• How to complain about: credit report errors

    Everybody makes mistakes. But not every mistake is forgiven. In our capitalist society, mistakes with money are carefully logged, categorized and entered into a formula that controls your financial future -- your credit score.

    But what happens when the companies that keep this list make mistakes? After all, the credit bureaus -- which keep the list of who's been naughty and who's been nice -- are staffed by people who are just as fallible as the rest of us. Theirs is a complicated business. They keep track of billions of pieces of information. Mistakes do happen.

    Unfortunately, complaining about mistakes on your credit report can be one of the most maddening experiences a consumer can have. Erasing an unfair black mark on your credit history after a bout with identity theft or a run-in with a malicious company can turn into an odyssey worthy of a Kafka novel. That's why the first installment of our "How to Complain About" series takes on this most vexing of consumer issues.


    The credit report is composed of voluntary submissions by companies that you do business with. Those companies are called "furnishers." A credit card company is a furnisher. So is a furniture store where you bought a living room set on credit; so is a car dealership. As you might imagine, your credit report is only as accurate as the furnishers who contribute information about you. Their quality control measures vary widely.

    There are many reasons a mistake might find its way onto your credit report. Perhaps a furnisher forgot to give you credit when you paid your final bill. Perhaps someone impersonated you, and didn't pay their bills. Perhaps a furnisher made a data entry error when submitting updates, and accidentally blamed you for someone else's unpaid bill. Or perhaps you and a creditor have a real difference of opinion about a debt it says you owe.

    In most arenas of life, if someone makes false statements about you that cost you money or reputation, you can sue for libel. That's not true in the credit reporting system, however. Decades ago, Congress granted furnishers general immunity from libel lawsuits. That gives them less incentive to be impeccably accurate when they send data to the credit bureaus.

    Credit report mistakes range from inconsequential misspellings to wrongful reports of debt defaults that prevent the victim from ever borrowing money. Credit reports are notoriously inaccurate, though it's hard to say with precision how many reports have errors, as the credit bureaus keep that secret. But studies by third parties have found error rates as high as 25 percent. A small pilot study conducted by the Federal Trade Commission recently showed that 16 percent of consumer reports contained errors that would impact a consumer's credit score. The credit bureaus, which compile and sell the credit reports, told Congress in 2004 that the error frequency is much smaller -- only 3 percent -- but that would still impact nearly 6 million Americans.

    So it's entirely possible you'll find yourself battling a credit bureau about a mistake at some point in your adult life.

    Dispute process is born
    Decades ago, it was almost impossible to see the contents of your credit report and to fix mistakes. In response to an avalanche of complaints, Congress set up a formal dispute process when it passed an update to the Fair Credit Reporting Act in 1997. In that law, Congress mandated that consumers be given a fair trial when they believe something inaccurate is being reported. It requires the nation's credit bureaus -- Equifax, Experian, Trans Union and the smaller regional bureaus -- to take evidence from consumers, evidence from furnishers and decide who is right.

    Unfortunately, this process has been turned into something of a kangaroo court. In a recent report called "Automated Injustice," the National Consumer Law Center described the disheartening procedures that are now in place.

    Consumers who initiate disputes often send in pages of documentation supporting their claims. But in many cases, the paperwork is sent overseas to places like Mumbai, India, for cursory processing, the law center reported. There, employees work under tight quota and bonus systems. Subcontractors for Equifax, for example, must resolve more than 13 disputes every hour, or about one every four minutes, according to the report.

    So, according to the report, the paperwork is almost always ignored and the complaint boiled down to a two- or three-digit code. About one-third of the time, that code indicates simply that the consumer claims the credit blemish is "not his/hers." This code is then sent to the furnisher, which is asked simply to affirm the original entry. If it does, the bureau will often decide that the case is closed.

    The National Consumer Law Center doesn't mince words when describing this procedure.

    "The FCRA dispute process has become a travesty of justice," it said in the report.

    How can you get around this travesty? It's not easy. But as is typical of most consumer protection disputes, there are two keys: persistence and the threat of a lawsuit. If your dispute process hits a serious snag along the way, you'll probably have to consider filing a lawsuit. But to win, you have to prove more than a simple mistake occurred. You'll have to prove the bureau, or the furnisher, was negligent. The mere threat of a lawsuit might gain you satisfaction, but you'll have an empty threat if you don't have good records showing the bureau and furnisher ignored your repeated requests for justice.

    Maintaining your rights to sue, and building a good case along the way just in case, are critical to a successful dispute with the credit bureaus, says attorney Chi Chi Wu, who authored the "Automated Injustice" report. Much of the advice she gives has a dual purpose: to win the dispute, but also to preserve legal rights and create a lawsuit-ready paper trail, just in case. Here are some of the steps she recommends.

    1. Request a review in writing
    All three credit bureaus allow you to dispute errors using online forms.

    • EXPERIAN http://www.experian.com/disputes/
    • EQUIFAX http://www.equifax.com/online-credit-dispute/
    • TRANS UNION http://annualcreditreport.transunion.com/entry/disputeonline

    Wu says using them is a big mistake. The forms only help the bureaus steer your issue into one of their dispute "buckets," helping the agency automate your claim. It also means you'll have less of a paper trail to demonstrate negligence later on. Wu strongly recommends that consumers use old-fashioned U.S. mail to file their complaints and send the letter return-receipt requested. And naturally, keep good records of all contact with a credit bureau. At this point, buying a shiny new notebook for just this purpose is a good idea.

