I am pleased to announce two big changes in this blog.
First, I now accept online donations from readers. Donating online is easy, fast and secure. To donate, click on the DONATE button in the far right column. It links to the secure payment flow at the PayPal site. You can donate using a credit card or with your PayPal account. Your donation can be any amount of your choice: $2, $5, $10, $25, or more. Your donations help me continue the unbiased reporting, plus product and service reviews.
Second, my blog also contains online ads. For the past two and a half years, I have funded this blog with my personal savings. It is time to explore new revenue sources. So, I've allocated a space in the near right column to rotate ads within.
I chose an ad approach that seemed as non-intrusive as possible. The ad space is in the same location on all blog pages. Many blogs insert ads both inside blog posts and between the post and comments. I avoided these options to keep the blog easy to read.
If you find the ads interesting, I hope that you will read and click on them. Adify.com allows publishers to select which ads display on a blog, so I have tried to pick ads from trustworthy, reliable brands and companies. If you find the ads intrusive or if you disagree with the ad selections, please share your comments via e-mail. I can explore other options.
Thanks for your readership and I hope that you will donate online today.
In addition to the right column ad space, there is an ad space at the page bottom on the Reviews, List of Lists, and ID-Theft Resources pages. So, you have a choice in ad size and location. Statistics about my blog are available on the Advertise page. Ad rates are available at the Adify.com site.
Thanks for your interest and I hope that you will consider I've Been Mugged for your advertising needs.
But first, a brief background. The editors - Drew McLelland and Gavin Heaton - of Age of Conversation are not professionally-trained publishers, but are bloggers like many of us. Regardless, the Age of Conversation 2 (AOC-2) was a beautiful book, in both paperback and hardcover. Two authors from the AOC-2, Gretel Going & Kate Fleming, started a publishing company called Channel V Books and offered to help publish Age of Conversation 3 (AOC-3).
So, an agreement was reached and Gretel/Kate assumed most publishing duties for AOC-3. According to Drew McClelland, these duties included:
"... in-house management of the entire publishing and marketing processes from start to finish (often working with the author from the beginning to shape the manuscript for his/her audience and create their platforms), and their seamless connection to major online retail distribution channels such as Amazon and Barnes & Noble. Finally, they handle all royalty and online distribution/fulfillment, which allows authors to focus on personal goals and business objectives, rather than on the business of their book."
AOC-3 Editor Drew McLelland described the benefits of working with Channel V Books:
"They work with business thought leaders who need to publish books in order to promote themselves and their businesses, solidify their credibility and attract new opportunities—but don’t have the time (or desire) to learn and manage the intricacies of the publishing business in the process. Channel V Books bridges the gap between self-publishing and traditional publishing by offering the best of both worlds: the highest production quality, distribution channels, visibility, creative flexibility, ease and, most importantly, profitability."
"In our Scamville series of posts last October we exposed the massive user fraud occurring Facebook and MySpace social games. Fake quizzes tied to long term mobile subscriptions, malware-laden toolbar downloads and other scams were the center of the controversy. The industry did a lot of talking in the wake of those posts and some long term changes have been made... But now we’re seeing the same old scams hit the iPhone. And the same players, particularly OfferPal Media and SuperRewards and now Google, are powering those scams. Specifically we’re seeing SMS-subscription offers, which trick users into putting long term subscriptions on their mobile phones (or their parent’s mobile phones)."
What makes these shady offers so bad:
"Users are offered virtual currency in exchange for answering a quiz or some other seemingly harmless offer. But once they click through and answer the quiz questions they’re told they need to enter their mobile phone number to get quiz results. Often there is fine print outlining the charges. But the already tiny print is completely unreadable on a mobile screen, making that disclosure meaningless even when it appears. SMS subscription scams are among the most lucrative offers to game publishers because users get a recurring fee of $10 – $25 per month..."
Zwinky returns to Facebook:
"We’ve also seen offers for the Zwinky toolbar back on Facebook games. When Zynga CEO Mark Pincus said “I did every horrible thing in the book to, just to get revenues right away” he was talking about Zwinky, one of the most hated malware wrappers on the Internet..."
