
19 posts from June 2011

New ATM Scam Tactic: Glued Keyboards

The San Francisco Examiner reported a new ATM scam in which thieves used glue to disable the "Clear," "Enter," and "Cancel" buttons on bank ATM keypads. The scam works like this:

  1. A bank customer visits an ATM as usual. After entering their PIN, the customer finds that certain keys don't work.
  2. The customer walks away from the ATM without canceling the still-"live" transaction session and goes inside the bank branch for help.
  3. While the customer is inside, the thief steps up to the ATM and uses the live session to withdraw cash from the victim's account.

In this scam, the thieves never needed the victim's debit card or PIN. They simply took over a live ATM session that the customer had not canceled.

What should consumers do if they encounter an ATM with a tampered keypad? Experts advise consumers to:

  • Use the touch-screen options to cancel the transaction session first, and only then go into the bank branch for assistance
  • Many ATMs have a phone for assistance; use it if you don't want to leave the machine
  • Use ATMs in protected, well-lit locations, ideally inside bank branches during normal banking hours
  • Use ATMs whose controls you are familiar with. Know both the keypad and the touch-screen ways to complete (or cancel) a transaction session
  • Monitor your bank accounts for fraudulent entries
  • Learn how to recognize ATMs that have been tampered with
  • Watch this video of a thief installing an ATM skimming device
  • Be alert, since some thieves attach skimming devices to the ATM booth door-entry mechanisms
  • If you see or encounter the thief, do not approach him/her. Call local law enforcement instead

Have you encountered an ATM machine with a tampered keyboard? What did you do?


Privacy Crusader: Protecting Children From Tracking Kids Apps

A new class-action lawsuit highlights the privacy issues where mobile devices, gaming, and children intersect. OpenFeint, Inc. and GREE International were named in a class-action lawsuit alleging that OpenFeint, alone and together with third-party app developers, engaged in unfair and deceptive business practices and privacy violations that:

"... gained unauthorized access to, and unauthorized use of, Plaintiffs’ and Class Members’ mobile devices to access, collect, monitor, and remotely store, without notice or consent, Plaintiffs’ and Class Members’ mobile device’s Unique Device Identifiers, Personally Identifiable Information, OpenFeint user account, GPS “Fine” co-ordinates, and Facebook/Twitter profiles..."

"Fine" GPS coordinates are the consumer's precise latitude and longitude as reported by the device's GPS receiver (typically accurate to within a few meters), as opposed to the "coarse" location estimated from nearby cellular towers or Wi-Fi networks, which can be off by hundreds of meters or more. It is important for mobile device users to know whether an app tracks precise or coarse location.

UDID is the "Unique Device Identifier," a 40-character hexadecimal string that Apple assigns to each iOS device (Android devices carry analogous hardware identifiers). The UDID never changes and cannot be reset by the user, so once a company joins it with any other record about you (a phone number, an account name, a location fix), every later sighting of that UDID identifies your device, location, and app usage as uniquely you.

I don't need to explain the wealth of sensitive personal information available in Facebook profiles. Facebook members typically put into their profiles address data, online contact information, family information, education, employment, photographs and videos, hobbies, websites of interest, television shows of interest, and, through location-based check-ins, the time, date, frequency, and duration of visits to various retailers.

The complaint alleged that OpenFeint violated the Computer Fraud And Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), California's Computer Crime Law, the California Invasion of Privacy Act, and the Consumer Legal Remedies Act (CLRA).

While prior lawsuits have focused on tracking and privacy issues, this suit deserves attention because the allegedly affected mobile device users also included children -- as young as 4 years of age. The complaint describes how OpenFeint operates a huge mobile social gaming network with at least 5,300 game applications and alleged:

"... many of the downloaded applications affiliated with Defendant OpenFeint involved the unauthorized tracking of minor children."

And:

"... OpenFeint targets minor children with free affiliated gaming applications designed and promoted as “Kid apps,” purposely including storybook tales, friendly animals, and child-like game scenarios to attract children, so that the child’s parents would be more likely to allow for the app download, relying in part on the posted children app ratings. Many of Defendant OpenFeint’s gaming applications are rated 4+, for ages four (4) and up, rated 9+ for ages nine (9) and up, and rated 12+ for ages twelve and up."

The gaming market is huge. Google/Android and Apple/iOS mobile devices are capturing a larger share of the $7.3 billion global mobile gaming market.

OpenFeint is a social gaming platform that app developers use to build games for the Apple iPhone, iPad, and iPod Touch and for Google/Android mobile devices. The game apps typically let users import friends from their Facebook and Twitter profiles. Earlier this year, GREE International acquired OpenFeint for about $104 million. OpenFeint was previously known as Aurora Feint.

The suit was filed in the U.S. District Court for the Northern District of California by the attorneys Parisi & Havens LLP and the Law Office of Joseph H. Malley, P.C. While reading the complaint, I recognized Malley's name, since he is often referred to as a "Privacy Crusader." Malley was involved in class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, Malley has plenty of experience with online privacy and tracking issues.

The complaint cited a May 2011 investigation by Aldo Cortesi into how companies collect UDIDs and consumer information from mobile device apps. That investigation captured both encrypted and unencrypted Internet traffic from about 94 iPhone apps:

"84% of apps tested contacted one or more domains during use... Three big aggregators of UDID-related data dominate: Apple, Flurry, and OpenFeint. Each one of these companies has the vast majority of UDIDs on file, linked to a rich set of privacy-sensitive information. OpenFeint's ubiquity is one of the reasons why UDID de-anonymization using their API is so serious."

Since consumers have no way to stop apps from collecting their UDID, and since the collected data can be de-anonymized, consumers effectively have no online privacy regardless of companies' claims to anonymize the data they collect. That means companies can compile databases rich with value, and make money by selling that information to others.

So, I also read the Cortesi article about de-anonymizing the OpenFeint data. Since Cortesi was able to de-anonymize the data OpenFeint collected, other companies could have done so, too, and compiled databases of far greater value than "anonymous" usage data alone:

"... I was able to link roughly 30% of UDIDs to GPS co-ordinates, 20% of users to a weak identity (e.g., OpenFeint profile picture, user-chosen account name), and 10% of UDIDs directly to a Facebook profile... Although the Facebook and GPS de-anonymization issues have been repaired, we have to consider the possibility that these vulnerabilities have already been used to de-anonymize a database of UDIDs."

While OpenFeint has fixed much of the API data leakage since the Cortesi article, the fact remains that the leakage occurred and, as Cortesi notes, may already have been used. That makes me wonder how effective OpenFeint's quality control process really is, what other OpenFeint API data leaks haven't been found, and which other companies used their access to the leaked data to improve the value of their own databases.
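
The mechanics of the de-anonymization Cortesi describes are simple: a usage log that looks "anonymous" because it is keyed only by UDID becomes fully identifying the moment anyone can join it with another dataset keyed by the same UDID. The example below, which I have added here and which is not Cortesi's code nor OpenFeint's API, shows that join over small constructed datasets (the UDIDs, app names, usernames and coordinates are all made up), and then shows why the common "fix" of hashing the identifier before storing it does not help: whoever holds the raw UDIDs can hash them too and the join still works.

```python
import hashlib
from collections import defaultdict

# Constructed sample data (not OpenFeint's). UDIDs are 40 hex characters, as on iOS.
UDID_A = "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678"
UDID_B = "0f1e2d3c4b5a69788796a5b4c3d2e1f000112233"
UDID_C = "deadbeef00112233445566778899aabbccddeeff"
UDID_D = "1234567890abcdef1234567890abcdef12345678"

# What an analytics aggregator holds: "anonymous" usage records keyed by UDID.
USAGE_LOG = [
    {"udid": UDID_A, "app": "kids-storybook", "minutes": 42},
    {"udid": UDID_A, "app": "farm-animals", "minutes": 17},
    {"udid": UDID_B, "app": "farm-animals", "minutes": 5},
    {"udid": UDID_C, "app": "puzzle-9plus", "minutes": 60},
    {"udid": UDID_D, "app": "kids-storybook", "minutes": 8},
]

# What a leaky lookup API let anyone fetch, one record per UDID (constructed).
PROFILE_LEAK = {
    UDID_A: {"username": "tommy_age6", "facebook_id": "100001234"},
    UDID_D: {"username": "sara_k", "facebook_id": None},
}
GPS_LEAK = {
    UDID_A: (37.7749, -122.4194),
    UDID_B: (40.7128, -74.0060),
}


def link_records(usage, profiles, gps):
    """Join the three datasets on their shared key and return one dossier per device."""
    dossiers = defaultdict(lambda: {"apps": {}, "identity": None, "location": None})
    for row in usage:
        apps = dossiers[row["udid"]]["apps"]
        apps[row["app"]] = apps.get(row["app"], 0) + row["minutes"]
    for key, dossier in dossiers.items():
        dossier["identity"] = profiles.get(key)
        dossier["location"] = gps.get(key)
    return dict(dossiers)


def deanonymization_rates(dossiers):
    """Fraction of devices in the usage log that the join tied to an identity / a location."""
    total = len(dossiers)
    with_identity = sum(1 for d in dossiers.values() if d["identity"] is not None)
    with_location = sum(1 for d in dossiers.values() if d["location"] is not None)
    return {"identity": with_identity / total, "location": with_location / total}


def hash_key(udid):
    """A common "anonymization": store the SHA-1 digest of the UDID instead of the UDID."""
    return hashlib.sha1(udid.encode("ascii")).hexdigest()


def rekey(records, keyfunc):
    """Copy a list (usage rows) or dict (lookup table) of records with the UDID key transformed."""
    if isinstance(records, dict):
        return {keyfunc(k): v for k, v in records.items()}
    return [dict(row, udid=keyfunc(row["udid"])) for row in records]


def hashed_join_still_links():
    """Hashing the key does not break linkage: anyone holding raw UDIDs can hash them too."""
    hashed_usage = rekey(USAGE_LOG, hash_key)        # what the aggregator publishes
    hashed_profiles = rekey(PROFILE_LEAK, hash_key)  # the attacker hashes the leaked mapping
    hashed_gps = rekey(GPS_LEAK, hash_key)
    return deanonymization_rates(link_records(hashed_usage, hashed_profiles, hashed_gps))


if __name__ == "__main__":
    dossiers = link_records(USAGE_LOG, PROFILE_LEAK, GPS_LEAK)
    for key, d in dossiers.items():
        print(key[:8], d["identity"], d["location"], d["apps"])
    print("plain join: ", deanonymization_rates(dossiers))
    print("hashed join:", hashed_join_still_links())
```

The only thing that breaks this join is a key the other party cannot reproduce: for example, replacing the UDID with an HMAC under a secret held by the aggregator alone, or with a per-app identifier that is not shared across apps. A deterministic, unkeyed hash of a device identifier is a pseudonym, not anonymization.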

The complaint also cited several studies about consumer tracking and sensitive data collection, including the Wall Street Journal Cellphone Testing Methodology, which allegedly included several OpenFeint gaming apps. This cellphone analysis is part of the Journal's What They Know series.

Download the Hines v. OpenFeint complaint (3,782 K Bytes, Adobe PDF format).

It is good to see a focus on tracking and data collection issues related to children. Since teenage children give little or no attention to privacy issues, it is logical to assume that younger online users don't either. Young children -- ages 4 through 8 -- are too young to read and understand the privacy and terms of use policies at websites.

I like how the complaint mentioned the various costs to consumers. One cost is the value of the stolen sensitive personal information. Another cost is the larger data downloads, since consumers typically pay monthly fees for data plans with their mobile devices. The more data captured and downloaded without notice, the greater the financial impact upon consumers.

It is important for all mobile-device users, especially parents, to research the apps they or their children want to use before purchasing and downloading them. There are several helpful resources, including the Wall Street Journal mobile, CNet, MacWorld, and PC World websites.

What are your opinions of Open Feint and this lawsuit? What do you think of companies tracking minor children online?


New Content Categories For I've Been Mugged Blog

Good news! For readers to find content more easily and faster, I have added several new categories in the tag cloud in the near right column:

  • Australia and South Pacific: issues and events in this geographic region
  • Mobile: includes mobile devices such as smart phones, tablet computers, and laptop computers
  • Retail: issues and events about retailers, retail stores, and supermarkets
  • Social Networking: issues and events about blogs and websites such as Facebook, Twitter, LinkedIn, Groupon, and others
  • Teens/Youth: issues affecting teens and youth of interest to parents (and grandparents)

If you would like to see new categories, please share your suggestions below.


The Next War May Well Be About User Data

[Editor's Note: Today's blog post is by guest author Meeta Mathur. Meeta is a UX designer focused on designing and understanding virtual social environments. She blogs at MeetaMathur.Tumblr.com and looks forward to your feedback. I have known Meeta for several years, as previously we were coworkers at a digital agency.]

By Meeta Mathur

The next War may well be about user data.

We live in a world where we are increasing our digital footprint daily by connecting with various social networks and engaging in liking, sharing and commenting with several brands and domains. With every URL we visit we leave behind traces of ourselves, sometimes unknowingly, and more and more, due to the power of social plugins, these traces follow us around even when we're well aware of it.

With the world population at 6 billion and Facebook alone at 500+ million users, it is no wonder then that the next riches waiting to be mined are not the glittering blood diamonds of Africa or harvesting the oil wells of the Gulf. The next frontier is the gleaming gold mine of user data. And it won't be unthinkable given the history of the human race, that one day we may very well fight over this very data. Not a common brawl, but a full-blown war just like nations in the past have fought.

We may have very well seen a preview of things to come with the Facebook PR disaster a few weeks back when they failed miserably at a smear campaign against Google over user privacy issues.

Likewise, there was the brouhaha over location data tracking that both Apple and Google have run into in recent months.

We've only just seen the tip of the iceberg, though. The stakes no doubt are huge, as we can see from the interest each of these companies has, with Google tying each employee's bonus to the success of its social agenda. On the flip side, this is an equally big opportunity for it to be misused. There's a lot that can be gleaned from this data - from credit card info to where you live, work, your shopping habits and your friends.

In fact, Google search results may soon be a mirror of our immediate network, their worries, their issues and what's important to them. They will be a reflection of the environment we live in... and marketers, as always, are the first to grab on to that; perhaps even your doctor, insurance and others might tap into that in the near future.

The Google Social Circle knows who your friends are.

Corporations going after user-data are one thing. But what happens when a country itself makes it their agenda. This recent article about China making cyber-warfare their military priority is most worrisome.

Are you worried? What are or will you be doing to protect yourself? Fortunately, there are more than just a few of us worried, and already a few tools being designed to tackle this menace head on.


© 2011. Meeta Mathur. Reprinted with permission.


Privacy Commission of Canada Investigates Online Dating Websites

In a report (PDF format) to the Canadian Parliament earlier this week, the Privacy Commission of Canada announced that it is investigating online dating websites for privacy abuses. The investigation results from a complaint filed with the Privacy Commission office by a Canadian woman who attempted to delete her eHarmony account:

"A woman who had been a member of eHarmony complained to our Office that, upon ending her membership, she had asked eHarmony to delete her online account. Days later, she went online to check that her instructions had been carried out. She discovered, however, that she could still sign in and that the account contained all the personal information she had previously provided."

The woman then did what any of us would have done. She didn't give up. She contacted eHarmony again and requested that the company delete her profile. The company's response:

"... eHarmony replied that her account was now inaccessible to other members. However, eHarmony told her that it could not entirely delete her record of having joined, or remove her personal information."

The Privacy Commission investigated and found that while 40% of online dating users reactivate dormant accounts, a larger portion -- 60% -- do not. Its investigation of eHarmony also discovered:

"... that the option to “close” an account was not readily accessible on the eHarmony website. Nor was there a clear explanation of what eHarmony meant by that term."

The Privacy Commission suggested that eHarmony provide both profile "deactivation" and "deletion" options, and that the difference between the two be clearly explained in the website privacy policy. Consumers should stay in control of their personal information. The company's response:

"... eHarmony confirmed that it had taken, or was in the process of taking, steps to address our concerns, including:
1. Establishing a two-year retention period for personal information that the site collects from the users of its service;
2. Providing a clear and efficient process for users to request removal of their personal information; and
3. Providing users with clear information about the difference between deactivating an account and deleting an account as well as information about how long eHarmony retains personal information."

The retention period matters because every record a company keeps is a record that can be exposed in a data breach: the longer your personal information is retained after you leave, the longer it is at risk of being accessed by unauthorized people. The Privacy Commission reviewed other online dating websites and found that some lacked a privacy policy entirely.

What should users of online dating services do to protect themselves and their sensitive personal information? The Privacy Commission advises consumers to:

  1. Verify that the website has a privacy policy and read it before registering
  2. The policy should use easy-to-understand language, and clearly state what personal information the website collects, how it is used, and how it will be safeguarded
  3. Look for both account deactivation and deletion options. Look for definitions of any alternative words used, such as "close," to determine whether they mean deactivation or deletion.
  4. Look for a statement about how long the website retains your personal information, and if it anonymizes your information after that.

My take on this: if the website doesn't have a privacy policy, don't register with that website (or app). If the website has both a privacy policy and a terms of use policy, read both documents. If the documents are difficult to understand, don't register with that website. The documents should cover all of the devices you plan to use with the website. If there are different privacy policies for different mobile devices, look for another dating service.

If the data retention period is longer than two years, skip that website and look for another service. If you are savvy about data anonymization, look for a definition of that. If you don't like what you read, don't register with that website.

As I think about it, the above consumer tips are good for any social networking website, and not just online dating websites.

Are you an online dating service user? What do you think?


Smart Phones Still Don't Deliver The Privacy, Data Security, And Trust Consumers Want

Consumers love their smart phones. Over at Column Five Media, there is a really good infographic that displays the problem with today's smart phones. Some of the key statistics highlight the problem:

  • When using their smart phones, 99% of consumers consider their privacy as Extremely Important, Very Important, or Important
  • 99% of consumers rate knowing what data their smart phone apps collect as Extremely Important, Very Important, or Important
  • 99% of consumers rate access to controls about what information is shared as Extremely Important, Very Important, or Important

Yet, trust isn't there yet. Not for any of the brands. The portion of consumers who feel safe with each brand smart phones:

  • Apple/iPhone: 28%
  • Blackberry: 28%
  • Google/Android: 22%
  • Windows Mobile: 18%
  • All Other brands: 12%

From what I have read, the above statistics cover adults, since teens give little to no thought, consideration, or priority to privacy. Google/Android users may find the My Data Manager app helpful for tracking what data your apps collect and share. Read the entire Lookout Mobile Security infographic.


Alabama County Swamped By Debt From Corrupt Local Officials And Banks

This highlights corruption and greed. JP Morgan "mugged" the residents of Jefferson County, Alabama. You can read the sordid details in the Rolling Stone:

"The House Financial Services Committee has just voted to delay the scheduled implementation of reforms in the Dodd-Frank bill that would limit the ability of banks to pull Jefferson-County style scams in the future. Among other things, the new rules would have required banks to act in the best interests of their clients, and disclose daily pricing information about swaps, making it harder for banks to gouge clients... Wall Street is making a killing similarly overcharging states and cities and counties (and even countries like Greece) for interest-rate swaps..."


12 Tips For Consumers To Avoid Identity Theft And Fraud

To avoid identity theft and fraud, consumers first need to know the ways in which identity thieves try to steal your sensitive personal information:

  • Skimming: thieves attach card-reading devices to ATMs, ATM booth doorways, and gas-station pumps
  • Phishing e-mail messages
  • Change of Address: thieves divert your billing statements to another location by completing a change of address form at the post office
  • Old-fashioned theft: stealing your wallet or purse
  • Pre-texting: thieves pretend to be you and contact (online or via phone) your bank or financial institution to obtain your personal information and money
  • Fishing: accessing unlocked snail-mail mail boxes, or lowering "pieces of cardboard covered with glue down blue mail boxes and open envelopes that stick looking for personal information they can steal"
  • Dumpster diving for financial statements and "convenience checks" you've thrown out in the trash without shredding them
  • Discarded computers, with hard drives that contain personal information, that haven't been properly erased or destroyed before disposal
  • Online research of government registers, Internet search engines, and public records to gain pieces of your personal information
  • Remote-theft with portable readers that scan and read your contactless (e.g., RFID) debit/credit cards
  • Shoulder surfing: simply looking over your shoulder when you make ATM transactions in public places
  • Malware: using computer viruses and other malicious software to access the personal information on your (home) computer
  • Employment scams: thieves advertise fake job openings and use the personal information submitted by applicants
  • Social networking sites: thieves access profile pages left publicly open by consumers who ignore privacy settings, produce bogus quizzes, and/or hack a friend's account to gain access to your sensitive personal information

To combat these theft methods, the Los Angeles County Sheriff's Department suggests these 12 tips for consumers to protect themselves:

1. Identity theft starts with the misuse of your personal identifying information such as your name, Social Security number, credit card numbers, or other financial account information.

2. Check your credit report from each of the three major credit bureaus every year.

3. Open your credit card bills and bank statements right away. Review your statements and close unused accounts. Be aware if bills don’t arrive on time. It may mean that someone has changed contact information to hide fraudulent charges.

4. Don’t carry your Social Security card or PIN numbers in your purse or wallet because of what can happen if they fall into the wrong hands.

5. Avoid giving any personal information over the phone, mail, or Internet unless you know who you are dealing with. Give it to them in person instead.

6. Criminals pretend they are collecting money for victims of a natural disaster. Sometimes they claim to be police officers and ask for donations.

7. Elderly people are frequently targeted in money scams. Keep a helpful eye for elderly family members and vulnerable neighbors.

8. Make sure that you disconnect your laptop from a broadband or a shared connection when you are not using it.

9. Avoid offers and pop-up ads that sound too good to be true. They want you to enter your information so they can access all of your personal information.

10. Remove your name from mailing lists for pre-approved credit offers. Pre-approved credit card offers are a target for identity thieves who steal your mail. Have your name removed from credit bureau marketing lists. Call toll-free 888-5OPTOUT (888-567-8688).

11. Only enter personal information on secure Web pages that encrypt your data in transit. You can often tell if a page is secure if "https" is in the URL or if there is a padlock icon in the browser window. Keep in mind that the padlock only shows the connection is encrypted, not that the site is the one you intended; check the domain name in the address bar, too.

12. If you’re going to use a mail box, do so during or close to the posted pick up hours. Better yet, drop your mail off at your local post office. Retrieve mail promptly and discontinue delivery while out of town.


Teens Don't Give Any Thought Or Consideration To Online Privacy

If you are a parent, then this article is a must-read. This Washington Post article highlighted the fact that teenage children don't give any thought or consideration to online privacy. That is, they don't read privacy policies or terms of use policies, or consider the implications, when registering at websites or when installing apps on their mobile devices.

This is great news for marketers and app developers. Terrible news otherwise:

"With few restraints, teens are creating digital records that also shape their reputations offline. All the status updates, tweets and check-ins to specific locations can be reviewed by prospective employers, insurance companies and colleges... the opportunities to share information online are so frequent and routine that [teens] hardly even stop to think about them."

The WP article described a 13-year-old teen who regularly paid for and installed mobile device apps and games with a credit card number his parents had provided. In my opinion, that is poor decision-making by both the parents and the teen. Parents who won't let their children go to the mall alone will let their children go anywhere online. That is a recipe for disaster, since the same bad people who frequent public spaces go online, too.

The article included an honest and disgusting comment from a retailer about the placement of online privacy policies and warnings:

"... if we were to present them with additional warnings, cautions and terms and conditions in a form that is impossible to ignore or misunderstand, it will end up ruining the experience that they paid for."

Really? That attitude puts making money ahead of the consequences and damages. They are selling services to children, and that attitude isn't just unhelpful. It's counter-productive.

Having raised three children, I find teens' sloppy online habits no surprise. When my grown children were teens, I saw this in their computer usage. They regularly used computers without anti-virus software, and shared game software install disks that were often infected with malware. No thought to safe computing.

Unfortunately, peer pressure often rules. Teens will rush to register for a new game or at website to fit in with their peer group. While rushing, risks are ignored and privacy not considered. Teens often have an attitude of invincibility; that bad things won't happen. And when those bad things do happen, a parent will save them.

It's important to remember that they are teenage children, not teenage adults. Just as teens need to be taught good money management, they need to be taught safe online habits:


Citigroup Increases Number of Breach Victims To 360 Thousand

In a press release distributed late Wednesday evening, Citigroup announced that its data breach investigation had discovered about 360+ thousand customers were affected. Citigroup had previously announced that about one percent or 210+ thousand customers were affected.

Citigroup also explained further its post-breach actions:

"... internal fraud alerts and enhanced monitoring were placed on all accounts deemed at risk. Simultaneously, rigorous analysis began to determine the precise accounts and type of information accessed. The majority of accounts impacted were identified within seven days of discovery."

Various media sources reported that the hackers got into Citigroup's site by logging in as ordinary cardholders, and then easily reached other areas and other customers' data that should have been off limits to them. Experts speculate that Citigroup's online protection methods weren't as strong as they should have been.
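
The failure those reports describe, a logged-in user reaching records that are not theirs, comes from a site checking that a request is authenticated but not that the requested record belongs to the requester. The example below is a generic illustration I have added for this post; it is not a reconstruction of Citigroup's site (whose design and code are not public), and the account numbers, sessions, and handler functions are all constructed. It shows the vulnerable pattern next to the hardened one, and what a single valid login can harvest from each by simply walking account identifiers.

```python
class AccessDenied(Exception):
    """Raised for any request the caller is not entitled to make."""


# Constructed data: which customer owns which card account, and who is logged in.
ACCOUNTS = {
    "4111000000000001": {"owner": "alice", "balance": 1200.00, "ssn_last4": "1234"},
    "4111000000000002": {"owner": "bob", "balance": 85.50, "ssn_last4": "9876"},
    "4111000000000003": {"owner": "carol", "balance": 10.00, "ssn_last4": "5555"},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def view_account_vulnerable(session_id, account_id):
    """Authenticates the caller, then trusts the account id taken from the request."""
    if session_id not in SESSIONS:
        raise AccessDenied("not logged in")
    # Missing step: nothing ties account_id to the user behind session_id,
    # so any logged-in customer can read any account by changing the id.
    return ACCOUNTS[account_id]


def view_account_hardened(session_id, account_id):
    """Authenticates, then authorizes: the record must belong to the session's user."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise AccessDenied("not logged in")
    account = ACCOUNTS.get(account_id)
    # One answer for "no such account" and "not your account", so a probe
    # learns nothing about which account ids exist.
    if account is None or account["owner"] != user:
        raise AccessDenied("no such account")
    return account


def walk_account_ids(handler, session_id, candidate_ids):
    """What one valid login can harvest by iterating ids: account -> (owner, last-4 SSN)."""
    harvested = {}
    for account_id in candidate_ids:
        try:
            record = handler(session_id, account_id)
        except (AccessDenied, KeyError):
            continue
        harvested[account_id] = (record["owner"], record["ssn_last4"])
    return harvested


def is_denied(handler, session_id, account_id):
    """True when the handler refuses the request."""
    try:
        handler(session_id, account_id)
    except (AccessDenied, KeyError):
        return True
    return False


if __name__ == "__main__":
    ids = sorted(ACCOUNTS) + ["4111000000000004"]  # includes one id that does not exist
    print("vulnerable:", walk_account_ids(view_account_vulnerable, "sess-bob", ids))
    print("hardened:  ", walk_account_ids(view_account_hardened, "sess-bob", ids))
```

Two details in the hardened handler are worth copying: the ownership check compares against the user taken from the server-side session, never from anything the client sent, and the refusal looks the same whether the account is missing or belongs to someone else, so the handler cannot be used as an oracle for valid account numbers.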

The number of affected customers by state:

Alabama: 1,588
Alaska: 353
Arkansas: 2,840
Arizona: 6,600
California: 80,454
Colorado: 6,361
Connecticut: 5,066
District of Columbia: 834
Delaware: 701
Florida: 20,303
Georgia: 4,147
Hawaii: 1,946
Idaho: 1,076
Iowa: 3,7990
Illinois: 30,054
Indiana: 6,069
Kansas: 1,910
Kentucky: 1,630
Louisiana: 3,220
Maine: 703
Maryland: 5,041
Massachusetts: 7,904
Michigan: 10,889
Minnesota: 5,764
Mississippi: 837
Missouri: 4,774
Montana: 839
North Carolina: 4,822
North Dakota: 608
Nebraska: 1,063
New Hampshire: 1,116
New Jersey: 8,791
New Mexico: 2,246
Nevada: 2,946
New York: 25,312
Ohio: 5,547
Oklahoma: 5,208
Oregon: 3,839
Pennsylvania: 8,490
Puerto Rico: 105
Rhode Island: 827
South Carolina: 1,657
South Dakota: 886
Tennessee: 2,753
Texas: 44,134
Utah: 1,955
Virginia: 5,337
Virgin Islands: 79
Vermont: 509
Washington: 6,511
Wisconsin: 7,838
West Virginia: 525
Wyoming: 485
Other: 801

On May 24, Citigroup began notifying all affected customers and issuing replacement credit cards.

This latest press release explained some of the actions Citigroup has taken since the breach:


Tips For Safe Online Banking

You've just purchased a new, shiny mobile device or smart phone and have decided to use it for online banking. You've heard that some people have had data security problems, so you want to bank online safely with confidence. What should you do?

Caution: one article isn't going to tell you everything you need to know. Why? First, technology changes quickly. When new tools become available, that may change what you do to protect yourself online. Second, the steps you take to bank online safely will vary by the brand or type of mobile device you use and the apps available for that device. During the coming weeks, I will use this blog to highlight relevant articles about mobile banking.

To start, there is a pretty good article at Infosec Island with tips for safe online banking:

"1. Never accept incoming communications purporting to be from financial institutions you do business with, whether by email or phone call."

I agree. It is simply too easy today for scam artists to create fake or phishing websites and e-mail messages. Smart consumers have learned how to recognize phishing e-mail messages and the variety of phishing attacks. If you are unsure about a message, contact your financial institution via their toll-free number.

"2. Update your security software on your computer."

I have repeatedly written blog posts reminding consumers to keep the anti-virus software on their home computers both current and active. That means you should also activate the anti-phishing features. This cannot be over-emphasized. If you think that the anti-virus software you currently use is lacking, sites like Cnet and Consumer Reports rate the various anti-malware products. Given the new smart phones and mobile devices (e.g., tablet computers), it is also important to:

"3. Check the security of your mobile device and your mobile banking apps."

I agree with Infosec Island that identity thieves and scam artists will follow the technology. As more and more consumers buy smart phones, an increasing number of phishing attacks will target those devices. Note:

"Andrew Hoog, chief investigative officer of viaForensics, a digital forensics and security company, found three unencrypted (i.e., less secure) passwords in apps for Foursquare, LinkedIn and Netflix on the Android in a recent round of app security testing. Citibank received a "pass" rating for its app..."

That means consumers must do their research first. Don't blindly install an app without researching it beforehand. Check your bank's website for a complete description of its online banking app, or check the app store for your mobile device. The app description should:

  • Fully describe how the app works, including any limitations
  • Display any terms of use and privacy policies
  • Display screen images of the app so you can preview it
  • Share comments and ratings by existing app users

I like to research an app at one of the reputable technology websites, like CNet. Search the Cnet site by entering the name of the app if you know it, or the "mobile banking apps" keywords. You might also check Amazon.com for resources. Depending upon the brand of mobile device, you might try MacWorld or PC World. If the online banking app does not encrypt your sign-in credentials (e.g., user ID and password) or doesn't provide a privacy policy, then don't download and install the app.

"5. Use strong passwords and don't reuse your bank password elsewhere."

Today, consumers must know how to create strong passwords. Since we consumers have registered at so many websites, it is tempting to reuse the same passwords. Don't do this. Some more don'ts:

  • Don't use the same password at both your banking and social networking websites
  • Don't use a password that is an item in your social media profile. For example, if you've mentioned your pet's name in your Facebook profile, don't use that name as a password anywhere online. Similarly, don't use your favorite color, TV show, or sports team as your password
  • See this list of passwords you shouldn't use
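As an added example (not from the original post), here is a small Python check that applies the rules above to a candidate password: it compares the password against details from a constructed sample profile, tolerating case, punctuation and the usual digit-for-letter substitutions; against a short constructed stand-in for a "passwords you shouldn't use" list; and against passwords already used at other sites. The profile values, the common-password list and the function names are all assumptions made for the example.

```python
import re

# Constructed sample profile: the kinds of facts a public social-media profile exposes.
SAMPLE_PROFILE = {
    "pet": "Biscuit",
    "favorite_color": "Purple",
    "tv_show": "Lost",
    "sports_team": "Red Sox",
    "hometown": "Boston",
}

# Constructed stand-in for a published list of passwords not to use.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}

# Undo the usual digit/symbol-for-letter substitutions so "B1scu1t" compares equal to "Biscuit".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_TERM_LEN = 4  # ignore very short profile tokens such as "Red", which would match too often


def normalize(text):
    """Return the lowercase forms of text with spaces and punctuation removed:
    the literal spelling and the de-leeted spelling, so either one is caught."""
    lowered = text.lower()
    literal = re.sub(r"[^a-z0-9]", "", lowered)
    deleeted = re.sub(r"[^a-z0-9]", "", lowered.translate(LEET_MAP))
    return {literal, deleeted}


def profile_terms(profile):
    """Every whole value and every word of the profile, normalized, and long
    enough to be a meaningful match."""
    terms = set()
    for value in profile.values():
        for piece in [value] + value.split():
            terms.update(t for t in normalize(piece) if len(t) >= MIN_TERM_LEN)
    return terms


def check_password(password, profile, other_passwords=()):
    """Return the list of rule violations for a candidate password.
    An empty list means the candidate passed these three checks."""
    problems = []
    forms = normalize(password)
    # Rule: no pet name, favorite color, TV show, sports team, etc. from the profile,
    # even with digits appended or letters swapped for look-alike symbols.
    for term in sorted(profile_terms(profile)):
        if any(term in form for form in forms):
            problems.append(f"contains profile detail '{term}'")
    # Rule: not on the list of passwords you shouldn't use.
    if any(form in COMMON_PASSWORDS for form in forms):
        problems.append("is on the list of commonly used passwords")
    # Rule: not reused from another site (a password manager does this bookkeeping in practice).
    if password in other_passwords:
        problems.append("is reused from another site")
    return problems


if __name__ == "__main__":
    for candidate in ["B1scu1t2011", "RedSox!Fan", "P@ssw0rd", "xK9#vq2!Lm"]:
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE) or "ok")
```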

You can read the rest of the tips list at the Infosec Island blog.


Received Poor Customer Service? How To Complain Effectively

Recently, Consumer Reports published the results of its survey about customer service at several retailers. Many companies' customer service operations rated poorly. Consumers often left the store (or website, or hung up the phone) in frustration without being heard or getting their issue resolved.

Consumers should not have to sue a retailer to get a response or the services they paid for. The CR report offered several suggestions for consumers to complain effectively to get heard and ideally get your issue resolved:

  1. Give praise: explain what the retailer did well. Whether on the phone or in person, give the good news first and the bad news second. The customer service representative is human, and is more likely to listen and act.
  2. Stuck in voice-mail hell? Consult websites such as dialAHuman.com and getHuman.com for the customer-service numbers and key sequences that exit voice-mail and reach a live representative.
  3. Keep a written record of the situation or problem. Keep any receipts. Make notes of the customer service representative's name, phone number and extension, date and time of your call -- or attempted call. If the representative provided a confirmation or service-request number, keep a record of that, and use that number later when following up online, via snail mail, or via phone.
  4. Escalate appropriately: if you have tried the above tactics without success, escalate the issue to the representative's supervisor. If you can't get resolution, politely ask the customer service representative to get his/her boss on the phone line.
  5. Don't give up. Speak firmly. Post your story on social-networking sites. Contact a consumer-advocate blogger. There are many around the country. If you use Twitter, use hashtags (examples: #custserv #fail; #sears #fail) to make your tweets searchable. 

How Telemarketers Get Your Mobile Phone Number

In May, I wrote about how easy it is to find consumers' mobile phone numbers online at websites like Intelius. A natural question from that blog post: how do these data-mining websites and telemarketers obtain consumers' mobile phone numbers? That's a relevant question, since consumers have reportedly registered about 200 million phone numbers with the Do Not Call registry since 2004.

There is a good article at TMC.net that answers this question. First some surprising statistics:

"... despite the registry, an estimated 150 million telemarketing calls are made each day in the United States, an estimated 20 percent, or 30 million, of which are potential violations..."

So, a lot of the calls you receive at home are potential violations if you have registered at the Do Not Call registry. Many are not violations, since there are a multitude of ways your mobile phone number can leak out to telemarketers and data brokerage companies:

  1. Debt Collection Agencies: will contact you whether or not your phone is listed in the Do Not Call registry. Debt collectors will contact you directly or will contact a family member to find your address and phone number.
  2. The United States Post Office: will sell for a small fee a box holder's residential address, if available.
  3. Social media sites: will display your phone number and e-mail, especially where many consumers haven't made their profile page private and accessible only by friends.
  4. Product warranty cards: when you register that new product you've purchased online or via snail mail, you have helped the manufacturer assemble a database of names, addresses, e-mails, and phone numbers that can be sold to marketers and data brokers.
  5. Data brokers: regularly sell consumer information, including residential addresses, e-mail addresses, and phone numbers, to telemarketers.

What consumers can do to minimize this leakage of your mobile phone number:

  • Don't be so quick to disclose your mobile phone number. Ask yourself if you really want this company to know your mobile phone number. Maybe your e-mail address or landline phone number is enough
  • Register your mobile phone number at the Do Not Call registry, if you haven't already
  • Be careful about the sweepstakes and contests you enter. Read the fine print or contest terms closely, as that document will indicate whether the contest operators will sell your information to other companies
  • Read the privacy policy at websites you visit and have registered at. This document will indicate whether the website operator will sell your personal information to other companies
  • Read the privacy policy for mobile phone apps before you install the app. If the app developer does not have a privacy policy, then that should be a strong clue
  • If you owe money, know your rights regarding debt collection
  • You can file a complaint at the Do Not Call website

To read the full list of ways your mobile phone number can leak out to telemarketers and data brokers, see the TMC.net article.

The author of the TMC.net article suggested that consumers with Droid and Blackberry brand smart phones use the PrivacyStar app to block and report unwanted telemarketing calls. I have not used this app and cannot verify its accuracy. If you use the PrivacyStar app, let us know what you think of it.


Citigroup Data Breach Affects At Least 200,000 Customers

On Thursday, various news sources reported a data breach at Citigroup affecting a couple hundred thousand credit card account holders. Citi debit card customers were reportedly not affected. According to InformationWeek, the data stolen included:

"... names, account numbers, email addresses, and contact details... customer's social security number, date of birth, card expiration date, and card security code (CVV) were not compromised..."

Since similar data breaches have happened before in the financial services industry, some experts wonder if banks are doing enough to protect sensitive consumer information.

The bank is notifying affected customers. Details are sparse, as Citigroup did not disclose an exact number of breach victims, nor details about exactly how the unauthorized access happened. At press time, a check of the Citigroup website did not produce any press releases about the data breach.

The data stolen is sufficient for scam artists and spammers to target breach victims with phishing attacks via e-mail and phone. Citigroup markets the Identity Monitor credit monitoring service and Identity Theft Solutions support services for identity-theft victims.

It will be interesting to see what, if any, identity theft and fraud resolution services that Citigroup arranges for its breach victims.


McAfee Anti-Virus Software Rated Poorly By Consumer Reports

I have been a happy and satisfied McAfee Internet Security Suite user for the past 12+ years on several desktop and, lately, laptop computers at home. I have written in this blog about anti-virus software, anti-phishing software, and the need for consumers to keep the anti-virus software on their home computer current. I do.

Given this, I was concerned to read in the June 2011 issue of Consumer Reports magazine about an extremely low rating of the McAfee Internet Security 2011 software. The 31-point rating was far below the 65-point rating of BitDefender. This low rating was the opposite of my experience with the McAfee anti-virus software. I really like and use heavily the McAfee SiteAdvisor browser plugin.

So, I wrote to McAfee asking them what they thought of this low rating by Consumer Reports, and their plans to address it. I received this reply via e-mail:

"From: McAfee NA Customer Service
Sent: Wednesday, May 11, 2011 8:43 PM
Subject: RE: McAfee Customer Service - SR-xxxxxxxxx

Dear George,
Thank you for contacting McAfee Customer Service. I understand that you are disappointed with the McAfee ratings that were provided by Consumer Reports magazine.

George, I would like to inform you that the results in the area of virus and firewall protection in this one particular review, are disappointing to us as we always strive to earn top ratings and therefore the rankings for our various products.

However, the review results are a direct opposite of the test results shown in reviews performed across the top anti-malware vendors by other testing organizations like NSS Labs and AV-Comparatives. Also, the article in Consumer Reports shows nothing more than an overview chart of ‘their findings’ and it is not clear how the various products were specifically tested by Consumer Reports.

In spite of this, let me assure you that McAfee takes this test seriously and remains dedicated to further improving threat detection. In doing so, we are continually working to enhance our malware detection processes including through our Global Threat Intelligence, and through our company-wide Trust & Safety Initiative. Please be confident that McAfee remains relentlessly focused on security.

You may also contact us by phone by dialing 1-866-622-3911. Our business hours are from 8 am to 8 pm CST, daily. xxxxxxxxx is the Service Request number for this issue. You can quote this number in your further contacts. For all your future Service and Support needs, please visit http://service.mcafee.com. Thank you for contacting McAfee Customer support!

Sincerely,

Rengarajan K.
McAfee Customer Service-Tier 1"

PC World reviewed McAfee Internet Security 2011 and rated it 3.5 of 5 stars. A prior blog post discussed some of NSS Labs' findings. I revisited the NSS Labs website and downloaded the Q3 2010 NSS Labs review of consumer anti-malware products. NSS Labs rated McAfee Internet Security highly on several measures, and recommended it plus two other products. You can download the NSS review for free (PDF).

I plan to continue using McAfee software and will watch for more test results by other independent labs.

What anti-virus software do you use? Why?


Facebook Photo Tagging With New Facial Recognition Software: What You Need To Do About Your Privacy

Like many others, I use Facebook. Perhaps you do, too. A couple of months ago, I noticed that Facebook uses facial recognition software. When uploading one or several photographs, the Facebook website automatically attempted to identify or "tag" the people in my photos from my list of "friends." I have mixed feelings about this feature.

Before, you had to manually tag each person in every photo you uploaded. Now, the upload process is a little faster and easier as the Facebook site automatically "tags" the people in your photos. How accurate is the tagging? I address that in detail later in this post.

For those unfamiliar with Facebook: when uploading photos, the Facebook website automatically tries to identify and "tag" the people in your photos from the list of people you are connected with as "friends." You can accept the suggested tags, modify them, or skip the automatic photo-tagging step entirely, which deletes any tags. The Facebook photo tagging page with facial recognition looks like this:

The Facebook Photo Tagging page presented during photo upload

The automatic photo-tagging feature during photo upload is a convenience that can save time and minimize keystrokes; especially when the same people appear in multiple photos. When you post the photos, Facebook sends status messages to your friends that are tagged in your photos. The message includes a photo thumbnail and a link, so your tagged friends can view the photos. Your tagged friends can delete their "tags" in the photos, if desired.

I like the photo tagging feature because it produces status and Notification messages that make it easy for your tagged friends to access the photos. This is helpful for people with many "friends" or News Feeds with heavy message volume, making it easy to miss some messages. It's also helpful to alert infrequent Facebook users.

Facebook does not offer its members the option to approve photo tags about themselves before the photos are posted. Tagged members can only visit the photo and delete the tag after the fact.

I noticed that the tagging is far from 100% accurate. For example, the Facebook facial recognition software regularly confused my wife and my daughter, and repeatedly suggested one instead of the other. So, if you have family members (or friends) that look alike, this new Facebook feature may not operate as accurately as you'd expect. My advice: check the tagging suggestions for accuracy, and don't blindly accept all auto-tagging suggestions by Facebook.

The Sophos Naked Security blog reported about Facebook's facial recognition software:

"When Facebook revealed last year it was introducing facial recognition technology to help users tag their friends in photographs, they gave the functionality to North American users only. Most of the rest of us found the option in our privacy settings was "not yet available"... Well, now might be a good time to check your Facebook privacy settings as many Facebook users are reporting that the site has enabled the option in the last few days without giving users any notice."

So, you need to check your new privacy settings for photo tagging. To check your privacy settings, within Facebook select "Account > Privacy Settings." On the next page, select the "Customize Settings" link in the center of the page. On the next page, scroll down to the "Photos and videos I'm tagged in" privacy option and set it to "Friends Only;" or click "Customize" and open the drop-down menu and select "Only Me." Caution: this privacy setting only controls the photos in your profile. It does not control the photos of you that your friends post in their photo albums.

Next, there is the "Suggest photos of me to friends" security option. (Like everything else in Facebook, there are multiple privacy buttons scattered across several pages.) You probably will want to set this to "Disabled." Caution: even when you disable this feature, it won't stop your friends from tagging you in photos. It just stops the facial recognition software from suggesting your name in their (and your) photos.

Sophos highlighted the troublesome issue: Facebook forces its members who don't want to be tagged in photos to manually opt-out or delete the "tag" in each and every photo their "friends" have tagged them in -- even with the new privacy options. If your friends upload a lot of photos, then this quickly becomes unmanageable or impossible -- and you effectively have none or greatly reduced privacy on Facebook.

Surprised? I'm not, as it seems to be in Facebook's DNA for it to regularly find ways to leak your personal information despite your privacy settings.

Caution: you need to know that your friends' privacy settings with photos matter. How? According to the Facebook Help Center:

"I am able to view a non-friend's entire photo album by clicking through from a photo that my friend is tagged in. Is this violating their privacy settings?
It's important to remember that the "tagging" feature does not allow users to see photos that they wouldn't normally be able to see. If you're able to see photos that a non-friend uploaded through a photo that they tagged one of your friends in, it is because this person has most likely set his or her album privacy to the "Everyone" setting (so that everyone on the site is able to view it)."

"How does tagging a friend in a photo affect the photo’s privacy setting?
If you have the box checked next to "Let friends of people tagged in my photos and posts see them" on your Privacy Settings page, then friends of the tagged person will be able to see the photo. If this box isn't checked, the photo’s privacy setting will not be expanded. However, the person who is tagged will be able to see the photo, regardless of the photo’s privacy setting."

To change this setting, select "Account > Privacy Settings." On the next page, un-check the box next to "Let friends of people tagged in my photos and posts see them." I have always had this box unchecked in my privacy settings. Why? I did not want the expanded setting to override my privacy options. If you check this box, it increases the number of people who can see the photos you post. I prefer the narrow, limited privacy setting so I control who sees the photos I post on Facebook.

Similarly, if your friends have set their profile and photo album privacy settings to "Friends of friends," then many more people than you may realize can view photos of you. I have always had my privacy settings at "Friends Only," and hope that all of my friends do the same. Sadly, some don't and I often see photos posted by friends of my Facebook "friends" in my News Feed.

If your Facebook "friends" are sloppy with their privacy settings, and have set their Facebook profile and photo albums privacy settings to "Everyone," then any and all of the 600+ million Facebook members can view their photos (and any photos with you in them).

All of this can be embarrassing if your boss or clients are one of your Facebook "friends." While you may not post risky photos of yourself, your friends might. If you called in sick to work to attend a social event instead, well... the combined automatic photo tagging and "Let friends of people tagged..." privacy setting make it easier for those risky photos to be seen by a wider audience -- including your boss.

A simpler solution: don't "friend" your boss on Facebook.

A better solution: Facebook should provide members with a global opt-out privacy setting from tagging, so that you can't be tagged in any photos. This proposed privacy feature would automatically inform the member uploading the photo of your preference not to be tagged in any photos on Facebook.

A stronger version of this proposed privacy setting would require approvals for any photo tags by the person being tagged. Facebook already requires approvals by photo owners when you try to tag a photo posted by somebody who is not a "friend." (See: What is Photo Tagging?) So, Facebook could implement approvals system-wide if we users demanded it. An even stronger version of this feature could prevent a member from uploading an offending photo.

Will Facebook add any of the proposed photo-tagging approval features? Should it? What are your views of the new facial recognition software and photo tagging features? Have you experienced accuracy problems, too? Share your opinions below.


German Teen's Facebook Party Invite Creates Out Of Control Party

If I had to pick only one story to highlight the need for good security settings on your social media accounts, I'd pick this story.

The Huffington Post reported that a teenage girl in Hamburg, Germany wanted a birthday party with a few friends and family, but didn't check her security settings for the party invite on Facebook. Instead, the Facebook invite was public and went viral.

The teenager and her parents quickly realized the problem when 15,000 people accepted the party invite. They cancelled the party, sent several party cancellation notices, and informed local police. The parents also hired a security service to protect their home. This was a wise move, since 1,500 people showed up for the party despite the cancellation notices. About 100 police officers managed to keep order.


Wrongfully Sued Homeowners Foreclose On Their Bank Instead

On Friday, News-Press reported a story where a homeowner's attorney, assisted by two sheriff's deputies and a moving company, served a foreclosure notice and asset-seizure on a Bank of America branch in Naples, Florida. The bank was faced with a choice: open the branch doors so the moving company could haul furniture for a public auction, or pay $2,534 in attorney fees assessed by a court order.

After an hour of talks, a representative of the bank branch wrote the check.

What started this mess? Reportedly, the Bank of America had wrongfully foreclosed on a home owned by:

"... retired Bay Village, Ohio, police Sgt. Warren Nyerges and his wife, Maureen. Collier court documents show that they bought a house in Golden Gate from the bank for $165,000 in 2009. They paid cash, no mortgage. But somehow the bank and its attorney, the David J. Stern law firm, became convinced that the couple had a mortgage and was behind in the payments."

Yes, you read that correctly. The Bank of America tried to foreclose on a home with no mortgage where there obviously were no late payments. That's a corporate "mugging" if there ever was one.

Bank of America filed the foreclosure lawsuit on February 16, 2010 and later dropped the lawsuit, but never paid the homeowners' attorney fees, as ordered by a Circuit Court judge. After the bank ignored several requests for payment of the debt, the homeowners' attorney obtained the necessary legal authorization to proceed with the asset seizure.

A story like this makes you wonder how many other consumers have been wrongfully foreclosed on by their banks. It is another warning for the U.S. Congress and the states' attorneys general to get serious about wrongful foreclosures by banks, and send some bank executives to jail. Units of Bank of America and Morgan Stanley recently agreed to pay a $22 million settlement with the U.S. Justice Department regarding wrongful foreclosures on active-duty military members.

Several federal audits conducted earlier this year by the U.S. Department of Housing and Urban Development have charged several banks -- Bank of America, JPMorgan Chase, Wells Fargo, Citigroup and Ally Financial -- with cheating taxpayers on home foreclosures by submitting false claims to the Federal Housing Administration. Reportedly, Bank of America has refused to cooperate with this investigation.

This Naples, Florida incident has to be embarrassing for Bank of America, and it shows an astounding level of arrogance. You would think that Bank of America would be a lot more responsive given the above settlement, citizen action to move their money to smaller, local banks, and nationwide protests by consumers that Bank of America doesn't pay its fair share of taxes.


Data Breach At Honda Canada Affects 283K Customers

Honda Canada announced that about 283,000 Canadian customers have been affected by a data breach at its myHonda and myAcura websites. The company had noticed unusually high website activity during February. The data stolen included names, addresses, and vehicle identification numbers. For some customers, financing account numbers were also stolen.

The customer data was collected during 2009 through customer mailing programs aimed at Honda and Acura automobile owners. Affected customers were notified in a letter dated May 13.

As data breaches go, this could have been much worse. The data stolen did not include birth dates, telephone numbers, email addresses, credit card numbers, bank account numbers, driver's license numbers, or social insurance numbers. However, the theft of vehicle identification numbers exposes breach victims to phishing attacks.

Also, this is not the first data breach at Honda. In 2010, about 2 million Honda customers in the United States were affected by a data breach involving its Silverpop e-mail marketing vendor. The number of stolen records was later revised upwards to 4.9 million Honda customers. American Honda Motor Company provided this breach help site for its customers in the United States.