The New Identity Theft Trifecta

Slowly, More Consumers Consider Website Privacy Policies Before Buying

PC Pro recently reported the results of a recent Forrester Research study. Forrester surveyed 37,000 consumers in North America, and found that a growing percentage of consumers consider companies' website privacy policies in their decisions about whether to do business with a company:

"Websites need to rethink their privacy policies as consumers ditch those that hide data rules or leak information, according to research from Forrester. The analyst found that a growing number of consumers were reading how companies dealt with their privacy and voting with their feet if they didn’t like what they saw."

More than half of survey respondents over 55 years of age said that they refused to complete an online transaction because of the company’s terms of use or privacy policy. In 2008, 40% answered this question the same way.

The PC Pro article would have been more helpful if it linked directly to the Forrester Research report and included more facts. The Forrester research study found:

"Individuals see different types of data differently -- they're most worried about what we consider individual identity data, and far less concerned about the capture and use of their behavioral data... Most consumers are willing to share their data in exchange for value. But, what they consider "valuable" is very age-dependent..."

If the article had included examples of well-crafted privacy policies, this would help consumers learn about what to look for in privacy policies -- at websites, social networking websites, and with mobile-device apps. In 2011, the European Union Justice Commissioner described four pillars of online data privacy, which is a good start for any corporate privacy policy.

In 2008, a brief review of the privacy policy at Mint.com prompted a huge discussion on this blog -- that still continues today.

Investigate The Banks

Professor, political economist, author and former Secretary of Labor chief Robert Reich called on President Obama to hold big banks fully accountable for their part in the alleged mortgage abuses and housing market crash -- which the President finally addressed, in part, during his SOTU speech last night:

"We'll also establish a Financial Crimes Unit of highly trained investigators to crack down on large-scale fraud and protect people's investments. Some financial firms violate major anti-fraud laws because there's no real penalty for being a repeat offender. That's bad for consumers, and it's bad for the vast majority of bankers and financial service professionals who do the right thing. So pass legislation that makes the penalties for fraud count."

To learn more, visit YesHeCan.org.

The Personal Data Elements Consumers Want To Keep Private Online

At the All Things D blog, Liz Gannes has posted a very interesting inforgraphic about the data elements consumers care about and want to keep private online. The inforgraphic was created from a research report by Forrester Research. Some of the data elements and the percent of consumers that care about each item:

• 72% - Social Security number
• 71% - credit card number
• 62% - driver's license number
• 57% - credit score
• 52% - Internet browsing history

This was a good infographic. It would have been even better if it included consumers' GPS location history, since so many mobile phone companies, telecommunications companies, and social networking websites collect this data. When and where you go in the physical world is very valuable and equally sensitive data. It is a way of uniquely defining you.

Learn About Credit Unions. Free Workshops At A Nearby City

While there hasn't been much mentioned lately in the mainstream news media, consumers are still moving their money out of the big banks to local community banks and credit unions. If you want to learn more about what a credit union is and its benefits, the National Credit Union Administration (NCUA) is hosting free workshops in several citys.

The NCUA is the independent federal agency that regulates and supervises federally chartered credit unions. The NCUA operates the National Credit Union Share Insurance Fund (NCUSIF), which insures deposits at federal credit unions and most state-chartered credit unions. Deposits are insured up to $250,000 per account.

Upcoming workshop dates and locations through June 2012:

• March 3: Phoenix, AZ
• March 10: Los Angeles
• March 22: Richmond, VA
• April 11: Chicago
• April 12: Portland, ME
• April 19: Philadelphia, PA
• May 3: Detroit, MI
• May 11: Minneapolis, MN
• May 19: New York, NY
• May 23: Albuguerque, NM
• May 30: Baltimore, MD
• June 2: Denver, CO
• June 7: Omaha, NE
• June 9: Dallas, TX

To learn more and register for a workshop, visit the NCUA website. The NCUA operates the MyCreditUnion.gov website for consumers, with plenty of resources, tips, and advice. This prior blog post includes basic information about how to find a credit union near where you live.

Data Breach At City College Of San Francisco Affects Thousands

The San Francisco Chronicle reported that a data breach at the City College of San Francisco (CCSF) could affect tens of thousands of students, employees, faculty, and staff. After the Thanksgiving holiday, computer viruses were found installed on computers in the college's computer labs.

The computer viruses had been installed as long as 10 years ago, and transmitted stolen data to locations in several countries. The data stolen included personal banking and other sensitive personal data. According to the newspaper report:

"Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran... Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected."

The college has posted a page with frequently asked questions to assist its users. the page stated in part:

"Currently there is no evidence that any of the College’s main servers and databases held in trust by the College have been compromised. Our security consultants are still conducting their analysis but it appears at this time that the viruses focused on information taken off individual workstations and computer servers for student labs. Confidential student and employee information is held in trust and stored on District servers. Our network security consultants are continuing their analysis of the servers and we will communicate the results of this work as soon as it is available."

