PROJET AUTOBLOG


Krebs on Security

Original site: Krebs on Security


The Lowdown on Freezing Your Kid’s Credit

Wednesday, January 20, 2016 at 18:13

A story in a national news source earlier this month about freezing your child’s credit file to preempt ID thieves prompted many readers to erroneously conclude that all states allow this as of 2016. The truth is that some states let parents create a file for their child and then freeze it, while many states have no laws on the matter. Here’s a short primer on the current situation, with the availability of credit freezes (a.k.a. “security freeze”) for minors by state and by credit bureau.

The lighter-colored states have laws permitting parents and/or guardians to place a freeze or flag on a dependent’s credit file.

A child’s Social Security number can be used by identity thieves to apply for government benefits, open bank and credit card accounts, apply for a loan or utility service, or rent a place to live. Why would ID thieves wish to assume a child’s identity? Because that child is (likely) a clean slate, which translates to plenty of available credit down the road. In addition, minors generally aren’t in the habit of checking their credit reports or even the existence of one, and most parents don’t find out about the crime until the child approaches the age of 18 (or well after).

A 2012 report on child identity theft from the Carnegie Mellon University CyLab delves into the problem of identity thieves targeting children for unused Social Security numbers. The study looked at identity theft protection scans done on some 40,000 children, and found that roughly 10 percent of them were victims of ID theft.

The Protect Children from Identity Theft Act, introduced in the House of Representatives in March 2015, would give parents and guardians the ability to create a protected, frozen credit file for their children. However, GovTrack currently gives the bill a two percent chance of passage in this Congress.

So for now, there is no federal law for minors regarding credit freezes. This has left it up to the states to establish their own policies.

Credit bureau Equifax offers a free service that will allow parents to create a credit report for a minor and freeze it regardless of the state requirement. The minor also does not have to be a victim of identity theft. Equifax has more information on this offering here.

Experian told me that company policy is not to create a file for a minor upon request unless mandated by state law. “However, if a file exists for the minor we will provide a copy free to the parent or legal guardian and will freeze it,” said Experian spokesperson Susan Henson.

Henson added that depending on state law, there may be a fee ranging from $3 to $10 associated with the minor’s freeze. However, if the minor is a victim of identity theft and the applicant submits a copy of a valid police or incident report or complaint with a law enforcement agency or the Department of Motor Vehicles (DMV), the fee will be waived.

TransUnion has a form on its site that lets parents and guardians check for the presence of a credit file on their dependents. But it also only allows freezes in states that reserve that right for minors and their parents or guardians, and applicable fees may apply.

Innovis, often referred to as the fourth major consumer credit bureau, allows parents or guardians to place a freeze on their dependent’s file regardless of state laws.

According to Eva Casey Velasquez, president and CEO of the Identity Theft Resource Center, there are currently 23 states that have regulations that provide some kind of protective mechanism for parents and guardians when it comes to children’s credit reports.

“Some allow you to create and freeze a report, others allow for some kind of ‘flag’ on the Social Security number,” Velasquez said. “Kentucky has proposed legislation and it will go for a hearing, probably this month.”

Here’s a list of the states that have minor freeze laws on the books, and the status of pending state legislation from the National Conference of State Legislatures (NCSL). That list currently includes Arizona, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Iowa, Louisiana, Maine, Maryland, Michigan, Montana, Nebraska, New York, North Carolina, Oregon, South Carolina, Tennessee, Texas, Utah, Virginia and Wisconsin. These 23 states are reflected in the map above as the lighter-colored states.

Many of these states will only allow parents or guardians to request a freeze if the child is 16 or younger. Others allow 18 years of age or younger, and some — like New York — are debating legislation to increase the age from 16 to 18.

According to the U.S. Federal Trade Commission (FTC), several signs can tip you off that someone is misusing your child’s personal information to commit fraud. For example, you or your child might:

- be turned down for government benefits because the benefits are being paid to another account using your child’s Social Security number

- get a notice from the IRS saying the child didn’t pay income taxes, or that the child’s Social Security number was used on another tax return

- get collection calls or bills for products or services you didn’t receive

The FTC has published a comprehensive set of resources that parents and guardians can use to check for the presence of a credit file on their child or dependent, including a checklist of what to do next if a file is found.

Readers have asked whether signing kids up for identity monitoring services might be a better solution than a freeze. As I explain in How I Learned to Stop Worrying and Embrace the Security Freeze, identity monitoring services are great for helping to recover from identity theft, but they are not so effective at blocking thieves from creating new accounts. The most you can hope for in that regard is that the service will alert you when a new account is created.

Some fans of my series explaining why I recommend that all adults place a freeze on their credit files have commented that one reason they like the freeze is that they believe it stops the credit bureaus from making tons of money tracking their financial histories and selling that data to other companies. Let me make this abundantly clear: Freezing your credit will not stop the bureaus from splicing, dicing and selling your financial history to third parties; it just stops new credit accounts from being opened in your name.

Incidentally, it appears many more consumers are starting to get the message about the efficacy of and/or need for security freezes. Bob Sullivan, an independent investigative reporter and editor of BobSullivan.net, recently polled the major credit bureaus and found a considerable uptick in new applications for security freezes in 2015. According to data Sullivan obtained from Credit.com, between 2011 and 2014 freeze users ranged from 130,000 to 160,000 annually. During that same period, about 600,000 consumers requested initial fraud alerts be placed on their credit files, Experian said.

“But that might have changed in 2015,” Sullivan wrote. “In February 2015 alone — the same month as the high-profile data leak at health insurer Anthem — nearly 160,000 consumers asked Experian for a credit freeze. Through October, the yearly total was 434,000, meaning about triple the consumers used freezes in 2015 than 2014.”

Firm Sues Cyber Insurer Over $480K Loss

Tuesday, January 19, 2016 at 04:58

A Texas manufacturing firm is suing its cyber insurance provider for refusing to cover a $480,000 loss following an email scam that impersonated the firm’s chief executive.

At issue is a cyber insurance policy issued to Houston-based Ameriforge Group Inc. (doing business as “AFGlobal Corp.”) by Federal Insurance Co., a division of insurance giant Chubb Group. AFGlobal maintains that the policy it held provided coverage for both computer fraud and funds transfer fraud, but that the insurer nevertheless denied a claim filed in May 2014 after scammers impersonating AFGlobal’s CEO convinced the company’s accountant to wire $480,000 to a bank in China.

According to documents filed with the U.S. District Court in Harris County, Texas, the policy covered up to $3 million, with a $100,000 deductible. The documents indicate that from May 21, 2014 to May 27, 2014, AFGlobal’s director of accounting received a series of emails from someone claiming to be Gean Stalcup, the CEO of AFGlobal.

“Glen, I have assigned you to manage file T521,” the phony message to the accounting director Glen Wurm allegedly read. “This is a strictly confidential financial operation, to which takes priority over other tasks. Have you already been contacted by Steven Shapiro (attorney from KPMG)? This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations. Please do no speak with anyone by email or phone regarding this. Regards, Gean Stalcup.”

Roughly 30 minutes later, Mr. Wurm said he was contacted via phone and email by Mr. Shapiro stating that due diligence fees associated with the China acquisition in the amount of $480,000 were needed. AFGlobal claims a Mr. Shapiro followed up via email with wiring instructions.

After wiring the funds as requested — sending the funds to an account at the Agricultural Bank of China — Mr. Wurm said he received no further correspondence from the imposter until May 27, 2014, when the imposter acknowledged receipt of the $480,000 and asked Wurm to wire an additional $18 million. Wurm said he became suspicious after that request, and alerted the officers of the company to his suspicions.

According to the plaintiff, “the imposter seemed to know the normal procedures of the company and also that Gean Stalcup had a long-standing, very personal and familiar relationship with Mr. Wurm — sufficient enough that Mr. Wurm would not question a request from the CEO.”

The company said it attempted to recover the $480,000 wire from its bank, but that the money was already gone by the 27th, with the imposters zeroing out and closing the recipient account shortly after the transfer was completed on May 21.

In a letter sent by Chubb to the plaintiff, the insurance firm said it was denying the claim because the scam, known alternatively as “business email compromise” (BEC) and CEO fraud, did not involve the forgery of a financial instrument as required by the policy.

“Federal disagrees with your contention that forgery coverage is implicated by this matter,” the insurer wrote in an Oct. 9, 2014 letter to AFGlobal. “Your August 12 letter asserts that ‘[t]he Forgery by a Third Party in this incident was of a financial instrument.’ Federal is unaware of any authority to support your position that the email you reference qualifies as a Financial Instrument (as that term is defined in the Policy).”

According to Chubb, to be a financial instrument, the subject email must be a check, draft, or a similar written promise, order or direction to pay a sum certain in money that is made, drawn by or drawn upon an Organization or by anyone acting as an Organization’s agent, or that is purported to have been so made or drawn.

“Your August 12 letter appears to argue that ‘[t]he email constituted an order or direction to pay’ because Mr. Shapiro’s May 21, 2014 email contained wire transfer instructions as to where the funds (apparently discussed in a separate phone conversation between ‘Mr. Shapiro’ and Mr. Wurm) were to be sent,” the insurance firm told AFGlobal. “This argument ignores the fact that what defines a Financial Instrument under the Policy is not merely the existence of a written promise, order or direction to pay, but a written promise, order or direction to pay that is ‘similar’ to a ‘check’ or ‘draft.’”

The insurer continued:

“In the context of a commercial crime policy, ‘checks’ and ‘drafts’ are widely understood to be types of negotiable instruments. They represent unconditional written orders or promises to pay a fixed amount of money on demand, or at a definite time, to a payee or bearer, and they can be transferred outside of the maker or drawer’s control. The email at issue in this matter — which is not negotiable — is in no way similar to these types of instruments.”

Chubb’s claim in this case and its definition of a financial instrument would seem to be dated enough that they also might discount transfers from e-checks or deposits scanned and sent over the phone — although the documents in this case do not touch on those instruments. Chubb’s definitions of what constitutes a financial instrument are laid out in this document (PDF).

The complaint lodged by AFGlobal is here (PDF). The insurance company’s response is here.

Law360 notes that this is actually the second time in the past year that Chubb Corp. unit Federal Insurance was taken to court over coverage after its policyholder was fraudulently swindled out of money.

“Research technology company Medidata Solutions Inc. sued Federal in February for denying reimbursement of $4.8 million after a company employee, also contacted by a fake CEO and fake attorney, instructed him to also wire the money to a Chinese bank,” wrote Steven Trader for Law360. “Though Medidata argued that the imposter changed the email code to alter the sender’s address and include the CEO’s forged signature, thereby constituting a “fraudulent” change in data that triggered coverage, Federal fought back in New York federal court that its policy only covered hacking, not voluntary transfers of money.”

BEC or CEO Fraud schemes are an increasingly common and costly form of cybercrime. According to the FBI, thieves stole nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.

CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two characters off from the target company’s true domain name. For example, if the target company’s domain was “example.com” the thieves might register “examp1e.com” (substituting the numeral 1 for the letter “l”) or “example.co,” and send messages from that domain.

In these cases, the fraudsters will forge the sender’s email address displayed to the recipient, so that the email appears to be coming from example.com. The “Reply-To” header, however, points at the look-alike domain (e.g. examp1e.com), ensuring that any replies are sent to the fraudster. A From address that matches the company while the Reply-To does not is therefore one of the cheapest checks a mail gateway or recipient can make.
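The two indicators above are easy to check mechanically. The following is an added example, not code from the original article or from any of the firms it names: it parses raw message headers with Python’s standard `email` package, extracts the From and Reply-To domains, and flags a Reply-To that diverges from From or a domain that is a homoglyph (1 for l, rn for m) or within two edits of the company’s real domain. The domain example.com and the three sample messages are constructed for the demonstration.

```python
"""Flag the two BEC indicators described above in raw e-mail headers.

Added example, not from the original article: (1) a look-alike sender domain
one or two characters off from the real one, possibly using homoglyphs such
as the numeral 1 for the letter l, and (2) a From: that matches the company
while Reply-To: points at the look-alike. example.com and the sample
messages below are constructed for the demo.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Single characters attackers swap for visually similar ones.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})
# Multi-character confusables: "rn" reads as "m", "vv" as "w", "cl" as "d".
MULTI_HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def fold_homoglyphs(domain: str) -> str:
    """Fold look-alike characters so examp1e.com and exarnple.com both become example.com."""
    d = domain.lower().translate(HOMOGLYPHS)
    for bad, good in MULTI_HOMOGLYPHS:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, real: str) -> bool:
    """True if domain is not the real one but is a homoglyph of it or within two edits."""
    domain, real = domain.lower(), real.lower()
    if not domain or domain == real:
        return False
    if fold_homoglyphs(domain) == real:
        return True
    return edit_distance(domain, real) <= 2  # catches example.co, exmaple.com, ...


def domain_of(header_value) -> str:
    """Domain part of the first address in a header, or '' if the header is absent."""
    if header_value is None:
        return ""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def check_message(raw: bytes, real_domain: str) -> list:
    """Return human-readable indicators for one raw RFC 5322 message (empty list = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To")) or from_dom  # no Reply-To: replies go to From
    findings = []
    if is_lookalike(from_dom, real_domain):
        findings.append(f"From domain {from_dom} is a look-alike of {real_domain}")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
        if is_lookalike(reply_dom, real_domain):
            findings.append(f"Reply-To domain {reply_dom} is a look-alike of {real_domain}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "forged_from_with_lookalike_reply_to": (
        b"From: Gean Stalcup <gean.stalcup@example.com>\r\n"
        b"Reply-To: gean.stalcup@examp1e.com\r\n"
        b"To: glen@example.com\r\n"
        b"Subject: Confidential financial operation\r\n\r\n"
        b"Please only communicate with me through this email.\r\n"
    ),
    "lookalike_from_domain": (
        b"From: CEO <ceo@example.co>\r\n"
        b"To: accounting@example.com\r\n"
        b"Subject: Urgent wire\r\n\r\nWire instructions attached.\r\n"
    ),
    "legitimate": (
        b"From: Gean Stalcup <gean.stalcup@example.com>\r\n"
        b"To: glen@example.com\r\n"
        b"Subject: Lunch\r\n\r\nNoon?\r\n"
    ),
}


def scan_samples(real_domain: str = "example.com") -> dict:
    """Run every constructed sample and return {name: findings}."""
    return {name: check_message(raw, real_domain) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "->", findings or ["clean"])
```

The edit-distance threshold of two is deliberately loose; in production you would apply it only to domains that are not already on an allow-list, otherwise a legitimately named partner domain one letter away from yours would trip it on every message.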

On the surface, business email compromise scams may seem unsophisticated relative to moneymaking schemes that involve complex malicious software, such as Dyre and ZeuS. But in many ways, the BEC attack is more versatile and adept at sidestepping basic security strategies used by banks and their customers to minimize risks associated with account takeovers. In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the BEC scam the crooks trick the victim into doing that for them.

The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media.

Hyatt Card Breach Hit 250 Hotels in 50 Nations

Friday, January 15, 2016 at 19:15

If you stayed, ate or played at a Hyatt hotel between Aug. 13 and Dec. 8, 2015, there’s a good chance your credit or debit card data was stolen by unknown cyber thieves who infiltrated many of the hotel chain’s payment systems. In its first disclosure about the scope of a breach acknowledged last month, Hyatt Hotels Corp. says the intrusion likely affected guests at 250 hotels in roughly 50 countries.

In a statement released Thursday, Hyatt said the majority of the payment systems compromised by card-stealing malware were at restaurants within the hotels, and that a “small percentage of the at-risk cards were used at spas, golf shops, parking and a limited number of front desks.” The list of affected hotels is here.

Chicago-based Hyatt joins a crowded list of other hotel chains similarly breached in the past year, including Hilton, Starwood, Mandarin Oriental, White Lodging (twice) and the Trump Collection.

ANALYSIS/RANT

U.S. banks have been transitioning to offering chip-based credit and debit cards, and a greater number of retailers are installing checkout systems that can read customer card data off the chip. The chip does not hide the card number, but it authenticates each transaction with a one-time cryptogram that a copied card cannot reproduce, which makes counterfeiting much more difficult and expensive for thieves.

However, most of these chip cards will still hold customer data in plain text on the card’s magnetic stripe, and U.S. merchants that continue to allow customers to swipe the stripe or who do not have chip card readers in place face shouldering all of the liability for any transactions later determined to be fraudulent.

The United States is the last of the G20 nations to enact this liability shift, and many countries that have transitioned to chip card technology have done so through government fiat. Those nations also almost uniformly have seen card counterfeiting fraud go way down while thieves shift their attention to targeting e-commerce providers.

Although cyber thieves still steal card data off the magnetic stripe from customers of banks in nations that long ago shifted to chip-cards, that card data is typically shipped to thieves here in the United States, who can counterfeit the cards and use them to steal merchandise from U.S.-based big box retailers.

What’s remarkable about the U.S. experiment with moving to chip cards is that the discussion about whether and when to move to more physical security (chips) in credit and debit cards has played out almost entirely apart from the move to impose expensive and increasingly labyrinthine compliance regulations (PCI) on merchants that wish to process or accept card transactions.

Instead of just mandating that banks and retailers shift in lockstep to handling chip cards, U.S. lawmakers and regulators have for years delegated (abdicated?) accountability for credit card security to a booming industry of auditors and assessors who’ve been trying to secure a technology (magnetic stripe-based cards) that is 60 years old and is about as secure as mailing your credit card number on a postcard.

For all the attention given to sophisticated new ATM and card skimming devices, for example, the technology included in skimmers to steal card data from the magnetic stripe need be no more sophisticated than the components of a 35-year-old Sony Walkman. I should note here that while the chip-based liability shift for retailers went into effect in October 2015, that same shift doesn’t extend to ATMs until October 2016 and for unattended payment terminals (e.g. gas pumps) until October 2017.

As chip card adoption picks up here in the States and counterfeiting cards becomes more expensive for cyber thieves, we will start to hear about far fewer of these retail breaches. E-commerce providers will no doubt feel the brunt of this shift because the thieves don’t just go away when you make things harder on them — they go where there are more plentiful victims and fewer up-front costs. And for cybercrooks, there is a great deal of low-hanging fruit in the e-commerce sector (and there are plenty of new businesses coming online for the first time every day).

There is another big shift in fraud that’s coming but that is probably not getting enough attention from the banks, retailers and e-commerce providers: It’s a safe bet that we can also expect a giant spike in account takeovers and in new account fraud. Both forms of fraud are closely linked to static consumer identity data (SSN, DOB, etc.) that is widely available in the cybercrime underground. Banks and retailers alike have a lot of work ahead of them to improve the reliability and scalability of systems for authenticating and really knowing their customers.

Instead, many financial institutions have squandered a great deal of their resources trying to figure out which retailers are exposing their customers’ cards. That’s because Visa, MasterCard and the other card associations won’t tell banks which retailers have been hit; they just send them incessant updates about specific card numbers that were suspected to have been compromised in a breach somewhere. It’s then up to the banks to work backwards from the breached cards and triangulate which merchants show up most frequently in a batch of given cards.
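The triangulation described above is usually called common-point-of-purchase (CPP) analysis. What follows is an added example, not code from the original article or from any bank: given a batch of card identifiers flagged as compromised and the bank’s own authorization history, it ranks merchants by how over-represented they are among the flagged cards during the suspected breach window, relative to the merchant’s popularity among all active cards. Every transaction, merchant name and card identifier below is constructed for the demonstration; the card IDs are placeholders, not account numbers.

```python
"""Common-point-of-purchase (CPP) analysis.

Added example, not part of the original article: the card brands hand a bank
a batch of cards flagged as compromised; the bank then looks for the merchant
that an unusually large share of those cards have in common during the
suspected breach window. All data below is constructed; card IDs are
placeholders, not real account numbers.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    card: str
    merchant: str
    when: date


def common_point_of_purchase(txns, flagged, window_start, window_end, min_hits=3):
    """Rank merchants by how over-represented they are among flagged cards.

    Returns [(merchant, flagged_cards_seen, share_of_flagged, lift)] sorted by lift.
    share_of_flagged is the fraction of flagged cards that transacted at the merchant
    inside the window; lift divides that by the merchant's share of *all* cards active
    in the window. Lift near 1 means the merchant is merely popular (everyone shops
    there); lift well above 1 points at the breach.
    """
    flagged = set(flagged)
    cards_at = defaultdict(set)  # merchant -> every card seen there in the window
    active = set()
    for t in txns:
        if window_start <= t.when <= window_end:
            cards_at[t.merchant].add(t.card)
            active.add(t.card)
    ranked = []
    for merchant, cards in cards_at.items():
        hits = cards & flagged
        if len(hits) < min_hits:  # too few flagged cards to mean anything
            continue
        share_flagged = len(hits) / len(flagged)
        share_all = len(cards) / len(active)
        ranked.append((merchant, len(hits), round(share_flagged, 3),
                       round(share_flagged / share_all, 2)))
    ranked.sort(key=lambda r: (-r[3], -r[1], r[0]))
    return ranked


def sample_data():
    """Constructed history for 50 cards; cards c01..c10 are the ones the brands flagged."""
    cards = [f"c{i:02d}" for i in range(1, 51)]
    flagged = cards[:10]
    txns = []
    # Everyone uses the grocery store: a popular merchant, not the breach.
    txns += [Txn(c, "GROCERY", date(2015, 10, 5)) for c in cards]
    # All ten flagged cards plus two clean ones ate at the hotel restaurant.
    txns += [Txn(c, "HOTEL-RESTAURANT", date(2015, 9, 14)) for c in cards[:12]]
    # Four flagged cards and ten clean ones bought gas.
    txns += [Txn(c, "GASMART", date(2015, 11, 2)) for c in cards[:4] + cards[19:29]]
    # Two flagged cards at a coffee shop: below min_hits, so ignored.
    txns += [Txn(c, "COFFEE", date(2015, 11, 20)) for c in cards[4:6]]
    # All flagged cards shopped here, but a year before the window.
    txns += [Txn(c, "OLDSHOP", date(2014, 9, 1)) for c in flagged]
    return txns, flagged


def rank_sample():
    """Run CPP over the constructed data with the window from the Hyatt disclosure."""
    txns, flagged = sample_data()
    return common_point_of_purchase(txns, flagged, date(2015, 8, 13), date(2015, 12, 8))


if __name__ == "__main__":
    for merchant, hits, share, lift in rank_sample():
        print(f"{merchant:18} flagged={hits:2d} share={share:.2f} lift={lift}")
```

The lift column is what separates a real common point of purchase from a merchant that simply appears on every card; a grocery chain will show 100 percent of flagged cards and a lift of 1.0, while the breached restaurant shows the same share with a lift several times higher. In practice a bank would also narrow the window per merchant to find when the compromise began.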

All of this probably explains why on any given week I’m contacted by anti-fraud personnel at various banks across the country, asking if I can help them divine the source of some card fraud pain they’re experiencing. As a journalist, this is a bit of a surreal situation, but I can’t complain much: It has allowed this author to break story after story about card breaches in the retail sector over the past two years.

Ransomware a Threat to Cloud Services, Too

Thursday, January 14, 2016 at 17:41

Ransomware — malicious software that encrypts the victim’s files and holds them hostage unless and until the victim pays a ransom in Bitcoin — has emerged as a potent and increasingly common threat online. But many Internet users are unaware that ransomware also can just as easily seize control over files stored on cloud services.

Toni Casala found this out the hard way. Casala’s firm — Children in Film — works as an advocate for young actors and their families. The company’s entire operations run off of application hosting services at a managed cloud solutions firm in California, from QuickBooks to Microsoft Office and Outlook. Employees use Citrix to connect to the cloud, and the hosting firm’s application maps the cloud drive as a local disk on the user’s hard drive.

“We were loving that situation,” Casala said. “We can keep the computers here at work empty, and the service is very inexpensive when you compare it the cost of having more IT people on staff. Also, when we need support, they are very responsive. We don’t get farmed out to some call center in India.”

They were loving it, that is, until just before New Year’s Eve, when an employee opened an email attachment that appeared to be an invoice. Thirty minutes later, nobody in Casala’s firm could access any of the company’s 4,000+ files stored on the cloud drive.

“Someone in my office was logged into Outlook and opened up an invoice attachment and BAM!, within 30 minutes, every single file on our Q drive had ‘vvv’ added as file extensions,” she said. Every single folder had a file that said “help.decrypt,” essentially the attacker’s instructions for how to pay the ransom.

The cloud provider that Casala’s company is using was keeping daily backups, but she said it still took them almost a week to fully restore all of the files that were held hostage. She said the hosting service told her that the malware also disrupted operations for other customers on the same server.
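From the server side, the incident above had a distinctive shape: a single client session renaming thousands of files on the mapped share to one new extension and dropping a note file into every folder within about 30 minutes, which is exactly the kind of pattern a hosting provider can trip on before the whole volume is scrambled. The following is an added example, not code from the original post or from the hosting provider: it scans file-server audit records for a burst of renames by one user that converge on a single unfamiliar extension, and for the creation of known ransom-note filenames. The log format (`timestamp|user|operation|path`), the note filenames beyond help.decrypt, and the sample lines are all constructed for the demonstration.

```python
"""Mass-rename tripwire for a mapped file share.

Added example, not from the original post or the hosting provider. It looks
for what the incident above looked like from the server: one user renaming
many files to a single new extension inside a short window, plus a ransom
note (help.decrypt) created in the folders. The audit-log format and the
sample lines are constructed for the demo.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# help.decrypt is from the incident; the other names are assumed examples.
RANSOM_NOTE_NAMES = {"help.decrypt", "help_decrypt.txt", "howto_restore_files.txt"}


def parse_line(line: str):
    """Constructed format: ISO timestamp|user|RENAME or CREATE|path (RENAME uses 'old -> new')."""
    ts, user, op, path = line.rstrip("\n").split("|", 3)
    return datetime.fromisoformat(ts), user, op, path


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def new_extension(rename_field: str) -> str:
    """Lower-cased extension of the destination name in 'old -> new' ('' if none)."""
    name = basename(rename_field.split(" -> ")[-1])
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines, window=timedelta(minutes=30), rename_threshold=50, ext_share=0.9):
    """Return {user: {"new_extension", "renames", "note_written"}} for suspicious users.

    A user is flagged when, inside any `window`, at least `rename_threshold` renames
    occur and a single destination extension accounts for `ext_share` of them, or
    when the user creates a file whose name is a known ransom note.
    """
    renames = defaultdict(list)  # user -> [(timestamp, new extension)]
    notes = Counter()            # user -> ransom notes written
    for line in lines:
        ts, user, op, path = parse_line(line)
        if op == "RENAME":
            renames[user].append((ts, new_extension(path)))
        elif op == "CREATE" and basename(path).lower() in RANSOM_NOTE_NAMES:
            notes[user] += 1

    alerts = {}
    for user, events in renames.items():
        events.sort()
        j = 0
        for i in range(len(events)):
            # Slide the window: events[i:j] all fall within `window` of events[i].
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            burst = events[i:j]
            if len(burst) < rename_threshold:
                continue
            ext, n = Counter(e for _, e in burst).most_common(1)[0]
            if n / len(burst) >= ext_share:
                alerts[user] = {"new_extension": ext, "renames": len(burst),
                                "note_written": notes[user] > 0}
                break
    # A ransom note alone is worth an alert even below the rename threshold.
    for user in notes:
        alerts.setdefault(user, {"new_extension": None, "renames": 0, "note_written": True})
    return alerts


def build_sample_log():
    """Constructed audit lines: one infected session (jdoe) and one benign user (asmith)."""
    t0 = datetime(2015, 12, 30, 9, 0, 0)
    lines = []
    for i in range(60):  # 60 renames to .vvv in ten minutes, note dropped in three folders
        ts = (t0 + timedelta(seconds=10 * i)).isoformat()
        src = f"Q:\\Accounting\\doc{i:03d}.xlsx"
        lines.append(f"{ts}|jdoe|RENAME|{src} -> {src}.vvv")
        if i % 20 == 0:
            lines.append(f"{ts}|jdoe|CREATE|Q:\\Accounting\\folder{i // 20}\\help.decrypt")
    for i in range(20):  # scattered housekeeping renames to mixed extensions: benign
        ts = (t0 + timedelta(minutes=3 * i)).isoformat()
        ext = ".bak" if i % 2 else ".old"
        lines.append(f"{ts}|asmith|RENAME|Q:\\HR\\report{i}.docx -> Q:\\HR\\report{i}.docx{ext}")
    return lines


if __name__ == "__main__":
    for user, info in detect(build_sample_log()).items():
        print(f"ALERT {user}: {info}")
```

On a real file server the response to an alert is to kill that user’s session and revoke the share permission before the rename loop finishes; the rename threshold and window should be tuned against a few days of normal activity so that a user bulk-renaming photos does not trip it.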

Casala said her company got lucky on several fronts. For starters, the infection happened right before her firm closed down operations for the New Year’s break, so the outage was less of a disruption than it might normally have been.

More importantly, the malware that scrambled their files, a strain of ransomware called TeslaCrypt, contained a coding weakness that has allowed security and antivirus firms to help victims decrypt the files without paying the ransom. Users over at the computer help forum BleepingComputer have created TeslaDecoder, which allows victims to decrypt files locked by TeslaCrypt.

Casala said the hosting firm had antivirus installed on the server, but that the ransomware slipped past those defenses. That’s because the crooks who are distributing ransomware engineer the malware to evade detection by antivirus software. For more on how cybercriminals achieve that, see Antivirus is Dead: Long Live Antivirus.

The best defense against ransomware is a good set of data backups that are made each day — preferably to a device that is not always connected to the network. Unfortunately, this is often easier said than done, especially for small businesses. For many ransomware victims who do not have backups to rely upon, the choice of whether to pay comes down to the question of how badly the victim needs access to the ransomed files, and whether the files lost are worth more than the ransom demand (which is usually only a few hundred dollars in Bitcoin).

Many readers may have a hard time believing that ransomware peddlers will actually return the encrypted files to their original state if the ransom is paid. But cyber criminals who run these schemes have a vested interest in making sure the transaction is a relatively seamless one: They understand that if word gets out that victims aren’t getting their files back after paying, fewer victims will pay. What’s more, the amount demanded in ransom is about hitting that sweet spot: Thieves know that if they demand too much from each victim, they’ll have fewer victims who end up paying.

That said, ransomware is computer code, and even malware coders make mistakes. Every so often, crooks will release a new version of ransomware that contains critical programming errors, effectively rendering the victim’s files unrecoverable even if they do pay the ransom.

One big reason that ransomware scams are becoming more prevalent has to do with the proliferation of plug-and-play tools and services that make it simple to start your own cybercrime syndicate. Earlier this month, security firm Emsisoft published a fascinating look at a crimeware-as-a-service product being marketed in the underground called Ransom32, which allows anyone to start their own ransomware campaign just by providing a Bitcoin address to which victims will be asked to send the funds.

The crimeware-as-a-service ransomware package, Ransom32. Image: Emsisoft.

“After you type in your Bitcoin address, you will get access to the rudimentary administration panel,” the company explained. “In the admin panel, you can get various statistics, like for example how many people already paid or how many systems were infected. You can also configure your “client”, which is their term for the actual malware. It is possible to change the amount of Bitcoins the malware will ask for, as well as configure parameters like fake message boxes the malware is supposed to show during install.”

According to Emsisoft, the Ransom32 crimeware service also includes a feature that offers to decrypt a single file to demonstrate that the malware author has the capability to reverse the encryption.

It seems to me that ransomware attacks have a great deal of room for growth. I would expect criminals who have the skills to construct and manage their own ransomware campaigns eventually to begin doing a better job targeting victims — that is, taking the extra time to get a better idea of how much the ransomed files are worth, and then adjusting the ransom demand accordingly.

If you or your company is hit with ransomware, resist the temptation to pay up, which just perpetuates these scams. Take a deep breath, head on over to BleepingComputer’s ransomware removal section, which includes resources that may allow you to recover files without rewarding the crooks.

Adobe, Microsoft Push Reader, Windows Fixes

Tuesday, January 12, 2016 at 20:41

Adobe and Microsoft each issued updates today to fix critical security problems with their software. Adobe’s patch tackles 17 flaws in its Acrobat and PDF Reader products. Microsoft released nine update bundles to plug at least 22 security holes in Windows and associated software.

Six of the nine patches Microsoft is pushing out today address flaws the software giant considers “critical,” meaning the vulnerabilities could be exploited by malware or miscreants to break into vulnerable computers remotely without any help from users. The critical updates tackle problems with Internet Explorer, Microsoft Edge, Office and Silverlight, among other components. Links to all of the updates are available here.

As noted by security firm Qualys, this is the last Patch Tuesday for several older versions of Internet Explorer: as of Jan. 12, 2016, Microsoft supports only the most current version of IE available for each supported Windows release. In practice that means IE 8, 9 and 10 on Windows 7 and Windows 8.1 stop receiving security updates (IE 11 remains supported there), while IE 9 on Vista Service Pack 2 and Server 2008 and IE 10 on Server 2012 stay supported because they are the newest IE those systems can run. If you’re using one of the retired versions, consider switching — either to a newer, supported version of IE, or to something less tightly bound to the Windows operating system, such as Google Chrome.

It appears that Microsoft pulled one of the updates (MS16-009) at the last minute, probably due to issues in testing the fix to make sure it won’t interfere with other programs. In any case, if you use Microsoft’s products, take a moment this week to make sure that you’re up to date with these and other available security patches from Redmond.

Separately, Adobe has released critical updates for Adobe Acrobat and Reader. Adobe said it was not aware of any active attacks against the vulnerabilities fixed in this month’s release. Adobe also is phasing out older versions of Acrobat and Reader: As the company notes in this blog post, Adobe Acrobat X and Adobe Reader X are no longer supported.

Adobe Reader comes bundled with a number of third-party software products, but many Windows users may not realize there are alternatives, including some good free ones. For a time I used Foxit Reader, but that program seems to have grown more bloated with each release. My current preference is Sumatra PDF; it is lightweight (about 40 times smaller than Adobe Reader) and quite fast.