    • EQUIFAX mailing address
    • TRANS UNION mailing address
    • EXPERIAN No link. Address will be on credit report.

    And while all three companies provide a simple form to fill out with dispute information, Wu recommends adding narrative detail and supporting documents anyway -- again, to prevent the bureaus from "bucketing" you. That will help a lawyer make a case later that the bureau didn't perform even the most basic investigation.

    It's always good to send the dispute to all three bureaus. While the reports can differ, the reports generally overlap and a black mark on one report usually becomes a black mark on all three. So while there may only be one bill in dispute, you probably have three disputes on your hands.

    2. Also notify the furnisher
    It seems reasonable that the credit bureau would send a copy of your dispute to the company that's involved, but don't count on it. Send a separate, return-receipt-requested letter to the company that claims you didn't pay your bill. A carbon copy version of your dispute letter to the credit bureau should be sufficient.

    3. Be ready for surprising account numbers
    When tracking a credit bureau entry, it's likely that your "bad debt" will have an unfamiliar account number next to it. Companies often assign new numbers to accounts that go into default. Also, when debts are sold to debt collectors, they usually give an account its own number. For example, a dispute involving a furniture store account No. 345234 might end up listed on your credit report as Joey's Collections No. 432432. When filing dispute letters, include all possible account numbers. That cuts down on possible confusion -- or legal squirming -- later on. For example, a consumer might send a letter saying, "Please delete account No. 345234," and the bureau might "agree" to the request while doing nothing, leaving the unpaid bill under the other account number.

    4. Tell them where to go
    This step might sound presumptive, but Wu suggests that the consumer explicitly recommend the steps that the credit bureau should take to investigate the matter. For example, if you've spoken to an operator at a furnisher who admits an error, tell the credit bureau to call that furnisher and interview that operator. The bureau may not do this, but this inclusion could help a lawyer at a later date persuade a judge that the bureau didn't take even the most obvious steps to resolve the dispute.

    5. Discredit the furnisher
    A little legal legwork can help make your case, too. If there is evidence that the furnisher involved in your dispute has a reputation for complaints of inaccuracy, include that evidence in your letter. This will help build the case that the bureau should not have presumed the furnisher was accurate.

    Other advice
    It might seem natural to complain directly to the furnisher of the information rather than the credit bureaus. However, the original Fair Credit Reporting Act granted no legal rights to consumers to do so, and steered all complaints to the credit bureau dispute process. That limitation is changing. The Fair and Accurate Transaction Act of 2003 includes provisions calling for "direct disputes" with furnishers, though the Federal Trade Commission has yet to issue formal guidelines for the process. They should appear soon; public commentary on proposed rules was entertained by the agency last year.

    In the meantime, consumers can try a direct dispute, but should only do so after completing the dispute process with the credit bureaus and getting an answer. Skipping the bureau process would force a consumer to surrender their rights to sue the furnisher, Wu says.

    Even before the final rules are determined, Congress spelled out a few specifics in its 2003 law. Send a letter to the furnisher demanding a "reinvestigation" of the debt. Ask for all paperwork documenting the debt. Like the credit bureaus, the furnishers will be required to supply a response within 45 days. If none is forthcoming, the debt must be removed from the credit file. Even if a response arrives, it's entirely possible the company will not be able to produce detailed records documenting the debt, which would also enable a request for removal of information.

    In advance of the FTC rules, consumers may not have the right to sue companies for non-compliance. But the process can work anyway, and stronger consumer rights should arrive soon.

    Finally, if either the bureau or the furnisher isn't playing ball, a lawsuit is the consumer's last resort. Credit report dispute cases are highly specialized, and it's generally best to use a lawyer who specializes in these cases, Wu said. A list can be found at the National Association of Consumer Advocates Web site, www.naca.net.

    There aren't nearly as many FCRA experts as there are credit report disputes, however, so some consumers may be frustrated by their inability to interest a lawyer in their case. That's why the previous five steps are so important. Lawyers love plaintiffs who are well-prepared with the right documentation and arrive with what amounts to an open-and-shut case. It's not necessarily fair, but it's true: Consumers who think like a lawyer from step one are much more likely to get justice, and a clean credit report, in the end.

    If you want a head start on a dispute letter, you can see an example here.

  • Does someone owe you money? Find out here

    Of all the axioms you'll read over and over in a consumer advice column like this, the most trite is: "If it sounds too good to be true, it is." The helpful rule of thumb, however, doesn't always apply. In fact, when it comes to unclaimed property, what sounds too good to be true is sometimes very much the truth.

    It is entirely possible that you have money coming to you that you don't know about. It's true. Money that you or a family member left behind accidentally many years ago may be sitting in a state treasury account waiting for you to come and claim it. In fact, billions of dollars in unclaimed funds are right now waiting to be claimed. On Sunday night at 8 p.m. ET, Dateline NBC will air some heartwarming stories of Americans who discover they have thousands of dollars in surprise money on the way.

    The problem is, many heartwarming stories are turning into heartaches, as con artists and manipulators are swarming around the missing money, sometimes tricking unwitting consumers into surrendering one-third of the funds for little or no work. Many would-be middlemen buy lists from state offices, then contact consumers offering to recover the funds for a sizable fee. While there are legitimate companies who do this, the industry is generally unsavory, says Shane Osborn, president of the National Association of Unclaimed Property Administrators.


    'Even prisoners' getting in on the scams
    "We even have prisoners requesting these lists (and making money)," he said. "They really target the elderly with this, tell them they'll lose the money if they don't act right away. They take advantage of people who aren't informed."