For users that have experienced identity theft or fraud, the college FAQ page directs users to the U.S. Federal Trade Commission (FTC) website for further assistance.

If this FAQ page is the extent of the breach notice by the college, then -- in my opinion -- it is woefully inadequate. It would seem that the data breach caught the school administration unprepared.

The notice should inform users about the results of the breach investigation and actions so this breach doesn't happen again. Since online banking credentials appear to have been stolen, that represents ways for identity criminals to access the bank accounts of breach victims to steal money and/or more personal information: personal data: full names, email addresses, street addresses, Social Security numbers, and mobile phone numbers. With this core personal data stolen, thieves can obtain credit fraudulently.

Given this, the breach notice should also provide contact information and links to the credit reporting agencies. Simply suggesting to users that they change their online passwords is not enough given the personal information exposed. If further fraud happens, the college needs to step in and provide free credit monitoring and resolution services.

Scammers Target American Airlines Customers With Phishing Emails

Earlier this week, a reader wrote about an email message he had received. The email message included a confirmation for tickets purchased through the American Airlines website. The reader was concerned that his bank information had been hacked, because he had not purchased any airline tickets.

The email message:

Subject: Your Order#647842534
Date: 15 Jan 2012 07:14:55 -0000
From: American Airlines (news-nr221@aa.com)
Reply-To: American Airlines (news-nr221@aa.com)
To: XXXXXXXX@XXXXX.com

Hello
FLIGHT NUMBER AA683
ELECTRONIC 885741402
DATE & TIME / JANUARY 30, 2012, 10:22 PM
ARRIVING / Raleigh
TOTAL PRICE / 395.22 USD

Please find your ticket attached. You can print your ticket. Thank you for your attention.
American Airlines.

The email included a ZIP file attachment. Clearly, this was a phishing email scam since it included an incomplete itinerary and the ZIP file attachment. A real airline wouldn't do either. Like most phishing emails, this one tries to trick consumers to open the ZIP file attachment which installs a computer virus on the victim's computer to collect password data, directs the victim's web browser to a fake American Airlines website to collect personal data, or both.

If you receive a phishing message like this, or from any other airline, experts advise consumers to:

• Don't click on any links within the email message,
• Don't open any files attached to the email message,
• Don't send a reply email message to the sender,
• Manually enter the website address into your web browser to visit the airline's official website to verify the email message, and
• Check your credit card or bank statement for any fraudulent charges

The official American Airlines website has a page devoted to phishing email scams. It provides examples of various email scam messages, and advises consumers:

"American Airlines will never ask you to perform security-related changes to your account in this fashion or send emails to collect user names, passwords, email addresses or other personal information. If you receive an email claiming to be from American Airlines, that asks for account information, it should be considered fraudulent... do not click on any links, open any attachments, call any phone numbers listed or follow any instructions in the email. Instead, forward a copy of the email, including the header to webmaster@aa.com so that we can investigate further."

The Snopes.com website also contains information verifying email phishing scams, including the above scam.

Several Websites Are Dark Today To Protest SOPA And PIPA

To protest the proposed SOPA and PIPA legislation in the U.S. Congress, several websites have gone dark for the day. Critics of the legislation are concerned about the legislation's negative impacts on jobs and on free speech on the Internet. You could call the proposed legislation an online mugging.

Some of the websites that have promised to go dark on Wednesday:

• Free Press
• iSchool at Syracuse University
• MoveOn.org
• Mozilla
• Reddit
• TwitPic
• Wikipedia
• WordPress
• XDA Developers

Other websites, like Google, support the protest by remaining available but with anti-SOPA and anti-PIPA messaging:

"End Piracy, Not Liberty"

In December, GoDaddy reversed its support of SOPA after many users protested by moving their websites to competitors' hosting services.

If you want to learn more about the online protest, read this. If you want to learn more about SOPA and PIPA, read the analysis by EFF. The text of the SOPA legislation is here. ABC News has a basic summary.

Zappos Data Breach Affects 24 Million Consumers

Several news organizations and USA Today reported about the data breach at Zappos.com, an online shoe and clothing retailer. Identity thieves hacked into the Zappos website and stole the names, street addresses, email addresses, telephone numbers, the last 4 digits of credit card numbers, and the online passwords of 24 million customers.

The Zappos CEO advised his employees via email that affected customers would receive the following notice, which read in part:

"... there may have been illegal and unauthorized access to some of your customer account information on Zappos.com... The secure database that stores your critical credit card and other payment data was NOT affected or accessed. For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password. We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail... We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there..."

While the company has reset online passwords and notified affected customers about how to create stronger passwords, the types of personal data stolen are sufficient for identity thieves to create plenty of damage. The damage can include spam using stolen email addresses, spam to/from linked mobile phone numbers, and further hacking into consumers online accounts.

