Interview with John Vacca, information technology consultant and internationally known author

John Vacca is an information technology consultant and internationally known author based in Pomeroy, Ohio. Since 1982, John has authored of 30 books and more than 390 articles in the areas of Internet and Intranet security, programming, systems development, rapid application development, multimedia and the Internet. John was also a configuration management specialist, computer specialist, and the computer security official for NASA’s space station program (Freedom) and the International Space Station Program, from 1988 until his early retirement from NASA in 1995. John was also one of the security consultants for the MGM movie titled “AntiTrust“.

How long did it take you to write “Identity Theft” and what was it like? Any major difficulties?

It took me approximately 6 months to write the book. Furthermore, it turned out to be quite a learning experience during the process of doing research for the book. What I found out was that despite my best efforts to manage the flow of my personal information or to keep it to myself, skilled identity thieves may use a variety of methods (low- and hi-tech) to gain access to my data. There were no major difficulties in writing the book.

Why did you decide to write this book?

The idea for the book was based in part on an article that I did for Business Security Advisor Magazine – October 2001 – “Protect Yourself from Identity Theft”.

What is the most interesting identity theft case you’ve become aware of while researching for this book?

This was the case of a major credit card company selling accounts to another credit card service company without telling their customers of the sale. The customers eventually found out about the sale when they tried to use their credit card and found that the card transaction was declined. Upon contacting the initial credit card company to inquire about why they couldn’t use the card, they were told then about the sale of their account. Eventually, they received a letter from the credit card company that bought the accounts, and were told that their old account was closed and that they had to pay the complete balance “upon receipt of this letter,” or legal action would be taken against them; as well as, reporting the uncollected debt to all of the credit bureaus. If that wasn’t bad enough, the cancelled account holders received a statement from the credit card company that bought the accounts, showing new charges (purchases and cash advances) that the holders of the cards supposedly had made before the accounts were closed. The problem here was that none of the card holders had made any of these charges. Apparently what happened, was that just before the accounts were closed, several customer service representatives within the company that purchased the accounts, decided to run up charges on the credit cards for their own personal use; and, then sold the account numbers and social security numbers to other criminal elements. These criminals used that information to charge up the cards some more, and open up new accounts in the card holders’ names through the use of the stolen social security numbers. I really can’t comment any further on this case, it is still pending in the courts. But, what I can say is, that more and more credit card companies are selling your accounts to other unscrupulous financial organizations without your knowledge. And, by the time you find out, your identity has already been stolen.

What is the most important thing people can do to protect them from identity theft on the Internet?

You can stop doing business on the Internet as an individual. But, it’s really what your ISP can do for you that’s most important.

The following are ID Theft prevention methods for ISPs:
1. Limit the access to your customer’ information within your organization.
2. Practice due diligence to ensure those who do have access are trustworthy (background checks).
3. Make sure your online transaction forms are as secure as you can make them.
4. Have one member of your staff, your Privacy Officer, responsible for your customer’s data.
5. Educate your customers to the possible dangers of giving out personal information and make sure your staff is ready to help in the event they are victims of such an attack.
6. Know the law. When the Feds come knocking, it will be helpful for you to know exactly what to give them and why.

In your opinion, what should a bank do if they realize one of their customers has become a victim of identity theft?

Banking organizations should provide their customers with information about how to prevent identity theft and necessary steps to take in the event a customer becomes a victim of identity theft. An excellent source of information for consumers is the Federal Trade Commission’s website.

Banking organizations should also assist their customers who are victims of identity theft and fraud by having trained personnel to respond to customer inquiries, by determining whether an account should be closed immediately after a report of unauthorized use, and by prompt issuance of new checks or new credit, debit or ATM cards. If a customer has multiple accounts with the institution, it should assess whether any other account has been the subject of potential fraud.

What are your plans for the future? Any exciting new projects?

I am presently working on a book for Prentice Hall that is tentatively tiled “The World’s 20+ Greatest Unsolved Problems In Science” It should be out in December.