    The problem is so bad that this week about 30 state treasurers sent a letter to the Federal Trade Commission asking it to investigate.

    Osborn, who is also the state treasurer of Nebraska, is on a mission to return the money to as many consumers as he can.

    "It's the people's money, not the government's. Government's already gotten enough of their money," he said.

    But added publicity around unclaimed funds is a double-edged sword. While Osborn brags that he's returned $33 million to state residents in the past two years, the publicity surrounding the issue has opened the door to scam artists and middlemen.

    So Osborn is speaking out to make sure taxpayers visit the right Web site to check for money. He's also spearheading efforts to initiate the federal investigation, and to pass legislation limiting the sale of unclaimed property lists to third parties.

    Try this Web site
    Here's the short version: It's easy to see if you have unclaimed money coming to you. Just visit free site unclaimed.org and follow the instructions. You shouldn't ever pay anyone for help in recovering your money, says Osborn.

    If you receive a letter from someone saying you've got money to claim, don't respond. Just visit unclaimed.org -- type the URL carefully, because a flock of for-profit imitators have sprung up online -- and check.

    How could this fairytale-like tale of free money be true? Why would any state government be holding money that belongs to you? Many states have what are called escheat laws, which require companies that owe money to consumers but can't find them to "escheat" the funds to the state government after a certain time period expires. Once there, the funds are still available to be claimed by the rightful owner. But states go to varying degrees of trouble to inform consumers. In fact, they have a financial incentive not to tell. Interest earned on the money, which can be significant, belongs to the state treasury. In some states, after a certain amount of time passes, the state gets to keep the money.

    Why would you forget about money you have coming to you? It's common for consumers to forget about a small balance in a bank account, or an overpayment made on the last check sent to a mortgage company, for example.

    Some examples from Washington
    A quick search of Washington state's unclaimed property site offers a few more examples:

    • A bail refund in the amount of $50-$100.
    • An "unidentified remittance" from Chase Manhattan Bank for "over $100."
    • An unclaimed rebate in the amount of $25-$50 from electronics store Car Toys.

    Consumers who want to see what they have coming to them should search every state they've ever lived in.
    But they shouldn't accept unsolicited offers from organizations promising to help them find the money.
    "There's no defense of this practice," said Osborn. "Especially the ones taking 33 or 35 percent of the money."

    Consumers should also avoid companies that urge them to call a phone number with an 809 area code promising to assist in the search for free cash. Calls to 809 numbers are billed at a high rate, similar to 1-900 numbers.

    "If you got contacted by one of these agencies, you need to call your state's unclaimed property office and report it," he said.

  • Watch an ID thief's 'commercial'

     

    Identity theft is usually a virtual, intangible crime. The theft often occurs in cyberspace, with criminals ordering merchandise with stolen credit cards, or downloading cash from online bank accounts. The victims rarely know anything has happened until months -- or even years -- later. There's no blood, no shattered glass, no broken locks. Not even the anxiety rush that comes after the brush of a pickpocket.

    But identity thieves, in the end, are real people stealing real money and causing real harm. And surprisingly often, they are friends, family members, or co-workers who initiate the crime by stealing personal information found on papers left around offices or homes. The stolen data can be surprisingly easy to come by, as this ID theft "commercial" shows.


    In it, a YouTube poster claims to have a cache of stolen data dossiers for sale. He films himself sitting in his car, sifting through what appear to be file folders, perhaps freshly stolen from an office or a dumpster outside an office building. With a shaky hand, he shows some of the files, then announces that he will sell complete data sets for $25 -- or at a discount of 5 for $100 -- to anyone who e-mails him.

    You can watch part of the video by clicking above. We've included only a small portion of the video to avoid abetting what appears to be a crime. Here's more of what the salesman had to say in the video:

    "I have records for sale. These records include the following: Name. Sex of the individual. Social Security number of the individual. Mother's name. Their current street address," he says.

    At this point, a beeper begins to sound in his car, perhaps because his seat belt isn't fastened. Then, he continues to list the items he has for sale. "License number. Their date of birth. Kind of work they are in, the industry that they're in. And their net worth. That's including real estate and any liquid assets. And I could get a good credit read on them as well."

    Those details would give an identity thief all the information they'd need to wreak havoc with a victim's credit report, and probably, their financial life.

    Without purchasing records from the poster, it is impossible to determine that the records are genuine. But in a short e-mail dialog with msnbc.com, the poster claimed the information was real and said that he could sell us 100 records if we deposited money into his PayPal account.

    He did not answer a question posed about the video, which was removed from YouTube a few days after it appeared, but not before msnbc.com viewed it and copied it. A message at the link now says the video was "removed by the user."

    Before finishing the sales pitch in the video, the poster includes some fine print:

    "These records are not to be used for any illegal purposes. They are for outsourcing marketing materials and anything of that nature," he said.

    He then closed with a polite sign off.

    "Thank you very much," he said.

  • The worst credit card offers you’ll ever see

    When Mike Templeton looked at the credit card application his college-aged son received in the mail, his blood started to boil. The card promised an attractive 9.9 percent interest rate, but there was a catch. Buried in the fine print was a list of fees that seemed almost comical.

    • Account set-up fee: $29.00
    • Program fee: $95.00
    • Annual fee: $48.00
    • Monthly servicing Fee: $84.00 annually
    • Additional card Fee: $20.00 annually

    And then, at the bottom, was a sentence that it's hard to imagine someone could write with a straight face:

    "If you are assigned the minimum credit limit of $250.00 your initial available credit will be $71.00 ($51.00 if you select the additional card option)."


