
14 posts from November 2010

Valid Corporate Email Or Phishing Email?

Late in October, I visited the Breyers Ice Cream website and submitted online comments about one of their ice cream products. The comments and feedback I submitted are not important. What is important are the two email messages I have received since then. The first arrived on November 12 and the second on November 19:

"From: Judy Brown (socialmedia@tcfcr.com)
Subject: Breyer's would like your feedback!
Date: Nov 19, 2010 9:01 AM

Your opinion matters to us. It is not only important to Breyer's that you think of us as providing the highest quality products, but also as delivering the very best customer service. We are looking for your feedback on the latest ways that people communicate with each other and the companies whose products they purchase.

It should only take a few minutes of your time and the results will be used by Breyer's to ensure we are meeting our customers’ needs in every possible way. Please click on the link below to take part in this important and timely study.

http://vovici.com/l.dll/JGsA550C6F994lKuD9U1198272J.htm

Thanks in advance for your feedback. If you would like to remove your name from this list, please send an email to unsubscribe@tcfcr.com with “Remove” in the subject or email. Please do not reply to this email. This mailbox is not monitored and you will not receive a response. If you have questions or concerns regarding a Breyer's product, please contact them directly."

At first I was tempted to click on the link since this message arrived soon after I had visited the company's website. But something didn't seem quite right with this email message. I began to wonder if it was a valid corporate email or a fake.

It seems to me that a valid corporate email should contain the company representative's name, title, address, and phone number. The message also should contain the corporate phone number for questions or feedback. This message didn't, so I started to believe this was a phishing email.

I did not recognize the vovici.com website domain in the link destination. Nor did I recognize the tcfcr.com domain name in the sender's email address. Both are different from Breyer's website address. This added to my suspicions that the email was a phishing email.

I do realize that companies often hire public relations agencies to operate their social media websites, and to process questions from both consumers and news media reporters. If so, email messages should clearly identify the agency hired, the agency's name, and a contact at the company to confirm the relationship. This message didn't contain any of that either.

Much later, I performed a Google search on tcfcr.com and learned that it is indeed a real company: The Center For Client Retention. I checked Snopes.com to see if it reported anything about the above email as a phishing email or hoax. Snopes didn't say anything about it, but there have been several phishing emails disguised as surveys.

Consumers should not have to go to these lengths to verify a company's email message as genuine or a fake. The sender's email address domain name should match the link destination for the survey, and both should match the company's website address.

In my situation, if the above email message was a follow-up or reply to my prior submission, it should have acknowledged it. Plus, Breyers already has my feedback about one of their products. I am looking for an answer from Breyers, not another web link to provide more feedback.

In the end, I concluded that the above email message was a phishing message intended to trick me (or any other consumer) into revealing sensitive personal information. If this was a valid corporate email, then it was a very sloppy, poorly executed one. I wonder if executives at Breyers are aware of it? Do they care?

What do you think? Was this a valid corporate email or a phishing email?
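As an added example (not code from the post), here is the post's rule applied mechanically: the sender's email domain, every link's domain and the brand's own website domain should all agree. The brand's website domain is not given in the post, so it is a parameter; the second message and the example-brand.example domain are constructed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# The message quoted in the post above, pasted back into header/body form.
# Headers are kept exactly as the post shows them; nothing else is added.
SURVEY_EMAIL = """From: Judy Brown (socialmedia@tcfcr.com)
Subject: Breyer's would like your feedback!
Date: Nov 19, 2010 9:01 AM

Your opinion matters to us. Please click on the link below to take part
in this important and timely study.

http://vovici.com/l.dll/JGsA550C6F994lKuD9U1198272J.htm

If you would like to remove your name from this list, please send an
email to unsubscribe@tcfcr.com with "Remove" in the subject or email.
"""

# A constructed message in which sender, link and brand domains all agree
# (example-brand.example is a placeholder, not a real company domain).
CONSISTENT_EMAIL = """From: Customer Care <survey@example-brand.example>
Subject: Your recent comments
Date: Nov 19, 2010 9:01 AM

Thanks for your comments. You can view our reply here:
https://www.example-brand.example/feedback/reply
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+\.\w+)")


def registrable_domain(host):
    """Reduce 'www.mail.example.com' to 'example.com'.

    Deliberately crude: it ignores multi-label public suffixes such as
    co.uk, which is fine for the .com names on this page.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(raw_from_header):
    """Domain of the first address found in the From: header, or None."""
    m = ADDR_RE.search(raw_from_header)
    return registrable_domain(m.group(1)) if m else None


def link_domains(body):
    """Sorted set of registrable domains behind every http(s) link in the body."""
    hosts = (urlparse(u).hostname or "" for u in URL_RE.findall(body))
    return sorted({registrable_domain(h) for h in hosts if h})


def check_survey_email(raw_message, brand_domain):
    """Apply the post's rule: sender domain, link domains and the brand's own
    domain should all match. Returns the extracted domains plus a list of
    human-readable findings (empty when everything is consistent)."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # single-part text message, so this is a str
    sender = sender_domain(msg.get("From", ""))
    links = link_domains(body)
    findings = []
    if sender is None:
        findings.append("no sender address could be parsed from the From: header")
    elif sender != brand_domain:
        findings.append(f"sender domain {sender} is not the brand's domain {brand_domain}")
    for d in links:
        if d != brand_domain:
            findings.append(f"link points at {d}, not the brand's domain {brand_domain}")
        if sender and d != sender:
            findings.append(f"link domain {d} differs from sender domain {sender}")
    if not links:
        findings.append("no http(s) link found in the message body")
    return {"sender_domain": sender, "link_domains": links, "findings": findings}


if __name__ == "__main__":
    # breyers.example stands in for the brand's real domain, which the post omits.
    for label, raw, brand in (("survey email", SURVEY_EMAIL, "breyers.example"),
                              ("consistent email", CONSISTENT_EMAIL, "example-brand.example")):
        result = check_survey_email(raw, brand)
        print(label, "->", result["findings"] or ["no mismatches"])
```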


When Your Employer Disables Your Personal Phone

This story is a warning about the risks of using your personal smart phone, tablet computer, or mobile device for your employer's work. NPR reported a story about how Amanda Stanton's employer killed her personal iPhone remotely, without notice and without authorization:

"... Amanda Stanton's iPhone suddenly went black. She had been talking on it and navigating with a GPS app during a work trip to Los Angeles. Then, without any warning or error message, the phone quit. Everything was gone — all her contacts, photos and even the phone's ability to make calls."

I would imagine that Stanton felt mugged. I know that I would have felt like I had been mugged. We consumers store so much personal information on our smart phones and tablet computers.

In this case, the Information Technology department at Stanton's employer accidentally wiped Stanton's smartphone clean with a command sent via an email. While that sounds like science fiction, it is indeed fact. According to the news story, many of today's smartphones and tablet computers come preloaded with software that enables key device features (e.g., the device itself, its camera, its web browser) to be turned on or off.

Did you know this? I didn't and I bet you didn't either. Stanton's experience is troubling because it was her personal iPhone and not the company's property. While it is convenient for consumers to use a single mobile device while traveling or away from the office, it may not be wise to use your mobile device for your employer's business. Stanton's experience highlights several issues consumers need to consider:

  • Lost/stolen mobile devices: the remote wipe function is helpful for consumers when your smartphone/tablet is lost or stolen. The thief is unable to use the device and can't access any sensitive personal data you have saved on it. Browse remote-wipe instructions for iPhone users, or for Palm Pre users. Browse data security suggestions for Blackberry users. Consumers with Android phones should consider using the Mobile Defense app.
  • Protection of company assets: the remote-wipe function is helpful for employers to minimize the data breach impact when smartphones or mobile devices contain proprietary company data or information about the company's clients, customers, processes, or financial statements. Plenty of data breaches have resulted from lost/stolen laptops. Smartphones and tablets represent the next wave of data breaches. It is wise to avoid storing company information on your personal smartphone or tablet PC.
  • Corporate policies: it is wise for consumers to know their employer's policy about using personal mobile devices for company business. The policy may require the employee to waive certain rights. In Stanton's case, she decided it was too risky to use her personal iPhone for company business. The same risks may apply to you. The employer's policy may be one-sided, effectively giving the employer the right to control the employee's personal device. Or worse: the employer may not have a policy at all, leaving things vague or inconsistently handled by the employer's Information Technology or security department.
  • Safety Issues: Stanton's situation could have placed her personal safety at risk. I shudder to think of a woman traveling alone in a strange city who may need help, only to find her smartphone doesn't work due to a remote wipe. Stanton's situation could have had really negative, unintended consequences.
  • Password Protection: you should password-protect your phone so only you can use it. You can set your phone to automatically self wipe after X number of failed sign-in attempts.

If an employer lacks a policy for mobile devices and events like Stanton's continue to happen, then I expect the issue will get resolved in the courts. As the author concluded:

"... there's now a breakdown of the old paradigm that your company controls work devices and you control yours and 'never the twain shall meet.' "

Breakdown, indeed. For the reasons listed above, it is wise to keep your business and personal information on separate mobile devices. What do you think?


More RSS Feeds Are Available On The I've Been Mugged Blog!

I am happy to announce two new features for this blog:

The first feature allows you to more easily follow comments about a specific I've Been Mugged post. You no longer have to revisit the blog post to see if somebody replied to your comment. To follow comments about a specific blog post, look for the orange RSS icon and this sentence at the bottom of the blog post:

"You can follow this conversation by subscribing to the comment feed for this post."

Next, click on either the orange RSS icon or the "comment feed" text link. Then, follow the instructions in your web browser. It's easy!

The second feature allows you to follow I've Been Mugged posts about a topic. The tag cloud in the near right column lists all topical categories. There are more than 50 to choose from. For example, "Court Cases" includes both lawsuits decided and new class actions filed.

To follow blog posts about a topical category, click on a category name in the tag cloud. On the next page, you will then see an orange RSS icon next to the title for that category. Click on the orange RSS icon and follow the instructions in your web browser to subscribe to the RSS feed for that topical category.

Of course, the RSS icon on the home page lets you follow all I've Been Mugged blog posts.

Have a safe, enjoyable holiday! Posts resume on Monday.


Nearly 1 Million Lifelock Customers To Receive Checks From The FTC

Well, this press release says it all. Last Thursday, the U.S. Federal Trade Commission (FTC) announced in a press release that it is mailing refund checks to victims of Lifelock's allegedly false marketing claims:

"In March 2010, FTC Chairman Jon Leibowitz announced that LifeLock had agreed to pay $11 million to the FTC and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the company’s CEO’s Social Security number on the side of a truck. The FTC charged that LifeLock provided less protection against identity theft than promised and made claims about its own data security that were not true. Consumers who signed up for LifeLock’s services based on those false claims will now be receiving refund checks."

Celebrities including Rush Limbaugh and Montel Williams promoted Lifelock's services. Consumer Reports reviewed Lifelock's services. In 2008, Experian sued Lifelock about the placement of Fraud Alerts, and in 2009 a California District court ruled in Experian's favor.

About 957,928 consumers will receive checks for $10.87 each. This will be the entire and only distribution to eligible consumers. If you have questions about eligibility, contact the administrator toll-free at 1-888-288-0783, or visit www.ftc.gov/refunds.


The 10 Most Dangerous Facebook Pages

Are some Facebook pages more dangerous than others? Which Facebook pages are infected with computer viruses? Which Facebook pages are likely to infect your posts with spam?

There is a good blog post at the SafeToBe.Me blog titled "Top 10 Most Dangerous and Spamiest Facebook Pages" that answers these questions. SafeToBe.Me is the name of both the Facebook application ("app") and the data-security company that produces the app:

"The application looks for spam, malware, phishing scams, automatic file downloads, and strong language. SafeToBe.Me scans Facebook Pages, status updates, comments to statuses, and application posts, and notifies users of any potential spam or danger."

The application monitors the 5,000 most popular Facebook pages. Obviously, there are more than 5,000 Facebook pages. That means there are dangerous Facebook pages that are not yet monitored, because those pages either aren't as popular or their owners haven't enabled the app.

Actually, the application produces two top-10 lists weekly. One list includes Facebook pages whose status message timelines contain dangerous phishing, malware, and/or computer viruses. The second list includes Facebook pages that produce the most spam. Farmville, a popular Facebook application, is on both lists.

An application like this is long overdue, because spammers and identity thieves are using Facebook more and more. With 500 million members, spammers and identity criminals would naturally target Facebook.com. I want an app like this to monitor the multitude of apps available for consumers' smart phones, PDAs, and tablet computers.

Since the list of dangerous pages changes weekly, I did not mention this week's list in this blog post. You can visit the SafeToBe.Me blog to read the latest list for yourself. You may recognize Facebook pages that you already like, or pages that you plan to visit. You now know which Facebook pages to avoid.

What do you think of this app? Would you like a similar app to scan the apps on your tablet computer or smartphone?


Report Cites Causes of Numerous Breach History in The State of Hawaii

A post last week covered several historical data breaches at the University of Hawaii. It seems that some government officials in the State of Hawaii are concerned and finally taking action about breaches across the state.

At the request of Hawaii State Senator Mike Gabbard, the Liberty Coalition, a Washington-based policy institute, analyzed the history and causes of all data breaches in the state since 2005. The trigger for this was the latest breach at the University of Hawaii which affected 40,000 students and alumni. Earlier this week, the Liberty Coalition issued Part 1 of its report (PDF format). Key findings from the report were pretty damning:

  • "Since 2005, at least 479,000 Hawaii records have been breached: Almost one for every three residents."
  • "The University of Hawaii is responsible for 54% of all breaches in Hawaii (259,000 records); more than all other Hawaii organizations combined."
  • "As the single biggest contributor to Hawaii data breaches, the University of Hawaii has a pattern of breaches and unfulfilled promises."
  • "Neither business nor academic organizations have adequate market incentives to keep personal information secure."
  • "Breach notifications are vague and fail to empower victims. Victims cannot know which breach caused identity fraud, cannot hold organizations accountable, or protect themselves."

The breaches happened in a variety of ways, including hacking, lost or stolen laptops, negligence, or a combination of ways. I found this finding key:

"Although each breach event may differ slightly, Hawaii has a policy climate which does not give its citizens sufficient means to protect themselves from breaches. If identity fraud occurs, the entire burden rests on the individual to recover. In contrast, a breaching organization usually bears no responsibility to help victims recover."

That is a playing field heavily tilted toward businesses and against consumers, students, and residents. The historical list of breaches in Hawaii since 2005:

  1. June, 2005: University of Hawaii (UH) - 150,000 records
  2. September, 2005: Internal Revenue Service (IRS) - 2,300 records
  3. October, 2005: Wilcox Memorial Hospital - 130,000 records
  4. November, 2005: Safeway - 1,400 records
  5. April, 2006: NewTech Imaging - 40,000 records
  6. January, 2007: Wahiawa Women, Infants and Children program (WIC) - 11,500 records
  7. August, 2007: United States Postal Service - 3,000 records
  8. April, 2009: Hawaii Department of Transportation - 1,892 records
  9. April, 2009: UH - 15,487 records
  10. June, 2009: A Hawaii Hospital - ~1 record
  11. November, 2009: Chaminade University - 4,500 records
  12. February, 2010: UH Breaches - 35 records
  13. April, 2010: Blood Bank of Hawaii's Donor Center - 25,000 records
  14. June, 2010: Destination Hotels & Resorts - 500 records
  15. June, 2010: UH - 53,821 records
  16. October, 2010: UH - 40,101 records

The report's conclusion about the University of Hawaii:

"If UH had fulfilled its multiple promises to the Hawaii legislature and UH alumni, then all of its subsequent breaches would have been prevented or substantially mitigated. The fact that breaches continue to occur is evidence that UH has not implemented its policies, nor fulfilled its promises to the legislature. The Hawaii legislature must hold UH accountable..."

Business and higher education executives need to be fired, fined, and/or jailed. Or perhaps an entity needs to lose its funding temporarily. Business as usual is not acceptable. The report's conclusions about the state's existing laws about data ownership:

"Unfortunately, Hawaii law asserts, without legal precedent, that organizations may “own” or “license” personal information. The notion that organizations can “own” personal information is a threat to privacy because if you can own my personal information, you can own me. But intellectual property rights in personal information have little basis in law. Most personal information, such as names, addresses, phone numbers, and social security numbers are facts. Facts are not copyrightable. Personal information is not patentable..."

A threat to privacy? If Hawaiian residents don't own their personal information, they have no control over it. That means, effectively, no consumer privacy.

Part 2 of the report is due during the coming months. I look forward to reading responses from the Governor and state senators about the report's findings. If the state's legislature fails to publicly debate and implement stronger breach laws with consumer protections, then I hope residents elect new state representatives during the next elections. Or maybe a dip in tourism will prompt the needed changes.

The Liberty Coalition is an independent public policy organization that focuses on issues about civil liberties, basic rights, and individual privacy. The coalition works with 80 partner organizations, and operates the National ID Watch project and the Privacy Commons. The report is good work.


What To Do When Your Tablet Computer/Mobile Device Is Lost or Stolen

Consumers are storing more and more information on their mobile devices: smart phones and digital tablets. Perhaps you own an Apple iPad, ViewSonic ViewPad 7, Maylong M-150, or Samsung Galaxy Tab. These devices are fun to use and convenient. What do you do when yours is lost or stolen?

First, I am going to assume that you backed up any information (contacts, phone numbers, documents, etc.) you saved on your tablet computer. And, I am going to assume that you listed your new tablet computer on your homeowner's (or renter's) insurance policy. And, I am going to assume that you did not password protect your tablet computer.

The good people at the Identity Theft Resource Center (ITRC) provide many helpful step-by-step instructions about what to do in situations like this. A lot of what you must do next depends upon what sensitive personal information you have stored on your shiny, new tablet computer.

  1. Did you save on your tablet computer any sign-in credentials to your bank or financial accounts?
  2. Did you download and save any statements for other accounts (e.g., utilities, department store charge cards, telephone accounts, store membership information)?
  3. Did you save on your tablet the names, addresses, birth dates, e-mails, and similar personal information of friends and/or family?
  4. Did you download any confidential property (e.g., customers' contact information, prospective customers' contact information, employee employment records, medical records, etc.) from your employer's online systems?
  5. Did you save on your tablet computer any codes, passwords, or access information and procedures to your employer's bank accounts or proprietary information (online or offline)?

If #1 applies, obviously you will need to contact your bank(s). Think about if you do online banking and electronic money transfers. You may have stored several account numbers on your tablet computer.

If #2 applies, you will need to contact the appropriate retailers and businesses.

If #3 applies, you will need to alert your friends and family. Criminals may use the data on your stolen tablet computer to send out spam email/text messages, and/or send out phishing email/text messages. Criminals may try to impersonate you on social networking sites to trick your family and friends into wiring money to them (e.g., a variation of the "grandparent scam").

If #4 or #5 apply, you will need to inform your employer or school since state laws may require it to disclose data breaches to state government. If your school or employer owns the tablet computer, then you should follow their instructions and policies regarding lost/stolen equipment. An increasing number of higher education schools -- and some secondary schools -- are integrating mobile devices into their classroom study and curriculum. Ideally, the school will also offer training classes about good data security habits.

Steps you should do if your tablet computer is lost or stolen:

  • Change the passwords to any online accounts or email accounts associated with your mobile device. You may also have to alert the data plan provider about the theft.
  • File a police report. List the items stolen and the contents. Get the business card of the officer or detective you meet with. Keep a copy of the police report as you may need it later with insurance companies.
  • If your mobile device was stolen at work, you should notify the Human Resources department at your employer and follow any related personnel policies about workplace theft.
  • If your health insurance information was stolen, notify your insurance provider. You don't want somebody else gaining healthcare in your name. Plus, this will corrupt your medical record. Request a replacement policy account.
  • If your auto insurance information was stolen, notify your insurance provider. You don't want somebody else using your information in an accident. Request a replacement policy account.
  • File a Fraud Alert if your sensitive personal information (e.g., name, address, birth date, Social Security Number) has been stolen or exposed. This is enough information for criminals to apply for loans in your name. Do this from your home phone as most credit reporting agencies use automated phone systems. If you have a credit monitoring service, it may do this for you.
  • Contact the U.S. Citizenship & Immigration Services (USCIS) and/or your country's embassy if immigration papers and information were stolen.
  • File an identity theft complaint with the U.S. Federal Trade Commission. They track this activity and need to know in order to develop effective commerce and security rules for businesses.
  • In a couple months, check your credit reports for fraudulent entries. File a Security Freeze if criminals have already applied for or obtained loans or credit in your name. Fees vary by state, and you will need to contact in writing the three leading credit reporting agencies.

Keep a log and printed copies of all correspondence. Request printed confirmation of any accounts closed.

Be safe and hopefully you won't need the information in this blog post.


FTC Wins $3.6 Million Judgement Against Payments Processor Who Helped Deceptive Telemarketers

This is news I like to read about. Earlier this month, the U.S. Federal Trade Commission (FTC) announced in a news release that a federal court judge had ruled in its favor against a payment transactions processor that had helped telemarketing companies place charges on consumers' bank accounts that consumers did not request nor authorize:

"According to a 2007 complaint filed by the FTC and seven states, Your Money Access, LLC and its subsidiary, YMA Company, LLC, processed unauthorized debits on behalf of deceptive telemarketers and Internet-based schemes that were violating the FTC’s Telemarketing Sales Rule and state consumer protection laws. The companies played a critical role in these schemes by providing access to the banking system and the means to extract money from consumers’ bank accounts."

The states involved with the FTC lawsuit were Illinois, Nevada, North Carolina, North Dakota, Ohio, and Vermont. In October 2008, a default judgment stopped Your Money Access and YMA Company from payment processing for any company that conducted deceptive, unfair, or abusive business practices, as defined in the FTC Act, the Telemarketing Sales Rule, and state consumer protection laws. According to the 2007 FTC complaint (PDF format):

"Since at least November 2003 through on,or about December 1, 2006, defendants, through YMA, offered payment processing services to hundreds of client merchants.... Between June 23, 2004 and March 31,2006, YMA processed on behalf of its client merchants more than $200 million in debits and attempted debits to consumers' bank accounts. Of these attempted debits, more than $69 million were ultimately returned or rejected by consumers or consumers' banks for various reasons, evidencing the lack of consumer authorization."

You can view online the October 2010 judge's order (PDF format). According to BusinessWeek, Your Money Access LLC went bankrupt in 2008. Your Money Access, LLC was located on West Lake Mary Boulevard in Lake Mary, Florida. It operated under several brand names including Netchex Corp., Universal Payment Solutions, Check Recovery Systems, Nterglobal Payment Solutions, and Subscription Services, Ltd. YMA, a wholly-owned subsidiary of Your Money Access, was located at the same address. Derrelle Janey was the President, and Tarzenea Dixon was the Chief Executive Officer of Your Money Access.

The FTC advises consumers to perform these steps if you are billed for products or services that are never delivered:

  • If you were billed on your credit card, write to the bank that issued your credit card at their address for "billing inquiries" (not the address to send payments to). Describe in your letter the billing error and the amount. Also include your name, address, and account number.
  • Your letter must arrive at your credit card issuer within 60 days of the bill that contained the error.
  • Send your letter by certified postal mail, return receipt requested. That way, you have proof of when your letter arrived at your credit card issuer.
  • To support your description, include copies (not originals) of sales receipts with your letter. Keep a copy of your letter for your records.
  • Send your letter to the correct company. For example, if you have a Visa credit card, look on the back of your statement for the correct address, so you send your letter to the bank that issued your card, not to Visa.

The FTC website provides a sample dispute letter. By law, your credit card issuer must acknowledge your complaint in writing within 30 days after receiving your letter, unless the problem has already been resolved. Your credit card issuer must resolve the dispute within two billing cycles (but not more than 90 days) after receiving your letter. You do not have to pay the disputed amount, but you have to pay the rest of your credit card bill and applicable interest charges.

If you paid with a debit card, contact the bank that issued your debit card to see what protections are offered. You may or may not have the same protections as purchases made with a credit card. See the FTC website for additional information if you ordered the products or services via mail or telephone.

 


Ringleader Digital And Others Sued For Using "Zombie Databases" on Consumers' Mobile Devices

Advertisers and tracking companies have gone to great lengths to track consumers' Internet usage on laptop and desktop computers. 28% of mobile subscribers have smart phones. As consumers have shifted their usage to mobile devices (e.g., smart phones, PDAs), online tracking has followed.

I read the Aughenbaugh et al v. Ringleader Digital Inc et al complaint (PDF format; 1.3 MBytes) filed in California District Court. The class-action lawsuit alleged that Ringleader Digital and the other companies intentionally exploited software on mobile devices to track consumers' Internet usage, since many consumers now use mobile devices to surf the Internet instead of their laptop or desktop computer.

A prior blog post discussed how companies use "zombie cookies" to track consumers' Internet usage by regenerating browser cookies that consumers deleted from the web browsers on their laptop or desktop. Because browser cookies are not as useful for tracking Internet usage on mobile devices, the companies in this lawsuit used a new tracking scheme:

"Defendants found the solution to their problem with HTML 5. A large number of hand held mobile devices, such as the iPhone, use HTML 5 software to operate the mobile browsers on these devices. The HTML 5 software contains local storage databases that allow websites to store information on these devices..."

You could call this database of consumer information a "zombie database" since consumers cannot delete the tracking database on their mobile devices, and when deleted the database recreates itself immediately. Is that what you want on your mobile device? I doubt it. Me neither.

The companies named in the lawsuit are CNN, Surfline/Wavetrack, Whitepages, Travel Channel, Accuweather, Go2 Media, Merriam-Webster, and Medialets. All of these companies operate mobile website versions of their traditional websites. All of these companies allegedly use Ringleader Digital's Time Stamp technology. With its Media Stamp (TM) product, Ringleader Digital allegedly collected sensitive personal information about millions of smart phone users in this way:

"When a mobile website that uses media Stamp is accessed, Ringleader's own databases collect information from the mobile device and the Media Stamp technology assigns Plaintiff's mobile device a "unique" identifying number. Ringleader stores this number on its database and uses the HTML 5 storage databases on the users' hand held mobile devices to store the assigned "unique" identifying number."

Were you aware that your Internet usage with your smart phone was being tracked this way? Did you authorize any companies to do this tracking and/or save information to your smart phone? I'll bet you didn't. This is huge also because:

"The HTML 5 database is titled RLGUID, which stands for Ringleader Global Unique ID. With a unique identifying number that is assigned to a specific mobile device, Media Stamp allows Ringleader Digital, advertisers, ad agencies and website publishers to track a user's web browsing movements across the entire Internet and not just one particular website."

Think about that and when you used your smart phone to do online banking, accessed your health records, and/or researched medical conditions online. Do you want all of this tracked? I doubt it.
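As an added example (not code from the post or from Ringleader Digital), here is a consumer-side audit of a page's HTML5 localStorage: it flags opaque, machine-assigned identifiers such as the RLGUID key named in the complaint, removes them, and then shows why removal alone does not stick while the site's own script keeps writing the identifier back on every page load. The storage class, the key-name and value heuristics, and the sample identifier are constructed; in a browser you would pass window.localStorage instead.

```javascript
// Minimal stand-in for window.localStorage so the example runs under Node.
// It exposes the same length/key/getItem/setItem/removeItem/clear interface.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { const keys = Array.from(this.map.keys()); return i < keys.length ? keys[i] : null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
}

// Heuristics for values that look like assigned identifiers rather than
// ordinary preferences: UUIDs, long hex strings, long base64/urlsafe tokens.
const ID_VALUE_PATTERNS = [
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,
  /^[0-9a-f]{16,}$/i,
  /^[A-Za-z0-9+/_-]{20,}={0,2}$/,
];
// Key names that advertise their purpose (RLGUID = "Ringleader Global Unique ID").
const ID_KEY_HINT = /guid|uuid|visitor|tracking|device/i;

// Walk every key in the storage object and report the ones that look like
// persistent identifiers, with the reason(s) each one was flagged.
function findTrackingIdentifiers(storage) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key);
    const reasons = [];
    if (ID_KEY_HINT.test(key)) reasons.push('identifier-like key name');
    if (ID_VALUE_PATTERNS.some((p) => p.test(value))) reasons.push('identifier-like value');
    if (reasons.length) hits.push({ key, value, reasons });
  }
  return hits;
}

// Remove every flagged key and return the list of keys removed.
function clearTrackingIdentifiers(storage) {
  const removed = findTrackingIdentifiers(storage).map((h) => h.key);
  removed.forEach((k) => storage.removeItem(k));
  return removed;
}

// Models the behaviour the complaint describes: on each page load the site's
// script finds the key missing and writes it back. The value it writes is
// supplied by the caller, because the post does not say how the server
// re-associates a device after the local copy has been deleted.
function simulateSitePageLoad(storage, assignedId) {
  if (storage.getItem('RLGUID') === null) storage.setItem('RLGUID', assignedId);
  return storage.getItem('RLGUID');
}

// Run the whole cycle on a constructed storage: audit, clear, reload, audit again.
function demo() {
  const storage = new MemoryStorage();
  const id = '3f2504e0-4f89-11d3-9a0c-0305e82c3301'; // constructed sample value
  storage.setItem('theme', 'dark');                   // ordinary preference, not flagged
  storage.setItem('lastArticle', '/weather/today');   // ordinary state, not flagged
  simulateSitePageLoad(storage, id);                  // first visit plants the identifier
  const before = findTrackingIdentifiers(storage).map((h) => h.key);
  const removed = clearTrackingIdentifiers(storage);
  const afterClear = findTrackingIdentifiers(storage).length;
  simulateSitePageLoad(storage, id);                  // user reloads the page
  const afterReload = findTrackingIdentifiers(storage).length;
  return { before, removed, afterClear, afterReload };
}

console.log(demo());
```

The afterReload count going back to 1 is the "zombie" effect: clearing storage only helps if the site's script is also prevented from running, which is why an opt-out that depends on the tracker's own cooperation is weak.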

If you read the online terms and conditions policies at the websites for the companies listed above, you still wouldn't know about the mobile tracking:

"CNN, Surfline, Accuweather, Go2.com, Whitepages, Merriam-Webster's and Travel Channel's privacy policies inadequately inform Plaintiffs of the extent in which they are being tracked by an unidentified third party... most of the Defendants' sites fail to address or identify Ringleader and media Stamp at all. Accuweather, Surfline, Go2,.com and CNNmoney.mobile do not even have a privacy policy on their mobile webpage."

Ringleader Digital launched in October 2010 a certification program for its Time Stamp clients. What? They weren't doing this already? This new certification program sounds like too little, way too late, since Ringleader started in 2005.

Plus, the certification program requires Stamp clients to provide consumers with both a mobile tracking opt-out mechanism at their website, and a link to the mobile tracking opt-out mechanism at Ringleader's website. Opt out? We've heard this sad song before.

Ringleader's approach is to automatically include all mobile users in tracking, and place the burden on consumers to opt out of the mobile tracking. We've seen this approach before in various behavioral advertising programs, and it is too easy to override consumers' opt-out choices as new Media Stamp clients join, or as mobile privacy policies change.

If Ringleader Digital and its Media Stamp clients are as customer focused as they claim, then the tracking program default should be all mobile users excluded, with an opt-in mechanism. If Ringleader's program is as good as the company claims, then consumers will opt in. Let the marketplace decide.

Back to the class-action complaint. The sensitive personal consumer data collected:

"... Ringleader Digital, at a minimum, collected browser identifiers, session information, device type, carrier provider, IP addresses, unique device ID, carrier user ID, and web sites visited... it is unclear if they collect telephone numbers and specific names..."

According to Courthouse News Service, a second class-action lawsuit filed last week in New York State (Hillman et al v. Ringleader Digital) alleged the data collected also included:

"... gender, age, race, number of children, education level, geographic location, and household income... what the web user looked at [online] and what he/she bought, the materials he/she read, details about his/her financial situation, his/her sexual preference, his/her name, home address, e-mail address and telephone number, and even more specific information like health conditions..."

In this second class-action lawsuit, one of the affected consumers is 12 years old. So the mobile tracking of a minor allegedly broke the Children's Online Privacy Protection Act, in addition to other laws. Yes, minors use mobile devices, too.

When I read about situations like this, I wonder what ill-gotten consumer information collected by Ringleader Digital is also shared with mobile device apps. We've seen this abuse happen on social media sites.

When I read about situations like this, it is sad and depressing. First, there is the mobile tracking without disclosures and without obtaining consumers' consent. Second, today's mobile devices are more like personal computers than the simpler cellular phones of eight years ago. Yet, mobile devices are still marketed with the walled garden approach of cellular phones from 10 years ago.

Most mobile devices are still restricted to a single telecommunications network, and to a single online store for apps. Do you shop in the physical world at a single store? I don't. Plus, the list of apps is prescreened and censored. Many mobile devices restrict which apps you can disable or uninstall.

I don't have these restrictions with my laptop/desktop, and I don't want them with my mobile device. (Many social networking websites, like Facebook, are walled gardens too, but that is another discussion.) The freedom of choice is how we consumers exercise power in the marketplace.

No matter how cool the interface on an Apple iPhone or iPad is, giving up the power of choice in the marketplace for convenience is giving up too much.

I want the freedom to install any software I want on my mobile device; especially to manage any tracking mechanisms. That includes software like MAXA Research, which I use on my laptop to manage and delete (LSO) tracking files.

What do you think of the mobile tracking? Of the related issues? Are you happy with today's mobile devices and the restrictions?

[Correction: this blog post has been updated to list the Hillman et al v. Ringleader et al class-action lawsuit filed in New York Southern District court. The post originally mentioned a class action filed in Texas.]


How To Spot a Phishing Email Message

Yesterday, this email message arrived in my inbox:

"From: Citibank.message@emailmessage.citibank.com
Date: November 9, 2010 5:37 PM
Subject: View Your Account (Action Required)

Citibank Fraud Prevention

Due to your recent account activity, you need to confirm that the last transactions were made by you or another authorized user of the account. You can do this by following the link below:

https://online.citibank.com/US/JSO/signon/DisplayUsernameSignon.do

Once your activity is confirmed, you can continue using your account normally.

Thank you for banking with Citibank!
Citi Online Banking Security"

Do you think that this email message was real? I hope not because it was a fake... a fraud, a phishing email that tried to trick me into clicking on the link to reveal my financial account sign-in credentials (e.g., ID and password). It was easy to recognize this phishing email:

  • I don't rely on the sender's email address in the From line. Email addresses can be faked. A closer inspection of the email message is always wise
  • The subject line is blatant: "Action Required"
  • A bank or financial institution would never send an email message like this asking me to verify transactions. My bank does send alerts which I set up and customized myself for my own account management. The alerts from my bank look nothing like this and are triggered by a different set of factors
  • Usually spelling mistakes and grammatical errors are tip-offs to phishing email messages. This one was pretty good, but a tipoff was the insistence that I had to verify something
  • While the destination website address looked like a real CitiBank website address, it wasn't. I always mouse over a link first to see the actual destination in the bottom of my email message window. The real website destination is a page at Benburns.com. I don't do banking at BenBurns.com and I doubt that you do either
  • The message implies my account was suspended: "Once your activity is confirmed, you can continue using your account normally." My bank wouldn't do this.
  • There are websites that track phishing messages. If you aren't sure, you can search a website like PhishTank, which clearly lists the BenBurns.com destination site as a phishing site
  • I don't have a bank account with CitiBank
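The mouse-over check above (displayed link text says one bank, the real href goes elsewhere) can be automated for a whole HTML message. The script below is an added example, not part of the original post; the sample email body is constructed and the destination host "phish.example" is a placeholder, not the site named in the post.

```python
"""Flag links in an HTML email whose visible text looks like a URL on one host
while the real href points at another (the classic phishing tell).

Added example, not from the original post. SAMPLE_EMAIL is constructed;
"phish.example" is a placeholder host."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that a reader would take for a web address
_URLISH = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|www\.)|^[\w-]+(?:\.[\w-]+)+(?:/|$)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url):
    """Last two DNS labels of the URL's host (naive: a public-suffix list is
    needed to handle hosts such as example.co.uk correctly)."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_mismatched_links(html):
    """Return (visible_text, real_href) pairs where the shown address and the
    actual destination resolve to different registrable hosts."""
    parser = _LinkCollector()
    parser.feed(html)
    return [
        (text, href)
        for href, text in parser.links
        if _URLISH.search(text) and registrable_host(text) != registrable_host(href)
    ]


# Constructed sample modelled on the message quoted above
SAMPLE_EMAIL = """<p>Due to your recent account activity, you need to confirm the last
transactions were made by you. You can do this by following the link below:</p>
<p><a href="http://phish.example/confirm.php">https://online.citibank.com/US/JSO/signon/DisplayUsernameSignon.do</a></p>
<p>Alerts are managed at <a href="https://online.citibank.com/alerts">online.citibank.com/alerts</a>.</p>
<p><a href="http://phish.example/unsub">Unsubscribe</a></p>"""

if __name__ == "__main__":
    for shown, real in find_mismatched_links(SAMPLE_EMAIL):
        print(f"shown: {shown}\n  real: {real}")
```

Only the first link is flagged: the second matches its text, and the third shows no address at all, so its destination has to be judged by other means.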

The phishing message was easy for me to spot. Some are more difficult, as criminals create messages that appear to come from a friend, an employer, or a website you use regularly (e.g., eBay, PayPal). If you use the Internet, you need to develop your skill at recognizing phishing email messages. Phishing is a popular tool of identity thieves. Recently, phishing criminals have targeted U.S. military members and their families.

How did the fraudster get my email address? Most likely, a fraudster collected my email address since it is displayed on my I've Been Mugged blog. To learn more about how to spot phishing email messages, visit these resources:

I scored 100% correct on the PayPal quiz. How did you do?


The University of Hawaii Majors In Data Breaches

I love the Hawaiian islands. I have visited there twice. First in 1979 and then in 2004. The second trip was a cruise from Honolulu around the islands. The weather, food, and surf were enjoyable. Unfortunately, its university has suffered data breaches like other colleges and universities around the USA.

In July 2010, the University of Hawaii at Manoa announced a data breach with its Parking Office database affecting about 40,000 persons. The breach occurred on May 30, was discovered on June 15, and breach victims were notified July 6. The data exposed included Social Security numbers and personal information for these individuals, plus information for 200 credit cardholders. A few weeks later, the number of affected persons was revised upwards to 53,000. Affected individuals included:

"UH Mānoa faculty and staff members employed in 1998... faculty and staff employed within the UH system in 1998 and any registered student at UH Mānoa in 1998... Anyone who had business with the UH Mānoa Parking Office between January 1, 1998, and June 30, 2009..."

Basically, a lot of people related to the university were affected. In its announcement, the university referred breach victims to a website page with information about how to access their credit reports. The university did not offer its breach victims any credit monitoring or credit resolution services. Not good. Organizations usually do this, but not the UH.

In its July 2010 announcement, the university said:

"To protect personal information from further unauthorized access, Social Security numbers are no longer used for parking transactions, and are being purged from all current and historic Parking Office databases. Additional security measures that are being taken include strengthening internal automated network monitoring practices, and performing extensive evaluations of systems to identify other potential security risks."

The university is just getting around to implementing these security measures? That might be understandable if this was the university's first data breach. Sadly, it wasn't.

In June 2005 the University of Hawaii Library in Honolulu experienced a breach where the personal information of 150,000 students, faculty, staff and library patrons was exposed and stolen. At that time, the university used Social Security numbers to track who checked out library materials. A former employee gained access to the personal information and used the Social Security numbers to obtain fraudulent loans.

And in May 2009, the university experienced another breach at its Kapiolani Community College campus in Honolulu. In this breach, 15,487 students who applied for financial aid were affected after an information-stealing computer virus was found on one of its Internet servers. The infected computer was connected to a network with names, addresses, phone numbers, dates of birth, and Social Security numbers.

So, with this breach history the parking office is just getting around to removing Social Security numbers from its databases? Five years later?

But there is more. On October 29, 2010 the university experienced yet another breach. This breach at the University of Hawai'i West O'ahu (UHWO) in Pearl City included 40,101 records affecting students and alumni at both the UH and the University of Mānoa. The data exposed included names, Social Security numbers, birth dates, addresses and academic information. Reportedly, the faculty member who accidentally placed the files on an unencrypted Internet server retired before the breach was discovered.

This breach history makes me wonder if the University of Hawaii is serious about data security; if the senior executives at the school get that the school has a security problem. The school's latest announcement doesn't mention any training of faculty and staff about good data security habits. As Dark Reading noted:

"The vast majority of the breached information was placed online... by a now-retired Institutional Research Office (IRO) faculty member... he had [also] transferred large amounts of student information to his home computer for easier access. He deleted the remainder of this information after this breach came to light. The University of Hawaii has not commented on how many other faculty members have transferred student personal information to their home computers."

Sounds like the university needs a Chief Security Officer to help it develop some effective data security policies and then train the appropriate faculty and staff. Otherwise, more breaches will likely happen. If the university already has a CSO, then it needs a new one.


13 Things Not To Post On Facebook Or Any Social Media Site

It was good to read this Huffington Post slideshow: "What Not to Post on Facebook: 13 Things You Should Not Tell Your Facebook Friends." The first item on the list is an item I warned readers about way back in March 2009. Some of the items on the list might surprise you, like your children's names.

A lot of supposedly smart people I know in website design and development positions at digital advertising agencies insist on posting/tweeting their daily locations and home/work travel. That is a no-no, too. When you do that, you make it easy for a criminal to data-mine your social media profile stream and construct a daily pattern of when you are at work, home, the gym, grocery shopping, and picking up the kids from daycare.

Post about a vacation or an extended business trip only after you return home. When do I go on vacation? You'll never know, because the blogging software I use lets me preset blog post publishing times. So, new blog posts are published when I am not at my computer.

The list of things you should not post on Facebook (or any other social media website):

  1. Your birth date: identity criminals use this to distinguish between multiple people with the same name
  2. Your mother's maiden name: a common security question used by many websites
  3. Your home address
  4. Your long trips from home
  5. Your short trips from home

Items that weren't on the HuffPost list and should have been:

  • Criminal activity or laws you have broken
  • Confidential information about your employer
  • Your Social Security Number or equivalent taxpayer identification number
  • Your Medicare card number
  • Things (e.g., pets' names, children's names, favorite colors, favorite celebrities) you also use as passwords for your financial accounts

To read the full list, visit the Huffington Post website.


A Primer On Credit Scores

Lately, it seems like many websites are offering free credit scores. Some of those websites, like FreeScore.com, I have reviewed in this blog. But there are others. Consumers should know that there are different brands of credit scores. Here is what you need to know about credit scores:

1) A credit score is a three-digit number banks and lenders use to decide whether or not to give you credit. Examples of credit are mortgages, bank loans, auto loans, and credit cards. A variety of companies use credit scores, including banks, credit card issuers, telephone companies (e.g., landline, cellular), landlords and utilities (e.g., gas, electric companies).

2) You should check your credit score before you apply for a loan. Why? It will give you a good idea of your chances of being approved for a loan or credit. According to About.com:

"People with credit scores lower than 620 find it harder to get applications approved and are left with higher interest rates."

3) Not all credit scores are the same. If your credit score is 802, that means one thing if the high end of that credit score brand is 850; and it can mean something different if the high end of that credit score brand is 990. Knowing both the brand and the range of the credit score is important. You may encounter the term "FAKO score." That term refers to any credit score that is not the myFICO brand credit score.

4) Several events will negatively affect your credit score. When credit score producers calculate your credit score, they look at your credit history. Examples of events that will lower your credit score include: paying late, defaulting on a loan, high balances on your credit cards, and a personal bankruptcy. See this page at About.com for the list of 15 events that negatively affect credit scores.

5) You need to know which credit reports and credit score brand your bank or lender uses to evaluate your credit worthiness and risk. You don't want to buy a credit score brand you don't need. You don't want to buy credit score brand X while your bank or lender uses brand Y.

6) Some sources, like the credit reporting agencies, will sell to you both their credit score brand and other credit score brands. You may or may not find this helpful. Compare prices and see #5.

7) If you are a victim of identity fraud, then criminals have both stolen your identity information and obtained credit (e.g., loans, mortgages, services) fraudulently in your name. Obviously, the criminals don't plan to pay off the loans they have obtained in your name. When they fail to make payments, it will negatively affect your credit scores. Plus, the lenders will come to you looking for payments. So, it is important to protect your identity information, check your credit reports for fraudulent entries, and correct any fraudulent entries.

8) Your credit score isn't the only factor that matters. You still need to review your credit reports for accuracy. Fraudulent entries can lower your credit score. Your credit utilization ratio (the balance on your credit card as a percentage of the card limit) matters more to some lenders than your credit score. If you max out your credit card limits every month, that will reduce your credit score. Experts suggest you keep your credit utilization ratio below 50% -- ideally at 30%.

Since there are several credit score brands, to stay organized I compiled a list:

I am sure that there are more. What credit score brands have you used? Share your experiences below in the comments section. I've Been Mugged readers want to know.


8 Warning Signs Of Fraud And Scams

Recently, the United States Postal Inspection Service, the federal agency division that investigates postal mail fraud, sent to consumers an informative flyer about the warning signs of fraud and scams. I received the flyer last week. Perhaps, you received a flyer too.

The ability to spot a scam can help you avoid becoming a victim of identity theft and identity fraud. The 8 warning signs of a scam:

1. Sounds too good to be true.
2. Pressures you to act "right away."
3. Guarantees success.
4. Promises unusually high returns.
5. Requires an upfront investment -- even for a "free" prize.
6. Buyers want to overpay for an item and have you send them the difference.
7. Doesn't have the look of a real business.
8. Something just doesn't feel right.

If you received a fraudulent offer via email, the USPS advises you not to click on any links in the message. If you do buy something from an offer, keep any and all receipts, statements, and package delivery slips. Don't wire any money to a person you don't know. If somebody you know asks you via a social networking site to wire money to them, verify their inquiry first with them via phone. It only takes a couple minutes and can save you a lot of money and grief.

Know that foreign lotteries are illegal in the USA, so you can't win no matter what they claim. It doesn't matter how the fraud or bogus offer started: website, telephone, email, or in person. If it used the U.S. postal mails, consumers should report the fraud to the U.S. Federal Trade Commission, and to:

U.S. Postal Inspection Service
Criminal Investigations Service Center
Attention: Mail Fraud
222 South Riverside Plaza, Suite 1250
Chicago, Illinois 60606-6100
Phone: 1-877-876-2455