Previous month:
March 2011
Next month:
May 2011

16 posts from April 2011

Sony Playstation Network Data Breach Affects 77 Million Consumers Worldwide

Earlier this week, the Sony notified its Playstation Network (PSN) customers of a data breach affecting as many as 77 million consumers. Hackers accessed PSN between April 17 to 19, 2011 and stole the following sensitive personal information:

"... name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility."

The PSN website includes notifications for consumers living in the United States, Puerto Rico, and outside the United States. The notifications offer the usual advice for consumers to monitor their credit reports for fraudulent entries, and to access their credit reports at either the official free credit report website or via the three credit reporting agencies: Experian, Equifax, and TransUnion.

Sony expected to notify all customers by April 28. Affected PSN customers can visit www.us.playstation.com/support and www.qriocity.com for more information. PSN has about 36 million customers in the United States, 32 million ins Europe, and 9 million in Asia.

In response to the attack, Sony turned off the Playstation Network and Qriocity service to strengthen the security of its network, and hired a security firm to perform an investigation of the breach cause. At press time, PSN is still unavailable.

The unannounced PSN outage caused some anxiety among game users, and some experts believe that anxiety has morphed into "what about my personal data?" At least one PSN customers has filed a lawsuit against Sony for failing to adequately protect their personal data, and for losses from stolen money.

In an update on the PSN blog, Sony said that credit card data was encrypted and personal data was not encrypted. However, the ArsTechnica blog reported that some PSN customers have already experienced credit card fraud. So, the encryption may not be very good, the credit card data was stolen during transmission, or another source caused the credit card fraud. Regardless, PSN customers should check their credit card statements for fraudulent entries.

The type of data stolen allows identity thieves to easily access consumers' online accounts that use the same sign-in credentials (e.g., username and password). This means that money and more sensitive data can be stolen, if a consumer used the same sign-in credentials with PSN and with their online bank, telephone, and social networking websites. Consumers should change the passwords on their online accounts.

The type of data stolen makes it pretty easy for identity thieves to assume a stolen identity either online or offline in the real world. And since e-mail addresses were stolen, breach victims can expect to receive phishing e-mail messages from fraudsters. Consumers should learn how to recognize phishing e-mails and phishing websites.

Where does the PSN dat breach rank among other data breaches? USA Today reported:

"... the PSN intrusion is arguably the second largest data breach ever, trailing only 2009's Heartland Payment data breach, which impacted 175,000 merchants and millions of payment card transactions per month."

Since credit card account data was stolen, banks will ultimately need to re-issue new credit cards and account numbers to affected consumers. When credit card data was stolen during the Heartland breach, Heartland ultimately paid many millions to credit card companies and banks to cover the costs of re-issuing affected card accounts. After its data breach, Heartland saw its stock price drop about 33%.

One I've Been Mugged reader shared a link to this Ars Technica blog post from February 2011, which warned months ago how PSN credit card data could have been stolen:

"A document written by the hackers has clarified what they did and what privacy and security risks they believe the PlayStation 3 poses. The PS3's connection to PSN is protected by SSL. As is common to SSL implementations, the identity of the remote server is verified using a list of certificates stored on each PS3. The credit card and other information is sent over this SSL connection... custom firmwares could subvert this system. A custom firmware can include custom certificates in its trusted list. It can also use custom DNS servers. This raises the prospect of a malicious entity operating his own proxies to snaffle sensitive data. He would distribute a custom firmware that had a certificate corresponding to his proxy, and that used a DNS server that directed PSN connections to the proxy. His proxy would decrypt the data sent to it, and then re-encrypt it and forward it to the real PSN servers."

While many commenters on this February Ars Technica blog post discredited the hackers' claims and defended Sony, those commenters sure look a little silly now.


Apple Responds About Location Tracking With Its iPhone

Last week, scientists discovered a data file on the Apple iPhone that saves location data (e.g., latitude, longitude, and time stamps) of the phone's recorded coordinates. Yesterday, Apple released a statement about iPhone tracking.

Privacy advocates were concerned about both the location tracking and the storage of locaton information in an unencrypted file on both the mobile device and the user's computer. Apple said that during the coming weeks, an operating system update will encrypt that file. About tracking, Apple said:

"The iPhone is not logging your location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers around your current location..."

When privacy advocates why Apple was storing about a year's worth of location information in this data file, Apple said that the storage included WiFi hotspot data and that the large amount saved a software bug:

"This data is not the iPhone’s location data—it is a subset (cache) of the crowd-sourced Wi-Fi hotspot and cell tower database which is downloaded from Apple into the iPhone to assist the iPhone in rapidly and accurately calculating location. The reason the iPhone stores so much data is a bug we uncovered and plan to fix shortly (see Software Update section below). We don’t think the iPhone needs to store more than seven days of this data."

Privacy advocates wanted to know why this tracking persisted even after the iPhone user had turned off Location Services. Apple's response was that this was a software bug too, and would be fixed during the upcoming oeprating system update.

There seem to be some extensive and major "bugs" in the iPhone. My impression was that Apple charges a price premium for its high-quality products. Bugs like this are a surprise.

While several media sources reported a data file with location tracking in the Apple iPad, Apple's statement only addressed the iPhone. Below is the entire text of Apple's statement:

1. Why is Apple tracking the location of my iPhone?
Apple is not tracking the location of your iPhone. Apple has never done so and has no plans to ever do so.