    Welcome to the world of low-credit score credit cards -- a destination more Americans are finding their way to as the economy continues to sputter and unemployment rises.

    Most consumers take credit cards for granted as a necessary tool for living in 21st century America. Cards are incredibly convenient, and in some cases, a necessity. It's difficult to rent a car, book a hotel room, buy anything online or even rent a movie without a credit card. With billions of pre-approved credit card applications sent out each year, it's easy for many Americans to get plastic -- in fact, perhaps too easy. But another segment of the population -- those who've got low credit, or no credit -- find themselves in an alternate universe, where credit card plastic can literally cost its weight in gold. The card Templeton was studying, issued by South Dakota-based First Premier bank, essentially has a $250 sign-up fee disguised as a series of smaller fees.

    "I wonder how many college kids have fallen for this?" said Templeton, who lives just outside Dallas. "Isn't this usury under the guise of finance fees?"

    It's not usury. Credit card firms get wide latitude on fees they charge, thanks to a Supreme Court decision in 1996 that affirmed banks are only subject to their home state's laws, no matter where their consumers live. When levying fees, First Premier need only comply with South Dakota's relaxed consumer protection law.

    First Premier is hardly the only bank charging high fees. In 2007, the National Consumer Law Center reported on what it called "fee-harvesting" cards aimed at the low-end of the credit card market. With some of these cards, after fees are counted against the credit limit, consumers have virtually no credit left to spend, it said.

    "It's hard to speculate why people sign up for these cards, but it's certainly possible they fail to notice these high fees," said consumer attorney Chi Chi Wu, who helped write the report. "It's an incredibly expensive product."

    Consumers who have trouble getting credit cards are faced with two bad choices. They can either opt for what's called a "secured" card, which requires a hefty up-front deposit, or they can sign up for a card with hefty up-front fees.

    With a secured card, consumers send a bank $200 to $500, then get back a credit card with an identical credit limit. The bank holds the deposit in case the consumer defaults on the card. With secured cards, the consumer is essentially borrowing his or her own money and paying interest for the right to carry plastic. After a user demonstrates a good payment history, some banks extend the credit limit and eventually offer the consumer a chance at a traditional unsecured card.

    Those with bad credit might have trouble coming up with deposit money for a secured card, however. Fee-harvester cards fill this gap, because they require no up-front payment before the card arrives. Some also don't require immediate payment of the fees; the $200 or so in extra charges can be financed by the consumers. That can lead to even more credit trouble down the line.

    'They are a tool'
    "These have been around for a long time," said Howard Dvorkin, who runs Consolidated Credit Counseling Services, Inc., a credit-card industry-sponsored nonprofit that helps consumers get out of debt. "You're going to see more of them in the coming years. The reality is these are high margin products for banks. … It's an incredibly profitable sector of the credit card business if you know what you're doing. But it can also be an incredibly volatile area."

    Dvorkin isn't as critical of the high-fee cards as Wu. He said banks need to cover the risk of extending credit to customers who've already demonstrated they might not pay their bills.

    "They are a tool, and sometimes tools cost a lot," he said. "It's a tool for teaching people about how to use a credit card ... but to be frank with you, the reason why they charge so many fees is because they can, because these people have nowhere else to turn. The justification on the banks' side is these are riskier consumers. … But is it a good deal for a consumer? Probably not."

    Both fee-harvester cards and secured cards have other gotchas, too. The Applied Bank Secured Visa card, for example, has no grace period. With most credit cards, consumers who pay their balance in full each month pay no interest on new purchases during a 25- or 30-day grace period. But with the Applied Bank card, the consumer is charged interest from the moment a purchase is made -- similar to taking a cash advance -- even though the bank is already holding the consumer's money as a deposit.

    Linda Sherry, executive director of Consumer Action, said she'd seen a disturbing new trend in the low-end side of the credit card market -- cards that combine the worst features of both secured cards and fee-harvesters.

    "Quite a few secured cards have processing fees of $99," she said. That means the bank gets its money up front and makes money on large fees, too. "It's gross, but not actually surprising."

    One reason high-fee cards might be more aggressively marketing their product recently -- price controls are coming. New rules issued by banking regulators that take effect next year will limit the fees on cards to 50 percent of the available credit limit. That's still very high, but it would cut First Premier's fees on a $250 limit card in the example above from $179 to $125.

    Despite that limitation, Dvorkin predicts that some credit card company will enjoy fast growth by deciding to extend credit to consumers who have only temporarily fallen on hard times.

    "It happened after the last recession with Capital One," he said. "There are people coming out of the recession with beat up credit. There will be huge demand for products catering to the less credit-worthy, and traditional banks aren't going to do it."

    RED TAPE WRESTLING TIPS
    Bill Hardekopf, who runs a credit card comparison site called lowcards.com, said it's extremely important for consumers who have low credit to shop carefully for a credit card.

    "You have to do a lot of research to make sure you don't sign up for something that is very, very bad for you," he said. He steers consumers toward secured cards as the better deal. It's important to find a secured card that offers a grace period, low fees and a bank that promises to place the security deposit in an interest-bearing account, he said.

    It's also important to ask about the path to getting a standard, non-secured card.

    "How many months of good payment history do you need before you qualify? Consumers should ask," he said.

    And for consumers whose chief goal is restored credit and a higher credit score, it's essential to learn if the card-issuing bank reports payments to the credit bureaus. Not all do.