Well, it didn't take long. About 85 days into 2010, we now have the largest data breach of the year, by far.
Last week, the Education Credit Management Corporation (ECMC) announced on its web site that 3.3 million borrowers' sensitive personal data was stolen during a data breach. According to ECMC, the stolen data included:
"... names, addresses, dates of birth and Social Security numbers. No savings, checking or credit card information was included in the data."
This is not good. Not at all. First, a breach with a huge amount of sensitive data like this indicates a breakdown in security, employee training, or both. This huge amount of data should never be this vulnerable on any type of storage media: USB drive, external hard drive, portable device, or whatever.
"ECMC said the stolen information was on a portable media device... simple, old-fashioned theft... It was not a hacker incident... It plans to notify affected customers in writing this week... ECMC also owns Premiere Credit LLC, a federal student-loan collection agency. No Premiere accounts were affected by the theft... Federal student-loan guarantors such as ECMC, USA Funds and American Student Assistance have contracts with the federal government to insure student loans against default... ECMC is the designated guarantor for loans in Oregon, Virginia and Connecticut, but borrowers from all states could be affected."
What is particularly nasty about this theft is that many borrowers, students, represent a vulnerable consumer segment. This consumer segment is often the least experienced and prepared about identity theft and fraud. They don't have the awareness, knowledge and funds (yet) to monitor their credit reports for fraudulent loans and other activity, plus subscribe to credit monitoring and resolution services.
In my opinion, ECMC has done the minimum: arranged for only 12 months of free credit monitoring services for its breach victims. I expected a far longer period of free credit monitoring services. Four years minimum seems sufficient to me, since it allows the students to complete (and keep the focus upon) their education and enter the workforce. To ECMC's credit, the company-arranged services from Experian include both credit monitoring and credit resolution (PDF).
While many colleges and universities have policies about identity theft and data breaches for staff and faculty, only a handful of higher education institutions have produced identity theft prevention events for students. This massive breach could be an opportunity for insurers like ECMC to show how much they care -- to do more than the minimum. Provide a longer period of free credit monitoring/resolution services, plus support and fund college-based identity-theft education and prevention programs.
I first saw the report on the evening news Thursday. It included real video of a mugging by the victim's Facebook.com friend.
You have been warned. Be careful who you accept as friends. Make sure your Facebook privacy and application settings are locked down tight. Even better: don't share your location information. If you feel that you must share location-based information, do so after you return home.
"Today, 63% of consumers indicate that they are comfortable or very comfortable with shopping online, but 22% report they never make purchases online or haven't made one in the past 12 months. Despite the sluggishness of the global economy in 2008 and 2009, domestic e-commerce climbed 10.8% from $185 billion in 2008, and to $205 billion in 2009. At the same time, the share of total retail sales represented by online transactions continued to rise, reaching 5.5% in 2009. The study indicates that 70% of US consumers used a major credit card to make an online purchase during 2009. The only other two options used by more than 50% of respondents were major debit cards, and an online payment service such as PayPal or Google Checkout."
Javelin performed the study in November 2009 with a random-sample panel of 3,294 consumers representative of the USA population. The other important takeaway:
"While debit share of online payments volume climbed just two percentage points to 28%, the dollar value of online sales attributed to debit cards rose 21% from 2008 to 2009. During the recent economic downturn, consumers turned increasingly to debit cards as an option to help them control spending. Debit also grew because it was one of the available options for consumers who had reached the limit for purchases on their credit cards or were unable to qualify for credit."
So, which payment method is best: cash, credit cards, debit cards, or charge cards? This video below from ABC News offers some practical tips to help you make an informed choice.
If you need to build up your credit history and credit score, paying with cash and/or a debit card won't help. If you have the discipline, charge cards offer several advantages over credit cards including the opportunity to build your credit history/score.
