Previous month:
December 2007
Next month:
February 2008

37 posts from January 2008

No Updates From IBM At Its Web Site About Its February 2007 Data Breach

Every few weeks, I check IBM's employee web site for any updates about the company's February 2007 data breach. So far, IBM has not updated the site page. It contains the same content it did when I first visited the site in May 2007 -- eight months ago.

I had hoped that the site would have included updates about the status of the breach and data tape investigation. Maybe IBM will have recovered some or all of the "lost" data tapes by now? Or maybe the investigation might have uncovered some corrupt employees or vendor employees? I had hoped that IBM would have communicated more frequently with the identity-theft victims its breach created.

I am still hoping that during the next few months IBM will update the site with information about extending the credit monitoring service with Kroll after the year of free credit monitoring ends. Who knows, maybe the term of free credit monitoring will be extended.

It's hard to know what's going on with IBM since the page displays the same stale information it did in May 2007. Various news reports have reported that IBM cut the base pay of many employees by 15% after settling various class-action lawsuits which claimed that the company denied the workers overtime pay by illegally classifying them as exempt instead of hourly. Apparently, the pay cuts extend beyond the original group of employees identified in the class-action lawsuits.

Sounds like an attempt by IBM to play hard-ball.


Verification Messages to Both New & Old E-Mail Addresses

This is a security feature I wish that more web sites used. I use the Google Reader site to read and manage several news RSS feeds. When I changed the e-mail address associated with my Google Reader account, the Google Reader site sent this e-mail message to my old e-mail address:

From: accounts-noreply@google.com
Subject: Google Accounts: Email Change Notification

Dear Google Account holder:
We've received a request to change the email address associated with your Google Account from: [my old e-mail address] to: [my new e-mail address]

If you initiated this request, there's no need to take any further action. If you didn't request an email change, please visit the Google Accounts Help Center and fill out our contact form.

Thank you for using Google. For questions or concerns regarding your account, please visit the Google Accounts FAQ. This is a post-only mailing. Replies to this message are not monitored or answered.

The Google Reader site also send this message to my new e-mail address:

From: accounts-noreply@google.com
Subject: Google Accounts: Email Change Verification

Dear Google Account holder:
Thank you for changing the email address on your Google Account. To verify your new email address, just click the following URL: [verification URL]

Thank you for using Google. For questions or concerns regarding your account, please visit the Google Accounts FAQ. This is a post-only mailing. Replies to this message are not monitored or answered.

That's an excellent approach to security I all companies should use. Both messages were clear, easy to read, and reinforced the security for my account. The verification link was quick and easy. The FAQ link provided relevant information I could use, if needed.


Chicago Woman Gets 8 Years For Identity Theft

I like reading news stories about identity thieves who were caught and convicted. The Chicago Tribune newspaper reported:

"A Chicago woman who used a stolen identity to buy a house and a vehicle was sentenced Monday to 8 years in prison. Denise Williams, 37, bought a $173,000 house in the 6000 block of South May Street and a $24,000 Chevrolet Equinox using the personal information of a woman whose wallet was stolen during a trip to Chicago, said Andy Conklin, a spokesman for the Cook County state's attorney's office. Williams was not accused of stealing the wallet, but she used its contents, including the victim's Social Security card, to buy the home and the vehicle, Conklin said. It's unclear how she obtained the wallet."

The story demonstrates the damage identity thieves can do with a SSN, birthdate, and name. The story highlights the fact that identity information is bought and sold by numerous criminals. In my opinion, 8 years in prison sounds about right.


The New U.S. Passports (RFID)

In a prior post, I discussed the new RFID technology and its data security and privacy issues. There is an excellent Los Angeles Times article which questions just how secure the U.S. State Department's new RFID passports are. Here's how the new U.S. passports work:

"The chip on your passport stores your name, gender, birth date and place; your passport number, its issue and expiration dates; and a digital version of your ID photo. It broadcasts this data when its antenna is activated by signals from a government reader at a border crossing. The security of this broadcast is the crux of the debate. The State Department says the chip's range is about 4 inches and that it cannot be read when the passport book is fully closed. But with the right equipment, early critics said, people several feet away or more could secretly access the data and use it to identify Americans, track their movements and steal their personal information. The chip could also be copied or altered to make phony passports..."