2. Then why is everyone so concerned about this?
Providing mobile users with fast and accurate location information while preserving their security and privacy has raised some very complex technical issues which are hard to communicate in a soundbite. Users are confused, partly because the creators of this new technology (including Apple) have not provided enough education about these issues to date.

3. Why is my iPhone logging my location?
The iPhone is not logging your location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than one hundred miles away from your iPhone, to help your iPhone rapidly and accurately calculate its location when requested. Calculating a phone’s location using just GPS satellite data can take up to several minutes. iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements). These calculations are performed live on the iPhone using a crowd-sourced database of Wi-Fi hotspot and cell tower data that is generated by tens of millions of iPhones sending the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple.

4. Is this crowd-sourced database stored on the iPhone?
The entire crowd-sourced database is too big to store on an iPhone, so we download an appropriate subset (cache) onto each iPhone. This cache is protected but not encrypted, and is backed up in iTunes whenever you back up your iPhone. The backup is encrypted or not, depending on the user settings in iTunes. The location data that researchers are seeing on the iPhone is not the past or present location of the iPhone, but rather the locations of Wi-Fi hotspots and cell towers surrounding the iPhone’s location, which can be more than one hundred miles away from the iPhone. We plan to cease backing up this cache in a software update coming soon (see Software Update section below).

5. Can Apple locate me based on my geo-tagged Wi-Fi hotspot and cell tower data?
No. This data is sent to Apple in an anonymous and encrypted form. Apple cannot identify the source of this data.

6. People have identified up to a year’s worth of location data being stored on the iPhone. Why does my iPhone need so much data in order to assist it in finding my location today?
This data is not the iPhone’s location data—it is a subset (cache) of the crowd-sourced Wi-Fi hotspot and cell tower database which is downloaded from Apple into the iPhone to assist the iPhone in rapidly and accurately calculating location. The reason the iPhone stores so much data is a bug we uncovered and plan to fix shortly (see Software Update section below). We don’t think the iPhone needs to store more than seven days of this data.

7. When I turn off Location Services, why does my iPhone sometimes continue updating its Wi-Fi and cell tower data from Apple’s crowd-sourced database?
It shouldn’t. This is a bug, which we plan to fix shortly (see Software Update section below).

8. What other location data is Apple collecting from the iPhone besides crowd-sourced Wi-Fi hotspot and cell tower data?
Apple is now collecting anonymous traffic data to build a crowd-sourced traffic database with the goal of providing iPhone users an improved traffic service in the next couple of years.

9. Does Apple currently provide any data collected from iPhones to third parties?
We provide anonymous crash logs from users that have opted in to third-party developers to help them debug their apps. Our iAds advertising system can use location as a factor in targeting ads. Location is not shared with any third party or ad unless the user explicitly approves giving the current location to the current ad (for example, to request the ad locate the Target store nearest them).

10. Does Apple believe that personal information security and privacy are important?
Yes, we strongly do. For example, iPhone was the first to ask users to give their permission for each and every app that wanted to use location. Apple will continue to be one of the leaders in strengthening personal information security and privacy."


Protection Direct, Auto Warranty Service Program: A Good Deal?

Recently, I received the letter below from a company named "Program headquarters (SPD)." Perhaps you have received this letter, too:

Letter from SPD a/k/a Protection Direct

At first, I was not going to write about this, but after receiving two letters from SPD a blog post seemed appropriate. I hadn't heard of SPD before, and the way the company listed its name in the letter seemed odd.

A quick Google search found an entry about SPD at the Better Business Bureau website. SPD, which has an "F" rating, goes by the names "Service Protection Direct" and "Protection Direct." When a company uses several names, the names on its letterhead and website don't match, and the letter fails to provide a website address that is usually a red flag alert to me. This letter reminded me a lot of my experience with Shelton & White (a/k/a Larson Keller).

While most of the complaints against SPD on the BBB website appear to have been resolved, the nature of the complaints was troubling:

"Complainants primarily allege misleading sales or advertising practices, in many cases claiming that they were led to believe that this firm was associated with the manufacturer or dealer, when they are not, difficulty canceling contracts and obtaining refunds, that the firm failed to cover needed repairs, poor customer service and that they received harassing sales calls or solicitations, even after the consumer requested that they cease."

That didn't sound good. My Google search also found this St. Louis Business Journal article from 2009:

"Despite an agreement last year between the Missouri attorney general’s office and one of St. Louis’ largest vehicle service contract companies, the BBB said Thursday it has received 80 complaints about the firm so far this year. That’s up from the 60 complaints received in the four months before the state’s agreement with Service Protection Direct, now known as Protection Direct and owned by TXEN Partners..."

So SPD or Protection Direct has been doing this form of marketing since 2008. Maybe things have gotten better during the three years since. In March 2010, the Missouri Attorney General's office stated that it was:

"... creating a task force to look at sales practice guidelines designed to stop auto service contract fraud, the number one complaint to the Attorney General's office in 2009... the Department of Insurance, Financial Institutions & Professional Registration began regulating service contract providers and administrators in 2008, but some independent marketers are not licensed and have continued to run roughshod over consumers... these marketers have used misleading letters, postcards, and telephone sales marketing to lure consumers into purchasing service contract coverage without providing basic information about that coverage... while consumers believed they were extending auto warranties, they were actually purchasing service contracts or automotive additives."

While complaints in Missouri about auto warranty/service programs have dropped due to prosecution, the Missouri Attorney General's office on February 25, 2011 still listed auto warranty/service scams in its the top 10 scams listing. So, there are several companies operating in the auto warranty/service program space, besides SPD. The reverse side of the SPD letter I received mentioned several states: New York, Wisconsin, Texas, and Florida. So, Protection Direct is marketing in several states.