For many years, I had an American Express charge card. I used it to pay for business travel, since my employer promptly reimbursed me for business travel. Later in my career, I simplified both my life and my finances by reducing my use of credit/plastic. Ultimately, I paid off all of my credit card debt and cut back to two credit cards from a high of five credit/charge cards (and a high balance of $18,000). Today, I pay my credit card bills in full every month.
I am happy and excited to announce that the Age of Conversation 3 (AOC-3) is at the publisher for printing! The book will be available sometime during April 2010, and in the following formats: paperback, hardcover, Kindle, and iPad.
The theme for the AOC-3: It's Time To Get Busy. The book has a new Web site, thanks to Sticky. The new cover artwork was designed by Chris Wilson.
I am thrilled to introduce you to the talented and insightful social media authors who contributed to the AOC-3 -- of which I am one. As the publication date nears, I will share more information about the book.
Now, take a few minutes and browse the AOC-3 authors' blogs:
This is news regardless of where you live. Why? The use of skimming devices by identity criminals is not limited to Utah. ABC 4 television news reported:
"Utah police investigators said crooks have installed electronic "skimming" devices at 180 gas stations from Salt Lake to Provo in an attempt to steal bank card and pin numbers... The skimming device is actually located inside the gas pump... The “Skimmer” copied card and pin numbers giving the criminals free access to the victim’s bank accounts... Crooks used the stolen card information captured by the device to steal more than $11,000 using ATM machines in Los Angeles... Investigators don't know how many card numbers the crooks stole... The only way that you're going to know if you've fallen victim to this is if your credit card starts being used or if your debit card number starts being used..."
If thieves drain your checking account balance to zero, you'll know that way too. By then the damage has been done, and your bank may not reimburse you for the stolen money.
Because it is impossible to spot a gas station pump that has been tampered with, I never pay at the pump. Instead, I go inside to the cashier and pay with credit or cash. And I keep my credit card within eyesight. I use my debit card only at my bank's ATM machines.
At his Krebs On Security blog, Brian Krebs has a good blog post about how to recognize a skimming device attached to the card slot of an ATM machine. Identity criminals will try to place these devices on ATM machines (and gas station pumps) to steal your debit card sign-in credentials so they can drain your bank account.
Brian's blog post includes photos, which clearly indicate how thieves can attach a skimming device to the ATM card slot.
Now don't panic and think that every ATM machine has been tampered with. The thieves target ATM machines that are not in well-lit and public places.
Use ATM machines from your bank. You know what they look like and familiarity makes it easy to spot tampered machines.
Use ATM machines that are well-lit and in public places.
If the ATM machine looks like it has been tampered with, use another machine.
I avoid unfamiliar-looking ATM machines, which are often in convenience stores.
"Around 5000 First National Bank of Durango customers have been unable to use their cards in stores, although they can still withdraw cash at ATMs. In a notice on its Web site, the bank says: 'Please be aware that as a result of a security breach at Heartland Payment Systems that occurred over a year ago, debit cards issued by the First National Bank of Durango may have been compromised. It is important to note that there was not a security breach at First National Bank of Durango, our systems remain secure. The breach occurred at a 3rd party processor.'"
Reportedly, the First National Bank of Durango blocked payments after several customers contacted the bank about suspicious charges on their bills.
Are these continual post-breach impacts unusual? Experts say that this is to be expected. According to Bank Info Security:
"What happened to First National Bank of Durango is not unusual, says Avivah Litan, Gartner distinguished analyst. "Typically the crooks will use stolen cards right after a heist until the looting is discovered and publicized in the media... At that point, the crooks will lie low and not use them because of heightened alerts that will flag and stop their use (e.g. because the cards are on watchlists). Then when time passes and the heat is off, "The crooks will rear their ugly heads and start using them again... Debra Geister, Senior Director, AML and Compliance Services at LexisNexis Risk Solutions, says this scenario is really no different from a sleeper scam, where the fraudsters sit back and wait until an opportune time to strike."
As I've written repeatedly in this blog, identity thieves are smart and persistent. The risks continue as long as the thieves believe that they can use the stolen information successfully, or resell it to others who can use it successfully.