    One way to avoid high-cost cards is to use a debit card for online purchases and travel, but not all car rental companies accept debit cards for deposits. And not all consumers who have credit troubles can open a checking account and get a debit card.

    Meanwhile, using a debit card does nothing to improve the consumer's credit score.

    Dvorkin recommended avoiding the expensive credit cards if possible. Instead, consumers who want to rebuild their credit should start by re-establishing a relationship with a bank. One trick: Deposit money into a Certificate of Deposit, and then take out a small loan with the CD as collateral. Paying the loan back and getting "paid as agreed" entries on a credit report will slowly help improve a credit score.

    Again, it's vital that the consumer's bank report payments to the credit bureaus, so be sure to check.

  • Opting out is hard to do - it takes a letter

    Acxiom is one of the world's most sophisticated companies. Its massive computers keep track of more than 10 billion pieces of information, most of it marketing data designed to keep track of you. The firm claims it "engages" 375 million consumers around the world every month.

    But the company is entirely old-fashioned when it comes to letting consumers opt out of its huge database of personal information. To do so, they must visit the firm's Web site and fill out a Web form. Acxiom will then mail a paper "opt-out form," which consumers must then fill out and mail back.


    "It's ridiculous to think that in this era these companies require a letter for this," says Pam Dixon, director of the World Privacy Forum, which sent a formal letter of complaint (PDF) to the Federal Trade Commission this week. "If you ask any consumer why a Web site would ask for a letter, they would say the paper opt out is there because the company is trying to discourage (consumers) from doing it."

    Acxiom did not immediately respond to requests for an interview.

    Arkansas-based Acxiom isn't the only company in the organization's cross-hairs. The World Privacy Forum, a California-based, nonprofit advocacy group, also named online data brokers US Search, USA People Search and PublicRecordsNow in its complaint.

    "In an age of Twitter and Web 2.0, requiring people to mail in their opt outs imposes a burden for consumers that is simply not necessary," Dixon said.

    At US Search, consumers are presented with a Web form, but they are told to fill it out, print it out, and then mail it to the company.

    "Please note that if you do not follow these instructions exactly, we will not be able to honor your opt-out request," the site says. "Enter your information in the fields below. You should include every address where you've lived or received mail over the past 10 years."

    Stefanie Rubin, spokeswoman for US Search, said many of the Privacy Forum's claims were "incorrect."

    "For example, the US Search opt-out process does offer a means to expedite opt-out requests for peace officers, and stalking and ID theft victims," she wrote in an e-mail to msnbc.com. "Moreover, the report does not adequately appreciate the challenges around authenticating opt-out requests in an online environment. We hope to begin a dialogue with the World Privacy Forum on these issues in the near future."

    At ChoicePoint, opting out is easier
    Not all companies require a paper trail. Georgia-based data broker ChoicePoint allows customers to opt out via a simple Web form. So does the Direct Marketing Association.

    "If ChoicePoint can do it, these other companies can do it," Dixon said.

    In the complaint letter to the FTC, the privacy organization argued that the commission has established a standard for Web site opt-outs and that requiring paper letters doesn't meet it.

    It bases that claim on standards the FTC published in 2007 concerning consumers who try to opt out of databases that fall under the Fair and Accurate Credit Transaction Act.

    In its Affiliate Marketing rule, the FTC stated that "reasonable and simple methods for exercising an opt-out right do not include:
    • Requiring the consumer to write his or her own letter;
    • Requiring the consumer to call or write to obtain a form for opting out, rather than including the form with the opt-out notice;
    • Requiring the consumer who receives the opt-out notice in electronic form only, such as through posting at an Internet Web site, to opt out solely by paper mail or by visiting a different Web site without providing a link to that site."

    The rule is designed for data brokers that sell credit reports, such as ChoicePoint or credit reporting agency Trans Union, and may not cover other kinds of data brokers that don't sell reports used to make credit-related decisions. The privacy group is asking the FTC to issue a statement that would explicitly declare that the rule applies to any data broker, and to declare mail-in opt-out requirements "unfair and unlawful."

    Claudia Bourne-Farrell, an FTC spokeswoman, said the agency had received the letter and was "taking their concerns under advisement."

    There are important reasons that consumers might want to remove information from such databases, Dixon said. Victims of stalking and law enforcement officials have a need to keep their personal information away from antagonists, for example. In its letter, the Privacy Forum cites consumer complaints it obtained from the FTC under the Freedom of Information Act to make this point.

    "I am a detective for the (removed) police department, and as you can probably guess I don't want the criminals that I have put away having such easy access to my personal information," wrote one.

    A victim of stalking wrote to the FTC asking for "immediate help" expunging the public databases.

    Dixon said her group discovered the burdensome letter-writing process while preparing a popular new feature for the agency's Web site, a "Top 10 Opt Out" page. The list includes recipes for removing information from telemarketing lists, junk mail lists, financial firm information sharing and others.

  • Impostors still wreak havoc on tax returns

    When Aaron Marks tried to electronically file his tax return last spring, it was rejected by IRS computers. The reason, according to the agency, was that someone had already filed a return using his Social Security number. Not to worry, an IRS operator told him on the phone, just mail in your tax return and it'll get fixed. "(The agent) acted like there was nothing to panic about," Marks said.

    But a year later, the Boston resident still doesn't have his $2,000 tax refund.

    About the same time Marks tried to file, IRS officials testified before the Senate Finance Committee about the problem of tax return ID theft. The committee heard horror stories about the ease of filing false tax returns, the criminals who essentially steal citizens' refunds, and about the thousands of Americans who sometimes spend years dealing with the fallout.