Next, I visited the Protection Direct website to see how it addressed any of the above concerns. My experience at the website wasn't much better than the letter. The Service Facts page seemed to only list the costs of various auto repairs. That was technically accurate, but not very helpful. And, it seemed like a scare tactic.

The News page included an April 4 item about the poor BBB rating above, with a general promise that the company is working with the BBB to improve that rating. I completed the "Find Your Plan" form on the home page, and the results page didn't deliver any plan information. Instead, the results page linked me to another form page. That was not helpful, and it seemed to me like a slick attempt to get website visitors to reveal more personal data without delivering a quote or any real value first.

To learn a little more, I called the phone number on the SPD letter. The representative that answered was very polite; not pushy at all. When I asked how SPD got my name and auto information, she said, "SPD has access to the same databases as auto dealers." That answer wasn't helpful. I asked what that meant and the phone representative said she didn't know. Not good.

I expect more from a company. It should be able to sufficiently explain where it got my name and auto information from. The reverse side of the letter I received included this fine print:

"PRESCREEN & OPT-OUT NOTICE: This "prescreened" offer of credit is based on information in your credit report indicating that you meet certain criteria."

What? I wonder how accurate that statement is. If it is true, SPD should not have contacted me because it shouldn't have been able to access my credit reports. I placed a Security Freeze on my three credit reports three years ago. And, I opted out of pre-screen credit offers years ago. Perhaps, SPD obtained my name from one of the smaller, regional credit bureaus.

More likely, SPD purchased my name and auto data from the state registry of motor vehicles. Many consumers don't realize that many states do sell this driver data. This lawsuit highlighted the fact that many states sell driver information to marketing companies. If true, then the disclaimer on the back of the SPD letter is misleading and inaccurate.

The phone representative (and the letter) mentioned Marathon Financial Insurance as a provider of coverage for SPD. To the good, Marathon has a far better BBB rating: A+. That is encouraging, but the BBB "F" rating for SPD and my negative experience far outweigh that.

While on the phone, the rep promised a quote if I answered a few questions. After answering about four questions, that seemed again like an attempt to get more personal data out of me. I refused to answer any more questions and asked for a quote. I'd already provided my auto's mileage, year, and general condition -- which should have been enough. The rep declined politely and said that she needed to ask all of these questions to get to a quote. I asked for a quote range instead, and again she declined. At that point, we agreed to end the phone call.

About five days later, a different phone rep from Protection Direct called me at home and provided a quote: about $3,800 over three years. Then, the phone rep explained what repairs were covered and discounted the quote to $2,800 to get me to sign up immediately. I asked for a contract to review first. The rep said the Protection Direct doesn't send out contracts due to cost reasons, and offered a 30-day trial instead. I could cancel in 30 days and get a refund.

I thanked the phone rep for his flexibility and repeated my request to see the contract first. At that point, we decided to terminate disucsson as Protection Direct and I couldn't agree on how to proceed. If there is one thing I have learned while writing this blog, it's that the contractual fine print is critical. It always lists what is provided and what is covered/reimbursed.

Should consumers buy an auto replacement warranty/service program? Only you can decide that for yourself. You know your needs and budget best. Me? I'll pass. I don't see the value. The amounted quoted by Protection Direct was about the same amount as I would have spent anyway on auto maintenace and repairs. Protection Direct's clumsey letter, unhelpful website, and refusal to provide a contract first were obstacles.

If my auto needs repairs, I get it repaired at an auto dealer. If the repairs are expensive, I'll get several estimates first; and then get my auto repaired at the shop with the lowest estimate. If the repairs are prohibitively expensive, I'll just buy another used car.

What is your opinion of Protection Direct? If you purchased a warranty program from Protection Direct or another company, what was your experience?


Video: Banking Fraudsters Go Unpunished While Federal Government Enables

If you haven't seen this interview, the video below is a must-view. It is a national mugging.

Economics and law professor William Black, at the University of Missouri-Kansas City School of Law, clearly explained during this Daily Ticker interview the problem. He views it as disgraceful that only a handful of executives have been prosecuted about mortgage lending and foreclosure fraud. He also blames policymakers and federal government officials:

 

 

If this bother you (and I sincerely hope that it does), contact your elected officials and demand action.


Update: Pandora Subpoena

When I wrote this earlier post, I'd checked the Pandora website for any news releases or comments from the company. There weren't any comments then.

The Rolling Stone reported that Pandora is removing third-party advertising platforms (e.g., Google, AdMeld and Medialets), and is revising its smart phone apps:

"... certain third-party advertising software development kits (SDKs) from Medialets, AdMeld and Google have been the subject of scrutiny and speculation in the media. While we have no reason to believe that any of these mobile advertising companies acted outside the scope of our privacy policy, we have decided to remove the advertising SDKs entirely to ensure that our listeners have complete confidence in our commitment to their privacy."


Scientists Discover Data Files on iPhone and iPad Devices That Collect Location Data

This week, the news media has been abuzz with reports about the tracking by Apple iPhone and iPad users.

The Guardian UK first broke the story Wednesday, where scientists discovered a data file on Apple iPhones that saves location data (e.g., latitude, longitude, and time stamps) of the phone's recorded coordinates in an unencrypted file on the consumer's smart phone. When the smart phone is synced with iTunes, an unencrypted copy of the tracking file is placed on the consumer's computer.