After a data breach with debit/credit cards, banks block accounts and then re-issue cards with new account numbers as needed, since re-issuing cards is expensive. After a breach of sensitive personal information (e.g., Social Security number, birthdate, etc.), companies often offer free credit monitoring services for a year or two. This Heartland post-breach experience casts doubt on both practices since criminals don't magically give up after a year or two.
One answer to this question is in the courts. I didn't have to look far with Google.com to find court cases.
In U.S. v. Abdelshafi, the owner of a medical transportation company was convicted of submitting fraudulent health care billing claims and aggravated identity theft after using patients' medical information to submit fraudulent bills for trip services that never happened. The CCH Healthcare publication reported about a January 2009 court decision about the length of the owner's court sentence:
"The transportation company contracted with a HMO to provide medical transportation services to Medicaid patients... It was discovered that the owner of the transportation company submitted claims with substantially inflated mileage amounts and also claims for trips that did not occur, enabling the owner to collect at least $303,329 in fraudulent payments... The Court of Appeals for the Fourth Circuit noted, however, that while the owner did have the lawful authority to use the identifying information for proper billing purposes, he did not have the lawful authority to use Medicaid patients' identifying information to submit fraudulent billing claims... U.S. Sentencing Guidelines provides that an individual's offense level should be increased by two levels if the individual abused a position of trust that significantly contributed to the commission of the offense... The owner abused the authority of his position by misusing the Medicaid patients' identification information to file fraudulent claims for payment. Therefore the sentence enhancement was proper."
Then, there's this case from BenefitsLink.com about an employee who stole another employee's identity and then used that identity information to steal money from the victim's 401-K retirement account. While the criminal was not a senior level executive, the case includes identity theft and 401-K retirement account fraud:
"A former employee of a Kansas City, Mo., gaming casino was sentenced to one year in federal prison and three years of supervised probation after completion of her prison term. Dana Wachter also was ordered to make approximately $38,000 in restitution stolen from a co-worker... Wachter was sentenced June 29, 2009 in U. S. District Court for the Western District of Missouri. She was indicted in June 2008 on one count each of aggregated identity theft, mail fraud and theft... The indictment contends that, in March 2007, Wachter used her co-worker's social security and personal identification numbers to authorize an $18,000 distribution from her co-worker’s 401(k) account. Wachter is further alleged to have used the mail to steal a distribution check and forged the participant’s signature on the check."
To find more white-collar crime, one doesn't have to search far. I decided to broaden my searches for cases that didn't necessarily include identity theft. The U.S. Attorney Office in Nebraska published this news release involving a C-Suite executive:
"On March 3, 2009, the Honorable Judge Laurie Smith Camp sentenced Marilyn Adams, 66, of Omaha, Nebraska, to a term of 12 months in prison followed by 3 years of supervised release... Adams was indicted in April of 2008 in a two count indictment alleging that a nursing staffing business she formed, AMS Healthcare Services, withheld monies from the paycheck of its employees for purposes of making contribution to a company sponsored 401K program through Hartford Life Insurance Company. Adams, along with her son, Jeffrey Adams, withheld $111,136 dollars with the promise of forwarding those funds to the Hartford Life Insurance Company. Marilyn Adams, as the company president and plan administrator was required to file forms with the Department of Labor documenting funds withheld and transmitted to the 401K plan. Judge Smith Camp ordered Marilyn Adams to pay restitution in the $111,136 dollar amount to the 39 former employees from whom she stole."
I'll bet that those 39 employees felt they had been mugged when they didn't see the contributions to their 401-K accounts while the company deducted money from their paychecks.
Then, I visited the U.S. Department of Labor (DOL) site to see what else I could find. The DOL site publishes summaries of the court cases -- both civil and criminal -- it prosecuted during the past year, and the money collected. The agency's March 2010 Fact Sheet reported:
"... in Chao v. Gene Shawn Group, et. al., the U.S. Department of Labor obtained a Consent Judgment and Order. The Consent Judgment requires defendants Young Jin Lee and Juliette Lee, owners of the Gene Shawn Group, LLC dba A-Q Dental Laboratory (Company), to repay $32,587, including interest, to the A-Q Dental Laboratory 401(k) Profit Sharing Plan. The Consent Judgment holds the Lees responsible for restoring any losses remaining after the conclusion of the Company’s bankruptcy proceedings. Additionally, the Lees were permanently enjoined and restrained from future service as a fiduciary of, or service provider to, any ERISA-covered plan. The Department alleged that the defendants violated ERISA by failing to remit employee contributions, employer matching contributions and loan repayments to the plan."
