Javelin Research Reports Results About Bank Transfer Day

Finally, some firm statistics are being released about the results of Bank Transfer Day, when consumers moved their money from big banks to credit unions and local community banks. Based on extensive research, Javelin Strategy & Research estimated that 5.6 million U.S. adults moved their money during a 90 day period. Some details:

• 11% (610,000 of the 5.6 million) mentioned Bank Transfer Day as the reason they moved their money
• 26% said that high banking fees were the reason they moved their money

Javelin concluded that both Bank Transfer Day and the Occupy Movement had a measurable impact when compared to research results from prior years. So, a true grassroots movement can have an impact.

Previously, CUNA revised downward its estimates of Bank Transfer Day results due to a flawed methodology. CUNA did not change its estimate of more than 40,000 new credit union accounts opened by consumers on November 5, Bank Transfer Day.

Javelin designed the online research questionnaire and surveyed 5,878 consumers during December 2011. The survey process included:

"... targeted respondents based on representative proportions of gender, age, income, and ethnicity, and data was weighted to U.S. census proportions. The survey is based on a set of questions that were first fielded in 2003, and are now deployed on a twice-annual basis."

Javelin has research identity theft and fraud, with reports covering 2008 and 2010, plus trends in corporate data breaches. I have found Javelin's work reliable, but still await more results about Bank Transfer Day. It would be great to know the average bank account balance transferred, since the big banks seem to have focused on getting consumers to consolidate their accounts (e.g., checking, savings, and investments). The big banks are probably willing to lose consumers with smaller balances.

In a recent conversation with banking industry analysts, the Bank of America CEO reported a 20 percent increase in account closures during the fourth quarter of 2011.

How To Dispose Of Your Old Smart Phone Or Tablet

It seems that about every few months, manufacturers introduce a new smart phone or tablet mobile device. Perhaps, you received a new mobile device recently as a Christmas or birthday present. Maybe, you are a consumer who must have the latest technology. Regardless, your collection of old and obsolete mobile devices can quickly pile up.

What should consumers do with their old mobile devices? Or more precisely: how should consumers dispose of their old mobile devices to avoid identity theft and fraud?

The U.S. Federal Trade Commission (FTC) advises consumers to, first, permanently delete all personal information from your old smart phone or mobile device:

"Permanent data deletion usually requires several steps. Remove the memory or subscriber identity module (SIM) card from the phone. That’s an important first step in deleting information, but you likely will need to do more to erase all the sensitive data on your device. You can command a cell phone to delete certain data, but that will only delete the references to where the data is located; the actual information stays on the phone’s operating system."

Consult the user manual for your smart phone (you kept it, didn't you?) for the exact steps to permanently delete contact information, lists of calls received and made, photos, passwords, and any payment information.

Second, you have several disposal options:

• Recycle: many cellular phone manufacturers, service providers, and non-profit organizations groups offer programs to recycle their components, including accessories like chargers. Visit the Environmental Protection Agency (EPA) to learn more about recycling programs. Consult Earth911 to find a nearby recycling center. The U.S. Postal Service operates a free “Mail Back” program for consumers to recycle small electronic products: smart phones, digital cameras, PDAs, and inkjet cartridges. Free envelopes are available at select Post Offices.
• Donate: some charitable organizations accept old mobile devices.
• Resell: Some individuals and organizations will buy your old mobile devices.
• Dispose properly: mobile device batteries should not be placed in the trash. Many cellular phones contain toxic metals, which can contaminate the environment. Instead, dispose when your town/city offers hazardous waste collection days.

If you operate a small business that collected the sensitive personal data of your clients, customers, contractors, and/or employees, then certain data security rules may apply. Check with your industry trade association of the FTC website. For example, certain rules apply for health organizations when disposing PHI data (PDF). Another example, the American Bar Association (ABA) advises its member attorneys:

"... However, the January 01, 2007 edition of the Federal Trade Commission's Disposal Rule (16 CFR Part 682) says that the responsibility to properly dispose of consumer information includes the sale, donation or transfer of any medium, including computer equipment, upon which consumer information is stored."

Why You Shouldn't Install Those Entertaining Apps On Facebook

There is an excellent Facecrooks blog post that explains the risks of installing most "fun and entertaining" apps on Facebook. First, you have to understand the extreme limitations of Facebook:

"... there is no formal review process for applications or developers on the Facebook platform. Anyone and everyone (scammers included) can create apps. This is far different from the “Walled Garden” approach taken by Apple. Many unsuspecting users might be under the impression that if it’s on Facebook then it must be legitimate. That is totally not the case."

Second, think long and hard before installing any app that requires you to give it permission to:

• Access all of the data in your Facebook profile
• Access all of your Facebook friends list
• Post as you
• Just because the app address starts with HTTPS doesn't mean it is safe
• Doesn't have a privacy policy
• Has a privacy policy you don't like

Third, it is wise for Facebook members to "like" Facecrooks and follow its posts, so you are aware of emerging threats and scams.

