Category Archives: identity theft

Getting Under Employees’ Skin

No, this story isn’t about a new and unpopular workplace policy sweeping through the nation’s workplaces.

At least not yet.

The Associated Press is reporting today on a Swedish company that turns its willing employees into “cyborgs” by inserting microchips into them:

What could pass for a dystopian vision of the workplace is almost routine at the Swedish startup hub Epicenter. The company offers to implant its workers and startup members with microchips the size of grains of rice that function as swipe cards: to open doors, operate printers, or buy smoothies with a wave of the hand.

Epicenter’s co-founder and CEO Patrick Mesterton told the AP the move will bring a heightened sense of ease for workers:

“The biggest benefit I think is convenience,” he said. “It basically replaces a lot of things you have, other communication devices, whether it be credit cards or keys.”

According to the AP, the small implants use Near Field Communication technology, the same as in contactless credit cards or mobile payments: “When activated by a reader a few centimeters (inches) away, a small amount of data flows between the two devices via electromagnetic waves. The implants are ‘passive,’ meaning they contain information that other devices can read, but cannot read information themselves.”

The technology is not new, of course, but it has never been used to tag employees on a broad scale before, and the AP says Epicenter and a handful of other companies “are the first to make chip implants broadly available.”
Way back in 2006, however, colleague Mark McGraw tackled the topic of tagging workers:

Cincinnati-based private video-surveillance company CityWatcher.com recently embedded silicon chips in four of its employees, as the company tested the technology in an effort to control access to a room where it holds security video footage for government agencies and police.

The dime-sized chips, manufactured by Delray Beach, Fla.-based VeriChip Corp., were implanted into the employees’ arms, says Sean Darks, CityWatcher CEO, after the company explored various types of biometric applications such as fingerprint and handprint identification systems. CityWatcher turned to radio-frequency identification chips, a less costly alternative to typical biometric systems, to “make security improvements,” he says, and eliminate the possibility of employees losing or misplacing proximity cards or other forms of identification.

RFID chips are inexpensive radio transmitters that emit a unique identifying signal. The chips are commonly used for tracking merchandise in transit, but they can also be implanted in pets to identify them in the event they’re separated from their owners and can be used in humans for medical purposes — to link patients to their medical records in emergency situations, for instance.

However, CityWatcher’s implementation of RFID is the first known case in which U.S. workers have been “tagged” electronically as a way of identifying them, and is likely to add to a growing controversy surrounding RFID, predicted as one of the next big growth industries.

Not everyone McGraw talked to for the piece was excited at the prospect of having more workers walking around with chips inserted under their skin.

“Whether or not implanting … chips in humans becomes a common workplace security measure remains to be seen,” said Liz McIntyre, a critic of the technology and the communications director of Consumers Against Supermarket Privacy Invasion and Numbering, a nonprofit group focused on consumer privacy issues. “This is just the beginning,” says McIntyre.
Eleven years later, though, that trend is apparently still in its beginning stages, as the only progress seems to be in the chip’s size shrinking from a dime to a grain of rice, not in expanding the number of companies using such technology.


Scam Artists’ Latest Target: HR!

A story appearing earlier this week on the Milwaukee Journal Sentinel website—about a series of phishing incidents that targeted and successfully scammed corporate HR departments into sharing confidential personnel information—recently caught my attention.

It serves as a reminder, in the event one is required, that HR departments need to be much more vigilant in their efforts to protect against such attacks—which continue to become more frequent and sophisticated—or suffer the consequences.

As the MJS story explains, the scam, involving fake emails purportedly sent by top company officials, convinced HR staffers to “send out W-2 tax forms that are ideal for identity theft.” Among the employers featured in the story falling victim: disk-drive-maker Seagate Technology and messaging-service Snapchat.

On March 1, the Internal Revenue Service issued an alert to payroll and HR professionals to beware of an emerging phishing email scheme that purports to be from company executives and requests personal information on employees.

“The IRS has learned this scheme—part of the surge in phishing emails seen this year—already has claimed several victims as payroll and human resources offices mistakenly email payroll data including Forms W-2 that contain Social Security numbers and other personally identifiable information to cybercriminals posing as company executives,” the alert said.

IRS Commissioner John Koskinen noted that …

“This is a new twist on an old scheme using the cover of the tax season and W-2 filings to try tricking people into sharing personal data. Now the criminals are focusing their schemes on company payroll departments. If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

The IRS alert explained that this “phishing variation is known as a ‘spoofing’ email. It will contain, for example, the actual name of the company chief executive officer. In this variation, the ‘CEO’ sends an email to a company payroll-office employee and requests a list of employees and information including SSNs.”
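The pattern the alert describes is mechanical enough to screen for. As an added example (not part of the original post, the MJS article or the IRS alert), here is a small Python check a payroll or HR mailbox could run over an incoming message: it flags an executive’s name used as the display name on a non-company address, a Reply-To that points somewhere other than the From domain, failed SPF/DKIM results on mail claiming a company address, and a body that asks for W-2 or Social Security data. The company domain (example.com), the executive list and the three sample messages are assumptions constructed for illustration.

```python
"""Heuristic screen for executive-impersonation ("CEO spoofing") W-2 requests.

Added example; not code from the original post or the IRS alert. The company
domain, the executive roster and the sample messages below are hypothetical.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                       # assumed company mail domain
EXECUTIVES = {"Jordan Example": "jordan@example.com"}  # assumed executive roster
SENSITIVE_TERMS = ("w-2", "ssn", "social security")  # payroll data a scammer asks for


def _domain(addr: str) -> str:
    """Part of an address after the last '@', lower-cased ('' if none)."""
    return addr.rpartition("@")[2].lower()


def screen_message(raw: str) -> list[tuple[str, str]]:
    """Return (category, detail) red flags for one RFC 5322 message.

    category is 'identity' (sender looks spoofed) or 'content' (asks for
    payroll data). An empty list means nothing suspicious was found.
    """
    msg = message_from_string(raw)
    flags: list[tuple[str, str]] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. Display name matches one of our executives, address does not.
    for exec_name, exec_addr in EXECUTIVES.items():
        if from_name.strip().casefold() == exec_name.casefold() and from_addr.lower() != exec_addr:
            flags.append(("identity", f"display name '{from_name}' on address {from_addr}"))

    # 2. Replies are routed to a different domain than the From address.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        flags.append(("identity", f"Reply-To domain {_domain(reply_addr)} differs from From"))

    # 3. Mail claiming a company address failed sender authentication at our MX.
    auth = msg.get("Authentication-Results", "").lower()
    if _domain(from_addr) == CORP_DOMAIN and ("spf=fail" in auth or "dkim=fail" in auth):
        flags.append(("identity", "SPF/DKIM failed for company-domain sender"))

    # 4. Body requests W-2 / SSN data (single-part text bodies only).
    body = msg.get_payload(decode=True) or b""
    text = body.decode(errors="replace").casefold()
    hits = [t for t in SENSITIVE_TERMS if t in text]
    if hits:
        flags.append(("content", "asks for payroll data: " + ", ".join(hits)))

    return flags


def looks_like_w2_scam(raw: str) -> bool:
    """True when a spoofing indicator and a payroll-data request occur together."""
    categories = {category for category, _ in screen_message(raw)}
    return {"identity", "content"} <= categories


# Constructed sample messages (not real mail).
PHISH = """From: Jordan Example <jordan@example-mail.co>
Reply-To: jordan@example-mail.co
To: hr@example.com
Subject: Urgent: employee W-2s
Authentication-Results: mx.example.com; spf=none

Hi, I need the W-2s for all employees (with SSNs) as PDFs today. Thanks, Jordan
"""

SPOOF = """From: Jordan Example <jordan@example.com>
Reply-To: ceo.office@mailer.invalid
To: payroll@example.com
Subject: list of employees
Authentication-Results: mx.example.com; spf=fail; dkim=none

Send me the full employee list with social security numbers for review.
"""

LEGIT = """From: Jordan Example <jordan@example.com>
To: hr@example.com
Subject: Offsite next week
Authentication-Results: mx.example.com; spf=pass; dkim=pass

Can you book the room for Thursday? Jordan
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("SPOOF", SPOOF), ("LEGIT", LEGIT)):
        print(label, looks_like_w2_scam(sample), screen_message(sample))
```

The check is a tripwire, not a verdict: a scammer who registers a look-alike domain with valid SPF and no Reply-To trips only the display-name rule, and a genuine executive forwarding from a personal account trips it too. The IRS advice stands either way: a positive result means pick up the phone and confirm with the executive before anything is sent.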

The MJS article reports that both Snapchat and Seagate have “notified federal authorities” about the incidents and are offering affected workers two years of free credit monitoring.

Risa Boerner, a partner in Fisher & Phillips’ Radnor, Pa., office and the chair of its Data Security and Workplace Privacy Practice Group, told me yesterday that scam artists are becoming much more sophisticated in their efforts.

Today, she explained, they can clone a CEO’s email account and make it look like it’s coming from him or her, as was the case here. While that was possible 10 years ago, she added, it wasn’t very common for the messages to look as polished and believable as they often do today.

She noted that these incidents speak to the need for employers to not only thoroughly train their employees, but also update their training regularly to keep up with changing tactics. “What was current two years ago may not be current now,” she said.

Prudent advice, I’d say, considering the level of sophistication of the perpetrators. I’m sure no one reading this would like to see his or her company join the ranks of those falling victim to such a ploy—and then having to deal with the aftermath.

Red Flag on a Red Flag You Might Not Know About

I’m only sharing this because one of the sources of the information says most businesses aren’t even aware of the recently passed Red Flag Program Clarification Act of 2010.

Mind you, this one alert from FreeFromIDTheft.com is a bit hard to read and grammatically challenging, not to mention promotional, but it does cut to the chase about the law and which businesses will be affected — including financial institutions, schools, credit-card firms, insurance companies, lenders, car dealerships, realtors … basically any entity that offers or maintains accounts that pose a reasonably foreseeable risk of ID theft.

President Obama signed the law on Dec. 18 to amend the Fair Credit Reporting Act’s “Red Flags Rule” in order to clarify which organizations are required to develop and implement written identity-theft-prevention programs and which are not.

Thanks to the bill’s passage, enforcement of the Red Flags Rule effectively began on Jan. 1.

So what does this mean for employers? In essence, says Carl Clifford, head of FreeFromIDTheft, “with fines extending from $1,000 to several hundred thousand dollars or more per incident, companies and corporations are now mandated to be more conscientious and vigilant in their security practices on how they handle and dispose of non-public and sensitive information.”

“If you’re a human resource … executive, I truly understand,” he says. “Not only do you wish to protect your place of employment, but your obligation to keep up to date on all the laws and regulations that affect your company.”

Perhaps the good news for some out there is that some professions will now be exempt from having to scramble to get such programs up and running, and policed, thanks to the clarification. Those professions include doctors, accountants, lawyers and similar service providers.

For further explanation, here’s what the Kroll Fraud Solutions Blog had to say about the bill just before Obama signed it into law. And here’s a post-Obama-signature post from Hunton & Williams’ huntonprivacyblog.com.