Here's one of several criminal cases summarized in the Fact Sheet:
"... Mark Harrington was sentenced to 2 years imprisonment, 24 months probation, and ordered to pay restitution of $349,870. On April 14, 2009, Mark Harrington pled guilty in the U.S. District Court for the District of Massachusetts to embezzlement from an employee pension fund. Mr. Harrington had been the Vice President and Controller at Anchor Capital Advisors, LLC and in this position he also acted as the Plan Administrator for the Anchor Employees' 401(k) Plan (Plan)... As the Plan Administrator, he directed the custodians of the Plan's assets to make distributions totaling $386,711.70 to various fictitious entities. At the same time, he employed the services of a relative to establish bank accounts at different banks in the name of these fictitious entities and to deposit the distributions into those bank accounts. Harrington used the stolen funds to buy a home, a Cadillac Escalade, breast implants, jewelry and other items."
"... in Chao v. Craig Wagner, the U.S. Department of Labor obtained a default judgment ordering Concrete Construction Co. of Acworth, Georgia, and its president, Craig Wagner, to restore $11,672 in employee contributions, employer contributions, and interest to the company’s 401(k) plan. The Department alleged that the defendants violated the Employee Retirement Income Security Act (ERISA) when they withheld employee contributions to the plan and illegally commingled the contributions with the general assets of the company..."
The fact sheet also published statistics about the agency's performance. In 2009, the DOL closed 1,042 civil cases of which 87% (910) included violations, and closed 64 criminal cases of which 52% included criminal indictments -- both totaled about $17.9 million.
The fact sheet also includes historical agency performance. In 2007, the agency prosecuted cases with judgments totaling more than $51 million. In 2004, the agency closed almost 1,600 civil cases. In 2003, the judgments totaled more than $135 million. That's a lot of money. That's a lot of crime.
This fact sheet was a good read. C-Suite executives seem to receive similar consequences as lower-level employees.
The historical statistics indicate to me that there is (and has been) a significant amount of crime by people usually in a position responsible for employee 401-K retirement plans -- often C-Suite executives. I could have listed more court case summaries, as I found more cases involving medical identity theft.
After reading these court summaries, I can only imagine that the C-suite executives in these cases were arrogant and felt entitled to use other peoples' money as if it was theirs to use as they please. I'd like to congratulate the DOL Employee Benefits Security Administration for those achievements. I look forward to reading the agency's fact sheet in 2011 about its accomplishments during 2010.
I don't know anything about Filbert, the squirrel in the ad. I have nothing against Filbert either.
At first view, the ad seemed harmless enough. It is wise for consumers to know their credit score, since many purchases depend upon having good credit. To learn more, I visited the FreeScore.com site.
That's when things really got squirrely.
The site is easy to read and easy to navigate. There are huge buttons on the home page to start the registration process to get those free credit scores. Consumers can get "free" credit scores from each of the three major credit reporting agencies: Equifax, Experian, and TransUnion:
The above page copy also informs users that they can get their credit reports when ordering their free credit scores. Further down the page (out of view when the page first loads) is a huge button for consumers to click to view a sample report compiled with information from the three credit reporting agencies. A sample report is a good thing to view before registering. A more friendly page design would place that sample button further up the page so it is easier to see.
Now, I already know my credit score, so I didn't register for the FreeScore.com service. If you scroll to the bottom of the page, you will see tiny text that is easy to miss, especially if you clicked on any of the large buttons near the top of the page. So, I've repeated the tiny text here:
"FreeScore.com is not affiliated with the annual free credit report program. Under a new Federal law, you have the right to receive a copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under law, you must go to www.annualcreditreport.com."