To respond to the threat, the State Department modified its new passports:

  • "To block radio signals, it put metallic material in the passport's front cover and spine.
  • To thwart eavesdropping, it placed a cryptographic key on the printed data page that must be read by an optical scanner to unlock the chip's data. (Officials note Social Security number and address are not on the chip.)
  • To prevent tracking, it installed a "randomized unique identification" system that presents a different ID to a reader each time the chip is accessed.
  • To counter fraud, it installed a digital signature that flags chips that have been altered."

Are the new passports 100% safe? Nobody knows. I hope that these identity protection measures work. There's an awful lot at stake.


The Age Of Conversation 2008: Call For Authors

The Age Of Conversation The debut of The Age of Conversation book in 2007 was such a refreshing and innovative look at blogging, it's no surprise that the planning for version 2.0 of the book is already underway. (If you haven't read the book, here's a backgrounder.) Version 1.0 featured 101 authors, including a couple Boston-area bloggers I know and work with: Lori Magno of Moda di Magno, and Ryan Barrett of Cheap Thrills. I hope to participate in version 2.0.

From now through February 3, 2007 you can vote online for the topic for version 2.0. The three topic options:

  • Marketing Manifesto
  • Why Don’t People Get It?
  • My Marketing Tragedy (and what I learned)

Bloggers interested in contributing to the 2008 edition as an author, should visit Drew McClelland's Marketing Minute blog. Potential authors must provide contact information: your full name, snail-mail address, phone, blog URL, and e-mail address. If your contact information doesn’t make it clear — please share your experience/expertise that would make you a good candidate for writing a chapter in a business/marketing book.


Is Your IP Address Personal Data?

FYI... this news story caught my attention, since government policy and legislation affects how companies protect (or not) consumers' personal data:

"An official of the European Union has contradicted Google Inc. and said IP addresses should, for the most part, be regarded as personal information, according to reports Monday. When someone can be identified by an Internet protocol address "then it has to be regarded as personal data,"AP quoted Germany's data protection commissioner, Peter Scharr, as saying. Mountain View-based Google disagrees, AP reported, and says an IP address identifies the location of a computer but not the individual user."

To learn more, see this Associated Press (AP) news story.


New California 'Shine The Light' Law Hotly Debated

The State of California's 2005 "Shine The Light" law (Civil Code 1798.83) provides California residents with the right to ask a retailer whom else that retailer has shared their personal information with. I think that it is instructive to look at California, which was the first state to enacted strong first identity theft laws with mandatory data breach notification.

While it is against the law for retailers to share consumers' credit card information, retailers legally can share consumers' name, address, and telephone information with data brokers (companies that buy and sell lists of consumer data). Some argue that this makes consumers more vulnerable to data theft.

Consumer advocates argue for more transparency by retailers, including more opt-out choices so consumers have some control over where their personal data is shared. Not surprisingly, small business lobbyist groups argue against additional legislation in California. Given the massive TJX/T.J. Maxx data breach, retailers definitely need to do more to protect consumers' personal data. I encourage you to view this San Francisco television news broadcast from January 18.

to learn more, read this Privacy Rights Clearinghouse article and this Lyris guide for retail businesses.


Credit Card Truncation, Identity Theft, and Class Action Lawsuits

At the Credit Slips blog, contributing author Adam Levitin wrote an interesting post about retailers' responsibility to truncate credit card and debit card account numbers on consumers' bills:

"In 2003, Congress enacted the federal credit card truncation statute, 15 U.S.C. § 1681c(g), as part of the Fair and Accurate Credit Transaction Act (FACTA). This law, which was intended to help prevent identity theft, forbids anyone who accepts credit or debit cards from printing more than the last 5 digits of the card number or expiration date on any electronically printed receipt given to the cardholder at point of sale. The law became effective for all new cash registers as of Jan. 1, 2005, and for those registers already in use, as of Dec. 4, 2006."