Other news reports confirmed the tracking with Apple iPad devices. The Wall Street Journal reported that both Apple and Android phones both collect location data and regularly transmit location back to Apple/Google. The blog F-Secure reported that the location data is routinely sent already to Apple twice daily.

The New York Times blog reported from the "so what?" angle: that the data collection is no big deal since most mobile device users have already agreed to the data collection. The BGR blog listed several mobile companies' privacy policies as proof of users' consent to the real-time location data collection.

 What is a consumer to make of all of this?

The scientists that discovered the file, Pete Warden and Alasdair Allan, did a credible job of exposing the data file, and highlighting the implications of the tracking with some visual examples. Here is one map of a person's historical locations based on the data file in their iPhone:

Visual map of iPhone tracking by scientists

I checked the Apple Privacy Policy document, dated June 21, 2010, and it clearly states the company's position about real-time data collection (emphasis added in bold):

"... Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services."

Based on its privacy policy language, Apple seems well within its rights to collect, save, and use users' location data real-time. Of course, some users won't care about any of this as they have made a decision to disclose their location data on multiple social networking sites.

The issues I see with this smart phone location tracking:

  • Several privacy policies apply for each user. Because mobile devices are the intersection of the hardware, operating system, data communication, and apps. Example: I use an HTC Windows mobile phone, so a minimum of three privacy policies apply: Microsoft (Windows 7), AT&T (data plan), and HTC (phone manufacturer); plus privacy policies for each app downloaded. Have you read all policies that apply to your mobilde device(s)? have you kept up with changes to those policies? I doubt it.
  • Few website privacy policies disclose the names of partners and licensess that a company shares location data with. The list of company names should be disclosed and updated as things changes. This lack of transpatency is not new, and it applies to Apple and all of the companies operating in the mobile marketplace.
  • Companies have a responsibility to explain how they make anonymous consumers' location data. Why? Trust is at the core of mobile usage, and consumers that are concerned about their privacy need to feel confident that their privacy is maintained. For example, anonymity could easily be broken by comparing a heat map of a single person's location to home/work data listed in a social networking site profile.
  • Companies have a resonsibility to more accurate explain in their website policies exactly what location data is collected (e.g., exact GPS coordinates or triangulated position estimates) and how often. Precision matters. Most of the policy language BGR listed included "may collect" and didn't disclose transmission frequency.
  • Now that consumers know more about the tracking, many may (or probably) want a choice. I know that I do. I want the option to turn on/off the tracking, and to delete this tracking data file. Current news reports indicate that consumers don't have this choice.
  • Companies have a responsibility to adequately protect the sensitive data they collect. In the case of the iPhone, it copies the unencrypted data tracking file to the user's computer when the user syncs their iPhone. Malware can easily access and transmit the data files from either the iPhone or computer/laptop/desktop. Unencrypted files in multiple locations strike me as sloppy or poor data security.
  • The data tracking has highlighted the WiFi collection issue again, in that Apple/Google may be using consumers' mobile devices to build databases of WiFi locations and details. You may recall that Google was caught doing WiFi data collection last year with its StreetView cars.
  • I'd like to see device manufacturers fund an independent analysis to verify compliance that apps are not accessing this sensitive location data file. This goes to trust. Now that everyone knows the file exists, I imagine some iPhone and Droid apps will attempt to access the data file.
  • Besides opt-out, it seems wise to provide considerations for certain mobile device users (e.g., children, stalking victims)
  • I am sure that law enforcement would find this location data particularly useful, if they haven't already downloaded it after traffic stops.

Obviously, the issues are far from settled. Sadly, it seems that some consumers have concluded that it is impossible to protect their privacy. As one person commented on the I've Been Mugged Facebook page:

"Someone always know where I am unless I give up electricity, pick up a shovel and head for the hills."

That is an attitude I hope can be eliminated. If this tracking bothers you (and I sincerely hope that it does), contact Apple, Google, and contact your elected officials to demand opt-out and encryption protections.

I am sure that law enforcement would find this real-time location data particularly useful, if they haven't already downloaded it after traffic stops.


Smartphone Apps That Listen: A Crime Or A Feature?

ComputerWorld reported about three iPhone and Droid apps that use the microphone on consumers' smartphone to listen to whatever you are doing:

"The apps use ambient sounds to figure out what you're paying attention to... The apps are Color, Shopkick and IntoNow, all of which activate the microphones in users' iPhone or Android devices in order to gather contextual information that provides some benefit to the user."

The Color app reportedly uses both the smartphone microphone and camera to:

"... detect when people are in the same room. The data on ambient noise is combined with color and lighting information from the camera to figure out who's inside, who's outside, who's in one room, and who's in another..."

The app makers promote these listening apps as a feature. to me, it's a crime.

Do consumers really need a smartphone app that listens to what you are doing, or watching on television, to serve up the appropriate social networking website? This seems like a bridge too far. Way too far.

Now, some apps, like Shazam on the iPhone, are appropriate. When engaged, this app identifies a song a consumer can't readily identify. Then, the consumer can presumably go buy the song.

And, I do like the voice-activated Bing search on my Windows smartphone. When I engage it, the app makes searching easier and faster -- provided I am in a fairly quiet location.

Me? I want more privacy, not less. Listening apps should work only in the foreground when activated, not sneakily and constantly in the background. And, when I visit somebody, I shouldn't have to worry about whether their smartphone is listening in or not. Notice and opt-out both seem impossible in these situations.