Translation: while you can get credit reports at the FreeScore.com site, they aren't free. The credit scores are free but the credit reports have a monthly fee. The tiny text explains why there is a monthly fee:
"FreeScore provides you with the tools you need to access and monitor your financial/credit information through the program's credit reporting and monitoring benefits. FreeScore and its benefit providers are not credit repair service providers and do not receive fees for such services, nor are they credit clinics, credit repair or credit services organizations or businesses, as defined by federal and state law. Credit information provided by TransUnion Interactive, Inc."
Translation: the site is operated by TransUnion, one of the three major credit reporting agencies. FreeScore will help you monitor your credit scores and credit reports, but it won't help you fix them should something bad happen. You are on your own if you need to remove errors in your credit reports, or if you are already an identity-theft victim and thieves have made fraudulent purchases affecting your credit scores and reports.
So, if the credit reports at FreeScore aren't free, how much do they cost? In my opinion, a better design would have displayed the price along with the credit report offer on the home page. Instead, the consumer has to hunt for the price information, which appears on the FreeScore registration page below. The price is in small type in the right column under OFFER DETAILS:
I've repeated the tiny copy here so it is easier to read:
"Simply click "View Scores" on the next page to activate your FreeScore trial membership and claim your 3-in-1 Credit Profile and Triple Credit Score. After your 7-day FREE trial period it's just $19.95 per month for FreeScore. Remember, you can call FreeScore toll-free at 1-800-316-8824 within the first 7 days to cancel, and you will not be charged/debited."
Translation: you get free credit scores only during the seven (7) day trial period. After that, charges apply if you don't cancel your trial membership, which automatically signs you up for a credit monitoring service costing almost $20 per month. The trial membership period is awfully short, too.
This offer by FreeScore.com reminded me a lot of the pitch by FreeCreditReport.com, a site that pitches free credit reports but enrolls consumers in a credit monitoring program with a monthly fee if you don't read the tiny text and cancel. Yesterday's post discussed the new Credit Report disclosure rules mandated by the FTC. The FreeScore.com site never pitches free credit reports, so I guess that TransUnion believes that they don't have to comply with the new disclosure rules since they aren't selling free credit reports at the site.
In my opinion, the FreeScore.com site is the same as the FreeCreditReport.com site. Both advertise X (e.g., get something for free) but really offer Y (credit monitoring for a monthly fee) and place the important details in small print rather than say so upfront in easier to read type. Both sites use the auto-opt-in method: the user is enrolled in the credit monitoring service unless they cancel in time. To me, this is a sleazy marketing approach. The old "buyer beware" advice definitely applies here.
In my opinion, FreeScore.com is expensive since the price includes credit monitoring and not credit resolution services. And, the FreeScore monthly fee of $19.95 is higher than the FreeCreditReport.com monthly fee of $14.95. So, maybe the cost of those "free" credit scores is baked into the higher monthly credit monitoring fee.
Is FreeScore for you? That's a decision only you can make. You know your credit situation best. Having good credit is critical and monitoring your credit reports is wise to ensure their accuracy. If you are a victim of identity theft and fraud, then monitoring your credit reports for fraudulent purchases is critical, but getting credit resolution service is equally important.
My advice: shop around and always read the FINE PRINT at a Web site; especially sites offering freebies and/or credit monitoring services. Know the limitations of the credit monitoring service you are considering. Be an informed consumer.
In a press release late last month, the U.S. Federal Trade Commission (FTC) announced new disclosure rules that will go into effect on April 2 for Web sites offering "free" credit reports. The new rules aim to help consumers better understand Web sites offering "free" credit reports. The new FTC Credit Reports Rule effective April 2:
"... will require new prominent disclosures in advertisements for “free credit reports.” For example, any Web site offering free credit reports must include a disclosure, across the top of each page that mentions free credit reports, which states:
THIS NOTICE IS REQUIRED BY LAW. Read more at FTC.GOV. You have the right to a free credit report from AnnualCreditReport.com or 877-322-8228, the ONLY authorized source under federal law."