Adam's post drives home the point about retailers' liability:

"If the merchant was negligent, then the merchant is liable for actual damages and attorneys’ fees/costs. But if the violation was willful—and this is key—meaning—meaning knowing or intentional, not malicious—then the merchant is subject to statutory damages of a minimum of $100 violates, plus punitive damages, and costs/attorneys fees. $100 doesn’t sound like a lot, but multiply that by every transaction made at that register since the truncation statute’s effective date and potential damages are huge."

The Clausen Miller law firm confirmed this in a November 2007 post to their corporate clients:

"Whether large or small, all businesses that are not in compliance with FACTA are potential targets of this litigation. The driving force behind this flurry of class action litigation is financial. Statutory damages for a willful violation of FACTA are between $100 and $1,000 per violation, regardless of whether any actual damages were incurred or whether an individual’s identity was stolen."

The Clausen Miller article also highlighted the resulting class-action lawsuits:

"Entities such as Victoria’s Secret, Toys “R” Us, The Gymboree Corporation, California Pizza Kitchen, In-N-Out Burgers, Adidas Promotional Retail Operators, El Pollo Loco, Costco, and IKEA have all been involved in this litigation."

Want to learn more? Similarly, the Jones Day law firm advises their corporate clients to comply with the FACTA.

So, the next time you go shopping, check to make sure that the retailer's receipts display only a portion of your credit card or debit card number. And, shred any unneeded receipts which contain your personal information.


Computer Virus Hits Nokia Mobile Phones

Well, it has finally happened. PC World magazine reported yesterday:

"Security vendor Fortinet has uncovered a malicious SymbianOS Worm that is actively spreading on mobile phone networks. Fortinet's threat response team warned on Monday that the worm, identified as SymbOS/Beselo.A!worm, is able to run on several Symbian S60 enabled devices. These include handsets such as Nokia 6600, 6630, 6680, 7610, N70 and N72 handsets. The malware is disguised as a multimedia file (MMS) with an evocative name: either Beauty.jpg, Sex.mp3 or Love.rm. Fortinet warned this is deceiving users into unknowingly installing the malicious software onto their phones."

The worm seems to be spreading in the EMEA (Europe, Middle East, and Africa) region. Up until now, mobile malware (e.g., computer viruses) has been rare.

"After installation, the worm harvests all the phone numbers located in the phone's contact lists and targets them with a viral MMS carrying a SIS-packed (Symbian Installation Source) version of the worm. In addition to harvesting these numbers, the malware also sends itself to generated numbers as well. Interestingly, all these numbers are located in China so far and belong to the same mobile phone operator."

What should mobile phone users do? Practice safe mobile phone use just like you do with your computer. Don't accept or open files from people you don't know. Be careful who you share your mobile phone number and text messaging address with. Contact your mobile phone manufacturer or mobile network provider for assistance.


Treat Consumers Personal Data Like "Nuclear Fuel"

Since I started this blog in July 2007, I've consistently argued that the risk period for consumers is very long after their personal data has been exposed, especially after a corporate data breach. This includes breaches of birthdate and SS#, not credit card accounts. According to an article in the Guardian Unlimited:

"We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back."

While this description sounds extreme, I have to agree with it. When IBM lost my personal data in February 2007, the personal data of mine and all of the other identity-theft victims is just as valuable today as it was a year ago. Identity thieves can open accounts, get loans, or get government identification with it. This is why I also lobby for far longer periods than one or two years of free credit monitoring services from companies that have a data breach. The risk period is long.

In the article, Corey Doctorow write not just about the descriptive data (name, birth date, SSN), but all of the usage data attached to it:

"Data is acquired at all times, everywhere. For example, you now must buy an Oyster Card if you wish to buy a monthly travel card for London Underground, and you are required to complete a form giving your name, home address, phone number, email and so on in order to do so. This means that Transport for London is amassing a radioactive mountain of data plutonium, personal information whose limited value is far outstripped by the potential risks from retaining it... All these people could potentially be identified, located and contacted through the LU data. We may say we've nothing to hide, but all of us have private details we'd prefer not to see on the cover of tomorrow's paper."