Phishing Attack Targets Epsilon Breach Victims

Fraudsters have begun phishing attacks as a result of the Epsilon data breach.

Websense warned last week of an attack targeting consumers affected by the Epsilon breach. The phishing or fake Epsilon website looks like the official Epsilon website, and presents a bogus press release update that tries to get unsuspecting consumers to download a file that contains malware:

"The fake update goes on to state that people can check to see if their personal information was lost by downloading and installing an "Epsilon Secure Connect Tool." The downloaded file is called EpsilonSecureConnect.exe and has little detection as a Trojan dropper."

The malware can comprise consumers' computers, and potentially download more malware and/or steal sensitive personal information. The Websense site includes images of the attack page.

Consumers should know that phishing threats take the form of both bogus e-mails and websites.


Senators Request Investigations About The Epsilon Breach And Smart Phone Privacy

Senator Mark Pryor, from Arkansas, has sent a letter to the U.S. Federal Trade Commission asking for an investigation into the Epsilon data breach. The Senator is both concerned about a potential rise in phishing attacks and:

"... whether Epsilon's data security procedures and actions post-breach are consistent with its obligations under the Federal Trade Commission Act or other laws you enforce... This breach underscores the importance of requiring strong data security safeguards and data breach notification standards..."

You can download the Senator's entire letter (PDF format). Other Senators are concerned.

In a separate action, Senators Al Franken (Minnesota) and Richard Blumenthal (Connecticut) sent a joint letter to the U.S. Justice Department listing their concerns about data security and privacy, that were prompted by both the Epsilon data breach and:

"... an investigation by the U.S. Attorney's Office of New Jersey into allegations that certain smart phone applications were collecting sensitive consumer information and disclosing it to third parties unbeknown to consumers..."

That investigation reportedly includes subpoenas served at several Internet companies, including Pandora and Google, about smartphone privacy. The Senators are concerned about posible violations of the Computer Fraud and Abuse Act (CFAA), and limitations of the CFAA that need to be strengthened:

"... we ask that you clarify the Department's understanding of the scope of the CFAA's consumer protection provisions, update the Department's prosecutorial guidance for the statute, and indicate to us where additional funding or legislation may be needed."

Those potential CFAA limitations include not only on insider identity theft -- where employees assist or participate in the data breach or hacking-- but only on digital privacy and smart phone. The Senators asked this about smart phones:

"... we also think it is important for all prosecutors to be aware that the Computer Fraud and Abuse Act protects more than traditional desktop and laptop computers. The definition of "computer" in the CFAA is a broad one and the U.S. Court of Appeals for the Eighth Circuit recently affirmed that the CFAA protects smartphones and a broad range of other electronic devices."

You can download the letter from Senators Franken and Blumenthal (PDF format).


Subpoena Served To Pandora About The Privacy of Its iPhone and Android Apps

Earlier this month, Pandora Media reported it its S-1 Filing with the U.S. Securities and Exchange Commission:

"... in late 2010 and early 2011, we were named as a defendant in several class action lawsuits alleging, among other things, violations of computer fraud, computer trespass and privacy laws. In addition, in early 2011, we were served with a subpoena to produce documents in connection with a federal grand jury, which we believe was convened to investigate the information sharing processes of certain popular applications that run on the Apple and Android mobile platforms. While we were informed that we are not a specific target of the investigation, and we believe that similar subpoenas were issued on an industry-wide basis to the publishers of numerous other smartphone applications, we will likely incur legal costs related to compliance with the subpoena..."

Pandora.com is a very popular music and free Internet radio website. There are Pandora apps (e.g., applications) for several smart phones: Android phones, Blackberry phones and the Apple iPhone. Pandora has partnerships with the manufacturers of over 200 consumer electronics devices, including Alpine, Panasonic, Pioneer, Samsung and Sony.

The Register reported:

"The probe, according to an unnamed person familiar with the matter, is examining whether app makers provided adequate legal notice before tracking information such as the user's geographic whereabouts and the unique identifier of their phone.

From Ars Technica:

"Pandora's Android app transmits a plethora of personal information to third parties after all, at least according to an analysis done by security firm Veracode... and found that data about the user's birth date, gender, Android ID, and GPS information were all being sent to various advertising companies... Pandora's [Android] app seems to be integrated with five separate ad libraries: AdMarvel, AdMob, comScore (SecureStudies), Google.Ads, and Medialets.

This is a most interesting topic to monitor.


Texas Government Breach Affects 3.5 Million Consumers

Apparently, there is a serious dust-up in Texas. On Monday of this week, the Texas Comptroller's office began notifying consumers affected by the state government's data breach:

"The records of about three and a half million people were erroneously placed on an agency server that was accessible to the public. This incident only affects individuals whose information was included in data transferred by the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS)."

The breach was discovered March 31, 2011. Some records were exposed as far back as January 2010. That is plenty of time for identity criminals to do damage. InformationWeek reported more details, including the distribution of breached records by state agency and by date:

"The 3.5 million breached records include 1.2 million records, posted in January 2010, of education employees and retirees from the Teacher Retirement System of Texas. In addition, 2 million records from the Texas Workforce Commission (TWC), which provides unemployment benefits to Texas residents, were posted in April 2010. Finally, 281,000 records from the Employees Retirement System of Texas, involving state employees and retirees, were posted in May 2010."

The data exposed during the breach included names, addresses Social Security numbers, birth dates and driver license numbers. The sensitive personal data exposed is exactly what criminals use to open fraudulent bank accounts and obtain fraudulent loans. So, breach victims need to take steps to protect themselves.