How might further hacking happen? Too many consumers still use the same password for all of their online accounts. Simply, identity theives could access your debit/credit card numbers at other online retailer or bank accounts where you use the same password.

It is important for consumers to remember that identity criminals are persistent and re-sell stolen personal information. So, the thieves that attempt to hack into your online accounts probably won't be the same thieves that stole your personal information. Re-sold stolen personal information creates a situation where many thieves can ultimately create further damage.

Experts advise:

• Immediately change your passwords at other online accounts/retailers where you have used the same password you used at Zappos.com,
• Change your online passwords every 90 days,
• Don't use the same password for all of your online accounts,
• Don't use passwords that are easily guessable, or match items on your profile page at Facebook or other social networking website,
• Learn how to create strong passwords,
• Don't use any passwords on this list, and
• Learn how to protect your sensitive personal information at public WiFi locations.

Addendum - January 18: After further consideration, I found the above breach notice and response by Zappos far from satisfactory for consumers. Their response assumes breach victims won't experience any identity fraud, since their message does not include any instructions about what consumers should do if they do experience identity fraud. And, the Zappos breach notice does not seek to explain to their customers the final results of their breach investigation, including why a breach like this won't happen again. The whole event can be summed up as "ooops, we lost a few passwords. reset them and everything will be okay." Not necessarily so.

Addendum - January 19: At least one lawsuit has been filed again Zappos and its parent company, Amazon.com.

Thoughts For Today

While writing this blog, I have tried to consistently argue for the rights of consumers... of individuals. Given today's holiday and threats such as Internet blacklist legislation, these quotes seem as relevant today as when they were originally said:

"Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity."
-- Martin Luther King, Jr.

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy."
-- Martin Luther King, Jr.

"Never forget that everything Hitler did in Germany was legal."
-- Martin Luther King, Jr.

"That old law about 'an eye for an eye' leaves everybody blind. The time is always right to do the right thing."
-- Martin Luther King, Jr.

"Injustice anywhere is a threat to justice everywhere."
-- Martin Luther King Jr.

Debit Cards: A New I've Been Mugged Topic

Since many consumers have shifted their purchases from cash and credit cards to debit cards, I have added a new topic in the tag cloud in the near right column. With recent events in the banking industry, new offerings allows employers to perform direct deposits to employees payroll cards, a customized version of debit cards. The "Debit Cards" topic includes this content of interest to consumers and residential banking customers. I hope that you like the new category.

Plenty Of Collateral Damage From a Credit Card Theft

There is a good article in PC Magazine that describes the scope of damages from identity theft when credit cards, smart phones, and spammers intersect. Jacqueline, a sales manager, had her credit card stolen and cloned, which resulted in over $2,000 in fraudulent charges. (Damages #1.) Her bank cancelled the exisitng credit card account and issued her a new credit card account. You would assume that was the end of the story, but sadly it wasn't.

Then, the credit card theft and card cloning happened with the replacement credit card -- which suggests an insider identity-theft problem at the bank Jacqueline uses.  Her bank cancelled the replacement credit card account, and issued her a second replacement credit card. End of the story, right?

Wrong. Next, Jacqueline and her contacts began to receive a flood of text message and phone call spam from unknown phone numbers. Apparently, the identity criminals had also stolen Jacqueline's mobile phone number (Damages #2.) along with her credit card information. Jacqueline's company-issued Blackberry-brand smart phone had been spamming people and phishing for consumers' Sovereign Bank sign-in credentials.

Jacqueline doesn't work at Sovereign Bank. After more investigations by the IT department at Jacqueline's employer, her mobile carrier, Verizon, informed them that the text message spam wasn't coming from its network, but from a computer pretending to be Jacqueline. Apparently, the credit card thieves re-sold Jacqueline's personal data and mobile phone number to other identity criminals, which included a spammer (Damages #3.):

"Someone had gotten a hold of her mobile number and was spoofing other phones using her digits. It turns out there's software designed specifically for businesses to send bulk SMS to lists of phone numbers from a computer."

Wow! What a mess. This saga highlights several issues, including the:

• Creativity and persistence of identity thieves,
• Efficiency of online forums where consumers' stolen personal data is resold and traded,
• Value of consumers' (digital) personal information, and
• Duration of damages from identity theft and fraud.

The average consumer doesn't think about how valuable the various bits of their personal information are. But, identity criminals think about it deeply.

The good news in this story was that the IT department at Jacqueline's employer was able to rule out any leaky smart phone apps that could have compromised her data security.

Today, there's not much more Jacqueline or her employer's IT department can do. Her personal identity information is out there in the thieves' domain. As I see it, all she can do is file police reports to document the trail of theft, and lock down her credit reports to keep the damage from spreading to her financial accounts. If the thieves also have her Social Security number, then they can obain fraudulent identification cards and drivers licenses. And, there's nothing to restrict the thieves' action with the USA borders.