You're probably wondering how long entities should be allowed to keep this personal data private. When should it be destroyed? Given the increasing capacity for digital storage, that seems to be a worthwhile conversation to have in the USA, too. Regarding privacy, Doctorow, argues:

"A century is probably a good start, though if it's the kind of information that our immediate descendants would prefer to be kept secret, 150 years is more like it. Call it two centuries, just to be on the safe side. If we are going to contain every heap of data plutonium for 200 years, that means that every single person who will ever be in a position to see, copy, handle, store, or manipulate that data will have to be vetted and trained every bit as carefully as the folks in the rubber suits down at the local fast-breeder reactor... And what's worse is that we, as a society, are asked to shoulder the cost of the long-term care of business and government's personal data stockpiles. When a database melts down, we absorb the crime, the personal misery, the chaos and terror. The best answer is to make businesses and governments responsible for the total cost of their data collection."

The last sentence above is key. Entities, corporations or government agencies, decide to store personal data for long periods of time because it benefits them -- financially or otherwise. If they are going to enjoy those benefits, then it's fair for them to also accept the risks and costs. And the cost includes credit monitoring for consumers after their data has been exposed during a data breach.

Free credit monitoring for one year is not acceptance of the cost, in my view. Not even close. 15 or 20 years of free credit monitoring is far closer to the goal.


Report: Warrantless Surveillance Legal

Regardless of your political party affiliation, I found the following United Press International (UPI) news story quite interesting:

"U.S. President George W. Bush's authority to conduct warrantless electronic surveillance comes from the Constitution, a partisan congressional report says. A Republican staff assessment of the revised Foreign Intelligence Surveillance Act said the president's controversial program is legal. The 13-page assessment comes as the Senate prepares to debate legislation as early as Tuesday on extending legislation governing electronic surveillance of suspected foreign terrorists and spies, The Washington Times reported Monday. The Protect America Act, passed in August, temporarily revised the 1978 Foreign Intelligence Surveillance Act to help authorities better monitor newer technologies. The law expires at the end of January."

We US citizens get to decide what type of government we want. It is not a given; it is not a "slam dunk" that there shouldn't be data privacy for consumers. We get to decide as a nation. We citizens get to decide via voting and via our Congressional reps what checks and balances should exist between the three branches of federal government. We get to decide what oversight exists.

Want to learn more about the Protect America Act? Read this ACLU fact sheet, this Wired analysis, or this San Francisco Chronicle analysis.


Consequences of McCain Pledging His Donor List

Many consumers care about where their personal data goes. At the Ephemeral Law blog, William Morriss explores some interesting issues regarding data privacy and political campaigns:

"According to this story from Politico, John McCain's presidential campaign has pledged its fundraising list as collateral for a loan."

Quite logically, Morriss concludes that this violates the McCain web site's privacy policy:

"John McCain 2008, will not sell your information to third parties or any commercial entities." While the policy does state that "We may share information -- that you voluntarily provide us -- with like-minded organizations committed to the principles or candidates of the Republican party, Republican State Party organizations, local Republican groups and like-minded organizations" it seems unlikely that the commercial banks which made the loan are "like-minded organizations," so there seems to be a conflict between the pledge and the policy.

This got me to thinking about how the privacy policies at other presidential candidates' web sites. The Giuliani 2008 site states this about sharing your personal data:

"The Campaign may share your information with third parties for various reasons, including but not limited to enhancing your experience on JoinRudy2008.com, expanding your opportunities to participate in Republican politics, providing services that you have requested, when we have your permission, or under the following circumstances: in response to subpoenas, court orders or legal process, or to establish or exercise our legal rights or defend against legal claims; when we believe it is necessary to share information in order to investigate, prevent or take action regarding illegal activities, suspected fraud, violations of the Campaign’s policies or as otherwise required by law."

The Mitt Romney site doesn't say anything about whom (besides the FEC) they may share your personal data with:

"... If you chose to donate through our online contribution form, rest assured that we have taken every reasonable precaution to keep you and your billing information safe and secure. To comply with Federal election law and the regulations of the Federal Election Commission, we are required to make our best efforts to collect and report the name, mailing address, occupation and name of employer of individuals whose contributions aggregate in excess of $200 per election cycle."