    For years, tax return scams have been relatively easy to commit. Armed with a Social Security number and the right company tax ID, criminals could file a return and likely get a refund check, as long as they filed before the legitimate SSN user. In fact, many criminals exaggerated deductions or withholding amounts in the returns to get an even bigger refund check, causing further problems for the real taxpayer down the road.

    IRS Commissioner Douglas H. Shulman, who had just taken office weeks before the April 11, 2008, hearing, pledged major changes to stem the growing problem. He promised a new identity theft investigation unit within the IRS and a new 1-800 number for victims. He also said the entire agency would be trained to better handle the problem.

    "If you say the words 'identity theft,' you'll be sent to a person trained to deal with identity-theft victims," he pledged.

    The changes have achieved mixed results.

    The IRS launched its new unit, the IRS Identity Protection Specialized Unit. There's a Web site and a toll-free number for victims at 1-800-908-4490 that's staffed 12 hours per day.

    Aaron Marks, however, still hasn't received his $2,000 from the 2007 tax year, or his 2008 stimulus check. And this year, when he tried to electronically file, his return was again rejected. He called the IRS. An agent told him to paper file. He insisted that more action be taken. He demanded a manager. She told him his refund check was sent out last year, but wouldn't tell him where, or even confirm that it wasn't sent to his home address.

    "Then she told me to tell the Federal Trade Commission," he said. When he filled out an FTC Identity Theft affidavit, he was then told to get a police report.

    "The Boston PD aren't going to know what to do about this," he said. Including his expected refund from this year, Marks figures he's out $4,000 right now. Meanwhile, he figures, a criminal is running around with his tax refund.

    "The only reason I found out about this was because I expected money back," he said. "Who knows how big this problem really is?"

    The IRS says it knows, and it's minuscule. Spokeswoman Michelle Lamishaw said tax return ID theft hit a tiny fraction of 1 percent of all returns last year.

    "It is not what we consider widespread," she said. "But the impact on individuals we take very seriously." Lamishaw said she was unable to discuss Marks' situation because IRS agents are not allowed to publicly discuss any taxpayer's account.

    'A huge potential to really address the problem'
    Nina Olson runs the National Taxpayer Advocate Service, an agency that helps citizens engaged in entrenched battles with the IRS. A frequent critic of the agency, she gave it relatively high marks for its new identity theft initiatives.

    For the first time, she said, the agency has initiated a "flag" to track citizens struggling with identity theft. Even consumers who merely suspect they might suffer tax return fraud -- for example, a victim who lost a wallet -- can now ask the IRS to add such a flag and not send a refund check to a potential imposter. And it has developed "business rules" to help it determine the rightful SSN user when multiple returns are filed, similar to rules used by credit card firms to identify fraudulent credit card transactions, she said.

    The agency also has added the ability to proactively inform a citizen if a Social Security number is being used by someone else, she said. The agency has plans to send warning letters to SSN holders, but has not begun. Only recently did it get legal clearance to send such letters, she said.

    "The new unit has a huge potential to really address the problem," she said. "The progress in the last year has been enormous."

    On the other hand, the National Taxpayer Advocate Service has seen an 88 percent increase in ID theft cases this year over the same period last year. It's unclear if the spike means an increase in crime or merely an increase in awareness, but either way, the problem is still severe, she said.

    Last year, there were 24,000 known cases of tax ID theft, and that number severely undercounts the actual number of victims, many of whom have yet to discover the problem, she said.

    "Those 24,000 taxpayers are spending their lives on the phone. Maybe their wages are being garnished. Maybe they found out because there was a lien," she said. "For those victims the problem is very real. It's often a full-time occupation to fix it."

    No faith
    It's not clear why Marks' case continues to slip through the cracks. Lamishaw said IRS operators should be aware of the agency's ID theft hot line, but speculated that there might be a communications lag because the office is new.

    Recently, Marks found his way to the Identity Theft Resource Center Web site, which recommended people in his situation contact the Taxpayer Advocate office. He did so, and said that he spoke to a helpful caseworker who took an interest in his problem and offered to help. He's optimistic, but he's still waiting for his refund.

    "My faith in the federal government has been kicked down yet another notch," he said.

    Lamishaw, meanwhile, urged victims like Marks to contact the IRS' toll-free ID theft number, even if they've already tried unsuccessfully to resolve the problem earlier.

    "We do recommend people give this office a try, even if they were frustrated in the past," she said.

    RED TAPE WRESTLING TIPS
    There are many ways an identity thief can get a hold of the necessary information and file a tax return in someone else's name. Linda Foley, director of the Identity Theft Resource Center, says some imposters are illegal immigrants using someone's Social Security number in order to get work permission. But there are many other variations on the crime.

    "People who don't want criminal histories known, have bad credit reports or may be hiding under another SSN to avoid child support payments," she said. "We get a number of cases like this."

    Early detection of tax return ID theft is important to quickly resolving the problem. Watch for any suspicious signs -- the rejection of a return, a surprise bill from the IRS for unpaid taxes, a lengthy delay in refund payment, or even unexpected entries in your annual Social Security earnings statement.

    The IRS ID theft fact page is very useful.

    At the first sign of a problem, call the IRS Identity Protection Specialized Unit at 1-800-908-4490.
    You don't have to wait for a tax problem to warn the IRS that you've been a victim of ID theft, however. If a criminal is using your SSN to open credit accounts or compromise your identity in other ways, consider calling the IRS hotline and asking the agency to flag your account. Lamishaw, the IRS spokeswoman, said that won't prevent a citizen from e-filing or delay refunds; it will just instruct the agency to take a bit more care before mailing out refund checks.