The Credit CARD Act of 2009 required the FTC to change the Credit Reports Rule by February 22, 2010 to prevent deceptive marketing of “free credit reports.” During the interim period from February 22 until April 2, the disclosure requirement is shorter, includes only text, and excludes links:
“Free credit reports are available under Federal law at: AnnualCreditReport.com.”
After April 2, the disclosure includes longer text (see above), a clickable button to "Take me to the authorized source" for free credit reports, and clickable links to both AnnualCreditReport.com and FTC.GOV. Prior to issuing the revised rules, the FTC sought and received feedback about the proposed rule change from consumers, consumer reporting agencies, consumer report resellers, business and trade organizations, state attorneys general, consumer advocates, law firms, members of Congress, and academics.
This is the best that the FTC could do? It doesn't seem to prevent deceptive advertising but moderates it instead.
Is the interim disclosure enough? Obviously not. While it is a step in the right direction, it is a small step. It includes minimal text and no links.
An even better solution would be for the rule to prohibit companies from making what is essentially, in my opinion, a "bait and switch" offer. Then, these micro-managing rule changes would be unnecessary and not waste limited government resources. At FreeCreditReport.com, the "free" credit reports really aren't. The site currently contains the interim disclosure, as required by the FTC.
I am sure that the credit reporting agencies are happy with the FTC's new rule change because it allows business-as-usual with minimal changes. Experian doesn't have to pull all of its FreeCreditReport.com ads that appear on both YouTube and late-night television and cable.
Sadly, the new rules are a business-friendly solution that allows companies to continue presenting Web sites with similar "bait and switch" offers, only to replace "free credit reports" with other freebies to evade the new disclosure rules.
It's important to note when identity thieves get what they deserve in court. The Wired Threat Level blog reported last week:
"Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy... Zaman, a 33-year-old former network security manager at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts. Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers."
The group used money mules to withdraw money from ATM machines with stolen bank account information and to wire money to overseas accounts in Latvia. In December 2009, former Morgan Stanley programmer and co-conspirator, Stephen Watt, received two years in prison. Watt wrote the code for a sniffer computer program used to steal card account data from the TJX network. For his role in the conspiracy and thefts, experts say Gonzalez may receive at least 17 years in prison.
Early in my career, jobs at Xerox Corporation taught me how copy machines work. This WBZ Television news item definitely caught my attention:
"Copy machines today are just like computers... They have hard drives and can store data that can be extracted... Think about it. Your tax preparer, your mortgage broker, your doctor, chances are they have all made copies of documents containing your personal information. That means your social security number; your bank accounts and credit card information could all be sitting on a hard drive in an office copy machine... There are massive warehouses across the country filled with hundreds if not thousands of used copiers that are up for sale. Companies are supposed to wipe the hard drives clean, but that does not always
It's good that the news media is now aware of and reporting this problem. In my experience, the threat is not from just copy machines but from the broader office equipment liquidation process -- how companies discard used office equipment: servers, routers, desktop computers, laptops, mobile devices, and external storage devices.
The liquidation process is supposed to work like this: a company hires an equipment vendor to buy, transport, and wipe clean the hard drives on the used office equipment it discards. The vendor is supposed to perform all of these tasks, and makes money by reselling the used equipment.
In reality, not all vendors consistently wipe clean the equipment they have been entrusted to cleanse. And, nobody at the client company checks or audits their performance. So, large amounts of sensitive data literally exit companies' doors on thousands of used copy machines, computers, laptops, and related office equipment.
It's the dirty little secret nobody within a company wants to discuss.
"LifeLock, Inc. has agreed to pay $11 million to the Federal Trade
Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the CEO’s Social Security number on the side of a truck. In one of the largest FTC-state coordinated settlements on record, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers. “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz."
"The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection."
