let's take just one example: the report's recommendation to "reduce the unnecessary use of Social Security numbers by federal agencies," which the official press release calls "the most valuable commodity for an identity thief." Of course, there's no news value here — privacy gurus and consumer advocates have been decrying the dangers of rampant SSNismo for years. But what this recommendation lacks in freshness, it makes up in ironic timeliness: One business day before the report was released, the U.S. Department of Agriculture revealed that the Social Security numbers and other sensitive information of some 38,700 recipients of USDA grants had been posted to a government web site since 1996. (That number was subsequently bumped up to 63,000 — but who's counting?)

Now, you might be thinking, "Good for them! They found the problem, fixed it, and came clean about it." Unfortunately, that's not what happened. In fact, the exposed data had been discovered a week earlier by an insomniac farmer doing a vanity search on Google, who stopped counting SSNs at 30,000 (including her own) and called the agency with the bad news.

Maybe you're inclined to let the government off the hook for an accidental oversight like that — even if it did go unnoticed for more than a decade. Fine. Let's move on to deliberate policy decisions.

It's a truism that seniors are more vulnerable to (and more often targeted by) identity thieves and other scammers. So why would a government agency systematically increase their exposure?

Sounds crazy, but that's exactly what the Medicare program has done. You see, every Medicare card — including the one in your grandmother's purse — has the cardholder's SSN printed on it. Get mugged or lose your wallet and you suddenly have a lot more to worry about than your grandchildren's school pictures. Yet the agency in question isn't rushing to change this idiotic practice — in fact, it currently has no plan to change it at all.

Honestly, this is a no-brainer. Any marginally intelligent person can see this needs to change. But it won't — at least, not anytime soon, and not without lighting a substantial fire under some decision maker. And frankly, for all its good intentions, a lukewarm report like this one — with or without a presidential seal — isn't going to light a fire of any description under the average government bureaucrat.

In fact, all signs point to the President's Identity Theft Task Force report, having had its 15 minutes in the sun, drifting into that muddy dead zone where so many pro forma reports end up. Mind you, I'd love to be wrong about this. But as recent history should have taught us, the only thing that's likely to put an end to the mindless abuse of our data by our government is people like you and me waking up, getting very angry, and getting very, very loud about it. So let's get this party started. And bring the noise.



New York Data Breach Settlement Marks a Baby Step Forward

Amid the ongoing flood of computer thefts, network hacks, and other breaches of personal data comes a sign that businesses and government agencies can actually be held accountable, more or less, for putting people's identities at risk. To wit: New York Attorney General Andrew Cuomo has announced a settlement with CS Stars, a Marsh Inc. affiliate, which the AG had accused of violating New York's breach notification law in a case involving some 540,000 New Yorkers.

The story started almost exactly one year ago. On May 9, 2006, a computer disappeared from a secured facility of the Chicago-based claims management company. The missing computer contained the personal information of more than half a million New Yorkers, most of them recipients of workers' compensation benefits — including their names, addresses, and Social Security numbers.

This was bad, but what the company allegedly did next made matters even worse. According to the New York AG, CS Stars failed to notify the state that the data was missing until June 29, some seven weeks after the theft. At that point, CS Stars also brought in the FBI — which asked the company to delay notifying consumers even further to protect its investigation.

The egregious result: the 540,000 New Yorkers whose information had been stolen on May 9 first learned of the theft on July 18, more than two months later.

We should note for the record that under the terms of the agreement, the company admits no violation of any laws, and that it has noted in a statement that "there is no assertion of guilt leveled by the New York attorney general's office."

But let's be honest: The company had a clear obligation under the law, and no good excuse for not knowing it — especially given that it operates in a highly regulated industry. Under New York's Information Security Breach and Notification Law, any business that maintains personal information that it doesn't own must notify the data's owner of any security breach "immediately following discovery" and notify all affected consumers in the most "expedient time possible." The attorney general, the Consumer Protection Board, and the New York Office of Cyber Security also must be notified.

Now, I'm no lawyer. But tell me, in what universe does seven weeks after the breach count as "immediate"?

Here's where everyone involved got extremely lucky. On July 25, the missing computer was found, and forensic investigators concluded that the sensitive information had not been accessed. It's a good thing, too, because two months with the names, addresses, and SSNs of half a million unsuspecting consumers would have been a field day for identity thieves — and could have left their victims cleaning up the mess for years and watching their backs for decades.

"CS Stars is pleased that no customer data was used inappropriately by the individual who stole the computer from our premises," the company said in a statement on the settlement, "and that there is no assertion of guilt leveled by the New York attorney general's office. We are pleased to now have [sic] this matter behind us and have no further comment."

It's no wonder CS Stars is "pleased" to have this near-disaster in the rear-view mirror. In light of the bullet they dodged, the company got off easy: CS Stars has agreed to implement precautionary procedures, comply with New York's notification law in the event of another breach, and pay the AG's office $60,000 to cover the costs of the investigation.

While it's always a pleasure to see a company promise to obey the law, it's not much of a concession. And 60 grand is chump change compared to the identity theft nightmare that CS Stars — and half a million New Yorkers — might have faced. As for those "precautionary procedures," encrypting sensitive data would be an obvious place to start — but wasn't that just as obvious before the breach?

Meanwhile, for all its shortcomings, this agreement is a baby step in the right direction. The problem is that baby steps are no longer enough — which brings us to next week's topic: the President's Identity Theft Task Force report. See you then.



Beware Scam Sites Exploiting Sympathy for Virginia Tech Victims

The response to last week's massacre at Virginia Tech ran the emotional gamut, from stunned compassion for the victims and their families to anger at the shooter and perplexity at the school's slow response. Now comes a warning to temper our compassion with a measure of suspicion. The U.S. Computer Emergency Response Team (CERT) and other security experts are sounding the alarm that phishers and other scammers have moved quickly to exploit the tragedy, just as they did in the wake of Hurricane Katrina.

Within 24 hours of the shootings on Monday, at least 28 domain names had been registered that were clearly related to the tragedy, according to the US SANS Internet Storm Center. In fact, the Second City CEO blog reported that virginiatechshooting.com and three similar domains were bought within 20 minutes.

Some of this heartlessness is just the usual domain squatters and other speculators looking to make a quick buck, either by flipping a momentarily hot domain or by stuffing it full of ads. But it's a virtual certainty that some of these domains will be used to mine visitors' sympathy by soliciting donations "for the survivors" — then keeping the donors' money and stealing their credit card and identity data.

The good folks at the SANS Internet Storm Center summed up the risk very well:

Be on the lookout for a rash of spam and phishing coming from these leeches. If you receive a plea for donations, check the organization out closely before opening up your e-gold, PayPal, Visa or other account or providing any personal information. In some cases the phishers may use voice, fax, email and websites to dupe generous and thoughtful victims into disclosing valuable information.


This is not to say that every one of these sites was spawned by a phisher, fraudster, or other identity-thieving bottom-feeder. As a comment posted to Second City CEO by one domain's new owner explained:

When people look back at this tragedy they will find all of the sensational articles written by the media, the books, movies, etc. But the actual thoughts and feelings of real people around the world don't have a single, coherent place to be found. So I put up a forum on that domain last night in the hopes that real people will find it useful. When my father was battling cancer last year he found a lot of benefit in the group he belonged to who were in the same position.

And perhaps, just maybe, there is a tiny possibility that some future person who is contemplating an act such as this might come across this site and see not the sensationalism of the mainstream media, but rather the human side and feelings that their potential actions could cause. And just possibly they might change their minds.

It's pretty hard to argue with that — especially since the poster declined the opportunity to publicize the newly bought domain by including it in the comment. It's also quite possible that some of these domains were snapped up pre-emptively by Good Samaritans to keep them out of scammers' hands.


That said, however, it's a good rule of thumb that any fly-by-night web site asking for donations is simply not to be trusted. The same goes for email appeals, which are even more likely than web sites to be out-and-out scams. (If you do receive an email that you believe to be a phishing attempt — whatever the topic — please report it to the Anti-Phishing Working Group.)

If you're feeling the urge to help, there are plenty of established organizations out there — though even when you know the name and the logo, you should keep a sharp eye out for phishing emails and clone web sites designed to dupe you and engineered to rob you blind. By all means, feel what you feel and give if the spirit moves you. But don't let your sympathy and generosity be exploited — and your identity stolen — by a few sick, criminal freaks seeking to profit from someone else's pain.



Arizonans Fighting for the Right to Freeze Their Credit

Credit freezes and identity theft are at the center of a hot debate in the sunny state of Arizona, where a bill to let Arizonans block fraud attempts by freezing their credit files has been tripped up by the head of the House Rules Committee, Arizona Representative Bob Robson. Residents of 27 other states can freeze their credit files already — and given that Arizona's rate of identity theft is one of the worst in the United States, I called Robson to ask him why he's against it.

In case you're unclear on the credit freeze concept, you need to realize just how easy it is to get "instant credit" (with a reasonably healthy credit record) just by providing a few items of personal information. Sadly, it's just as easy for an identity thief who has your personal information — unless you've put a freeze on your credit file to prevent it.

Which brings us to SB 1345, a bill sponsored by Arizona State Senator Amanda Aguirre to allow all Arizona consumers to do just that. Currently, only Arizonans who have suffered identity theft or a security breach can freeze their credit files. Aguirre's bill would extend that tool to any Arizonan who wanted to use it, giving them greater control over their personal information and their credit.

Of course, if getting and using a department store credit card on the spot is a basic element of your shopping M.O., you might not want to use this tool — and there are plenty of retailers and other credit providers who don't want you to have it for exactly that reason. (Big surprise — between your security and an easy sale, they'll take the sale.) But the process isn't really all that cumbersome: basically, consumers could use a secret code to unblock credit requests, paying a "reasonable" fee each time.

Given the nightmarish alternative, I'd say the slight inconvenience and small expense are well worth the added peace of mind. Given that all 30 Arizona state senators voted for Aguirre's measure, that it sailed through the Arizona House Judiciary Committee with unanimous approval, and that 27 states already have something like it on the books, it would seem that plenty of people agree.

Is Bob Robson one of them? Since I'm not his confessor, it's hard to know for sure. Robson began our conversation with the astonishing statement that the credit freeze bill "is a credit issue, not an identity theft issue" — though he backed away from that oxymoronic position when I pointed out that no fraud expert on Earth would agree.

When pressed, Robson also acknowledged that, in principle, credit freezes are a useful tool against identity theft, and one he can support. So what's the hangup with the Aguirre bill — as well as a similar bill by Arizona Representative Marian McClure, whose progress Robson is reportedly also impeding? Robson says he wants to nail down that "reasonable" fee, provide regulatory oversight and support for people who are victimized, and take a hard look at how this is working in those 27 other states.

In written comments to Aguirre, Robson also noted that "just as a credit freeze stops identity thieves, it can also stop consumers," adding that a credit freeze can delay transactions by several days. As it turns out, this isn't true: Aguirre's bill actually requires that a freeze be lifted within 15 minutes of notification — a provision included by Aguirre at the insistence of Arizona auto dealers.

"If this is worth doing, it's worth doing right," Robson told me. That, in his view, means addressing the issue in a comprehensive way — and, apparently, not in any particular hurry. Does he have a hidden agenda? Have business interests asked him to drag his feet? He told me no. But he also said Aguirre's bill will have to wait until next year.

For her part, Senator Aguirre told me she still plans to meet with Robson in hopes of getting the bill through sooner. "We worked hard on this bill," she said. "The people of Arizona need it, and they should have it now. Let's move it. Let's get it done this year. We can't afford to wait."

Aguirre was nonplussed (as I had been) by Robson's notion that her bill must be comprehensive to be ready for prime time. "Giving the people of Arizona the ability to freeze their credit files if they so choose is just one safeguard among many, but it's an essential safeguard. We're not going to solve identity theft with a single bill. Creating a bill like that would be an endless job."

Aguirre also feels a special urgency, given the aggravated identity theft risk that Arizonans face. "On Monday, when President Bush was in Yuma, I spoke with Ralph Basham, the Commissioner for U.S. Customs and Border Protection, about this very issue. There is a relationship between identity theft and illegal immigration." In fact, the traffic in illegal immigrants is arguably one reason the Phoenix-Mesa-Scottsdale metropolitan area — which includes Representative Robson's constituents in Chandler — has the worst identity theft numbers of any in the U.S.

Let me be honest: I don't expect Representative Robson (or anyone else in the Arizona legislature) to deliver a comprehensive solution to identity theft, this year or next, any more than I expect to drive a hydrogen fuel cell car to Chandler, Arizona to congratulate Robson and company for doing it. In my view, this problem is so huge and so immediate that we'd be idiots — or, at the very least, disingenuous — to make consumers wait for a "perfect" solution in lieu of giving them imperfect but practical help in the here-and-now. Those with the power to do something should do it, and do it without delay. In my possibly skewed opinion, anything less is an ethical lapse and a breach of the public trust.

Call me biased if you like (Robson has already flung that tag at straight-shooting journalist Howard Fischer, whose excellent reporting first alerted me to this story), but I think Arizonans deserve whatever weapons we can give them — including credit freezes — to help them fight off identity thieves. Do you agree? Let us know in the comments below. While you're at it, let Representative Robson know, too: brobson@azleg.gov or 602.926.5549. You can express your thoughts to Senator Aguirre at aaguirre@azleg.gov or 602.926.4139.



When Retailers Put Your Identity at Risk

Let's say you did the smart thing and bought yourself a shredder so no identity thief could dig your personal information out of the trash. Wouldn't it be funny if the store then tossed your transaction record in the dumpster out back — without shredding it?

That's exactly what happened to one woman who bought a shredder at a Texas RadioShack — and I don't think she's laughing.

She's also not alone. Yesterday Texas Attorney General Greg Abbott charged RadioShack with tossing thousands of customer records — hers included — into a trash can in an alley behind a RadioShack store near Corpus Christi. We're talking names, addresses, telephone numbers, Social Security numbers, and credit and debit card information — an identity thief's dream.

The Texas AG is now investigating whether the dumped records have been used to defraud RadioShack customers. In the meantime, he's charged the company with violating Texas identity protection laws by exposing thousands of customers to identity theft.

RadioShack hasn't returned my calls. (I'm trying not to feel too bad about that — they wouldn't talk to the Washington Post, either.) But in an official response, a RadioShack VP did acknowledge the breach: "Our Northshore Plaza store in Portland, Texas, is part of a shredding program we have in place throughout the state for the secure disposal and destruction of such documents as required by Texas law. In this isolated instance, the store did not act in accordance with this program."

The mea culpa from RadioShack — and, for that matter, the charges brought by the Texas AG — will be cold comfort for any RadioShack customer who has his or her identity stolen thanks to some clueless employee's poor judgment. Frankly, it also fails to inspire confidence. Will I ever use a credit card at RadioShack again? Not likely.

Then again, thousands of other businesses are just as careless, and I'm sure I do business with some of them. Even in places with strong laws to protect your identity and account information, major data breaches happen on an almost daily basis at businesses, schools, hospitals, and government agencies. It's enough to make you stick to cash — or just stay home.

Unfortunately, most people don't consider that a practical option. So how can you protect yourself when making a purchase or applying for credit from a retailer? Here are a few suggestions:

  • Insist that the people you do business with take your security as seriously as you do. Ask how they handle, protect, and dispose of sensitive data. If they don't know, they probably aren't doing it right.
  • Pick one credit card for routine retail purchases and stick to it. That makes closing accounts simple in case of a compromise, while reducing your exposure.
  • Trust your intuition. If you feel funny about a clerk or a business, think twice before handing over your data.
  • Know the laws that protect customer data where you live. If a business doesn't follow the law, call them on it, and don't stop until they comply.
  • Don't be afraid to tell business people about the risks of identity theft. The fact that you're reading this blog means you know and care more about this than most people do. Share that knowledge — it will mean more coming from a customer, and you'll be doing a good turn to every customer who comes after you.
  • If you think you've been put at risk, monitor your bank, credit card, and similar statements carefully for evidence of theft, and consider obtaining copies of your credit reports.
  • Got suggestions of your own? Share them by clicking on "Comments" below.

By the way, if you don't have a shredder, you really should buy one. Just don't forget your receipt.



Is Your State Selling Your Identity?

How would you feel if you found out your state was selling your name, address, and Social Security number to anyone with an Internet connection, a credit card, and six bucks?

Well, if you live in California, that's exactly what's been happening. If you don't, don't assume you're in the clear — plenty of other states are doing the same thing.

In 2004, a website run by the California Secretary of State's office began selling public documents containing names, addresses, Social Security numbers, and in some cases even the signatures of people who had applied for secured loans — in other words, people who put up collateral as part of their loan application process. Tens of thousands of Californians are in that category.

That finally came to an end just last week when California Assembly member Dave Jones blew the whistle on the practice and demanded it stop. "For the past three years, the state has been in the data broker business," said Jones. "This is a gold mine for identity thieves."

Soren Tjernell, senior legislative assistant to Assemblyman Jones, had been hunting down breaches of personal information by public officials. Tjernell got a tip that the Secretary of State's website might be a good place to start, so he paid his six bucks and gave it a try. The first document he downloaded contained the names, addresses, SSNs, and signatures of two individuals — a real bargain at three dollars an identity. "It was wickedly easy," Tjernell told me.

The documents in question (known as Uniform Commercial Code, or UCC forms) are checked by lenders and title insurance companies to make sure secured loan applicants aren't using the same collateral for more than one loan. "The SSN is a way to distinguish among all the Dan Smiths out there," notes Tjernell. For their purposes, however, the last four digits of the SSN work just as well.

Jones has introduced California Assembly Bill 1168, which would let the Secretary of State's office reject documents submitted with SSNs and require local governments to black out the first five digits of SSNs on records released to the public. In the meantime, at Jones' prompting, California Secretary of State Debra Bowen has blocked online access to the UCC documents and will redact all but the last four digits of any SSNs before releasing them.
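The redaction rule described above (mask the first five digits of an SSN, keep the last four) can be sketched in Python. This is an added example, not code from the Secretary of State's office or from AB 1168; the sample filing text, the function names, and the `X` mask character are constructed for illustration.

```python
import re

# Candidate SSNs: nine digits written AAA-GG-SSSS, "AAA GG SSSS" or AAAGGSSSS.
# The back-reference \2 requires the same separator in both positions, and the
# lookarounds keep us from matching inside phone numbers or longer digit runs.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")


def plausible_ssn(area, group, serial):
    """Structural check: SSA never issues area 000, 666 or 900-999,
    group 00, or serial 0000, so such strings are left alone."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def redact_ssns(text, mask="X"):
    """Return (redacted_text, count): first five digits masked, last four kept."""
    count = 0

    def _mask(match):
        nonlocal count
        area, sep, group, serial = match.groups()
        if not plausible_ssn(area, group, serial):
            return match.group(0)  # not a plausible SSN, leave untouched
        count += 1
        return f"{mask * 3}{sep}{mask * 2}{sep}{serial}"

    return SSN_RE.sub(_mask, text), count


def find_unredacted(text):
    """Pre-release check: list any plausible full SSNs still in the text."""
    return [
        m.group(0)
        for m in SSN_RE.finditer(text)
        if plausible_ssn(m.group(1), m.group(3), m.group(4))
    ]


# Constructed sample resembling a filing; none of these values come from the article.
SAMPLE = (
    "Debtor: Dan Smith, SSN 123-45-6789; co-debtor SSN 234 56 7890; "
    "ref 345678901; phone 602-555-0142; filing no. 1234567890; "
    "test id 000-12-3456"
)

if __name__ == "__main__":
    redacted, n = redact_ssns(SAMPLE)
    print(n, "SSNs redacted")
    print(redacted)
    print("left behind:", find_unredacted(redacted))
```

Running `find_unredacted` on every document before release catches records the redaction pass missed. The last four digits still remain in the output.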

"We wanted to strike a balance between legitimate use of public records and personal privacy," says Tjernell. "We're not trying to block information on government decisions, or even personal transactions. But the right to privacy is in the Constitution."

All this matters to you for a couple of reasons. Obviously, if you've applied for a secured loan in California, it's one more reason to be vigilant against identity theft and fraud. That means checking your credit report regularly for signs of abuse, monitoring bank and billing statements closely for charges you can't explain, and protecting yourself against mail theft, mail redirection, and other favorite moves in the identity thief's playbook. Unfortunately, you have no way to know whose hands your data might be in or what they might do with it. That makes caution the only reasonable course.

This is also one more sign of how utterly broken the system is. The fact that we still use Social Security numbers as an identifier is appalling. Using knowledge of your SSN (or any portion of it) as authentication — that is, to give you access to things like bank, phone, and credit card accounts — is just plain stupid.

Which brings us to those last four digits. As long as Verizon, T-Mobile, and thousands of other companies accept them as proof of identity — and they do — revealing them to the public punches a hole in the wall protecting your accounts from abuse. They may not be enough to open a new line of credit in your name, but they can still compromise your accounts and enable identity thieves to build on the sensitive information they already have. Businesses that rely on them need another system, even if it's less convenient — one that doesn't expose their customers to the risk of identity theft.

Tjernell acknowledges that Jones' bill doesn't address the whole problem. "We have wrestled with this issue. Obviously we need to stop using those last four digits as an identifier. We haven't figured that part out yet." Meanwhile, if AB 1168 makes it harder for criminals to plop down six bucks and open a new line of credit in someone else's name, it'll be a big step in the right direction.

Have you applied for a secured loan in California? Does your state have your identity data up for grabs? Who should take responsibility when a data breach leads to a stolen identity? We'd like to hear from you in our comments below.



Identity Thieves Have Their Own Thriving Global Market Place

Cyber crooks are now collaborating and competing across the globe via their own vast online networks to buy, sell, and barter stolen information, including Social Security, credit card, and bank card numbers -- as well as passwords and PINs (personal identification numbers).

A U.S. credit card with a card verification number can now be bought and sold for as little as a buck. Personal identities, which include a U.S. bank account, credit card, date of birth, and Social Security number, can be had for anywhere between $14 and $18. Thieves no longer have to go to the trouble to steal our info -- they can simply buy it -- and then take our money and use our credit.

These are some of the key findings from Symantec's new "Internet Security Threat Report," which covers the last six months of 2006. The data come from over 40,000 sensors in 180 countries, as well as from 2 million decoy email accounts. Symantec, which makes Norton anti-virus software, found more of all the things we don't want in cyberspace -- more information being stolen, more data "leaking" from government and corporations, more spam, and more code being written to steal confidential information.

More than 6 million computers worldwide were "bot-infected" during this time period, which means that they could be unwittingly used as robots (aka zombies), doing the dirty work for spammers, hackers, and identity thieves. That's a 29% increase over the first half of 2006. At the same time, the number of servers used to control these bots decreased by 25%, which tells the folks at Symantec that bot network owners are both consolidating and growing their networks.

Spam accounted for six out of ten emails during the second half of 2006, and 30% of them had to do with the financial services industry, including 166,248 "unique" phishing messages. That averages out to 904 separate messages a day that looked like they came from legit outfits but were really from crooks trying to get us to give up personal info.   

How’s Your Computer Security?
If you haven't taken a hard look at your computer security lately, use Symantec's findings to motivate you to get:

  • A firewall to protect PCs from hackers and spoofers (who use unprotected email addresses to hide their identities).
  • Anti-virus software to detect and remove viruses and worms.
  • Anti-spyware to keep inquiring "eyes" from tracking your online behavior and using the info to their advantage.
  • An identity theft/credit monitoring service to make sure no one has stolen your identity.


Four Important Reminders

  1. Do NOT click on attachments unless you know who sent them to you … and why!
  2. Always think before you download … and get your kids to do likewise. If you aren't positive it's safe, don't do it!
  3. Never provide financial or other personal info unless you initiated the email exchange. Otherwise, you could unknowingly help thieves who are "phishing" for ways to take advantage of you. Credit.com offers many other tips for safeguarding your identity.
  4. Be careful with your equipment! One of the key findings from Symantec's "Internet Security Threat Report" is that over half of all data breaches happened because a computer, hard drive, or USB memory key got lost or stolen. We all need to pay closer atten