Insider Identity Theft Example: Banc of America Broker

If you wonder what the phrase "insider identity theft" means, this case below is an excellent example. The basic definition of insider identity theft is when an employee (or contractor) at a company accesses personal information they aren't authorized to access. In the case below, it included the contact information of the company's clients. If you are one of those clients, this case illustrates how your contact information can be abused.

The Forbes article described how Dante J. DiFrancesco worked at Banc of America Investment Services (BAIS). When he left BAIS, DiFrancesco attempted to take his clients' contact information with him, only to clumsily discover that he'd take the contact information for 36,000 clients instead of his 180 clients.

The good news in this story is that BAIS discovered DiFrancesco's data access attempts. Companies with good data security have processes in place to detect when employees attempt to access information they aren't authorized to access, as BAIS did.

Like many things in business, the case went to court. The Financial Industry Regulatory Authority (FINRA) investigated, filed charges, and ultimately ruled in favor of BAIS. DiFrancesco appealed the ruling twice; first at FINRA (which affirmed the first ruling) and then at the U.S. Securities & Exchange Commission (SEC). The SEC ruled against DiFrancesco, too.

The New Identity Theft Trifecta

Slowly, More Consumers Consider Website Privacy Policies Before Buying

PC Pro recently reported the results of a recent Forrester Research study. Forrester surveyed 37,000 consumers in North America, and found that a growing percentage of consumers consider companies' website privacy policies in their decisions about whether to do business with a company:

"Websites need to rethink their privacy policies as consumers ditch those that hide data rules or leak information, according to research from Forrester. The analyst found that a growing number of consumers were reading how companies dealt with their privacy and voting with their feet if they didn’t like what they saw."

More than half of survey respondents over 55 years of age said that they refused to complete an online transaction because of the company’s terms of use or privacy policy. In 2008, 40% answered this question the same way.

The PC Pro article would have been more helpful if it linked directly to the Forrester Research report and included more facts. The Forrester research study found:

"Individuals see different types of data differently -- they're most worried about what we consider individual identity data, and far less concerned about the capture and use of their behavioral data... Most consumers are willing to share their data in exchange for value. But, what they consider "valuable" is very age-dependent..."

If the article had included examples of well-crafted privacy policies, this would help consumers learn about what to look for in privacy policies -- at websites, social networking websites, and with mobile-device apps. In 2011, the European Union Justice Commissioner described four pillars of online data privacy, which is a good start for any corporate privacy policy.

In 2008, a brief review of the privacy policy at Mint.com prompted a huge discussion on this blog -- that still continues today.

Investigate The Banks

Professor, political economist, author and former Secretary of Labor chief Robert Reich called on President Obama to hold big banks fully accountable for their part in the alleged mortgage abuses and housing market crash -- which the President finally addressed, in part, during his SOTU speech last night:

"We'll also establish a Financial Crimes Unit of highly trained investigators to crack down on large-scale fraud and protect people's investments. Some financial firms violate major anti-fraud laws because there's no real penalty for being a repeat offender. That's bad for consumers, and it's bad for the vast majority of bankers and financial service professionals who do the right thing. So pass legislation that makes the penalties for fraud count."

To learn more, visit YesHeCan.org.

The Personal Data Elements Consumers Want To Keep Private Online

At the All Things D blog, Liz Gannes has posted a very interesting inforgraphic about the data elements consumers care about and want to keep private online. The inforgraphic was created from a research report by Forrester Research. Some of the data elements and the percent of consumers that care about each item:

• 72% - Social Security number
• 71% - credit card number
• 62% - driver's license number
• 57% - credit score
• 52% - Internet browsing history

This was a good infographic. It would have been even better if it included consumers' GPS location history, since so many mobile phone companies, telecommunications companies, and social networking websites collect this data. When and where you go in the physical world is very valuable and equally sensitive data. It is a way of uniquely defining you.

Learn About Credit Unions. Free Workshops At A Nearby City

While there hasn't been much mentioned lately in the mainstream news media, consumers are still moving their money out of the big banks to local community banks and credit unions. If you want to learn more about what a credit union is and its benefits, the National Credit Union Administration (NCUA) is hosting free workshops in several citys.

The NCUA is the independent federal agency that regulates and supervises federally chartered credit unions. The NCUA operates the National Credit Union Share Insurance Fund (NCUSIF), which insures deposits at federal credit unions and most state-chartered credit unions. Deposits are insured up to $250,000 per account.

Upcoming workshop dates and locations through June 2012:

• March 3: Phoenix, AZ
• March 10: Los Angeles
• March 22: Richmond, VA
• April 11: Chicago
• April 12: Portland, ME
• April 19: Philadelphia, PA
• May 3: Detroit, MI
• May 11: Minneapolis, MN
• May 19: New York, NY
• May 23: Albuguerque, NM
• May 30: Baltimore, MD
• June 2: Denver, CO
• June 7: Omaha, NE
• June 9: Dallas, TX

To learn more and register for a workshop, visit the NCUA website. The NCUA operates the MyCreditUnion.gov website for consumers, with plenty of resources, tips, and advice. This prior blog post includes basic information about how to find a credit union near where you live.