Affected consumers should visit the www.txsafeguard.org website set up by the Texas government. According to some news reports, consumers have swamped the toll-free hotline about the breach. Reportedly, the hotline received 33,500 calls during its first two days of operation.

The Dallas Morning News reported that several employees in the comptroller's office had been fired as a result of the breach. After a breach of this magnitude, most organizations typically offer breach victims one or two years of free credit monitoring services. So far, the Texas Comptroller's office has not made any statements about offering breach victims such services.


Better Business Bureau: 2010 Annual Report

The Better Business Bureau, a private, nonprofit organization, is best known for its complaint system. During 2010, consumers submitted about 1.1 million complaints about businesses they had difficult with, or felt cheated by.

While the BBB does not have any policing or enforcement powers, a company's record of complaints are one method for consumers to research a company they are considering doing business with. Companies with lots of complaints, or with lots of unresolved complaints, can be viewed by consumers as untrustworthy. The topic of BBB ratings was raised in this Just Energy blog post, with comments from several readers. In February, the BBB released a report about the top scams of 2010.

In March 2011, a BBB press release summarized its annual report:

"... consumers filed 1.1 million complaints against North American businesses in 2010, reflecting a ten percent increase over the previous year. Consumers also turned to the non-profit more than 87 million times for help researching businesses across North America, a whopping 37 percent more than in 2009."

The industries with the most complaints:

  1. Cable & satellite TV: 30,985 complaints, down 5% from 2009
  2. Cellular phone companies: 27,293 complaints, down 29.6%
  3. New car auto dealers: 24,698 complaints, down 8.1%
  4. Banks: 22,648 complaints, down 24.3%
  5. Collection agencies: 15,876 complaints, up 0.5%
  6. Used card auto dealers: 14,520 complaints, up 6.1%
  7. Auto repair & service: 13,178 complaints, up 3.5%
  8. Retail furniture: 13,018 complaints, down 1.1%
  9. Internet shopping: 12,950 complaints, down 39.8%
  10. Mortgage brokers: 9,545 complaints, up 17.8%

As I mentioned above, complaint resolution matters:

"While the cable and satellite TV industry, cell phone industry and new car dealers received a high volume of complaints, the BBB report shows that they also have a higher rate of resolution with consumers than the average rate (78 percent) across all industries in 2010."

The complaint resolution rates for selected industries

  • 98.6% - Cable & satellite TV
  • 98.5% - Banks
  • 95.8% - Natural gas companies
  • 92.1% - Cellular phone companies
  • 90.8% - Insurance companies
  • 87.4% - New car auto dealers
  • 85.3% - Multi-level selling companies
  • 82.1% - Dating services
  • 81.0% - Mortgage brokers
  • 80.2% - Collection agencies
  • 79.1% - Retail furniture
  • 75.1% - Business & vocational schools
  • 72.6% - Attorneys
  • 70.6% - Used car auto dealers
  • 65.6% - Auto repair & service
  • 65.4% - Credit & debt counseling
  • 61.4% - Internet shopping
  • 54.1% - Painting contractors
  • 53.9% - Landscape contractors
  • 51.8% - General contractors
  • 51.7% - Work-at-home companies
  • 48.6% - Credit/Debt consolidation services
  • 48.0% - Paving contractors
  • 47.6% - Tattoos
  • 45.3% - Payday loans
  • 45.0% - Locks & locksmiths
  • 42.3% - Foreclosure resuce
  • 42.0% - Vacation certificates & vouchers

Large industries that do a lot of business will tend to get more complaints. So, when evaluating a company's trustworthiness, consumers can compare that company's complaint resolution percentage against the 78% average across all industries.

In 2009, the BBB changed its rating system from satisfactory/unsatisfactory to a graded system. The AARP Magazine explored the issues about this new grading system, which featured a:

"... complex point system that results, as in school, in a single grade of A+ through F for each business. Companies that get a B or better — and that pay membership dues of a few hundred to several thousand dollars a year — are "BBB accredited" and can display its torch insignia."

While the BBB asserts that the new grading system provides consumers with more information, critics claim that:

"... the BBB isn't equipped to award grades based on its extensive standards: 17 criteria that cover everything from licensing to truth in advertising."

For me, I prefer to check several websites besides the BBB website including The Consumerist, Epinions, Consumer Reports, and industry-specific review websites (example: Cruise Critic for cruise ship vacations). BBB complaint volume, types, and resolution will continue to be important statistics to me for judging a company.


Video: Smart Phone Pictures Pose Privacy Risk

Earlier today, a friend forwarded an email message with a link asking about the news video below. KSHB-TV (Kansas City, MO) originally broadcast this news segment on November 9, 2010. About 2.4 million people have already viewed the video. My friend asked my opinion about the privacy risk.

This is a valid concern. Today’s smart phones automatically embed the location information (a/k/a GPS coordinates) into every photo and video you take. So, a stalker could harvest the location information from photos and compile your daily routine with specific street addresses.

The way to avoid this privacy risk is to DISABLE the location settings for the camera applicaton in your smart phone. See the user manual for your phone if you don’t know how to do this. If you lost the user manual, visit the store where you purchased your smart phone. Many store representatives will be happy to help.

It's also wise for parents to disable the camera location settings in both their and their children's smart phones. Of course, this is also a teaching opportunity to explain to children the importance of this while disabling the camera GPS feature. Now, the news video:


Video: Invasion Of The Data Snatchers

If you want an explanation of the role and scope of data mining companies and information brokers, the video below provides a pretty good overview, with engaging graphics. It highlights all of the various ways companies collect personal information about consumers. And, "invasion" is an accurate description.