And, party affiliation seems irrelevant. The Hillary Clinton site contains language similar to the McCain site:

"When you make a contribution to us, we may also exchange your contributor information with successor organizations and other like-minded Democratic candidates and organizations, and they may solicit you (see below for additional information regarding your contributor information). However, we will not sell or exchange your credit card information to any other third party under any circumstances."

And:

"When you sign one of our petitions, we treat your name, city, state, and any comments as public information. We may, for example, provide compilations of petitions, with your comments, to national leaders, without disclosing email addresses. We may also make comments available to the press and public online, identifying only your city and state."

Now more than ever, it is always wise to read the fine print in the Privacy Policy at any web site you plan to make a transaction with.


IronMountain Can't Find A GE Money Data Tape With Records For 650,000 Consumers

Stuff like this isn't supposed to happen to a company whose core business is data security and storage. InformationWeek reported last week:

"Iron Mountain can't find a backup tape belonging to GE Money that contains the personal information of some 650,000 customers of J.C. Penney and about 100 other retailers. GE Money handles credit card processing for the affected retailers. The missing data includes about 150,000 social security numbers, according to an Associated Press report. GE Money requested the backup tape from an Iron Mountain vault in October, according to a statement issued by Iron Mountain. When the tape could not be located, Iron Mountain personnel began looking for it. The tape remains unaccounted for."

I've seen this play before. In February 2007, IBM exposed my personal data when its transportation vendor lost backup data tapes. IBM refused to disclose the number of records exposed, and never fired the transportation vendor. We'll see what GE Money does. At least GE Money disclosed the number of records exposed.

When things like this happen, I wonder if it's an inside job. The tape has been missing since at least October 2007. Data protection is supposedly Iron Mountain's core business. From Iron Mountain's web site:

"With over 30 years of experience, Iron Mountain delivers the most reliable, battle-tested, data protection and recovery solutions available - from offsite tape vaulting and archiving to server and PC data backup, email continuity, and disaster recovery."

A disaster? Yes. Reliable? Apparently not. Backup data tapes shouldn't go missing. Senior management heads at Iron Mountain need to roll. If you received a breach notification letter about this, let us know in the Comments section below what the breach notification letter said. I've Been Mugged readers want to know.


Satisified With RFID Skimming Protection (Product Review)

A couple weeks ago, I purchased online the Armadillo Dollar "skimming" shield product. I ordered two shields and both arrived in separate business-size envelopes within a larger U.S.P.S. Express Mail package. Each envelope included a shield and instructions. That makes it easy to give the second shield as a gift.

I opened one envelope and read the instructions, which were clear and simple. The instructions said that you could place the Armadillo Dollar product in your wallet to protect multiple RFID cards, often referred to as "smart cards" or contact-less credit cards. I folded one Armadillo Dollar product in half, placed two contact-less smart cards inside, and then placed the bundle in my pants pocket. I don't want to open my wallet every time I need to use one of my RFID cards. I planned to test Armadillo Dollar the next day on the way to work.

One the way to work the next morning, I pulled the Armadillo Dollar and my RFID cards out of my pocket and waived them near an RFID reader at a Boston MBTA station entrance. Nothing happened: the turnstile did not open. The RFID reader was unable to penetrate the Armadillo Dollar shield. Great! Then, I removed my MBTA Charlie Card by itself and waved it by the station's reader. The turnstile opened as usual.

At work, I repeated this process at the the downtown-Boston office where I work. Employees use RFID badges to access both the building elevators and individual company offices. As expected, the RFID reader was unable to penetrate the Armadillo Dollar shield. I then removed my employee badge by itself and waved it the RFID reader. The turnstile opened as expected.

While this isn't a scientific test, it is good enough for me. The product works as advertised... RFID readers couldn't penetrate the Armadillo Dollar shield. Wisteria House fulfilled my product order as requested, and applied the product discount as promised. I am satisfied since I now have some identity protection for my RFID cards. When I receive my new RFID U.S. Passport, I'll repeat this test with the Armadillo Dollar shield.