Data Breach At City College Of San Francisco Affects Thousands

The San Francisco Chronicle reported that a data breach at the City College of San Francisco (CCSF) could affect tens of thousands of students, employees, faculty, and staff. After the Thanksgiving holiday, computer viruses were found installed on computers in the college's computer labs.

The computer viruses had been installed as long as 10 years ago, and transmitted stolen data to locations in several countries. The data stolen included personal banking and other sensitive personal data. According to the newspaper report:

"Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran... Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected."

The college has posted a page with frequently asked questions to assist its users. the page stated in part:

"Currently there is no evidence that any of the College’s main servers and databases held in trust by the College have been compromised. Our security consultants are still conducting their analysis but it appears at this time that the viruses focused on information taken off individual workstations and computer servers for student labs. Confidential student and employee information is held in trust and stored on District servers. Our network security consultants are continuing their analysis of the servers and we will communicate the results of this work as soon as it is available."

For users that have experienced identity theft or fraud, the college FAQ page directs users to the U.S. Federal Trade Commission (FTC) website for further assistance.

If this FAQ page is the extent of the breach notice by the college, then -- in my opinion -- it is woefully inadequate. It would seem that the data breach caught the school administration unprepared.

The notice should inform users about the results of the breach investigation and actions so this breach doesn't happen again. Since online banking credentials appear to have been stolen, that represents ways for identity criminals to access the bank accounts of breach victims to steal money and/or more personal information: personal data: full names, email addresses, street addresses, Social Security numbers, and mobile phone numbers. With this core personal data stolen, thieves can obtain credit fraudulently.

Given this, the breach notice should also provide contact information and links to the credit reporting agencies. Simply suggesting to users that they change their online passwords is not enough given the personal information exposed. If further fraud happens, the college needs to step in and provide free credit monitoring and resolution services.

Scammers Target American Airlines Customers With Phishing Emails

Earlier this week, a reader wrote about an email message he had received. The email message included a confirmation for tickets purchased through the American Airlines website. The reader was concerned that his bank information had been hacked, because he had not purchased any airline tickets.

The email message:

Subject: Your Order#647842534
Date: 15 Jan 2012 07:14:55 -0000
From: American Airlines (news-nr221@aa.com)
Reply-To: American Airlines (news-nr221@aa.com)
To: XXXXXXXX@XXXXX.com

Hello
FLIGHT NUMBER AA683
ELECTRONIC 885741402
DATE & TIME / JANUARY 30, 2012, 10:22 PM
ARRIVING / Raleigh
TOTAL PRICE / 395.22 USD

Please find your ticket attached. You can print your ticket. Thank you for your attention.
American Airlines.

The email included a ZIP file attachment. Clearly, this was a phishing email scam since it included an incomplete itinerary and the ZIP file attachment. A real airline wouldn't do either. Like most phishing emails, this one tries to trick consumers to open the ZIP file attachment which installs a computer virus on the victim's computer to collect password data, directs the victim's web browser to a fake American Airlines website to collect personal data, or both.

If you receive a phishing message like this, or from any other airline, experts advise consumers to:

• Don't click on any links within the email message,
• Don't open any files attached to the email message,
• Don't send a reply email message to the sender,
• Manually enter the website address into your web browser to visit the airline's official website to verify the email message, and
• Check your credit card or bank statement for any fraudulent charges

The official American Airlines website has a page devoted to phishing email scams. It provides examples of various email scam messages, and advises consumers:

"American Airlines will never ask you to perform security-related changes to your account in this fashion or send emails to collect user names, passwords, email addresses or other personal information. If you receive an email claiming to be from American Airlines, that asks for account information, it should be considered fraudulent... do not click on any links, open any attachments, call any phone numbers listed or follow any instructions in the email. Instead, forward a copy of the email, including the header to webmaster@aa.com so that we can investigate further."

The Snopes.com website also contains information verifying email phishing scams, including the above scam.

Several Websites Are Dark Today To Protest SOPA And PIPA

To protest the proposed SOPA and PIPA legislation in the U.S. Congress, several websites have gone dark for the day. Critics of the legislation are concerned about the legislation's negative impacts on jobs and on free speech on the Internet. You could call the proposed legislation an online mugging.

Some of the websites that have promised to go dark on Wednesday:

• Free Press
• iSchool at Syracuse University
• MoveOn.org
• Mozilla
• Reddit
• TwitPic
• Wikipedia
• WordPress
• XDA Developers

Other websites, like Google, support the protest by remaining available but with anti-SOPA and anti-PIPA messaging:

"End Piracy, Not Liberty"

In December, GoDaddy reversed its support of SOPA after many users protested by moving their websites to competitors' hosting services.

If you want to learn more about the online protest, read this. If you want to learn more about SOPA and PIPA, read the analysis by EFF. The text of the SOPA legislation is here. ABC News has a basic summary.