This blog does not endorse the online service mentioned. Consumers should shop around and read the contractual fine print and terms of any online service before purchase, to determine if the product or service meets your needs.


Epsilon Breach Exposes Millions Of Consumers To Email Spam Attacks

Epsilon logo You have probably heard about it in the news. In perhaps the largest data breach ever, a marketing e-mail company, Epsilon, has exposed the e-mail addresses of millions of consumers. Basically, a hacker broke into the company's e-mail computers and stole millions of e-mail addresses. The breach highlights several implications for consumers.

In a press release on April 1st about the breach, Epsilon, a unit of Alliance Data Systems Corporation, said:

"On March 30th, an incident was detected where a subset* of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway."

Epsilon is one of several companies that companies outsource with to send out e-mail offers and deals. Epsilon sends out about 40 billion e-mail messages annually. This outsourcing (and the minimal amount of disclosure) is a fairly common business practice.

The list of Epsilon's clients include several brands you know: Capital One, Citibank, Best Buy, Disney, Home Shopping Network, JPMorgan Chase, Marriott Rewards, Ritz-Carlton Rewards, US Bank, Walgreen's, The College Board, Tivo, and others. On Monday, Epsilon released a very general update that:

"The affected clients are approximately 2 percent of total clients and are a subset of clients for which Epsilon provides email services."

Is that two percent of clients, or two percent of all clients' e-mail addresses? usually when a company is vague about details in a breach notice, things are bad. Plus, the investigation is not finished, so the two percent is probably an estimate and not a final number. I expected more details in the breach notice, including a description of Epsilon's data security actions to prevent a repeat data breach, and to find/prosecute the criminal(s).

You could say this breach notice is vagueness as usual.

This breach highlights several implications consumers should be aware of:

  • Breach victims can expect to receive e-mail spam, where fraudsters and identity thieves send phishing e-mails to the stolen e-mail addresses to try to trick consumers into revealing financial information (e.g., credit card numbers, debit card numbers, Social Security numbers, bank account sign-in credentials). So, consumers should know how to recognize phishing e-mails.
  • Many news stories mentioned the threat of "spear phishing," where fraudsters target e-mails at a specific company. Yes, that is a real risk. So, the bogus e-mails from spammers may be better crafted than usual and harder to spot.
  • Companies regularly share consumers' personal information with other companies they do business with
  • Website terms and privacy policies don't always disclose these other companies' names
  • The recent trend is for advertising networks to collect more data about consumers. So, future breaches could expose more consumer data than e-mail addresses
  • Everyone was lucky this time. The breach didn't include any personal financial or payment information
  • Breach notices are often skimpy on details. that makes it tough for consumers to evaluate how security conscious the retailer (and the retailer's outsourced companies) is. Consumers must pressure their Congressional and State representatives for legislation that requires greater disclosures.
  • If you are one of those newbie Facebook members with a profile page that is both open to the public and displays your e-mail address, then you are probably already receiving phishing e-mails and this Epsilon breach will just add to the volume in your e-mail inbox.

An I've Been Mugged reader shared the breach notice Walgreen's sent to its affected customers:

"From: Walgreens <Walgreens@email.walgreens.com>
Subject: A Message from Walgreens
Date: Monday, April 4, 2011, 9:17 PM

Dear Valued Customer,

On March 30th, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Walgreens customers were accessed without authorization.

We have been assured by Epsilon that the only information that was obtained was your email address. No other personally identifiable information was at risk because such data is not contained in Epsilon's email system.

For your security, we encourage you to be aware of common email scams that ask for personal or sensitive information. Walgreens will not send you emails asking for your credit card number, social security number or other personally identifiable information. If ever asked for this information, you can be confident it is not from Walgreens.

We regret this has taken place and any inconvenience this may have caused you. If you have any questions regarding this issue, please contact us at 1-855-814-0010. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

Sincerely,

Walgreens Customer Service Team"

That's all Walgreens has to say? How can Walgreens be confident when Epsilon isn't finished with its investigation? I expected Walgreens to say much more. Is Epsilon the best e-mail outsource vendor with data security? How is Walgreens working with Epsilon so this doesn't happen again? What updates about the breach investigation are Walgreens executives demanding? How many Walgreens customers were affected?

What's your view of this breach and the breach notices? Were you affected by the breach?

[Note: April 7 -- TechCrunch published the breach notice from The College Board. The CEO of Alliance Data apologized for the breach at its Epsilon unit.]

<a href="http://ivebeenmugged.typepad.com/my_weblog/photos/logo_epsilon.jpg">Download logo_epsilon.jpg (3.7K)</a>

Anonymous Web Surfing: Get Cocoon

With all of the online threats, malware, and tracking some consumers have turned to anonymous web browsing. To learn more, I discussed the Cocoon anonymous web browsing service with Brian Fox, cofounder and Chief Technology Officer at Virtual  World Computing (VWC), producer of Cocoon.

I've Been Mugged: What is your position and duties at Get Cocoon?
Brian Fox: I am co-founder and CTO of VWC. I am the principal inventor of the technology and process in the Cocoon service. Jeff Bermant is the other co-founder, and the primary owner of the itch that needed scratching.