    And every taxpayer should know about the National Taxpayer Advocate Service. Dealing with the IRS can be challenging. The advocate's service is designed to help taxpayers who feel they've hit a brick wall in dealing with the agency. Last year, the advocate's office had 275,000 open cases. There are offices in every state in the nation. Click here to find the one for your state.

  • Why all the cyber-scares?

    Carl Sagan liked to say, "Extraordinary claims require extraordinary evidence." Well, the tech world has been full of extraordinary claims lately. A worm named Conficker that promised "Doomsday." A botnet that helped the Chinese spy on the Dalai Lama and more than 100 nations. The U.S. power grid infiltrated by the Russian and Chinese governments.

    It's been a bad week in cyberspace.

    Or has it?


    Conficker turned out to be a dud -- at least on D-Day of April 1 -- like so many other predicted virus disasters before it. The Canadian group that exposed the Dalai Lama hack attack says in its own report that many of the intrusions may have been "coincidental" – random acts of cyber-mischief, in other words. And the same officials who warned of the grid attack in Wednesday's Wall Street Journal story also said they "don't see an immediate danger."

    Hard evidence of state-sponsored cyberwarfare – never mind extraordinary evidence -- is strikingly absent from the discussion of these looming techno-disasters. Also absent: any real damage.

    On the other hand, here's a hard fact: President Barack Obama called for an immediate review of federal cybersecurity efforts in February, and the report is due within days. Some observers say the timing of the dramatic stories is no coincidence.

    "(Security experts) are fighting for budget dollars ... so they're positioning themselves. It's a natural response," said Richard Power, distinguished fellow at Carnegie-Mellon's computer security research center, CyLab. He said he didn't think any of the news stories were inaccurate, though some elements might have come from older incidents that have been "reframed," rather than new threats.

    If there is hyperbole, Power said, part of the explanation is what he calls the "lost 10 years" for cybersecurity. "It's like time stood still, like the movie 'Groundhog Day.' We did almost nothing in the last 10 years. We keep having the same discussions. So people are frustrated."

    Real risks, real exaggeration
    Welcome to the tricky world of securing cyberspace. Few disagree that the risks are real. There's a decade's worth of alarming stories involving old-fashioned utility command-and-control systems. Just last year, a CIA official told a group of security researchers that hackers had infiltrated foreign utility plants and extorted operators for money. But most of the stories rely on anonymous accounts or involve relatively small incidents. Ten years ago, Richard Clarke, then-White House director of cybersecurity, warned of an impending "Digital Pearl Harbor." It never materialized, and the phrase is now a punch line in the security world, with many believing Clarke cried wolf at the time.

    On the other hand, most observers believe the U.S. government hasn't done nearly enough to secure its critical computer systems. Unfortunately, government money rarely flows to stop a problem before it has serious consequences – consider the levees around New Orleans, for example. So security analysts must walk a thin line between calling attention to real potential threats and avoiding hyperbole. The real danger created by the boy who cried wolf, you might remember, is that when the risk was finally real, no one took him seriously.

    That time might be now, said several analysts interviewed for this piece, including Power.

    "The stuff we were talking about 10 years ago is reality now," he said.

    Alan Paller, director of research at security firm SANS, said he thought all three threats were "extraordinarily serious." He said a source had independently confirmed the Wall Street Journal story that computers at U.S. utility firms had been infiltrated by Trojan horse programs controlled by foreign governments. He declined to provide additional detail.

    Paller was the first to report last year on the CIA's claim that utility firms were being targeted by extortionists.

    But Chet Wisniewski, an analyst with British security firm Sophos, is skeptical. He pointed to the lack of a smoking gun involving state-sponsored hacking.

    "If you're going to accuse a foreign government of committing this kind of crime, I would hope you'd say more than 'we think' this happened," he said. "The accusations seem to be coming from the government, and I guess we can decide if we want to trust their word."

    There also are alternative explanations, such as the possibility that organized crime gangs could have orchestrated all three attacks for profit, he said.

    But even Wisniewski agreed that cyber-spying is almost certainly a part of every nation's military strategy, even if individual stories may include exaggerations. He said he was encouraged that the Obama administration ordered the security review, which he said demonstrated "they're serious about this problem."

    While these three cyberattack stories have arisen within a week's time, each should be viewed on its own merits, he said.

    1: GhostNet
    The story of GhostNet and the Dalai Lama hacking, first reported in the New York Times, includes by far the most specifics.

    GhostNet was studied for nearly a year by Canadian researchers who would likely not be influenced by U.S. government budget decisions.

    The 50-page report by researchers based at the University of Toronto included screen images from software that allegedly was used to infiltrate computers in the Dalai Lama's home office and other "high value targets" in dozens of nations, including foreign affairs ministry computers in Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan. In one tale retold in the report, a Tibetan sympathizer was refused entry into China and shown printouts of private chat room conversations she had, which could have been gleaned by a government-infected computer.

    Tibetan computers had been targeted by relatively tame Web site attacks dating back at least as far as 2002. When the Toronto group investigated attacks timed around the 2008 Beijing Olympics, it discovered compromised computers in the Dalai Lama's personal office.