Want to learn more? This video provides some background about RFID or smart cards and "skimming"... how an identity thieve can clone a smart card:

Want to learn more? Read this New York Times article about no-swipe credit cards, or this C/Net Review about contact-less credit cards. You can also visit the Smart Card Alliance, armadillodollar.com, or the National Envelope web sites.

[Author's note: you can rely on I've Been Mugged for independent product reviews. The I've Been Mugged blog is wholly independent, and is not affiliated with any identity theft or identity protection products. Nor do we accept any advertising or payments from manufacturers of identity theft products or services.]


Breaches

Most of us begin every new year with resolutions... habits we'd like to change, stop, or start. While considering resolutions for 2008, I thought about changes I'd like to see regarding data breaches, data security, and identity protection. This inspired the poem below (with sincere apologies to the great American poet, Joyce Kilmer).

Breaches

I think that I will never see
A month pass that's data-breach free.

No unencrypted WiFi feeds
By retail chains' focus on greed;

No stolen past employee files,
That firms claim were "lost" for a while;

No stolen backup data tapes,
Spawning breach notices that make

People pay to lock credit files,
Or add fraud alerts for awhile;

One-year offers of free credit
monitoring -- what a poor fit!

People like me would love to see,
Lifetime credit monitoring for free.


Online Privacy Concerns Increase

The Associated Press news services reported the results of a new survey by the University of Southern California's Center for the Digital Future:

"Privacy concerns stemming from online shopping rose in 2007, a new study finds, as the loss or theft of credit card information and other personal data soared to unprecedented levels. Sixty-one percent of adult Americans said they were very or extremely concerned about the privacy of personal information when buying online, an increase from 47 percent in 2006. Before last year, that figure had largely been dropping since 2001. People who do not shop online tend to be more worried, as are newer Internet users, regardless of whether they buy things on the Internet..."

In 2007, about 57% of survey respondents were very or extremely concerned about credit card security. In 2006, the same number was 53 percent. In 2007, about two-thirds of adult Internet users shop online, compared with just 50 percent in 2006. Most spend $100 or less a month, and two-thirds of online shoppers have reduced buying at brick-and-mortar stores. The survey included a random selection of 2,021 Americans contacted from Feb. 28 to Aug. 6, 2007.

More survey results about online usage:

"... online parents are more likely than ever to withhold Internet use as punishment — 62 percent in 2007, compared with 47 percent a year earlier and 32 percent in 2000... Nearly two-thirds of parents, meanwhile, worry about kids participating in online communities and about half believe online predators to be a threat..."


How To Do A Background Check On Yourself

To learn what others -- a potential employer or landlord -- can learn about you, you might consider doing a background check on yourself. This June 2007 post at The Consumerist lists several sources, many of which are free. Note the comments in the post about Lexis-Nexis, and in particular their Consumer Access Program. I have contacted only a couple of the sources listed, but in time I expect that I will contact all of them. In prior posts, I have discussed my experiences with C.L.U.E. insurance reports from Choicepoint.


Capital One: What's In Your Database? (Part 2)

I wrote a December 20, 2007 post about Capital One database corruption reported by Justin James in his TechRepublic Programming and Development blog. Since that post, I checked my Capital One credit card statements for erroneous charges. Fortunately I didn't see any.

To be safe, i wrote a letter to Capital One asking for clarification. It seemed to me that their database corruption could have resulted from a data breach. And, since I live in a state where data breach notification is required by law, I would have expect a notice from Capital One. My e-mail message to Capital One:

To: <webinfo@capitalone.com>
Sent: Thursday, December 20, 2007 7:26 PM
Subject: Capital One's credit card database corruption

Dear Sir/Miss:
Please see this TechRepublic blog which reported database corruption within your company's customers' credit card files:
Capital One: What's In Your Database?

This is very scary given the current identity theft situation in the USA. I am a Capital One Visa credit card customer. I am wondering why I have not received a breach notification from Capital One due to this database corruption. Data corruption like this just doesn't happen by itself. I look forward to a prompt reply and explanation from your company. If I do not hear from you soon, I will likely cancel my Visa card with you and do business elsewhere.