Ponemon Institute released last month its list of the 20 most trusted companies for privacy. The list is compiled from an annual survey of 6,627 adults in the United States. Survey participants were asked to rank their most trusted companies from a list of companies provided. Highlights from this year's survey:
"Among the brands that made the top twenty were four not listed in the previous study, including Google, Weight Watchers, Walmart, and AT&T. Of the companies listed last year, Facebook, AOL, and eLoan did not make the 2010 list. 2009 was a tumultuous year for privacy, as illustrated by Facebook’s drop out of the top twenty in a year when they found themselves at the center of a very public debate over the evolution of their privacy policies and settings."
It's good to see that there is a "cost" when a Web site or company has confusing or constantly changing privacy policies and rules. Some other highlights:
"Consumers feel they are losing control of personal information: Only 41 percent of consumers feel they have control over their personal information, down from 45 last year and an overall drop from 56 percent in 2006."
The next finding definitely caught my attention:
"Identity theft is top of mind: 59 percent of consumers said fear of identity theft was a major factor in brand trust diminishment, and 50 percent said notice of a data breach was a factor. Other significant threats to brand trust were abuse of civil liberties and annoying “background chatter” in public venues."
The Top 10 most-trusted companies for privacy (with their prior year ranking in parentheses):
1. American Express (1)
2. IBM (3)
3. Johnson & Johnson (5)
4. Hewlett Packard (6)
5. E-bay (2)
6. U.S. Postal Service (6)
7. Procter & Gamble (7)
8. Amazon.com (4)
8. Nationwide (9)
9. USAA (11)
10. WebMD (13)
AT&T's jump up the list could be related to the telecommunications company's public statement about its behavioral targeting policy, which is more consumer-friendly than most companies. Then again, maybe the public has forgotten about AT&T's role with internal spying.
Identity thieves want far more than your credit card, debit card, and bank account information. They want your medical information. Why? For a variety of reasons, one of which I covered in yesterday's blog post. Another reason is to sell stolen medical information to others to get free health care they don't have access to otherwise.
ComputerWorld reported the results of a recent survey about medical identity theft:
"Roughly 5.8% of American adults have been victimized, according to a new survey from The Ponemon Institute. The cost per victim, on average, is $20,160... "The National Study on Medical Identity Theft" is based on findings from 156,000 people who agreed to discuss identity theft in general. Among those surveyed, 5.8% provided specific details about how they had been hit by medical ID theft, in particular."
Medical identity theft is defined as when another person uses stolen medical insurance information to acquire health care goods and services. Some key statistics from the survey:
"29% of victims of medical ID theft discovered the problem a year after the incident, and 21% said it took two or more years to learn about it... Nearly half of the victims (48%) lost coverage due to medical ID theft. Roughly 75% found resolution difficult, and only about 25% said there were no consequences due to the theft... 46% did not report the incident to law enforcement or other legal authorities... and 33% said the medical ID theft occurred because a family member used their medical ID for goods and services without their knowledge."
So, consumers should protect their medical insurance cards just as they would protect their debit/credit cards.
When law enforcement catches identity thieves and fraudsters, I like to acknowledge it.
Yet, some identity criminals never seem to learn. The Miami Herald reported:
"Last year, they were charged with running a racket to pilfer patient records from Jackson Memorial Hospital to sell to lawyers for personal-injury claims. Now Ruben E. Rodriguez and wife Maria Victoria Suarez have been indicted again for paying an ambulance-company employee to steal information on patients transported to Miami-Dade hospitals and healthcare clinics. That theft scheme dates all the way back to 1995, according to an indictment filed last week. In both federal cases, the Coral Gables couple are accused of brokering the stolen computer records of patients' names, addresses, telephone numbers and medical diagnoses to several attorneys in exchange for kickback payments. The lawyers paid them hundreds of thousands of dollars for the referrals after settling injury claims, authorities say... According to court records in the JMH case, one unidentified personal-injury attorney wrote 27 checks totaling $85,250 to a shell company incorporated by Rodriguez as kickback payments for the patient referrals between 2006 and 2009."
Hopefully, this couple -- and the lawyers that facilitated this scam -- will all be off to jail for a long time. And, I hope that the newspaper and the prosecutors publish the full list of attorneys and health care workers involved.