Mugged: How and why did Virtual World Computing start offering anonymous web browsing?
Fox: We believe everyone has a right to use the Internet securely and privately, and without the risk of getting malware. We see that the Internet is the next generation of communication, after Pony Express, Telegraph, and Telephone. Why should we as a society accept that this form of communication be less private and secure than its previous forms?

Mugged: How secure are your company’s web servers?
Fox: Today, our servers are housed in a tier 3 secure facility. Our servers run SE Linux, which is the Linux that was modified by the NSA to increase security and compartmentalization. Because we run Linux, we are not vulnerable to Windows-based viruses. Because we run SE Linux we are not vulnerable to any currently known linux-based attack. We believe that our servers are extremely secure.

What consumer data is retained on your servers and for how long?
That's up to you. You can choose to not save any data in your Cocoon account, and that's your prerogative. We feel there are benefits to having your history stored securely, encrypted and available to you, and only you, whenever and wherever you want. Everyone has experienced the scenario of having found some piece of information while on one computer, say at home, and then had difficulties finding that same info when they want it at work. With Cocoon, your history, bookmarks, logins, passwords, notes, are all available to you on any computer where you've installed Cocoon. And you are the only one who has the key to unlock that encrypted information. But it's your call, never save the data or leave it there as long as you like and delete it when you close your account, it's up to you.

On my laptop, I use the Better Privacy add-on with Firefox to regularly delete the web browser cookies that websites save to my laptop. How is Cocoon different?
Cocoon prevents cookies from being stored on your computer at all. They are stored in your Cocoon account. Today, Cocoon doesn't offer an option to delete cookies on a periodic basis (which of course, can only happen while Firefox is running :-) Instead, we supply an option to delete your Cocoon stored cookies whenever you log out. We are building a feature that lets you specify for which websites Cocoon should not delete stored cookies. We feel this offers you the best of both worlds - you can keep the cookies that you want (e.g., login cookies for Gmail or sourceforge), and delete all of the other cookies (e.g., banking, etc.).

Version 3.0+ of the Firefox browser already has a feature called “Start Private Browsing.” How is Cocoon different?
Private browsing mode on Firefox does not provide you with anonymous browsing and only prevents your browsing and cookie history from being saved on your computer. On the other hand, Cocoon prevents both websites and your ISP from knowing what sites you've visited, as well as keeping all tracking information off your computer. It does this at the same time as giving you the option to keep that history or those cookies stored securely if you want.

Many consumers like to use free (unsecure) WiFi at places like coffee shops and airports. How does Cocoon protect consumers in these situations?
Cocoon makes every website on the Internet encrypted and secure, even on free open WiFi. When you log into Cocoon, you create a secure connection between you and Cocoon preventing man-in-the-middle attacks like Firesheep.

Version 4.0 of the Firefox web browser offers a Do Not Track feature. How does Cocoon compare  with this?
Firefox 4.0, like Chrome and IE9, all offer an option to be added to Do Not Track lists - but these lists rely on voluntary compliance by advertisers to join and/or honor - and the user is responsible for activating these systems. Cocoon's method is proactive - a service that lets you take control without needing advertisers to agree to anything.

What types of consumers or professionals (e.g., attorneys, financial advisors, etc.) can best benefit by using Cocoon?
Although anyone can benefit from features such as stopping spam by using Mailslots (disposable anonymous email addresses), professionals such as lawyers, doctors, and financial advisors –- who work with highly private data– can directly benefit from the protection Cocoon offers stopping malware from infecting their computers and potentially stealing personal data, and having secure connections while on WiFi networks. Everyone deserves the peace of mind that comes from knowing their information is private, secure and malware-free.

How might a consumer use Cocoon while traveling on business or vacation?
In addition to being protected on open WiFi networks, I've appreciated that once I securely log into Cocoon I have access to all my login and passwords even on my wife's computer - and once I log out I know that that information is not on her computer, it's still safely stored in my account on Cocoon.

How flexible is the Cocoon configuration, so consumers can switch to normal browsing mode when visiting trusted websites, like their bank?
The configuration of Cocoon is so seamless it is almost invisible. There's actually no need to turn off Cocoon when visiting any site. If you choose to bypass the protections of Cocoon, there is a "pause" or "un-lock" button right on the toolbar for you.

Many consumers like comprehensive services/software. What are Get Cocoon’s plans to provide an umbrella service covering a user’s computer, tablet, and smart phone?
Great question, and it's definitely in the works. We've tested Cocoon with the Firefox browser on various systems and will be offering other options soon. IE is the next to roll out and others to follow. We are particularly focused on the needs of the mobile user, and have products and service enhancements in store for them.

What do you see in the future for anonymous web browsing software?
While anonymity is an important feature of Cocoon, we feel that it is only one part. We feel that privacy is not synonymous with anonymity. For instance, I am happy to do this interview, but there is a limit to what information I will divulge. That is because my personal privacy is important to me. In the future, we feel that both inward and outward facing privacy will be de rigueur, and we know that Cocoon customers will be enjoying that -- as well as additional features that will be necessitated by changes in online behavior, such as voting, reviews, and the like.

Is there anything else you want consumers to know about Cocoon and/or your company?

Cocoon is created by a team of people who strongly believe in the rights of people to use the Web privately and securely. We believe that the Internet is a resource for the world, and not just for a select few. Our mission is to enable access, privacy, and security on the Internet to anyone who desires it. Our feature creation is driven by the needs of our users, and we ensure that there are many ways to communicate with us - even anonymously!

Thanks to Brian Fox for discussing Cocoon with the I've Been Mugged blog.