Sincerely,
George Jenkins

The first e-mail reply I received from Capital One was a form letter which confirmed receipt of my inquiry, provided a Case ID number, and explained that Capital One tries to reply to e-mail inquiries within 3 days (72 hours). So far, okay. Not great, but okay. To me, it's important to communicate in writing about very important issues, and Capital One's database corruption seemed to be one of those issues.

Capital One finally replied on January 4, 2008 -- far after the 3-day promise. The content of the reply was quite a disappointment:

From: "Capital One Web Information" <webinfo@capitalone.com>
Sent: Friday, January 04, 2008 12:10 PM
Subject: Re: Capital One's credit card database corruption

Hello George Jenkins,
Thanks for your message regarding our online security practices. Protecting customers’ credit and personal information is a top priority for Capital One. For this reason, account information is displayed on secured pages. A secured page is any Web document sent from a server to a browser in an encrypted form.

Encryption is a process for turning plain text or other information into an unrecognizable pattern of data. The type of encryption used by Capital One is 128-bit encryption, which is the strongest form commonly available for use on the Internet. It provides a high level of security and privacy for our customers when they use our Online Account Service. Capital One requires that our customers use 128-bit encryption when using our site.

Please visit our security pages on our Web site at http://www.capitalone.com/protection, for additional information about the steps we take to protect customers’ privacy and the security of their account.

Since regular electronic correspondence is not a secure method of contacting us and we wish to protect the integrity of account information, Capital One prefers to discuss personal and account-specific questions by telephone rather than by e-mail. We assure you that all other electronic contact with us such as viewing statements and making payments is secure.

Thank you for contacting Capital One.

Regards,
Capital One Online Banking

Wow! A lot of words but nothing related to my question. Encryption is not database corruption. Is their customer database corrupt? Was that the result of a data breach? The letter seems to suggest that there was no problem since all data is encrypted. That seems to me to be a gross over-simplification.

It seems that Capital One prefers phone correspondence and considers their database corruption to be an account-specific problem. And, nobody at Capital One had the courtesy to sign the letter making follow-up easy.


TSA Web Site Puts Travelers At Risk of Identity Theft

If you fly on commercial airlines, then you are aware of the constantly changing security rules. If you have a complaint about a travel  experience, you can submit it to the airline or to the Transportation Security Administration (TSA). According to the Washington Post newspaper:

"A government Web site designed to help travelers remove their names from aviation watch lists was so riddled with security holes that hackers could easily have stolen personal information from scores of passengers, a congressional report concluded yesterday. Thousands of people used the Web site, and as many as 247 submitted detailed personal information between October 2006 and last February, the report says."

And, it gets worse. It looks like the fix was in:

"Congressional investigators raised concerns about a conflict of interest in how the no-bid contract to create the Web site was awarded. The TSA employee who framed many of the contract's requirements and was in charge of overseeing the site was once employed by the firm that was awarded the contract -- Desyne Web Services, a small firm in Boston, Va. -- and socialized with members of the company... The TSA continues to use Desyne on various projects, the report said, and has awarded the company no-bid contracts worth about $500,000."

You can download the House Oversight report. I spent some time at Desyne's web site. I've seen better designed web sites with better designed navigation elements. I found the current TSA web site difficult to use and poorly organized. (Note: An an Information Designer in my day job, my role is to architect clients' web sites so they are easy to use from a user's point-of-view.)

The TSA has a history of producing less-than-optimal web sites. In his Surveillance State blog, Chris Soghoian described his experience with the TSA site:

"This site had a number of security vulnerabilities: it was not hosted on a government domain; its home page was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. Furthermore, the site was filled with typos and other errors, causing some to wonder whether TSA's site had been taken over by phishers... The site was only taken down after I discovered it in February 2007 and posted something to my blog. Shortly after, Wired and a number of other sites picked up the story, and TSA was shamed into pulling down the site."

No matter how the TSA representative tries to spin an answer, a no-bid contract isn't right. It doesn't smell right, either. We citizens aren't getting the best value for our dollars, either.