
19 posts from October 2011

8 Ways To Avoid The New Banking Fees

Some consumers have decided not to move their money to a credit union or community bank. If you are one of those customers, you are probably wondering what you can do to avoid those new, hefty fees including the new debit card fees.

There is an article at Bankrate.com which provides eight tips on how to avoid these new banking fees. If you can, avoid the new monthly debit-card fees by using your debit card only at your bank's ATM machines. Don't use your debit card to make purchases at retail stores or online websites. Bankrate.com advises:

  • Know the rules at your bank for when fees are applied and to which accounts
  • Read all notices your bank sends. Things change and you have to keep up
  • Consider moving your money to an online bank (e.g., a bank that does not have any brick-and-mortar branch offices)
  • Add services like direct deposit and paperless statements
  • Consolidate your accounts to meet any minimums for accounts that aren't charged fees
  • Talk with a bank representative in-person and ask them to waive the fees

To learn more, read the Bankrate.com article.


A Primer: Finding A Credit Union To Move Your Money To

Many consumers feel "mugged" by the big banks and their many banking fees, and are moving their money to a community bank or credit union. If you are looking for a credit union, there are a few things you should know. I am looking for a new bank or credit union, given the new debit card fees and poor treatment.

To learn about credit unions, first I visited the National Credit Union Administration (NCUA) website. The NCUA is the independent federal agency that regulates and supervises federal credit unions. The NCUA operates the National Credit Union Share Insurance Fund (NCUSIF), which insures deposits at federal credit unions and most state-chartered credit unions. Deposits are insured up to $250,000 per account.

The NCUA website explains what a credit union is and how they operate. Some consumers like credit unions because they believe all banks will ultimately add fees for checking accounts. Besides offering low and no fees compared to the big banks, the attraction of a credit union is:

"... cooperative financial institution that’s owned and controlled by the members. Since they’re not-for-profit, they exist to serve you, the member. Not for profit, not for charity, but for service is a credit union motto. As a member, you have a say in how the credit union is run..."

I like the idea of having a say, since that is not happening at the big bank where my accounts currently are. At the NCUA website, I used the find-a-credit-union tool to develop a short list of three or four credit unions located near where I live. The tool delivers summary information about each credit union: name, address, phone, CEO name, credit union type, number of members, charter number, status, and other pertinent data. I found this information useful in creating my custom list of prospective credit unions to apply to.

To join a credit union, you have to apply. Some have specific membership criteria; others do not. You will probably want to find credit unions located near you, since their network of ATM machines is not as broad as the big banks'. To me, that is a small consequence to avoid the numerous fees charged by the big banks.

To learn more, you can also follow the NCUA on Facebook. Or you can also visit the National Association of Federal Credit Unions (NAFCU) website. While the NCUA website focuses on the needs of consumers, the NAFCU website provides information for both its members and for consumers. You can also follow the NAFCU on Facebook.

The NAFCU also provides a credit union locator tool to find a credit union, and a compare rates tool, to compare the interest rates by type (e.g., savings, mortgages, consumer loans, and credit cards) at credit unions. I found the compare rates tool not very useful, since it only lets you compare all interest rates in a state by type, or rates by type nationally. The compare rates tool doesn't let you compare rates by type within a state.

To be fair, while I like a lot of the information about banks in articles at Bankrate.com, its compare rates tool includes interest rates for a variety of financial products (e.g., checking, savings, CDs, credit cards, mortgages, auto, student loans) at banks, but lacks relevant checking and savings fees. In 2009, this blog first covered the Move Your Money Project (MYMP) website. At that time, the search tool only included community banks. The search tool was upgraded last year and includes both community banks and credit unions.

The Find a Better Bank (FBB) website lets consumers search across both banks and credit unions. I found many of the questions in the FBB search tool intrusive on privacy, and just wanted the site to simply display a list of nearby banks with their key check/savings interest rates and relevant fees.

What search tool have you used to find a credit union or a community bank to move your money to? If you have used any of the above search tools, please share your experiences: good or bad.

[November 1, 2011 Update: In a Facebook message, the NCUA announced today, "We have launched the completely restructured and redesigned www.ncua.gov and rolled out phase II of our consumer-focused website www.MyCreditUnion.gov. The site www.ncua.gov is now exclusively tailored toward the business aspect of the agency, whereas consumer content moved to www.MyCreditUnion.gov with an identity aimed at attracting web-surfing consumers who either want to learn about credit unions or need help with their credit union. The new site incorporates the latest functionality in web technologies and features."]


Citigroup To Pay $285 Million To Settle An SEC Lawsuit About Mortgage Backed Securities

On Wednesday, the U.S. Securities and Exchange Commission (SEC) announced that Citigroup will pay $285 million to settle a lawsuit regarding allegations that the company misled investors about mortgage-backed securities. The lawsuit was filed in U.S. District Court for the Southern District of New York.

The lawsuit alleged that the bank's broker-dealer subsidiary misled investors to purchase about $1 billion in collateralized debt obligations (CDOs) based on repackaged home mortgages, many of which were sub-prime. Citigroup allegedly didn't disclose the risk to investors, and then bet against its investors. When the CDOs defaulted, investors lost most or all of their money while Citigroup made about $160 million in fees and trading profits.

The SEC press release announced:

"... Citigroup Global Markets structured and marketed a CDO called Class V Funding III and exercised significant influence over the selection of $500 million of the assets included in the CDO portfolio. Citigroup then took a proprietary short position against those mortgage-related assets from which it would profit if the assets declined in value. Citigroup did not disclose to investors its role in the asset selection process or that it took a short position against the assets it helped select."

The only penalty announced was the settlement payment by Citigroup, which is about 7.5% of the bank's $3.8 billion third-quarter 2011 net income. No bank executives were sent to jail, although:

"The SEC also charged Brian Stoker, the Citigroup employee primarily responsible for structuring the CDO transaction. The agency brought separate settled charges against Credit Suisse’s asset management unit, which served as the collateral manager for the CDO transaction, as well as the Credit Suisse portfolio manager primarily responsible for the transaction, Samir H. Bhatt... Credit Suisse also was responsible for the disclosure failures and breached its fiduciary duty to investors when it allowed Citigroup to significantly influence the portfolio selection process."

The SEC's complaint alleged that Citigroup staff started discussions in 2006 about the possibility of taking a short position:

"... in a specific group of assets by using credit default swaps (CDS) to buy protection on those assets from a CDO that Citigroup would structure and market. After discussions began with Credit Suisse Alternative Capital (CSAC) about acting as the collateral manager for a proposed CDO transaction, Stoker sent an e-mail to his supervisor. He wrote that he hoped the transaction would go forward and described it as the Citigroup trading desk head's 'prop trade (don't tell CSAC). CSAC agreed to terms even though they don't get to pick the assets.'"

This blog post includes a video that explains briefly and clearly what a CDO is and how they were created. A Citigroup press release this week stated:

"We are pleased to put this matter behind us and are focused on contributing to the economic recovery, serving our clients and growing responsibly. Since the crisis, we have bolstered our financial strength, overhauled the risk management function, significantly reduced risk on the balance sheet, and returned to the basics of banking."

Citigroup is one of several banks with plans to end free checking accounts by charging consumers monthly fees to use their debit cards. Citibank directly notified its customers during early October about the upcoming fee, while Bank of America has not yet directly informed its customers, who learned of the new fee from news reports.

In my opinion, the settlement payment was far too light. This type of corporate behavior will only stop when executives are jailed.


A 24 Year Old Student Issues The Challenge: Europe Versus Facebook

Whether you use Facebook or not, this bears watching. After researching the issues, a 24 year-old student from Vienna is challenging how Facebook treats members' personal information: data collection and deletion. Not liking what he found, his next steps were a series of 22 clear and well-reasoned complaints submitted to the Irish Data Protection Commissioner, since European users have a relationship with the Facebook subsidiary located in Ireland.

According to Kim Cameron's blog:

"Europe versus Facebook, which seems eventually to have become an organization, then opened its own YouTube channel. As part of the documentation, they publicised the procedure Max used to get his personal CD... So many people applied for their own CDs that Facebook had to send out an email indicating it was unable to comply with the requirement..."

The article confirms what I found in this prior post about Facebook social plugins: they monitor your usage across the Internet whenever you visit a site with the Like button (or other Facebook social plugins). Using a different web browser may or may not provide the privacy you seek.

For English, click on both the CC and annotation icons to see subtitles in English.


Houston Identity Theft Ring Arrested After Ordering Smart Phones

The Houston Examiner reported the arrest of members of an identity theft ring that used the stolen identities of Sprint customers to order fraudulent replacement smart phones, which they resold:

"Customers are routinely asked for their secret PIN numbers when they walk into Sprint stores, and federal agents say employees of the store were giving that information to thieves who were using it to get replacement phones that could be sold online."

What I found interesting about this case were the three points where data security failed. Better security at any one of these points could have stopped this theft ring before it started.

First, insider identity theft by employees facilitated the thefts. Using the stolen identities, the thieves ordered replacement smart phones from the insurance company, Asurion, used by Sprint mobile customers. A data breach like this highlights the need for a mobile service provider to implement a Red Flags program to identify and address problem data-security areas.

Second, the insurance company didn't seem to notice the rise in replacement phones within a specific geographic area:

"After filing the insurance claims, Secret Service agents say brand new phones were mailed out to hotels throughout the Houston area."

Most banks regularly flag purchases outside a consumer's normal credit card purchase patterns. Mobile service providers and mobile device insurers could and should do the same, especially where insurance claims include a delivery address different from the customer's home address. The new overage alert features from mobile service providers are a good first step in this direction, but it shouldn't require prodding by the FCC.

Third, several Houston area hotels seem to routinely accept and deliver packages to people who made reservations but never checked in. This is like airlines accepting luggage for passengers who make reservations but never buy a ticket. Airlines have identified this security risk, and so too should hotels. Accept packages if you want, but deliver them only to guests who have registered and checked in; or make it a perk only for loyalty program members.
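The second failure point above is a detection problem an insurer can actually code against: flag a replacement claim whose ship-to address is not the customer's home address, and flag any single address that receives several replacement phones in a short window. The block below is an added example, not code from the article, from Sprint, or from Asurion; the claim records are constructed, and the field names, the 30-day window and the threshold of three are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Claim:
    """One replacement-phone insurance claim (hypothetical schema)."""
    claim_id: str
    customer_id: str
    filed: date
    home_zip: str
    ship_zip: str
    ship_address: str


# Constructed sample data: a handful of ordinary home deliveries, plus four
# claims from unrelated customers that all ship to the same hotel within a
# few days, and one lone claim shipping somewhere other than home.
HOTEL = "Airport Hotel, 500 Terminal Rd, Houston TX 77032"
CLAIMS = [
    Claim("C001", "cust-01", date(2011, 9, 1), "77002", "77002", "1 Main St, Houston TX 77002"),
    Claim("C002", "cust-02", date(2011, 9, 3), "77005", "77005", "22 Oak Ave, Houston TX 77005"),
    Claim("C003", "cust-03", date(2011, 9, 4), "78701", "77032", HOTEL),
    Claim("C004", "cust-04", date(2011, 9, 5), "75201", "77032", HOTEL),
    Claim("C005", "cust-05", date(2011, 9, 6), "77002", "77002", "9 Elm St, Houston TX 77002"),
    Claim("C006", "cust-06", date(2011, 9, 8), "79901", "77032", HOTEL),
    Claim("C007", "cust-07", date(2011, 9, 9), "77449", "77056", "Galleria Inn, 10 Post Oak Blvd, Houston TX 77056"),
    Claim("C008", "cust-08", date(2011, 9, 12), "77024", "77032", HOTEL),
]


def address_mismatch_alerts(claims):
    """Claims whose phone ships somewhere other than the customer's home ZIP."""
    return [c.claim_id for c in claims if c.ship_zip != c.home_zip]


def destination_spike_alerts(claims, window_days=30, threshold=3):
    """Addresses that receive >= threshold replacement phones within window_days.

    Returns {ship_address: sorted claim ids that fell inside a qualifying window}.
    """
    by_addr = defaultdict(list)
    for c in claims:
        by_addr[c.ship_address].append(c)

    alerts = {}
    for addr, group in by_addr.items():
        group.sort(key=lambda c: c.filed)
        flagged = set()
        for i, start in enumerate(group):
            # Every claim to this address filed within the window after `start`.
            window = [c for c in group[i:] if (c.filed - start.filed).days <= window_days]
            if len(window) >= threshold:
                flagged.update(c.claim_id for c in window)
        if flagged:
            alerts[addr] = sorted(flagged)
    return alerts


def triage(claims, window_days=30, threshold=3):
    """Combine both checks into {claim_id: [reasons]} for a manual review queue."""
    reasons = defaultdict(list)
    for cid in address_mismatch_alerts(claims):
        reasons[cid].append("ship-to ZIP differs from customer's home ZIP")
    for addr, cids in destination_spike_alerts(claims, window_days, threshold).items():
        for cid in cids:
            reasons[cid].append(
                f"{len(cids)} replacement phones sent to '{addr}' within {window_days} days"
            )
    return dict(reasons)


if __name__ == "__main__":
    for cid, why in sorted(triage(CLAIMS).items()):
        print(cid, "->", "; ".join(why))
```

Claims hitting both rules (the four hotel shipments) are the ones worth holding before the phone leaves the warehouse; the single mismatched delivery gets one reason and can be handled with a confirmation call rather than a block. The spike rule keys on the exact ship-to string; a production version would normalize addresses first so that "500 Terminal Rd" and "500 Terminal Road" are counted together.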


The Occupy Wall Street Protests

What do #occupywallstreet protestors want? First, five facts you should know about the wealthiest 1% of the U.S. population:

  1. The Top 1 Percent Of Americans Owns 40 Percent Of The Nation’s Wealth
  2. The Top 1 Percent Of Americans Take Home 24 Percent Of National Income
  3. The Top 1 Percent Of Americans Own Half Of The Country’s Stocks, Bonds, And Mutual Funds
  4. The Top 1 Percent Of Americans Have Only 5 Percent Of The Nation’s Personal Debt
  5. The Top 1 Percent Take In More Of The Nation’s Income Than At Any Other Time Since The 1920's

Second, browse these fact-filled charts which further explain the situation: trickle-down economics have not worked. Period. Third, this blog has documented many of the excesses of banks and Wall Street firms.

Fourth, watch the video below. Alan Grayson sums up quite nicely the protestors' demands:


TD Ameritrade Settles Class Action Lawsuit About 2007 Data Breach

SC Magazine reported that a U.S. District Court judge has approved a settlement agreement about a 2007 data breach at TD Ameritrade that affected six million consumers:

"The settlement, which recently received a final sign-off after being approved by a California federal judge last month, allows individuals who fell victim to identity theft to collect between $50 and $2,500, according to an Associated Press report. TD Ameritrade will pay between $2.5 million and $6.5 million under the agreement."


Latest Sony Data Breach Affects 93,000 Customers

On Tuesday, Sony announced on its PlayStation blog that the entertainment company experienced another data breach affecting 93,000 of its Sony Entertainment Network (SEN), PlayStation Network (PSN), and Sony Online Entertainment (SOE) customers. While the affected customers are less than one tenth of one percent (0.1%) of total PSN, SEN and SOE customers, the affected customers include about 60,000 PSN/SEN customers and about 33,000 SOE customers. In response to the intrusion, Sony has temporarily locked down those accounts.

"We are currently reviewing those accounts for unauthorized access, and will provide more updates as we have them. Please note, if you have a credit card associated with your account, your credit card number is not at risk. We will work with any users whom we confirm have had unauthorized purchases made to restore amounts in the PSN/SEN or SOE wallet."

During May and June of 2011, Sony announced multiple data breaches at its PSN, Canadian eShop, Greece, and Thailand websites, affecting over 77 million customers worldwide, plus another 24 million SOE customers. Several Sony executives apologized publicly for the data breaches. After those attacks, several security experts concluded that Sony used obsolete data security software.

It would appear that with the latest attacks, security at Sony online sites is far from optimal or desired.


Services To Remotely Lock, Locate, And Retrieve Your Lost Or Stolen Mobile Device

If you seek a way to protect your mobile device, there seem to be plenty of choices for consumers. Ubergizmo recently reported that Symantec has launched its Norton Anti-Theft service to help consumers remotely lock, locate, and retrieve lost or stolen mobile devices.

What I really like about the Ubergizmo article is its list of mobile device anti-theft services:

"... such as Find My iPhone by Apple, GadgetTrak, AccuTracking, SeekDroid that use location-based software, or StuffBak and TrackitBack that use a coded recovery label placed on the device. AT&T now offers the Mobile Locate app in its Mobile Protection Pack and Verizon offers Asurion’s Mobile Recovery app."

This blog recently covered the smartphone insurance plan from Verizon and Asurion.


OnStar Reverses Decision About Proposed Terms And Conditions Policy Changes

In a General Motors press release, the company's OnStar unit announced a reversal of proposed changes to its Terms and Conditions policy that were to go into effect December 1st. The proposed changes included the GPS tracking of autos where the owner had cancelled the OnStar subscription. The press release stated:

"We realize that our proposed amendments did not satisfy our subscribers," OnStar President Linda Marshall said. "This is why we are leaving the decision in our customers' hands. We listened, we responded and we hope to maintain the trust of our more than 6 million customers."

Jonathan Zdziarski documented well in his blog the problems with OnStar's proposed Terms and Conditions policy:

"OnStar’s latest T&C has some very unsettling updates to it, which include the ability to now collect your GPS location information and speed “for any purpose, at any time”. They also have apparently granted themselves the ability to sell this personal information, and other information to third parties, including law enforcement. To add insult to a slap in the face, the company insists they will continue collecting and selling this personal information even after you cancel your service, unless you specifically shut down the data connection to the vehicle after canceling. This could mean that if you buy a used car with OnStar, or even a new one that already has been activated by the dealer, your location and other information may get tracked by OnStar without your knowledge, even if you’ve never done business with OnStar."

Zdziarski cancelled his OnStar subscription after receiving this notice. What were GM and OnStar executives thinking? Did they really think that this would fly with consumers? Consumers demand control over their personal data. And when consumers cancel a service, "no" means "no."

It is good to see that the company's executives now value an opt-in program, although they had to learn the hard way via public embarrassment. The company's press release also stated:

"If OnStar ever offers the option of a data connection after cancellation, it would only be when a customer opted-in, Marshall said. And then OnStar would honor customers’ preferences about how data from that connection is treated."

Hopefully, executives at other companies will learn from this case study, too. Scan the business landscape and ask your customers what they want, before making significant policy changes.


Secret Memo Describes How Long Mobile Service Providers Store Your Sensitive Personal Information

The North Carolina Chapter of the ACLU recently obtained, through a Freedom of Information Act request, a U.S. Department of Justice document that described the length of time mobile phone service providers archive consumers' calling and location information. The duration varies by both the type of information and the service provider (e.g., AT&T, Sprint, Verizon).

The types of information archived:

  • Subscriber information (e.g., name, address, SS#, etc.)
  • Call detail records (e.g., phone number dialed, duration, time)
  • Cellular towers used by the caller (e.g., date, time, duration)
  • Text message detail
  • Text message content
  • Pictures and photos
  • IP session information
  • IP destination information
  • Copies of subscribers' monthly mobile statements/bills
  • Payment history: amounts, dates, payment method
  • Store surveillance videos
  • Service applications

Sprint, Nextel, and Virgin Mobile keep subscriber information forever. Most service providers keep both call detail records and cellular tower location data for one to two years. While most providers don't store "text message content," Virgin Mobile retains "text message details" as briefly as 60 to 90 days, while AT&T keeps it for five to seven years. I'm not sure what the difference is, as both text-message categories sound very similar.

When you enter a retail store, mobile service providers retain that information ranging from two weeks to two months. You can browse the DOJ chart here.

This is important for several reasons. First, should any of the mobile service providers suffer a data breach this document highlights the amount of information that could be lost or stolen. Second, the document outlines the type of information mobile service providers can provide government law enforcement when requested.

In my opinion, companies should disclose these data retention policies in their website policies. Why the secrecy? We consumers know you are collecting and archiving the data.

What is your opinion of these companies' data retention policies?


Attention All Borders Customers! October 15 Deadline Approaches

Attention all customers of the Borders book chain! The Saturday October 15 deadline approaches quickly.

You must act and opt out by the deadline if you do not want your personal contact information and purchase history transmitted to the company which is buying Borders' assets. According to the U.S. Federal Trade Commission (FTC):

"... as part of Borders’ sale of assets in a bankruptcy proceeding, Barnes and Noble is acquiring customer information from Borders, including email addresses and purchase histories. Consumers can opt out of having Borders share that information, but they must do it before the October 15 deadline. An email from Barnes and Noble with a subject line that reads “Important Information Regarding Your Borders Account” explains how you may opt out of having your information transferred to Barnes and Noble."

Opt-out information is also available at Borders.com and BarnesandNoble.com.


Details And Transparency Matter As Banks Introduce New Debit Card Fees

While many news sources reported about the plan by Bank of America (BofA) to charge its customers a new $5.00 monthly debit-card fee starting next year, details seem to be scarce. Early reports were short on details, such as this Chicago Tribune report on September 30:

"Customers will pay $5 each month they use a debit card for a purchase. No charge for using BofA automated teller machines. Fee to be phased in starting early next year. Doesn't apply to customers with, for instance, a BofA mortgage or $20,000 in combined BofA and Merrill Lynch accounts..."

As a bank customer, I want to know:

  • The exact start date in 2012 the new fees start
  • Which checking account customers will be affected
  • The rollout schedule (e.g., nationwide or selective by state) for the new fee
  • Ways to avoid the new fee
  • The actions, if any, the bank took to try to avoid charging customers the new fee

Supposedly, customers who use their debit cards only at ATM machines would not be charged the new monthly fee. Now that BofA has raised the issue of monthly debit-card fees, other banks are considering similar new fees. MSN Money reported:

"Wells Fargo begins testing a $3 monthly fee on Oct. 14 in Georgia, Nevada, New Mexico, Oregon and Washington; JPMorgan Chase is testing a $3 fee in Wisconsin; Regions Bank will impose a $3 fee beginning Oct. 1; and SunTrust is already charging a $5 monthly fee for using a debit card."

USAA Bank used these events as an opportunity to emphasize that its checking and debit-card accounts will remain free.

To learn more so I can decide what to do, I visited the Checking Accounts section of the BofA website to read about the new fee. It didn't mention the new fee. I also checked the BofA online Newsroom which did not include any content or press releases about the new fee. When I signed into my online BofA account, the website didn't display any notices about the new fee.

So, I visited a local BofA branch to learn more. The customer service representative I spoke with was very polite and asked me what I knew. I summarized the news reports I had read and asked her for details. She mentioned that the new fee will apply next year to debit-card customers with basic checking accounts, who use their debit card for purchases. I explained to her that I do not use my debit card for purchases due to skimming devices at many retailers, such as supermarket terminals and gas station pumps.

She then explained briefly that customers with premium and platinum level accounts would not be charged the new monthly debit-card fee, even when using their debit cards for purchases. There was nothing in writing, and the chart of various checking account plans she pointed to did not mention the new fee.

She then asked for my account number so we could review my account. It turned out that I have a Platinum level account, so my account won't be charged the new monthly debit-card fee. While this was good news for me, I know that not everyone has a premium-level account which exempts them from the new fee.

Regardless, I feel that BofA has done an extremely poor job of communicating details about the new debit-card fee to its customers. Maybe other banks have done a better job. BofA used the news media instead of communicating directly to customers, first. Either a bank values its customers or it doesn't. I have the impression that it doesn't.

The BofA hasn't disclosed what percentage of its customers will be affected by the new fee. My guess: Most. After performing several online searches and reading through at least 16 news reports, I finally found this Time Magazine report which confirmed what I had heard:

"In an email, BofA spokeswoman Anne Pace said the fee applies to MyAccess, Essentials, eBanking and Enhanced accounts. Customers with Platinum Privileges, Premium and Advantage accounts won't have to pay the fee; these are all accounts aimed at customers with five-figure balances or other big-ticket ties to the bank like a home mortgage. 'In addition, Wealth Management/Merrill Lynch and US Trust clients will not be charged the fee...'"

So, if you are rich, have a mortgage or investments with BofA, or have several accounts with BofA, you can avoid this new fee -- and many other fees. If you are poor or don't have much money, well, tough luck.

Many BofA consumers are concerned. Some are furious. Some feel resentful because the BofA and other banks received bailouts during the recession, and senior bank executives have received huge bonuses and compensation.

Some view this new fee as expensive. Given high unemployment in many parts of the country, I agree with this. About 120,000 BofA customers in 50 states have signed an online petition demanding that the bank cancel the new fee.

Some BofA customers have moved their money to local community banks or to credit unions. One Arizona credit union has seen a 20% increase in new applications over the weekend. I would imagine that a larger number of customers are considering a move of their money to a community bank or to a credit union.

I contacted BofA's Public Relations department about this. Spokesperson Betty Riess emphasized the bank's commitment to transparency and clear communications. She mentioned that, "... it's still early on" and the new fee wouldn't start until "early next year." She said that the bank would notify affected customers at least 30 days before the new fee goes into effect, and that the new fee would be rolled out in phases across the country.

Just to be clear, I am not defending any of the banks that plan to charge this new monthly fee. While banks have a right to make a reasonable profit, we consumers have a right to demand quality customer service at reasonable prices. We consumers have experienced lots of price hikes, starting with huge credit-card interest rate increases in 2009. And, the debit-cards distributed by American banks use obsolete technology.

Frankly, the banks have broken consumer trust. BofA hasn't provided me anything in writing about the new debit fees, so they could still change the terms of deal between now and next year. This situation does not promote trust.

What else might be going on? The issues I see:

  1. Double Charges
  2. Lack of Transparency

Double Charges

Consider this: Online transactions are what make the Internet go. In other words, electronic payments are what make buying and selling on the Internet possible, and attractive. With this new fee, banks are screwing around with the electronic economy.

Think of it this way: When you use your debit card to pay online at a retailer's website, the new debit-card fee adds a cost to that transaction for consumers, even though the cost of that online transaction was, in theory, already included into the cost of the retailer's product or service. You could say consumers are getting charged twice.

The double charges definitely apply if retailers don't lower their prices commensurate with the new, lower swipe fees. Will retailers lower product prices given the lower debit-card swipe fees?

The National Retail Federation commented about this, since its members benefited from the legislation that lowered debit-card swipe fees:

“Retailers across the nation are developing a wide range of innovative ways to pass these savings along to their customers with lower prices and better value... Change won’t come overnight, but consumers will definitely benefit... Every time Congress takes a step to protect consumers, the banks use it as an excuse to raise fees. We’ve seen it when Congress limited late fees and overdraft fees and now we’re seeing it with swipe fees. Just as merchants and consumers are about to get some relief, they’re doing it again. That doesn’t mean Congress shouldn’t pass consumer protection laws. It speaks more to the nature of the card industry than to whether swipe fee reform should have been passed.”

I am hopeful that retailers will lower their prices. Lower prices mean greater product sales. And greater sales could translate into more jobs for consumers. So, we'll see during the coming months what happens. If retailers don't lower their product prices, then consumers have been "mugged" yet again.

Lack of Transparency

Since the previously higher swipe fees were paid to the banks by retailers or merchants, the banks seemed to have made a calculation that since they can't charge merchants more, they can charge consumers more to make up the lost revenues. This caused me to think about who receives the debit-card swipe-fee revenues.

So, I searched online for "merchant services," since that is the business function where banks provide banking services to businesses. One link I found was the Merchant Services section of the BofA website, where BofA provides checking accounts to businesses. That read like pretty standard stuff.

A more interesting link I found was a link to a description of "Banc of America Merchant Services LLC" at the Hoovers website, which stated:

"The next time you swipe your card and it clears, you might thank Banc of America Merchant Services. A 2009 joint venture between Bank of America and First Data, it is one of the largest processors of electronic payments in the US. The firm handles more than 7 billion check and credit, debit, stored value, payroll, and electronic benefits transfer card transactions..."

When banks claim that the "economics of debit cards have changed," it's a reference to the banking legislation that capped swipe fees at about 21 cents per debit transaction, from a prior high of 43 cents. Does each online transaction really use 21 cents worth of electricity? I doubt it. Are their administrative costs that high? I doubt it. If their costs are that high, what are they doing to lower those costs? And if they aren't doing anything to lower those costs, then maybe they shouldn't be in business anyway.

So, the BofA outsources its debit-card transaction function to another company: Banc of America Merchant Services. Many consumers might be surprised to learn that BofA outsources this function to another company. Companies often claim that outsourcing is done to lower costs, but in this instance that doesn't seem to be the case, since this outsourcing isn't discussed.

My point: BofA partnered with another company to create a separate company that actually processes debit-card transactions, and it shares in those debit-card transaction revenues. Some people might call this double-dipping. I recognize its partner's name from prior blog posts: First Data.

This raised more questions for me than it answered. I now wonder who gets the revenues from the new debit-card fees the banks plan to charge consumers. Does the revenue from this new fee go to the BofA or to Banc of America Merchant Services? Or does it all go to First Data?

Also, there is the ethical question: Is it right for banks to charge consumers for a transaction function that previously was a merchant services function? It seems to me that the banks should resolve the profitability of their merchant services operations between themselves, transaction processors, and merchants. How might banks do this?

The banks seem very creative at introducing new fees. The banks could have created another new fee for their merchants, and charged merchants directly with this new fee. Or the banks could have lowered their internal costs by outsourcing to different vendors. Perhaps the costs the banks pay to outsourcing vendors for debit transaction processing are too high.

I asked Riess about this and she said that the debit-card fee revenues go to the BofA. She didn't elaborate beyond that general answer. She said she couldn't discuss what actions BofA might have taken to lower its costs before adding the new debit-card fee. She said that she couldn't discuss the questions I raised about Banc of America Merchant Services. I don't know whether she couldn't discuss them due to a lack of knowledge or an internal directive.

Consumers might want to ask their banks to explain what debit-card transaction processing venture their bank engages in, and exactly where the money collected from debit-card fees goes.

I am not a banking expert, but something funky is going on. It just doesn't pass the smell test.

It seems that rather than try to lower their debit-card transaction costs, the banks "punted the football" and simply want to charge consumers to make up the lost revenues, without explaining to their customers first:

  • Their debit-card transaction processing ventures,
  • The steps they have taken to cut costs so they don't have to raise prices, and
  • The steps they have taken to make up their alleged revenue shortfall with merchants rather than with consumers

This lack of communication indicates that the banks are being neither honest nor transparent about what is really going on.

What else might be going on? The New York Times reported:

"Bank of America probably has bigger problems than any of its competitors. So it stands to reason that it would make a bolder move. After all, it is dealing with a pile of troubled mortgages, legal fallout from the sales of bonds made from those loans and questions about how it serviced its home mortgages."

Perhaps, but this does not give the banks a free pass on the questionable merchant-services revenue situation I described above. I'd like to see BofA and its executives act in a more respectful and transparent manner to customers. That means communicating to customers first about what is happening, and acting in an accountable manner for past decisions (e.g., Countrywide, foreclosure documentation shortcuts) without penalizing its customers for poor decisions its executives made.

Resources

If you have decided to move your money out of BofA or your current bank, MSN Money advises consumers to look for banks with "switch kits," and to follow these five steps:

  1. Choose your new bank
  2. Open your new bank account first
  3. Change your direct deposit
  4. Close your old bank account after all outstanding checks have cleared.
  5. Set up automatic payments online at your new bank

More resources to help you find a new bank:

What is your opinion of the new debit-card fees? Or about the double charges and lack of transparency? If you have moved your money to a community bank or credit union, share your experience below.


How To Protect Your Sensitive Personal Data When Using Public WiFi Networks

Last week, I met a friend for lunch to discuss her new business venture. After lunch, we moved our discussion to a nearby coffee shop. While there, my friend surfed the Internet using her mobile device and the coffee shop's public WiFi network.

When we finished our discussion, I suggested that she change her passwords for the websites she visited, since she had signed into them over HTTP connections instead of HTTPS connections. (My friend had not heard about PrivateWiFi.) During the subway ride home, I began to wonder what a comprehensive list of tips for consumers would look like about how to securely use public WiFi networks, at places like airport lounges and coffee shops.

If you aren't familiar with the identity-theft threat, about a year ago there were many articles about the Firesheep Web browser plugin, which allows hackers at public WiFi hotspots to monitor nearby consumers' online sessions and steal account log-in passwords. A recent tweak of Firesheep allows it to steal your Google web history. Not to be outdone, the newer Droidsheep app allows hackers to monitor and steal from mobile devices running the Android operating system.

With tools like these, the identity-theft and fraud damages can be extensive. Thieves can send spam from your email and/or social networking website accounts, or steal money from your bank accounts.

So what can a consumer do to protect their data? This Hot Spot Hacker article offers several good tips for using your mobile device securely at public WiFi networks:

"1. Set your laptop or smart phone so you have to manually select the Wi-Fi network. You may need to change the default setting

2. Make sure you know the exact name of the establishment's Wi-Fi network and connect only to it. Don't be fooled by look-alikes."

These two tips are good reminders because it is easy to set your mobile device to automatically connect at coffee shops you visit repeatedly, and forget about WiFi network security.

"3. Avoid any hot spot that your device lists as "unsecured." Keep in mind that even if a password is required, a hot spot can still be unsecured."

This tip cannot be overemphasized. Of course, it is preferable to use WiFi networks that require a password log-in, but that is just a start. A password log-in is not complete security. For full security, the entire session must be encrypted, because browser cookies and other files transmitted during the session contain personal data that hackers can abuse:

"4. If your device shows the site as secured, pay attention to what kind of encryption it lists. WEP (Wired Equivalent Privacy) is an early system, dating from over a decade ago. If it's WEP, treat the network as not secure. WPA (Wi-Fi Protected Access) is better, and WPA2 is best of all."

Most people I know have no idea what brand of wireless encryption to look for and to use. Now you know. Here's what else you need to know about WiFi network security:

"5. If you send personal data over a Wi-Fi link, do so only to an encrypted website. You can tell a site is encrypted if you see the letters "https" (the "s" stands for "secure") at the beginning of its Web address. Also, look for a lock icon on the top or bottom of pages throughout the site."

So, what can a consumer do to use WiFi networks safely and securely? One suggestion:

"6. Before using a public Wi-Fi network, install such software as Force-TLS and HTTPS-Everywhere, which are free add-ons to the Firefox browser. They make sure you use encryption features available on websites you visit. Virtual private network software — some of it free, some not — can also add security."

You could also use PrivateWiFi. And, there are more WiFi network security tips. To learn more, visit the Hot Spot Hacker article. If your mobile device uses the Android operating system, watch this Droidsheep video.
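To make tips 5 and 6 concrete, here is an added example of my own (not code from the Hot Spot Hacker article or from the PrivateWiFi product) of what a site operator, or a curious user with a saved copy of a login response, can check: whether the page is served over HTTPS, whether each cookie carries the Secure and HttpOnly flags, and whether the site sends a Strict-Transport-Security header. A session cookie set without the Secure flag is exactly what a listener on an open WiFi network can copy and replay, which is the weakness tools like Firesheep rely on. The URL, hostname and response text below are constructed samples.

```python
"""Audit a login response for the conditions that expose a session on
public WiFi. Added example; the sample URL and response are constructed."""

from urllib.parse import urlparse

# Constructed sample: a login response as a browser would receive it.
SAMPLE_URL = "http://example.test/login"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: sessionid=8f1c2d3e; Path=/; HttpOnly\r\n"
    "Set-Cookie: remember_me=1; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: tracking_pref=dark; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...]).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_set_cookie(value):
    """Return (cookie_name, {attribute_lower: value_or_True}) for one
    Set-Cookie header value such as 'sid=abc; Path=/; Secure'."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_session_exposure(url, raw_response):
    """List the conditions under which someone on the same WiFi network
    could read the credentials or replay the session cookie."""
    findings = []
    scheme = urlparse(url).scheme
    _, headers = parse_headers(raw_response)

    if scheme != "https":
        findings.append("page served over plain HTTP: form fields and every "
                        "cookie are readable by anyone on the network")

    has_hsts = any(name == "strict-transport-security" for name, _ in headers)
    if scheme == "https" and not has_hsts:
        findings.append("no Strict-Transport-Security header: a browser given "
                        "the bare hostname will still try HTTP first")

    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie '{cookie}' lacks Secure: the browser will "
                            "also send it over HTTP, where it can be copied "
                            "and replayed")
        if "httponly" not in attrs:
            findings.append(f"cookie '{cookie}' lacks HttpOnly: readable by "
                            "any script on the page")
    return findings


def is_safe_for_public_wifi(url, raw_response):
    """True when the audit finds nothing to report."""
    return not audit_session_exposure(url, raw_response)


if __name__ == "__main__":
    for finding in audit_session_exposure(SAMPLE_URL, SAMPLE_RESPONSE):
        print("-", finding)
```

The sample produces four findings: the plain-HTTP page itself, the session cookie without Secure, and the preference cookie without either flag. The same site served over HTTPS, with HSTS and with every cookie marked Secure and HttpOnly, produces none, which is the state the "https" and lock-icon advice in tip 5 is really asking you to look for.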


Former Countrywide Financial Analyst Sentenced to 18 Months of Prison And Ordered To Repay $1.8 Million

The Los Angeles office of the Federal Bureau of Investigation (FBI) and the U.S. Attorney for the Central District of California announced that a former Countrywide Home Loan employee was sentenced on September 28 to 18 months of prison and ordered to pay $1.8 million in restitution to Countrywide, now a unit of Bank of America.

Rene Rebollo, 39, of Pasadena, was arrested in 2008 after an investigation discovered that he had downloaded from Countrywide databases and sold the sensitive personal and financial information of about 2.5 million consumers. Rebollo was employed as a senior financial analyst for Countrywide’s subprime mortgage division in Pasadena. He admitted that he saved the stolen information to personal thumb drives and distributed consumers' Social Security numbers in at least 50,000 instances.

"As a result of the data breach, Countrywide underwent considerable expenses, including notification of individuals whose information was improperly disclosed, at a cost of approximately $1.2 million, and providing free credit monitoring for those individuals at a cost of approximately $15.75 million. Countrywide has also estimated that it has expended approximately $13.4 million in civil litigation, including several class action lawsuits, arising from the data breach."

This is a classic case of insider identity theft and of the costs companies can incur from a breach. The case also highlights the importance for companies, small and large, of adopting data security measures and complying with the Red Flag Rules.


Congressional Representatives Ask FTC To Investigate Companies Online Tracking Practice With "Supercookies"

On September 27, Congressional representatives Joe Barton (R-Texas) and Edward J. Markey (D-Mass.), Co-Chairmen of the House Bi-Partisan Privacy Caucus, sent a letter to the U.S. Federal Trade Commission (FTC) asking the agency to investigate “supercookies,” files that can be installed on consumers' computers without their knowledge or consent. Websites use supercookies to collect detailed personal information about consumers and to track consumers' online usage across the Internet.

Supercookies represent the latest effort in the Internet technology race between companies wanting to track consumers' online behaviors and consumers' need for privacy. First there were browser cookies, which were fairly simple text files websites used to recognize whether a user had visited that website before, without requiring the user to identify themselves.

As consumer awareness increased about the tracking and privacy issues with web browser cookies, some companies began using Flash cookies, stored by the Flash plugin, to track and store consumer data, since most consumers have the Flash plugin installed with their web browsers. As consumers supported "do not track" legislation and began using "do not track" options with their web browsers to delete standard browser cookies, some companies began using "zombie cookies": a tracking method that both saves tracking information within other folders on consumers' computers and continually regenerates the standard web browser cookies that consumers have deleted.

Most recently, some companies began using "zombie e-tags." The term "supercookies" seems to be a catch-all term for both covert tracking approaches: "zombie cookies" and "zombie e-tags." According to PrivateWiFi:

"... supercookie files can store more information than a normal cookie and can sometimes be stored in different places than regular cookies, such as a file used by a plugin (such as Flash), which makes them harder to identify and remove. In addition, some supercookies have the capability of regenerating regular cookies to prevent their removal. Supercookies track things differently from ordinary cookies. A normal cookie can be written, read and ultimately removed by the website that created it. However, the supercookie operates much more stealthily by tracking and recording user behavior across multiple sites. It’s ethically questionable that a website should be able to record a user’s actions beyond its borders. Websites that have been found to use supercookies include MSN.com, Hulu.com, and Flixster.com."

The ethics is definitely an issue. Is it ethical for a website, like Hulu.com or Facebook.com, to track consumers' usage beyond their websites and across the entire Internet? Perhaps it is okay if the website policies are transparent, provide legible notice, and gain consumers' opt-in consent first. So, the letter by Barton and Markey is very timely and appropriate. Their September 26 letter read in part:

"As Co-Chairs of the Congressional Bi-Partisan Privacy Caucus, we believe this new business practice raises serious privacy concerns and is unacceptable. We are also very concerned about the extent of this practice by websites as well as the impact supercookies have on consumers. Furthermore, we believe the usage of supercookies takes away consumer control over their own personal information, presents a greater opportunity for the misuse of personal information, and provides another way for consumers to be tracked online. In an effort to protect consumers, we are interested in any actions the Federal Trade Commission (FTC) has taken or plans to take to investigate the usage and impact of supercookies on the Internet and consumers. We believe that an investigation of the usage of supercookies would fall within the FTC’s mandate as stipulated in Section 5 of the Federal Trade Commission Act with respect to protecting Americans from ‘unfair and deceptive acts or practices.’”

Read the full text of the letter by Barton and Markey (PDF).

What I'd really like to see is legislation that requires companies to fully disclose their tracking methods and the precise data collected, much like labels on food attempt to describe what is in the packaging. Why? It's all about consumer trust.

Similar to food, ingredients will change. For the Internet, tracking technologies will change. And change quickly, too. Yesterday's browser cookies morphed into "zombie cookies" and "supercookies," which have morphed again into "zombie e-tags." So, the companies' website terms-of-use and privacy policy should explain in simple English:

  1. The tracking technologies (e.g., hardware and software) currently used,
  2. The names of all affiliate companies and business partners they do business with for #1,
  3. The services, products, software, and consumer information exchanged in #2,
  4. The length of time the data collected in #3 is archived,
  5. The anonymization process used, and verified by an independent third-party, and
  6. A large, easy-to-find and easy-to-understand opt-in button, because the program only includes consumers who choose to opt-in or register.

Data Breach Affects 4.9 Million Active And Retired Military Personnel And Their Families

TRICARE Management Activity, the health care program for military personnel worldwide, reported last week a massive data breach involving the personal and medical records of 4.9 million active and retired military personnel and their families. The backup computer tapes, stolen from a contractor's automobile, included records from a military health system that captured patient data from 1992 to September 7, 2011. The lost/stolen information included:

"... Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information..."

In its press release, TRICARE stated that it will take about four to six weeks to notify directly all breach victims. A breach investigation is underway. The contractor company is Science Applications International Corporation (SAIC). SAIC is operating an Incident Response Call Center, which breach victims can call. Breach victims should monitor their credit reports, and report any fraud to the U.S. Federal Trade Commission and to local law enforcement.

TRICARE estimated the risk to breach victims as low, and stated in its press release that special computer hardware and software are required to access the data on the backup tapes. Based on this estimate, TRICARE is not offering breach victims complimentary credit monitoring or credit resolution services. In my opinion, that is unacceptable and not the way to support the troops. It places the burden on troops who are busy defending the country, often at risk of life. It is a time-consuming and burdensome process to fix medical records that co-mingle both the victim's and the fraudster's health history. TRICARE and SAIC are responsible for maintaining adequate data security, and should do the right thing: provide free credit monitoring and credit resolution for two to five years to breach victims.

If there is one thing I have learned while writing this blog, it is that identity thieves and fraudsters are persistent, and often have access to the same computing resources that everyone else has. Simply put, it may take time for the criminals to access the stolen data, and the criminals have the time. The value of the stolen data is unquestionable, and is sufficient for identity thieves to obtain medical care fraudulently, assume others' identities, and/or reuse the Social Security numbers for other identity fraud acts or fraudulent employment.

SAIC describes itself as:

"... a FORTUNE 500® scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. We do this with the constant and deliberate commitment to ethical performance and integrity that has marked SAIC since its founding."

Refusing to help breach victims by declining to pay for credit monitoring and resolution services does not demonstrate any type of "commitment to ethical performance" or problem solving. Rather, it is hoping the problem will simply go away, and it leaves the breach victims with the monitoring and cleanup burden. To use an American football analogy, TRICARE and SAIC have simply punted the football.

Interested military personnel and families should read the TRICARE press release with accompanying questions and answers (PDF).

If you agree and believe that both TRICARE and SAIC should do more, share your opinions below and at:


Lawsuit Alleges Hulu.com and KISSmetrics Used "Zombie E-Tags" To Track Consumers Without Notice And Consent

Last month, a lawsuit was filed in Central California District Court against Space Pencil and Hulu.com, alleging that the companies tracked consumers' online usage without notice or consent using "Zombie Etags," a newer Internet technology. According to the complaint, consumers:

"... that accessed Hulu's website had HTTP cookies respawn via Flash shared objects, HTML 5 Local Storage, and/or cache/ETags after they had been deleted."

"Zombie ETags" refers to the latest combination of Internet technologies used to track online usage: HTML 5 local storage and/or cached Etags. The Zombie Etags allegedly regenerate any HTTP cookies the user has deleted, removing control from the user and preventing privacy. Entity Tags, also known as "Etags," are a cache-validation mechanism: the web server attaches an Etag to a page component, the browser sends it back on later requests, and the server uses it to verify that the component the browser holds still matches the one on the server hosting the URL or original web page.
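The respawning described in the supercookie post above and the Etag mechanism described here both leave traces in recorded traffic that a site auditor can look for. The following is an added example of my own (not code from the complaint, the working papers, or either company) that runs two checks over a constructed set of HTTP exchanges: an Etag that differs between two fresh browsers for a byte-identical resource is carrying an identifier rather than a content version, and a Set-Cookie whose value is embedded in the If-None-Match token a cookie-less browser just sent back is a cookie being restored from the cache. The client labels, paths, header values and bodies are all constructed; header names are lower-cased.

```python
"""Detect Etag-based identifiers and cookie respawning in recorded HTTP
exchanges. Added example; all exchanges below are constructed."""

import hashlib

# Each exchange records which client made it, the path, the request and
# response headers (lower-cased names) and the response body. Client A
# fetches a tracking pixel, deletes its cookies, then fetches it again;
# client B is a fresh browser fetching the same resources.
EXCHANGES = [
    {"client": "A", "path": "/pixel.gif", "req": {},
     "resp": {"etag": '"u-1001"', "set-cookie": "uid=1001; Path=/"},
     "body": b"GIF89a..."},
    {"client": "B", "path": "/pixel.gif", "req": {},
     "resp": {"etag": '"u-2002"', "set-cookie": "uid=2002; Path=/"},
     "body": b"GIF89a..."},
    # A has deleted its cookies, but the browser cache still sends the old
    # Etag back, and the response sets the same cookie value again.
    {"client": "A", "path": "/pixel.gif",
     "req": {"if-none-match": '"u-1001"'},
     "resp": {"etag": '"u-1001"', "set-cookie": "uid=1001; Path=/"},
     "body": b"GIF89a..."},
    # Control: a static asset whose Etag depends only on its content.
    {"client": "A", "path": "/logo.png", "req": {},
     "resp": {"etag": '"5d41402a"'}, "body": b"PNG..."},
    {"client": "B", "path": "/logo.png", "req": {},
     "resp": {"etag": '"5d41402a"'}, "body": b"PNG..."},
]


def cookie_value(set_cookie):
    """Return the value of the leading name=value pair of a Set-Cookie."""
    first = set_cookie.split(";", 1)[0]
    return first.split("=", 1)[1] if "=" in first else ""


def find_per_client_etags(exchanges):
    """Paths whose Etag differs between fresh clients even though the body
    is byte-identical: the Etag is an identifier, not a content version."""
    seen = {}  # (path, body digest) -> {etag: {clients}}
    for ex in exchanges:
        # Only first, cache-less fetches are informative; a conditional
        # request just echoes whatever Etag the client was given earlier.
        if "if-none-match" in ex["req"] or "etag" not in ex["resp"]:
            continue
        key = (ex["path"], hashlib.sha256(ex["body"]).hexdigest())
        seen.setdefault(key, {}).setdefault(ex["resp"]["etag"], set()).add(ex["client"])
    return sorted({path for (path, _), by_etag in seen.items() if len(by_etag) > 1})


def find_cookie_respawns(exchanges):
    """Requests that carry no Cookie header (the user deleted cookies) but
    do carry an If-None-Match token, answered with a Set-Cookie whose value
    is embedded in that token: the identifier came back from the cache."""
    hits = []
    for ex in exchanges:
        token = ex["req"].get("if-none-match", "").strip('"')
        if not token or "cookie" in ex["req"]:
            continue
        set_cookie = ex["resp"].get("set-cookie")
        if set_cookie and cookie_value(set_cookie) in token:
            hits.append((ex["client"], ex["path"], cookie_value(set_cookie)))
    return hits


if __name__ == "__main__":
    print("per-client Etags on:", find_per_client_etags(EXCHANGES))
    print("cookie respawns:", find_cookie_respawns(EXCHANGES))
```

Exchanges like these can be collected from a browser's developer tools or a local proxy; the checks need two fresh browser profiles so that the first comparison is between clients that share no state. A tracker that also varies the response body per client would slip past the first check, which is why the second one looks at the respawn itself rather than at the Etag alone.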

According to the complaint (PDF - 6.3 MBytes), Space Pencil is the company doing business as KISSmetrics. Hulu.com is a popular website that streams video of television shows from ABC, CBS, Fox, NBC, and other networks and studios. This is at least the second class-action lawsuit filed against both companies.

This class-action lawsuit (Couch et al versus Space Pencil et al) was filed, in part, because the consumers:

"... accessed the Hulu website, relying on the Hulu's Terms of Service and Privacy Policy which provided assurances against unauthorized tracking..."

What makes this lawsuit a little different from prior lawsuits (e.g., "zombie cookies") is the technology and hacking allegations:

"... Internet users who accessed Hulu's website, and knowingly, without the user's knowledge or consent, "Hacked" the Plaintiffs' and Class Member's Computing Devices in order to conduct covert surveillance of Plaintiffs and Class Members online activities, using web analytics to collect and de-anonymize Plaintiffs' and Class members' online data, providing the mechanism for Hulu to conduct perpetual online tracking of its users and a method to use cross domain tracking..."

This alleged tracking technology allowed Hulu and KISSmetrics to track Hulu.com users' online usage across the Internet and beyond the Hulu.com website. The complaint referenced several working papers about tracking technologies:

The 2009 working paper documented the extent of company websites using Flash cookies to regenerate HTTP cookies. The 2011 working paper documented the regenerated HTTP cookies practice:

"In our follow-up study, we found that Hulu was still respawning deleted user cookies using homegrown Flash and Javascript code present on the Hulu.com site. Additionally, Hulu, Spotify, and many others were also respawning using code provided by analytics firm KISSmetrics. Hitten Shah, the founder of KISSmetrics, initially confirmed that the research surrounding respawning was correct in an interview with Ryan Singel although he later criticized the findings after a lawsuit was filed."

Both companies supposedly stopped their Zombie Etag tracking on July 29, 2011. KISSmetrics published this response to the July 2011 lawsuit. The class-action plaintiffs want the tracking software and data files removed from their computers. The sensitive personal information:

"... compiled and misappropriated included sensitive information, such as users' video viewing choices revealing personal interests, his/her sexual preference, political views, and even more specific information like health conditions, such as DEPRESSION..."

The attorneys representing the plaintiffs in this class-action lawsuit include Strange & Carpenter, and a name I recognize: the law office of Joseph Malley.

If you want to learn more, I recommend reading this Wired story.