    The attacks weren't necessarily sophisticated, but they were disturbing. In one example, e-mails were sent to workers in the Dalai Lama's personal office with an attached Word document titled "Translation of Freedom Movement ID Book for Tibetans in Exile." But the document was infected, and it turned a worker's computer into a "bot" that could be controlled remotely by the attacker, according to the researchers.

    The virus used to infect the Tibetan's computer was not well-known by antivirus firms -- only 11 of 34 popular antivirus products were able to detect it, the Canadian researchers said.

    Most "bot-nets" -- armies of compromised computers -- are built to a grand scale, so they can be rented out to spammers or other hackers. But GhostNet is relatively small, the group said, and 30 percent of the computers in it were those of "high value" targets, like the Dalai Lama. That alone led the Canadian group to speculate that a spy agency was behind the rogue network. Still, the group offered many qualifications along with its guess.

    "From the evidence at hand, it is not clear whether the attacker(s) really knew what they had penetrated, or if the information was ever exploited for commercial or intelligence value," its report stated. "It is therefore possible that the large percentage of high value targets identified in our analysis of the GhostNet are coincidental."

    The use of bot-nets by hackers has exploded during the past two years. Last year, Google's Vint Cerf -- one of the creators of the Internet -- speculated at a security convention that perhaps 100 million computers around the globe were infected, making it plausible that the Dalai Lama's computer was not targeted by the Chinese government, but rather swept up in a larger attack by a for-profit hacker.

    A third intriguing possibility, Paller notes, is that organized criminals not directly affiliated with the Chinese government are doing spy work with its tacit blessing, or perhaps even with government funding.

    He also said it could be speculated that any bot-net was the work of state-sponsored hackers, but that the Times story was unique because the Dalai Lama was involved, and willing to speak out about the incident.

    2: The power grid
    The idea that a disruption in power or water service could be used to augment a traditional military attack has been floated for years. In that sense, there's nothing new about speculation that foreign governments have mapped vulnerabilities in U.S. utility networks.

    But Paller said recent discussion of upgrading those networks has paradoxically raised the risks.

    In order for so-called "Smart Grid" technology, which would refine power distribution, to work, new power meters networked to talk with each other to balance electrical loads would need to be installed in many locations. But that feature would make them much more vulnerable to attack, Paller said. By allowing remote access to power meters, hackers could break in and shut meters off on a mass scale, for example.

    At a recent conference, he said utility security experts were concerned the threat wasn't being taken seriously.

    "There was real anger by the security guys saying these people are out selling new meters that can be taken over by a computer worm," he said. "And once they are, they would be so damaged that people would have to travel to fix them."

    Power went further in his assessment of smart grid risks.

    "We're going to replace an archaic grid with smart grids, which is also a synonym for stupid grids," he said. "We're at a very interesting moment in time."

    Such concerns would provide motivation to highlight risks at utility firms, even without the "smoking gun" of actual damage. But Paller stressed that the risks to utility firms are quite real.

    3: The Conficker worm
    Security experts use the term "spreading FUD" -- fear, uncertainty, and doubt -- to criticize the sales tactics of firms that use hyperbole to scare customers into overpaying for security products. The Conficker incident appears to be a classic example of FUD.

    Spurred by a dramatic "60 Minutes" piece, the technology world was abuzz with tales of impending disaster in the days leading to April 1, when Conficker was allegedly set to unleash an ugly disaster in cyberspace. The calamity never materialized, though, leading to accusations that the worm was really an April Fool's joke. One security company even ran a contest to see which media outlet ran the most outrageous headline.

    The winner: "Tick.Tick.Tick. Time Bomb Virus to go Off In Hours"

    What was the significance of April 1? Infected computers were supposed to be commanded by the virus to check in with a command-and-control server on that date and get new marching orders. But the program has many variants, and the majority of Conficker-infected hosts weren't ordered to check in on that day, according to Sophos.

    In fact, "timed" viruses rarely cause trouble, because tech experts have time to prepare for them. It's the surprise virus attacks that cause the biggest problems.

    On the other hand, the threat from Conficker is real. The 9 million computers infected with the worm are very likely being used to attack other computers, and used for identity theft or other crimes. A new variant released this week installed "scareware" on victims' computers, which demands payment from the victim to remove the virus. Getting rid of the program at that point is a serious hassle.

    Word of the monster virus was a good occasion for consumers to be reminded about updating their security software. And in fact, about once each year a virus like Conficker captures the public attention. But they rarely live up to the hype.

    All roads lead to China
    Another reason for Conficker's fizzle: Relatively few of the infected computers – about 4 percent -- are in the U.S., according to a report issued by SRI International in March. About half the Conficker infections were Chinese computers -- or more than 10 times the rate of U.S. infections.

    That makes sense, Wisniewski said, because there are now more Web-connected computers in China than any other nation. There's also a high incidence of pirated copies of software in China, meaning users there cannot keep their machines up to date with security patches.

    It also means that virtually any Internet threat -- from state-sponsored spying, to organized crime rings, to pranksters -- will appear to originate from China. Smart criminals always use hijacked computers to conduct attacks and cover their tracks. Because the easiest computers to attack are in China, cybercriminals now routinely start their escapades there, he said.

    That means researchers need to use great care when concluding that the Chinese government, or Chinese citizens, are behind any computer hack.

    "Because there are so many infected computers in China, just because a connection is from China you can't assume the Chinese government is behind it," he said.

    This leaves an unanswered question in his head about the recent tales of cyberspying.

    "I'm not saying the government isn't behind them," Wisniewski said. "But if it were … it's not likely they'd leave that kind of bread crumb trail behind."