
18 posts from March 2014

Organizations Sent Letter To The FCC Urging It To Restore Net Neutrality

Last week, the Save the Internet site reported that more than 40 organizations sent a letter to the Federal Communications Commission (FCC) urging it to reclassify Internet Service Providers (ISP) and restore Net Neutrality rules. Without net Neutrality rules, experts predict several changes to your Internet access including higher prices and degraded service.

The organizations that sent the letter included government, journalism, and advocacy groups. Some of the organizations that signed the letter: the American Civil Liberties Union, the Center for Media and Democracy, Free Press, the Government Accountability Project, the National Hispanic Media Coalition, the PEN American Center, the Project on Government Oversight, Reporters Without Borders, the Society for Professional Journalists, the Sunlight Foundation, and the Writers Guild of America East.

Excerpts from the letter:

"Dear Chairman Wheeler:

The D.C. Circuit’s decision in Verizon v. FCC dealt a huge blow to the open Internet, press freedom and our right to access information... we appreciate your agency’s role in protecting our free speech rights online and call on you to use your clear authority under Title II of the Communications Act to protect the open Internet... With the court’s decision, however, broadband providers are now free to block or discriminate against online content, services and applications. Allowing broadband providers to control this once-open platform shifts power away from communities and individuals and toward entrenched companies like AT&T, Comcast, Time Warner Cable and Verizon. This will have a chilling effect on our rights to access, report and share information... U.S. laws and leaders have protected these rights, acknowledging the fundamental need for our speech to be delivered without discrimination. Freedom of the press was not simply the freedom to print, but also the freedom to distribute speech across the country through a common-carrier network: the postal service. Our ability to utilize that network (and its successors) is central to our ability to self-govern... Free speech depends on access to open and nondiscriminatory platforms for that speech. Without such principles governing online networks, we cannot guarantee the exercise of this most fundamental right."

Freepress.net, a project of Free Press and the Free Press Action Fund, operates the Save The Internet site.

I am sure that some readers are thinking, "I'll wait and see what new prices my ISP releases. If it's bad, then I'll complain." Well, you don't have to wait. East Buchanan Telephone Cooperative (EBTC), an ISP in Iowa, released a metered pricing scheme two months ago that looks a lot like your mobile phone bill:

[Image: East Buchanan Telephone Cooperative registration form for DSL Internet access]

You pay more for a faster connection and more for how much you download. Exceed your usage allowance and your monthly Internet bill goes up sharply. The new pricing has hit many residents hard, including students, elders, and people who work at home. Many people have already complained.

This metered pricing scheme is one view of a future without net neutrality. I see mostly bad news. The tiny bit of good news: this Iowa ISP isn't directing users (yet) to specific search engines, video, and/or media sites. Internet users should and must have the freedom to surf where they please. It is censorship if ISPs restrict users to specific search engines, media sites, and/or news sites; or block other sites. It is the "World Wide Web" and not the "ISP Selected Web."

The bad news I see:

  1. Metered pricing hits certain people hard, especially those on fixed incomes
  2. This pricing scheme included DSL which is at the slow end of the range of broadband speeds. It encourages other ISPs with faster broadband speeds to implement even higher prices
  3. The pricing scheme is designed for users to exceed the thresholds. Stream a couple movies and you've already maxed out the 5 GB limit.
  4. The pricing scheme doesn't reflect costs. Remember the marginal cost concept from economics in college? Since the ISP has already built out its system, it doesn't cost much to serve one subscriber one more movie after it has already served 1,000 other subscribers 8,000 movies during the past day. ISPs incur hardware costs more like a step or stairway function, with hardware costs amortized over the useful life of the equipment. So, the pricing scheme maximizes revenues rather than reflecting the ISP's costs.
  5. The pricing scheme is counter to consumers' reality. Visit any of the big-box chain stores and buy toilet paper. The more you buy, the less you pay per roll. ISP pricing should work the same way: the more you download, the less you pay per gigabyte downloaded. (Banks and payment processors have tricked consumers similarly with per-transaction fees that never decrease with volume, but that is a discussion for another blog post.)
  6. The pricing scheme forces subscribers to subsidize other ISP businesses. The Independence Bulletin Journal reported, "... EBTC’s DSL and line of sight broadband customers appear to be subsidizing the cost of EBTC’s IPTV service, and that an argument could be made that this could be considered anticompetitive..."
  7. This metered pricing scheme presented absolutely no innovation, just price increases.

FCC Chairman Wheeler promised innovation. Where's the innovation? Where's the beef?

It looks like a big, fat zero to me.

What are your opinions of the Free Press letter? Of the FCC's actions regarding net neutrality? Of the metered pricing scheme by EBTC?


New York City McDonald's Restaurant Owner Settles Wage Theft Charges

Earlier this month, the New York State Attorney General's office announced a $500,000 settlement with the owner of seven McDonald's restaurants over wage theft allegations. The settlement resolves charges that Richard Cisneros failed to pay the legally required laundry allowance for employees' uniforms, failed to pay for all time worked, and made unlawful deductions from wages when cashiers were required to cover cash register shortfalls.

New York State Attorney General Eric T. Schneiderman said:

"Like every other business in New York State, fast food employers must follow our labor laws... Our lowest wage workers deserve the same protections of the law as everyone else. It’s critical, for them and for their families as well as for our economy, that we remain vigilant so that no New Yorkers are cheated out of their hard won earnings."

The seven restaurants are all located in the borough of Manhattan: 280 Madison Ave., 1499 3rd Ave., 1872-74 Third Ave., 809 Sixth Ave., 427 Tenth Ave., 871 Second Ave., and 18 East 42nd Street. The investigation found that from 2007 to July 2013, about 700 cashiers weren't paid for time periods they were required to work “off-the-clock” before and after shifts. Other violations included failure to pay workers an extra hour of pay at minimum wage when they worked more than 10 hours in a day, as required by New York law.

1,600 workers will receive the settlement money, which includes damages and interest. More than half of the settlement money will reimburse workers who weren't paid the uniform allowance.

Fortune/CNN Money reported on March 14:

"McDonald's workers claimed in six separate lawsuits filed in three states on Thursday that the company and some of its franchisees systematically shorted them pay... when pointing at alleged culprits of wage theft, the finger ought to extend beyond McDonald's... A report by Anzalone Research Group published by Fast Food Forward, the campaign behind the fast food strikes in New York, found that of the 500 fast food workers it surveyed in New York in April 2013, 84% said that their employer had committed at least one form of wage theft in the past year. Two-thirds said their employer had perpetrated two forms of wage theft, and nearly half said they'd suffered wage theft in three different ways."

The other states include Michigan and California. What's really going on? KTLA in Los Angeles reported:

"'We’ve uncovered several unlawful schemes, but they all share a common purpose — to drive labor costs down by stealing wages from McDonald’s workers,' said Michael Rubin of Altshuler Berzon LLP, an attorney who represents California workers."

This is the second settlement from investigations into the fast-food industry. In December 2013, the Attorney General secured reinstatement for twenty-five workers at a Domino's pizza franchise located in Washington Heights, in New York City. The National Mobilization Against Sweatshops (NMASS) has helped workers in pizza shops fight wage theft and sweatshop-like conditions.

During 2012, the U.S. Labor Department's EBSA division recovered $1.2 billion that employers had withheld or stolen from benefits and retirement plans. Last year, the National Employment Law Project released the results of a wage theft study that described in detail the obstacles and weak laws preventing workers from collecting unpaid and stolen wages. Unfamiliar with wage theft? To learn more, select the "Wage Abuse" topic in the right-column tag cloud.

About a year ago, a conservative friend commented that workers no longer need to mobilize (e.g., in formal and/or informal groups) since companies no longer abuse their employees. Obviously, that fuzzy thinking is inaccurate, since there is plenty of abuse. This trend makes it critical for workers to know their rights and mobilize.

Part of mobilizing includes demanding that federal officials stop awarding contracts to companies that repeatedly violate wage laws, and that elected officials in your state enact stronger laws to protect workers.

What are your opinions of wage theft? Have you experienced wage theft? What did you do to recover the money owed?


Security Warning For Microsoft Word Users

On Monday, Microsoft issued a security warning about attacks where hackers could embed malware in RTF (Rich Text Format) documents. When a victim opens a hacked RTF file, the malware launches. This could allow hackers to take over victims' computers, use them to send out e-mail spam, or use them in coordinated botnet attacks.

To avoid having your computer infected with malware, don't open any RTF files until Microsoft says it is okay to do so. Until a permanent fix is available, Microsoft has provided this automated fix tool.

It is a good security habit for consumers to never open e-mail attachments from strangers, regardless of the file format. To learn more, read this Reuters news story on Yahoo Finance.


AT&T Argues Against Net Neutrality And Why You Should Care

There is an excellent post at the BoingBoing site about AT&T, the communications company, arguing against Net Neutrality:

"AT&T Senior Executive Vice President of Legislative Affairs James Cicconi has written a monumentally stupid attack on Reed Hastings' call for Net Neutrality. Cicconi says, "there is no free lunch, and there’s also no cost-free delivery of streaming movies. Someone has to pay that cost..."

Cicconi's comments are misleading and so very wrongheaded. Here's why:

"... Netflix is paying its ISPs to be connected to the Internet. And AT&T's customers are paying to be connected to the Internet. And AT&T's customers are asking to have the service they are paying for to be connected to the service Netflix is paying for. AT&T is then demanding that Netflix pay it a bribe in order to carry out the service that its customers are paying for."

This analogy makes it easy to understand how the loss of Net Neutrality will impact all consumers directly in your wallet (or purse):

"Imagine if AT&T was a city-bus with an exclusive contract to serve your town, and it noticed that a lot of passengers were getting off at a certain stop every day to visit a restaurant. What AT&T is doing is saying "We will no longer stop near that restaurant unless it pays us a bribe," (and they're hinting, "We will stop at a competing restaurant if they do pay a bribe"). When the restaurant objects, AT&T says, "Hey, there's no such thing as a free lunch." This isn't "just business" -- it's extortion."

Well said. I agree. Extortion indeed. Contact your elected officials today and demand that Net Neutrality be restored.


Questions About The Target Data Breach And How Hackers Broke In

A prior blog post discussed the Target data breach, the retailer's security preparations, and management's post-breach response. Months before the breach, Target installed robust breach-detection software. During the breach, that software provided alerts which management missed. That blog post referenced a Bloomberg Businessweek article which reported breach details.

The Businessweek article went further and explored possible links between the breach and Russian hackers operating in Odessa, Ukraine. First things first. There will be plenty of time later to profile the hackers. Today, stay focused on breach details, the retailer's post-breach response, and the breach investigations. The goal is to report what happened so things can be fixed. Consumers want and need to know they can trust banks and retailers to protect their payment card information.

The article also published this flow diagram:

Bloomberg Business flow diagram of Target data breach. Click to view larger image.

See box #1, which mentioned an HVAC vendor and used the word "probably." The conclusion seems to have been based upon an email attack described in this KrebsOnSecurity article:

"... investigators believe the source of the Target intrusion traces back to network credentials that Target had issued to Fazio Mechanical... Multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers. Two of those sources said the malware in question was Citadel – a password-stealing bot program..."

Fazio confirmed that it experienced an attack (Adobe PDF). The KrebsOnSecurity article included a "theory" about how hackers with billing credentials accessed systems with point-of-sale cashiers. I expected something more definitive than a "theory." I expect something more definitive than "investigators believe" -- ideally, "investigators analyzed" or "investigators found."

Knowing the exact scenario is important, so relevant fixes can be applied to prevent a massive breach like this from happening again. Hopefully, Target's final breach investigation report will clarify and explain things.

I wonder about the investigators' conclusions. How do investigators know with 100 percent certainty that (only) this specific HVAC vendor breach was the setup? How do the investigators know that credentials weren't stolen from any other Target vendors? How do investigators know that no other vendors experienced data breaches allowing hackers access to Target's systems?

During the past 6+ years I've written this blog, I've learned that online thieves are smart, persistent, and go where the money is. A January 2014 Let's Talk Payments article mentioned several of Target's major partners:

"Companies performing these [payments processing] roles for Target were identified in a research note by Robert W. Baird & Co analysts on Dec. 19... the merchant acquirer used by Target for credit and debit card transactions is Bank of America Merchant Services, a joint venture of Bank of America and KKR’s First Data Corp... The note also identified Vantiv of Cincinnati as processing transactions for Target customers who type in personal identification numbers for debit transactions... Target-branded payment cards are issued by Toronto’s TD Bank Group."

Regular readers of this blog recognize First Data and understand how much information the processor collects about consumers. (New to this blog? To learn more, select "Data Breaches," "Payment Processors," or "Retail" in the right-column tag cloud. Or enter a company name in the right-column search mechanism.) Regular readers of this blog also recognize Bank of America Merchant Services, and its joint venture with First Data to process the payment transactions of the bank's retail (e.g., checking, debit card, credit card) customers. Other banks probably have similar arrangements with First Data.

Target's REDcard loyalty program includes the Target-branded credit and debit payment cards. According to a quarterly filing with the S.E.C., REDcard penetration increased from 12.8 to 18.6 percent during 2013. That's huge growth in one year. Good for Target: its shoppers like using REDcards. Bad for Target: its data breach has threatened that growth, REDcard usage by shoppers, and payments processors' revenues (and profits).

Smart hackers would focus on vendors with the best credentials; credentials that provide the best access to Target's computer systems and network. Another question: which vendor probably has the best credentials: a small HVAC vendor or a key business partner? The KrebsOnSecurity article discussed how Target required two-factor authentication for some vendors and not others. Maybe a small HVAC vendor was the easiest way in for the hackers. Maybe not. I hope that the formal Target breach investigation clarifies and explains things. Maybe the answers will be the same as reported in the KrebsOnSecurity article. Or maybe not.

In a January 2014 news story by SC Magazine, a First Data Corp representative denied that the processor's systems were breached:

"First Data processes some transactions for one of Target's acquirers, but we have no indication that our systems were involved in any of the incidents reported by Target,"

"No indication" doesn't sound to me like a resounding, definite "no" with 100 percent confidence. Reportedly, the First Data representative also said:

"The situation being reported by Target is a concern to all of us in the payments industry... data security is of paramount importance to First Data, which is why we work closely with our clients to protect cardholder data through our own system monitoring and the risk management solutions we offer our clients.”

Hmmm. Payments processors have had data breaches... massive ones. You may remember the Global Payments and Heartland breaches. First Data Corp has experienced a data breach too, at its Western Union unit.

Reportedly, the U.S. Secret Service is also investigating the Target data breach. That implies an interest in any systemic retail or banking security issues affecting the country's money supply. Systemic issues that come to mind are breaches at multiple retailers, the obsolete technology for payment cards, weaknesses in retail payment processes, and breaches at banks or payments processors. To me, a breach at a tiny HVAC vendor doesn't seem to rise to the level of systemic.

Again, this is all speculation. I'm not saying one of Target's partners was breached. I don't have access to the data investigators have. All I'm saying is that a thorough, broad breach investigation needs to ask the question: was anyone else breached? The Target breach shook consumers' trust, and the breach investigation needs to address that. Trust matters. Consumers want to trust that banks and retailers can protect their card payment information.

Maybe the answer to this question will be the same: a small HVAC vendor's breach was the setup. Maybe not. A lot has happened since January. When 110 million records are stolen, one has to ask... one has to look, thoroughly.

I'd hate to think that the breach investigation stopped after finding the HVAC vendor breach and didn't look further for earlier breaches at other vendors or partners. If one wants to reassure consumers of secure card payment processes, one has to look further... and thoroughly. And if there were other breaches, report them, too.

If a payments processor was also breached, then those partners would likely be added as defendants to any lawsuits. The Businessweek article mentioned 90 lawsuits. Several lawsuits have already been filed by banks and by shoppers.

What's your opinion of the Target breach? What questions do you have? How were you affected by the Target breach?


How To Recognize Shopping Email Scams

The scam artists and fraudsters seem to be getting bolder. Recently, I have received several bogus e-mail messages claiming that I am being evicted from my residence. Both messages include .ZIP file attachments, which probably include malware that either takes over my computer (e.g., "ransomware") or installs spyware to steal banking passwords.

The first spam message:

"From: "Amazon.com" (messagerusg@amazonseoeni.com)
To: (recipient 1), (recipient 2), (recipient 3), (recipient 4), (recipient 5), (recipient 6), (recipient 7), (recipient 8), (recipient 9), (recipient 10)
Subject: Your order report id 638
Date: Feb 3, 2014 12:26 PM

Good morning,

Thank you for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com

ORDER DETAILS

Order CZ6775413 Placed on December 12, 2013

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides. We hope to see you again soon.

Amazon.com"

The scammers tried really hard and included some HTML formatting with the Amazon.com logo. I stripped off the HTML. They tried again a few minutes later with a second spam message:

"From: "Amazon.com" (messageni@amazonsemiye.com)
To: (recipient 1), (recipient 2), (recipient 3), (recipient 4), (recipient 5), (recipient 6), (recipient 7), (recipient 8), (recipient 9), (recipient 10)
Subject: Your order report id 877
Date: Feb 3, 2014 12:30 PM

Good morning,

Thank you for your order. We’ll let you know once your item(s) have dispatched.You can view the status of your order or make changes to it by visiting Your Orders on Amazon.com

ORDER DETAILS

Order MR4863706 Placed on December 13, 2013

Order details and invoice in attached file.

Need to make changes to your order? Visit our Help page for more information and video guides. We hope to see you again soon.

Amazon.com"

Of course, I did not open the attached .ZIP file. Doing so would have been dumb. Of course, I notified my Internet Service Provider that both messages were spam. How I recognized these e-mail messages as scams:

  1. The sender doesn't know my name.
  2. Both messages included ten (10) recipients, with e-mail addresses in alpha order. The real Amazon.com doesn't do this.
  3. The order number in the e-mail subject line does not match the order number listed in the message text.
  4. Both e-mail confirmations are about five weeks after the supposed order date. The real Amazon.com is not this slow. Not even close.
  5. The text in both messages tries to get the recipients to open the attachments. I never open attachments from strangers. Never. Nor should you.
  6. The only people that send .ZIP files to me are my consulting clients, and in those cases they notify me beforehand. Experienced, security-conscious Internet users do this and ask if it is okay to send .ZIP files.
  7. While Amazon.com is a real online shopping website, neither return e-mail address is the retailer's real e-mail address. Both have a few additional letters in the server name.

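The seven tells above can be turned into automated checks. The script below is an added example, not code from the original post: it builds constructed copies of the two messages quoted above (the RFC 5322 dates, recipient addresses, attachment names and the brand-to-domain table are assumptions for this example) and scores each one against the heuristics in the list, reporting which indicators fired.

```python
"""Heuristic checks for bogus "order confirmation" e-mail (added example).

Each check encodes one of the tells listed in the post: recipient not named,
a bulk To: list, an order number in the subject that differs from the one in
the body, an order date weeks before the confirmation, a lure to open an
attachment, and a sender domain that only resembles the brand's real domain.
Sample messages are constructed for this example, modelled on the two quoted
in the post; the brand-to-domain table is an assumption.
"""
import re
from datetime import datetime
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime

# Assumption: display names that are commonly spoofed and the domains the
# real sender actually uses. A deployment would maintain this list itself.
BRAND_DOMAINS = {"amazon.com": {"amazon.com"}}
BULK_RECIPIENT_THRESHOLD = 5   # real order mail is addressed to one customer
STALE_ORDER_DAYS = 14          # a confirmation weeks after "Placed on" is suspect
RISKY_EXTENSIONS = (".zip", ".rar", ".7z", ".exe", ".scr", ".js")
LURE_PHRASES = ("attached file", "see attachment", "open the attachment")
ORDER_ID = r"([A-Za-z]{0,3}\d[\w-]*)"   # e.g. 638, CZ6775413, 112-1234567-8901234


def build_message(sender, recipients, subject, date, body, attachment_name=None):
    """Assemble a constructed test message and return it as raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg["Date"] = date
    msg.set_content(body)
    if attachment_name:
        # Four bytes of ZIP local-file-header magic stand in for a real archive.
        msg.add_attachment(b"PK\x03\x04", maintype="application",
                           subtype="zip", filename=attachment_name)
    return msg.as_bytes()


def score_message(raw, recipient_name=None):
    """Return the list of indicators found in one raw message (empty = clean)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    # Tell 7: display name claims a brand, but the address is a look-alike domain.
    display, addr = parseaddr(msg["From"] or "")
    sender_domain = addr.rpartition("@")[2].lower()
    brand = display.strip().lower()
    if brand in BRAND_DOMAINS and sender_domain not in BRAND_DOMAINS[brand]:
        findings.append(f"display name '{display}' but sender domain '{sender_domain}'")

    # Tell 2: order mail goes to one customer, not a block of recipients.
    to_header = msg["To"]
    n_recipients = len(to_header.addresses) if to_header else 0
    if n_recipients >= BULK_RECIPIENT_THRESHOLD:
        findings.append(f"bulk To: list with {n_recipients} recipients")

    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""

    # Tell 1: the sender does not know the recipient's name.
    if recipient_name and recipient_name.lower() not in body.lower():
        findings.append("recipient is not addressed by name")

    # Tell 3: the order number in the subject must match the one in the body.
    subj = re.search(r"\b(?:id|order)\s*#?\s*" + ORDER_ID, msg["Subject"] or "", re.I)
    in_body = re.search(r"\bOrder\s+" + ORDER_ID + r"\s+Placed on", body)
    if subj and in_body and subj.group(1) != in_body.group(1):
        findings.append(f"subject order id {subj.group(1)} != body order id {in_body.group(1)}")

    # Tell 4: a confirmation sent weeks after the order date is not how retailers behave.
    placed = re.search(r"Placed on ([A-Z][a-z]+ \d{1,2}, \d{4})", body)
    if placed and msg["Date"]:
        sent_day = parsedate_to_datetime(msg["Date"]).date()
        placed_day = datetime.strptime(placed.group(1), "%B %d, %Y").date()
        gap = (sent_day - placed_day).days
        if gap > STALE_ORDER_DAYS:
            findings.append(f"order placed {gap} days before this confirmation")

    # Tells 5 and 6: text pushes the reader toward an attachment with a risky extension.
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky = [a for a in attachments if a.lower().endswith(RISKY_EXTENSIONS)]
    if risky and any(phrase in body.lower() for phrase in LURE_PHRASES):
        findings.append(f"lure text plus risky attachment {risky}")

    return findings


# Constructed samples modelled on the two messages quoted in the post.
SPAM_BODY = ("Good morning,\n\nThank you for your order. We'll let you know once your "
             "item(s) have dispatched.\n\nORDER DETAILS\n\nOrder {order} Placed on {placed}"
             "\n\nOrder details and invoice in attached file.\n\nAmazon.com\n")
TEN_RECIPIENTS = sorted(f"recipient{i:02d}@example.net" for i in range(1, 11))
SPAM_1 = build_message('"Amazon.com" <messagerusg@amazonseoeni.com>', TEN_RECIPIENTS,
                       "Your order report id 638", "Mon, 03 Feb 2014 12:26:00 -0500",
                       SPAM_BODY.format(order="CZ6775413", placed="December 12, 2013"),
                       "order_638.zip")
SPAM_2 = build_message('"Amazon.com" <messageni@amazonsemiye.com>', TEN_RECIPIENTS,
                       "Your order report id 877", "Mon, 03 Feb 2014 12:30:00 -0500",
                       SPAM_BODY.format(order="MR4863706", placed="December 13, 2013"),
                       "order_877.zip")
# A constructed benign confirmation for contrast: named recipient, one address,
# matching order numbers, recent order date, real domain, no attachment.
LEGIT = build_message('"Amazon.com" <ship-confirm@amazon.com>', ["jane.doe@example.org"],
                      "Your Amazon.com order #112-1234567-8901234 has shipped",
                      "Sun, 02 Mar 2014 09:00:00 -0500",
                      "Hello Jane Doe,\n\nOrder 112-1234567-8901234 Placed on March 1, 2014 "
                      "has shipped. Track it from Your Orders on our site.\n")

if __name__ == "__main__":
    for label, raw in (("spam 1", SPAM_1), ("spam 2", SPAM_2), ("legit", LEGIT)):
        hits = score_message(raw, recipient_name="Jane Doe")
        print(f"{label}: {len(hits)} indicator(s)")
        for hit in hits:
            print("  -", hit)
```

Run as-is, both constructed spam messages trip all six checks and the benign one trips none. The recipient-name check needs the mailbox owner's name passed in, which a mail gateway knows but a stand-alone filter may not; the other checks work on the message alone. The thresholds are deliberately loose so the script reports indicators rather than making a block decision by itself.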
Don't be tricked by spam. Learn to spot it.


Los Angeles Area Police Try To Defend Mass Surveillance With Auto License Plate Readers

The Electronic Frontier Foundation (EFF) reported that in court documents, Los Angeles area police are trying to defend their current practice of un-targeted, suspicion-less mass surveillance on all drivers:

"The agencies took a novel approach in the briefs they filed in EFF and the ACLU of Southern California’s California Public Records Act lawsuit seeking a week’s worth of Automatic License Plate Reader (ALPR) data. They have argued that “All [license plate] data is investigatory.” The fact that it may never be associated with a specific crime doesn’t matter."

If you haven't followed the technology, automated license plate readers (ALPR), often called license plate scanners, allow law enforcement to scan, monitor and track all vehicles on public roads. Some devices are mounted on patrol cars. Other devices are stationary and mounted atop traffic-signal poles. ALPRs are used by law enforcement agencies in Georgia, other parts of California, and in 38 states.

The EFF article described how the technology works:

"The cameras are not triggered by any suspicion of criminal wrongdoing; instead, they automatically and indiscriminately photograph all license plates (and cars) that come into view. This happens without an officer targeting a specific vehicle and without any level of criminal suspicion. The ALPR system immediately extracts the key data from the image—the plate number and time, date and location where it was captured—and runs that data against various hotlists. At the instant the plate is photographed not even the computer system itself—let alone the officer in the squad car—knows whether the plate is linked to criminal activity."

So, the metadata that an ALPR device collects seems to be:

  • License plate number
  • License plate state
  • Vehicle, car, or truck owner
  • GPS location
  • Travel direction
  • Time and date
  • Road, street, or highway number
  • ALPR device ID number

Additional information about vehicle owners can be easily collected through searches of registry databases and commercial databases (e.g., Lexis-Nexis). The power of ALPR information is that it can be searched, to determine drivers' patterns: when and where you drive, and how often you have visited a particular destination.

Additional privacy concerns include how long the data is archived, data sharing with other government agencies, access to information by defendants' lawyers, and methods to protect the information from hacks and data breaches:

"This sales video from Vigilant Solutions shows just how much the government can learn about where you've been and how many times you've been there when Vigilant runs their analytics tools on historical ALPR data. We can only understand how LA police are really using their ALPR systems through access to the narrow slice of the data we’ve requested in this case."

Last year, USA Today reported about the wide variance in archive policies: how long law enforcement departments archive ALPR data:

"... the lack of standardized procedures for dealing with license plate information. In Minnesota, pop. 5.3 million, the State Patrol purges scanned data after 48 hours and has fewer than 20,000 license-plate readings on file, the ACLU found. Milpitas, Calif., pop. 68,000, has 4.7 million license-plate scans on file and no policy for erasing them... a 2012 survey by the not-for-profit Police Executive Research Forum found that 71% of police agencies now use [ALPR]... many police departments are storing – for long periods of time – huge numbers of records on scanned plates that do not return 'hits.' For example, police in Jersey City, N.J., recorded 2.1 million plate reads last year. As of August 2012, Grapevine, Texas, had 2 million plate reads stored..."

This mass surveillance is an extreme over-reach, privacy violation, and problematic in several ways. As the EFF described:

"This argument is completely counter to our criminal justice system, in which we assume law enforcement will not conduct an investigation unless there are some indicia of criminal activity. In fact, the Fourth Amendment was added to the U.S. Constitution exactly to prevent law enforcement from conducting mass, suspicionless investigations under “general warrants” that targeted no specific person or place and never expired."

Government shouldn't be allowed to ignore the "probable cause" in the Fourth Amendment of the U.S. Constitution:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

What's your opinion of ALPRs? If this bothers you (and I surely hope that it does bother you), contact your elected officials and demand limits.


Update: Target Management Failed To Respond To Breach Alerts

Six months before its data breach during and after Thanksgiving 2013, Target installed malware detection software designed to alert the retailer's security team about such an incident. Bloomberg Businessweek reported:

"... the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye (FEYE), whose customers also include the CIA and the Pentagon. Target had a team of security specialists in Bangalore to monitor its computers around the clock. If Bangalore noticed anything suspicious, Target’s security operations center in Minneapolis would be notified."

When the hackers commenced their attack during the Thanksgiving holiday:

"... FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then … Nothing happened. For some reason, Minneapolis didn’t react to the sirens."

The FireEye software is robust and the breach could have been stopped automatically:

"The system works by creating a parallel computer network on virtual machines. Before data from the Internet reach Target, they pass through FireEye’s technology, where the hackers’ tools, fooled into thinking they’re in real computers, go to work. The technology spots the attack before it happens... The system has an option to automatically delete malware as it’s detected. But according to two people who audited FireEye’s performance after the breach, Target’s security team turned that function off."

Some experts claim that turning off the software's automatic malware deletion feature is fairly standard, since it allows management to make decisions and act. It seems to me, if one turns off that feature, then that makes action by Target management even more important.

The Bloomberg article explored reasons why Target management didn't react to alerts by the malware detection software. Target's CEO claimed the retailer complied with the PCI industry standard. The non-reaction to the alerts was significant:

"Poring over computer logs, Target found FireEye’s alerts from Nov. 30 and more from Dec. 2, when hackers installed yet another version of the malware. Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn’t begun transmitting the stolen card data out of Target’s network..."

So, the theft of 40 million credit card numbers and sensitive personal information about another 70 million shoppers could have been avoided. Beth Jacobs, Target's Chief Information Officer (CIO) resigned earlier this month as a result of the data breach. There needs to be accountability and one person is not enough. Internal decision and communication processes need to be reviewed and improved so a non-reaction doesn't happen again. Hopefully, the new CIO will hold accountable responsible members within the retailer's security team.

With numerous lawsuits by banks and shoppers about the retailer's data breach and an ongoing breach investigation, this is far from over.

[Editor's Note: on March 20, I added two paragraphs about Target turning off FireEye's automatic malware deletion feature.]


10 Takeaways From The Privacy, Surveillance, And Technology Talk At SXSW

Edward Snowden, the former NSA contractor now exiled in Russia who leaked several documents about the government's spy programs, spoke through a Skype link during a panel discussion at last week's SXSW conference in Austin, Texas. The discussion focused upon the impact of NSA surveillance on the technology community. The panel included Christopher Soghoian, the American Civil Liberties Union’s principal technologist, and Ben Wizner, Director of the ACLU's Speech, Privacy & Technology Project. The public submitted questions via Twitter for Snowden.

I watched a video of the discussion afterwards, which gave me the opportunity to replay hard-to-understand sections of the discussion. Snowden's comments were garbled at times, due to a Skype connection routed through several proxy servers. I want to thank the SXSW conference organizers, ACLU, and Google for making this event happen. A huge hat-tip to Inside for providing a transcript of the discussion.

After listening to the discussion, I see ten important takeaways consumers should know:

1. Some elected government officials don't want American citizens to have any discussion about privacy and mass surveillance. Wizner said during opening remarks to the panel discussion:

"... you are joining us for the event that one member of Congress from the great state of Kansas hoped would not occur. He wrote to the organizers of SXSW urging them to rescind the invitation to Mr. Snowden. The letter included this very curious line, “The ACLU would surely concede that freedom of expression for Mr. Snowden has declined since he departed American soil.” Now no one disputes that freedom of expression is stronger here than there but if there is one person for whom that is not true, it’s Ed Snowden. If he were here in the United States he would be in a solitary cell subject to special administrative measures that would prevent him from communicating to the public and participating in the historic debate that he helped launch."

I imagine there are more elected officials who feel as this representative from Kansas does. It is important to out them all. For the US government to be responsible to its citizens, there has to be openness and transparency about what it is doing. A poll earlier this year found that the public's confidence in online privacy has fallen for three straight years. Experts have warned that NSA mass surveillance could cost U.S.-based cloud-services vendors $35 billion in lost revenues.

There were protests worldwide and in the USA in February about government surveillance. This past week, we learned about the development by the NSA of more offensive malware surveillance weapons to infect consumers' computers. Consumers are starting to look at companies' privacy capabilities, as the industry grapples with transparency restrictions and projected revenue losses from mass surveillance. When a government forces corporations to lie, it breaks the public's trust with both. Perhaps more importantly, a government can't simply ignore or walk away from the Fourth Amendment of the U.S. Constitution:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

So, only a fool (or a spy-industry apologist) would ignore these facts and want to stop citizens from having any discussion about the role they want their government to play in mass surveillance, and about the appropriate democratic controls by all three branches of government: executive, legislative, and judicial.

I think that it's fair to conclude that without Snowden's disclosures about NSA spying programs, we American citizens probably would not have the discussion we've had about privacy, mass surveillance, and the role we want our government to play. So, thanks to Mr. Snowden.

2. The communications tools companies and consumers use today are not secure. There have been several news reports that spy agencies seek to break all online encryption methods. Wizner's opening remarks included:

"... conversation that you hear in conference rooms in technology companies. Particularly among people working on security issues. And those people are talking less about the warrant requirement for metadata and more about why the hell the NSA is systematically undermining common encryption standards that we all use. Why is the NSA targeting telecommunications companies, internet companies, hacking them to try to steal their customer data. Basically manufacturing vulnerabilities to poke holes in the communication systems that we all rely on..."

Snowden replied:

"... I will say SXSW and the technology community - people who are in the room in Austin they are the folks that really fix things who can enforce our rights for technical standards. Even when Congress hadn’t yet gotten to the point of creating legislation to protect our rights.. There is a policy response that needs to occur. There is also a technical response that needs to occur. It is the development community that can really craft the solutions and make sure we are safe..."

Soghoian emphasized that there are still privacy gaps with current products and services:

"In the last eight months the big Silicon Valley technology companies have really improved their security in a way that was surprising to many of us who have been urging them for years to do so... The companies have locked things down but only in a certain way. They have secured the connection between your computer and Google’s server or Yahoo’s server or Facebook’s server, which means that governments now have to go through Google or Facebook or Microsoft to get your data. Instead of getting it with AT&T’s help or Verizon’s help or Comcast’s..."

And the NSA simultaneously works with technology companies to undermine the security of online products and services:

"... there was a disclosure in the New York Times a report in the New York Times last fall revealing the NSA has been partnering with US technology companies to intentionally weaken the security of the software that we all use and rely on. The government has really been prioritizing its efforts on information collection. There is this fundamental conflict there is tension that a system that is secure is difficult to surveil and a system that is designed to surveil is a target waiting to be attacked. Our networks have been designed with surveillance in mind."

The bottom line: surveillance-friendly products and services don't really protect information. Vendors' resources need to be focused on information protection. You can read about the NSA's encryption-breaking efforts at the InfoWorld and ProPublica sites.

3. Advertising companies are not interested in consumers' privacy. Since these companies offer services to consumers for free, they make money via mass surveillance: collecting, archiving, and manipulating consumers' sensitive personal information. Wizner said:

"... one of the problems with end to end encryption is that many of us get email service from advertising companies that need to be able to read the emails in order to serve us targeted ads. But what are steps that even a company like Google that is an advertising company but companies like that can do to make mass surveillance more difficult?"

Soghoian replied:

"I think it is going to be difficult for these companies to offer truly end to end encrypted service simply because it conflicts with their business model. Google wants to sit between you and everyone you interact with and provide some kind of added value. Whether that added value is advertising or some kind of information mining. Improved experience telling you when there are restaurants nearby where you can meet your friends. They want to be in that connection with you and that makes it difficult to secure those connections... "

Later during the discussion, in response to a viewer's question about data collection by companies, Soghoian added:

"... the web browser you are most likely using, the most popular browser right now is Chrome, most popular mobile operating system is now Android, many of the tools that we are using whether web browsers or operating systems or apps are made by advertising companies. It is not a coincidence that Chrome is probably a less privacy preserving browser. It is tweaked to allow data collection by third parties. The Android operating system is designed to facilitate disclosure of data to third parties. Even if you are okay with the data the companies are collecting you should also note that the tools that we use to browse the web and the tools that ultimately permit our data to be shared or prevent it from being shared are made by advertising companies. This makes the NSA’s job a lot easier. If the web browsers we were using were locked down by default the NSA would have a much tougher time. But advertising companies are not going to give us tools that are privacy preserving by default."

4. Secure communication tools that are easy for the average Internet user are not yet available. Internet technology companies need to do more. Soghoian said:

"... tools that exist to enable secure end to end encrypted video conferencing are not very polished and particularly when you are having a conversation with someone who is in Russia and who is bouncing his connection through several proxies the secure communications tools tend to break. This in fact I think reflects the state of - the state of play with many services. You have to choose between a service that is easy to use and reliable and polished or a tool that is highly secure and impossible for the average person to use... the tools that are designed with security as the first goal are typically made by independent developers and activists and hobbyists and they are typically tools made by geeks for geeks."

Snowden added (links added):

"Whisper systems [unintelligible] of the world are focusing on new user experience, new UIs and basically ways for us to interact with cryptographic tools. This is the way it should be... We want secure services that aren’t opt in. It has to pass the Greenwald test. Any journalist in the world gets an email from somebody saying hey I have something the public might want to know about they need to be able to open it. They need to be able to access that information... The way we interact right now is not good. If you have to go to the command line people aren’t going to use it. If you have to go three menus deep people aren’t going to use it."

Faced with this choice, consumers have selected, and continue to select, the easy-to-use (and not secure) communications tools, products and services. There clearly is a hole in the marketplace for companies to provide consumers with easy-to-use and secure products and services.

5. Companies archive consumers' sensitive information online longer than necessary. Too many companies don't purge their Internet-connected systems of archived information when it is no longer needed. Snowden said:

"One of the things I would say to a large company is not that you can’t collect any data it is that you should only collect the data and hold it for as long as necessary for the operation of the business. Recently [unintelligible] one of the security [unintelligible] hacked and they actually stole my passport and my registration forms and posted them to the internet... I submitted those forms back in 2010. Why were those still on a web facing server? Was it still necessary for business?"

6. Mass surveillance of everyone is unproductive and wastes resources. When asked whether mass surveillance programs are effective, Snowden answered:

"That is actually something I’m a little bit sympathetic to and we got to turn back the block a little bit and remember that [the NSA] thought [unintelligible] was a great idea but no one had done it before, at least publicly. So they went “hey! we can spy on the world all at once. It will be great, we’ll know everything.” But the reality is, when they did it, they found out that it didn’t work. But it was a [unintelligible] so successful in collecting data. So great at the contract that no one wanted to say no. But the reality is now, we have reached point where a majority of people’s telephone communication are being recorded - we got all these metadata that are being stored - years and years. But two independent White House investigations found that it is has not helped us at all, have not helped us. Beyond that, we got to think about what are we doing with those resources, what are we getting out of that? As I said in our European Parliament testimony, we’ve actually have tremendous intelligence failures because we’re monitoring the internet; we’re monitoring, you know, everybody’s communications instead of suspects’ communications. That lack of focus have caused us to miss news we should have had. Tamerlan Tsarnaev, the Boston Bombers. the Russians have warned us about it. But we didn’t a very poor job investigating, we didn't have the resources, and we had people working on other things. If we followed the traditional model, we might have caught that. Umar Farouk Abdulmutallab the underwear bomber, same thing. His father walked into a US Embassy, he went to CIA officer and said my son is dangerous. Don’t let him go to your country. Get him help. We didn’t follow up, we didn’t actually investigate this guy. We didn’t get a dedicated team to figure what was going on because we spent all of this money, we spent all of this time hacking into Google and Facebook to look at their data center. What did we get out of that? We got nothing. And there are two White House investigations that confirm that."

The panelists also discussed the fact that online products with truly strong encryption and security have the added benefit of forcing spy agencies to focus only on true targets (e.g., terrorism suspects, wanted criminals, etc.) and not everyone. Why? Truly strong encryption makes it infeasible and uneconomical to spy on everyone. Right now the spy agencies spy on everyone because they can.

7. Effective oversight is critical to balancing privacy versus surveillance needs. It is clear that spy agencies will continue to use the Internet for surveillance. When asked what oversight model could work, Snowden said that with accountability and transparency the US model could work:

"We have got a good starting point... We have an oversight model that could work. The problem is we overseers aren’t interested in oversight. When we’ve got seven intelligence communities, house intelligence communities that are [unintelligible] to the NSA instead of holding them accountable. When we have James Clapper the director of National Intelligence in front of [Congress] and he tells a lie that they all know is a lie because they are rigged on the program because they have the questions a day in advance. And no one says anything. Allowing all Americans to believe this is a true answer. That is an incredibly dangerous thing... how do we fix our oversight model, how do we structure the oversight model that works. The key fact is accountability. We can’t have officials like James Clapper who can lie to everyone in the country. Who can lie to the Congress and face no not even - not even a criticism. Not even a strong worded letter, the same thing with courts. In the United States we have open courts that are supposed to decide and settle constitutional issues to interpret and apply the law. We also have the FISA court which is a secret rubber stamp court. But they are only supposed to approve warrant applications. These happen in secret because [spy agencies] don’t want people to know hey the government wants to surveil you. At the same time a secret court shouldn’t be interpreting the constitution when only NSA’s lawyers are making the case on how it should be viewed. The other thing is we need public advocates. We need public representatives. We need public oversight. Some way for trusted public figures sort of civil rights champions to advocate for us and protect the structure and make sure it is been fairly applied. We need a watchdog that watches Congress."

Things could work as long as the executive and legislative branches of the government don't allow themselves to be lied to.

8. Snowden's disclosures have made the Internet more secure. Soghoian said:

"The PRISM story although there was a lack of clarity initially on what it really said, put the names of billion dollar American companies on the front page of the newspaper and associated them with bulk surveillance. You saw the companies doing everything in their power publicly to distance themselves and also show that they were taking security seriously. You saw companies like Google and Microsoft and Facebook rushing to encrypt their data center to data center encryption. Connections rather. You saw companies like Yahoo finally turning on SSL encryption, Apple fixed a bug in its address book app that allowed Google users’ address books to be transmitted over networks in unencrypted form. Without Ed’s disclosures there wouldn’t have been as much pressure for these tech companies to encrypt their information... his disclosures have improved internet security. And the security improvements we have gotten haven’t just protected us from bulk government surveillance. They have protected us from hackers at Starbucks who are monitoring our WiFi connections. They have protected us from stalkers and identity thieves and common criminals. These companies should have been encrypting their information before and they weren't. And it really took you know, unfortunately the largest and most profound whistle blower in history to get us to the point where these companies are finally prioritizing the security of their users’ communications..."

9. The NSA's surveillance actions will encourage other countries' spy agencies to do the same. In response to a viewer's question about consequences, Snowden answered:

"This is actually one of the primary dangers not just of sort of the NSA’s activities but of not addressing and resolving the issues. It is important to remember that Americans benefit profoundly from this. Because again as we discussed we got the most to lose from being hacked. At the same time every citizen in every country has something to lose. We all are at risk of unfair, unjustified, unwarranted interference in our private lives. Throughout history we have seen governments sort of repeat the trend where it increased and they get to a point where they have crossed the line. We don't resolve these issues if we allow the NSA to continue unrestrained. Every other government in the international community will accept this as a sign, as the green light to do the same. And that is not what we want."

10. The spy agencies' actions have hurt national security, not Snowden's disclosures. Wizner said (link added):

"Last week, Ed, General Keith Alexander who heads the NSA testified that he believes that the disclosures of the last eight months have weakened the country’s cyber defenses."

Snowden replied:

"... there have been two officials in America who have harmed our internet security and actually our national security so much of our country’s economic success is based on our intellectual property. It is based on our ability to create and share and communicate and compete. Now those two officials are Michael Hayden and Keith Alexander, two directors of the National Security Agency in the post 9/11 era who made a very specific change. That is they elevated offensive operations that is attacking over the defense of our communications... This is a problem for one primary reason - that is America has more to lose than everyone else... when you are the one country in the world that has sort of a vault that is more full than anyone else’s it doesn’t make sense because if you attack it... and it makes even less sense when the standards for vaults worldwide to have a backdoor anyone can walk into. When he says these [disclosures] have weakened national security no these are improving our national security... we rely on the same standards. We rely on the ability to trust our communications. Without that we don’t have anything. Our economy cannot succeed."

By focusing upon offensive surveillance technologies, the NSA hasn't made our country's systems safer with defensive techniques. Government officials have to have a broad perspective, since there are consequences. One consequence: attorney-client communications require privacy, which mass surveillance interrupts, hampering a healthy economy. Another consequence: experts have warned that the massive NSA government spying program could cost U.S.-based cloud-services vendors $35 billion in lost revenues. In simpler terms:

Lost revenues by U.S. high-tech companies = lost American jobs = lost tax revenues to U.S. federal, state, and local governments

I know some people believe that what Snowden did was wrong. Webster's Dictionary defines a patriot as:

"... one who loves and loyally or zealously supports one's country."

After considering the selective documents Snowden disclosed so Americans could have an informed discussion and debate about how we want our government to operate (a debate that Congress has failed at), and his reasoned, well-considered, and thoughtful answers during the SXSW discussion, the result has been a good thing. Snowden gave up his freedom and chance to live in his home country, so that the rest of us Americans could discuss what needs to be discussed to maintain our Constitution and democracy. That sounds like the actions of a zealous patriot to me. Thanks Ed.

Now, it's up to the rest of us to hold technology vendors, our government, and elected officials accountable; and demand transparency from them all.


Banks, Bankers' Huge Bonuses, and Low-Wage Workers

Former Labor Secretary Robert Reich posted on Facebook this morning:

"The $26.7 billion in bonuses Wall Street banks handed out just a few months ago during bonus season at the end of 2013, would be enough to more than double the pay for all 1,085,000 of America's full-time U.S. minimum wage workers (according to a just-released study by the Institute for Policy Studies, based on new data from the New York State Comptroller). Those giant bonuses weren't exactly the result of the bankers' extraordinary insights and skills. Most if not all came ...as a result of the hidden taxpayer subsidy given to Wall Street banks in the form of a virtual guarantee against failure that reduced their borrowing costs by .8 percent. Multiplied by the total liabilities of the 10 largest banks, that taxpayer subsidy was $83 billion last year, roughly equal to their profits. Get it? If we taxed that bank subsidy away and gave it to low-wage workers in the form of a wage subsidy instead, it would double the pay of minimum-wage workers."

Well said, Mr. Reich. I encourage everyone to read the Institute for Policy Studies article:

"... low-wage workers tend to spend nearly every dollar they make... All those dollars low-wage workers spend create an economic ripple effect. Every extra dollar going into the pockets of low-wage workers, standard economic multiplier models tell us, adds about $1.21 to the national economy. Every extra dollar going into the pockets of a high-income American, by contrast, only adds about 39 cents to the GDP."

So, rational people would pay low-wage earners more, based purely upon the economics. And we taxpayers continue to pay for the corporate welfare bankers receive:

"This immense GDP differential only speaks to one price we pay for our contemporary Wall Street bonus reward culture. Huge bonuses, we learned from the 2008 financial industry meltdown, create an incentive for high-risk behaviors that endanger the entire economy..."

Meanwhile, the American Bankers Association has the arrogance to lobby against the non-profit status of credit unions. I also find this extremely hypocritical, since credit unions outperformed banks on customer loyalty.

What's going on here? Banks control about 94 percent of the market, and their attempts to weaken credit unions are clearly a plan to ultimately raise prices to account holders. I say this to the bankers:

  • If you want to enjoy the benefits of non-profit status, start a credit union
  • Clean up your own house first before trying to tell others what to do

20 Things Parents Can Teach Children And Teens To Safely Use Mobile And Social Networking Sites

If you haven't read it, this Media Bistro article described how a daughter's post on Facebook breached the family's $80,000 settlement of an age discrimination lawsuit. That was an expensive and relevant lesson for the teenage daughter. I can only imagine the feelings and comments said during dinner in that family.

After reading this article, it occurred to me that there are several skills parents can teach their children to safely use mobile devices and social networking sites. Otherwise, the children are likely to breach the family's privacy and their own, by disclosing sensitive personal and financial information.

Many parents allow their children to use mobile devices, despite warnings by pediatric doctors to limit or ban mobile-device usage for children 12 years and younger. The minimum age for social networking sites is 13, but children under the age of ten are online. My children are all grown. If they were younger, below is the list of skills I would teach them to safely use mobile devices and social networking sites:

  1. Create strong passwords. "Password" and "12345" are terrible passwords that hackers and criminals can easily guess. Don't use your birth date, pet's name, street address, nickname, or similar personal details that hackers can easily find on your profile pages at social networking websites. Don't use the same password at all online sites. If one site experiences a data breach, this makes it easy for thieves to hack your other accounts.
  2. Recognize phishing scams in all their forms: Web sites, e-mail messages, text messages, posts on social sites (e.g., the $1,000 free gift card, free airline tickets, etc.), and phone calls. Just because an online message says it's your bank, school, store, local police, or a relative doesn't mean it's true. Thieves are smart, persistent, and want you to reveal your sensitive financial payment information. Read these tips for teens about how to avoid identity theft. Never open e-mail attachments from strangers.
  3. Know the data elements that comprise your sensitive personal and financial information. If you wouldn't share it with a stranger on the street, don't share it with a stranger online. And, don't share it online with a "friend" without first verifying their identity. It is difficult to fix the damage from a compromised Social Security number. Understand the eleven threats to your sensitive personal information.
  4. Don't share your passwords with friends and classmates. Too many teens and youth share passwords based on a warped sense of friendship or romantic relationship. Relationships end; sometimes painfully. And they may not remember which password they shared with whom.
  5. Don't practice risky behaviors online, including porn, using mobile devices to cheat on tests in school, cyber bullying, sexting, and hiding activity (e.g., deleting browser history) from parents. One study found that 30 percent of teen girls met in person strangers they'd met online. Another study found that mistreated girls are more likely to engage in risky online behaviors. Parents who monitored online behavior and encouraged open communication reduced this risk.
  6. Don't use parents' credit cards for online purchases. Teens may or may not know where their parents' credit cards are stored at home. Even if they do, using those payment cards online is not acceptable. Never. See this money guide by the FDIC for teens and young adults.
  7. Turn off the geo-location feature on mobile devices. Just because devices have this feature, doesn't mean you have to use it, or use it with all apps. Some apps collect and report your movements even when the app isn't running. Your mobile devices automatically embed GPS coordinates in the photographs and videos you take. Social networking sites love to collect this geo-location data, and use it to both track your movements in the real world and predict your patterns.
  8. Install and update anti-virus software on all devices. I am amazed at consumers who believe that their Apple devices are immune from computer viruses, and don't use anti-virus software. The device may have been clean when you purchased it, but your online habits matter. If you visit risky sites, your device could get infected. Most software companies provide packages to easily cover all of your devices (e.g., smart phone, tablet, laptop, desktop).
  9. If you use it, keep it updated. This applies to operating system software, anti-virus software and apps on your devices. Developers frequently issue security patches. Update your devices regularly.
  10. If you don't use it, delete it. If you have installed apps on your devices that you no longer use, delete them. Keeping them is an unnecessary security risk, since many apps perform risky behaviors. This applies to apps on social networking sites that exhibit risky behaviors.
  11. Read online policies. Learn what to look for in policies. This includes both privacy and terms-of-use policies for products, services, and apps. Read the policies before signing up, or before installing the app. Read all updates. If you don't, then you are likely to do something that violates the policies. Learning how to read policies is a habit and skill you will need and use the rest of your life.
  12. Use privacy controls with online profiles. I am amazed at the number of people who don't lock down and make private their profiles on social networking websites. Their personal data is out there and accessible by the general public, making it easy for thieves to impersonate you. If you are concerned about your privacy, tell your friends not to tag you in photographs and follow the seven things you should stop doing on Facebook.
  13. Learn how to use search engines. Be an informed searcher. On search results pages, learn how to distinguish paid advertisements from natural search results, since some search engines co-mingle them. Know what the search bubble is and how search engines collect data about you.
  14. Know the cost of mobile. This includes fees, data plans, and cloud services. Today, many cloud services are free, but they won't always remain free. When our children were teens, the rule in our home was they could drive the family car if they met four conditions: a) paid their auto insurance; b) paid us the deductible so if they crashed the family car everything was covered; c) we parents saw their driving skills; and d) if they drank or drugged and drove, they lost the privilege. This approach can apply to mobile and social networking site usage in your home. If your children violate your family's privacy rules and disclose sensitive personal financial information, then they lose the privileges.
  15. Read data breach notices. Most states require companies to notify you of a data breach involving your personal information. Read these notices. If passwords have been stolen, update your passwords for the affected sites.
  16. Learn what metadata is and why it is important. It's valuable. Many companies and governments want to collect metadata to track you and your habits both online and in the physical world. Some politicians will claim that collecting metadata is harmless. Don't be fooled.
  17. Know the data elements that comprise your sensitive personal health information, and guard them closely. It is very difficult and time consuming to undo the damage from medical identity theft and fraud. Learn seven ways to protect your medical records. The HIPAA Privacy Rule exists for several reasons to ensure that health care providers keep patients' personal health information secure. A lot of non-healthcare companies (e.g., fitness apps) would love access to this sensitive personal information. You can learn more about the HIPAA Privacy Rule here.
  18. Learn about the options to avoid online tracking. Many companies and advertisers want to track your movements online. There are a variety of tools to stop the tracking, including Web browser add-ons.
  19. Know the difference between credit, debit, and prepaid cards. There are several types of prepaid cards. Some social networking sites ask for payment. Your rights and responsibilities differ with each type of plastic. The decisions teens make today could have impacts over the coming years. The FDIC produced this money guide for teens and young adults.
  20. Learn how to communicate with elected officials and government agencies. This means knowing who your elected officials are, and which government agencies at the federal and state levels (e.g., consumer protection offices, complaint handling for products or services, state attorneys general, and the CFPB) can provide assistance with product purchases and identity theft.

Is your child going to learn all of this at once? Of course not. It takes time and years to master the above skills. That means several conversations with your children. To learn more, read about social media parenting.


What Breach Victims Need To Know About Target's Credit Monitoring Service Offer

At least 70 million shoppers were affected by the Target data breach. To help breach victims protect themselves, Target arranged free credit monitoring services by Experian. Is the credit monitoring service offered by Target a good deal? To answer this question it is important to understand the risks.

Protecting yourself is important. Doing nothing is not wise. According to Consumer Reports:

"As we reported last February, a whopping 22.5 percent of consumers who received notice of a security breach, like the one that occurred at Target, subsequently became victims of identity theft, according to a survey of 5,000 consumers by Javelin Strategy and Research, a California consulting firm that has studied this crime for more than 10 years."

To protect themselves, Consumer Reports advised breach victims to do four things:

  1. Contact the bank or issuer of your credit or debit card. Tell them that your payment information has been stolen. You can do this yourself for free. The phone numbers are on your monthly statements.
  2. Place a 90-day Fraud Alert on your credit reports at the three major credit-reporting agencies: Equifax, Experian, and TransUnion. You can do this yourself for free with a phone call to at least one of the three credit reporting agencies. (The other two agencies usually follow.) Target's web site contains contact information for all three credit reporting agencies. When lenders order credit reports that have a Fraud Alert on them, they are supposed to take steps to verify that the person applying for credit (or a loan) is the real person. You can easily renew a Fraud Alert after 90 days.
  3. For more protection, place a Security Freeze on your credit reports at each of the three major credit-reporting agencies. This will prevent criminals from taking out new credit or loans in your name (unless the criminals fraudulently order credit reports from smaller, regional credit reporting agencies). Fees vary by state. There are fees to place a Security Freeze on your credit report, to temporarily remove an existing Security Freeze, and to permanently remove a Security Freeze. You can do this yourself by following the instructions available at each credit-reporting agency's web site.
  4. If you shopped at Target with your debit card, then you probably should get a new debit card and account at your bank, since a stolen debit card provides thieves with direct access to your checking account. If your bank hasn't provided a replacement card and account, you can demand it. Yes, you will probably have to go through the hassle of re-establishing your online payment settings.

Breach victims can do the above four actions on their own, and do most of them for free. To learn more about the Fraud Alert and Security Freeze tools, you can read this comparison, the experiences of other consumers with Fraud Alerts, my experience with a Security Freeze, and select "Fraud Alert" in the tag cloud in the right column.

However, breach victims interested in monitoring their credit reports need to monitor their credit reports at all three major credit reporting agencies. Deseret News reported last week:

"... each of the three major credit bureaus — Equifax, TransUnion, and Experian — can collect different information. So unless you're checking all of them, you can miss someone trying to steal your identity and open new credit..."

So, it is important to understand this when evaluating Target's offer of free credit monitoring service by Experian. Breach victims also need to understand:

"The credit monitoring service offered by Experian is an ongoing review of your current credit history. If an identity thief opens a new account using your name and personal information, you will receive an alert by email or text message. What the free credit monitoring service through Experian does not do is to monitor transactions — the actual, day-to-day purchases made on your credit and debit cards. That is something you must do yourself."

Breach victims also need to understand (emphasis added):

"The type of free credit monitoring offered by Target monitors only one credit reporting agency — Experian — and not the credit history files maintained by Equifax and TransUnion. This is a huge disadvantage... Once consumers enroll in the “free” credit monitoring service, they are enticed with an offer to purchase an Equifax and TransUnion credit report for up to $74 more to supplement the free report provided by Experian."

So, to monitor credit reports at all three major credit reporting agencies, breach victims must pay more. The next judgment breach victims need to make is whether Target's offer of 12 months is long enough.

During the past six years while writing this blog, I have observed plenty of data breaches. There is no magic that stops criminals from using stolen card information after 12 months. Criminals will use stolen card information as long as they think they can use it to commit fraud. Criminals resell stolen card information to other criminals. Breach victims that want coverage longer than 12 months must pay more.

Is Target's credit monitoring service offer a good deal? Each breach victim should decide for themselves, as people's needs and situations vary. Some have experienced fraud while others haven't. Hopefully, this blog post has highlighted the considerations for breach victims.

My opinion: Target cut corners with its credit monitoring offer. The retailer should have provided a service that covers credit reports from all three credit reporting agencies and provides coverage for a longer period (e.g., ideally, five years). Target's offer seems like an attempt to do the minimum to protect itself, which shifts the cost burden of credit monitoring services onto its breach victims.

Is this fair? I think not, since the retailer created the problem on its own by failing to protect shoppers' financial payment information. Target's motto applies here, too:

"Expect More, Pay Less."

With Target's credit monitoring offer, breach victims get less and pay more. Target should also pay for breach victims' Security Freeze costs. Will the retailer do the right thing and live up to its motto?


Have Questions? This Blog Has Answers!

If you have questions about privacy, identity theft, fraud, or related topics, this blog has plenty of answers. You can use the tag cloud in the right column to access blog posts by topic, and you can find answers on the following pages:

  1. Reviews Page: includes reviews of products and services of prepaid cards, credit monitoring services, and other items by this blog or by trusted sources.
  2. How-To Page: contains links to blog posts describing helpful tips and techniques covering several topics: mobile, social networking, Web browser privacy, online banking, moving your money from a bank to a credit union, evaluating healthcare debit/prepaid cards from your employer, submitting complaints to the proper authorities, recognizing spam and phishing messages, and more.
  3. Resources Page: contains many links to sites with information and assistance. Links are organized by topic: credit reporting agencies, credit monitoring, credit scores, general, federal government, medical, insurance, and more!

Seeking Submissions Of Your Favorite Privacy Films

For a while, I have thought about compiling a list of favorite films about privacy and related topics. Now that the Oscars are done, I am happy to announce the creation of the list of favorite privacy films. What I need next are suggestions from readers with your favorite films.

Submission Guidelines

Submissions can include any genre: action, drama, fiction, science-fiction, thriller, or documentaries. Submissions must meet the following criteria:

  • Films include one or more of the following topics: identity theft and privacy, fraud, surveillance, data breaches and hacking, and whistle-blowers
  • Films may not be about these topics, but should include good, relevant scenes
  • Films that add to our understanding of these topics

To submit a film, leave a comment below or send your submission to George: ivebeenmugged AT earthlink DOT net. If a film is in a language other than English, please indicate the language with your submission. If you think that a film in the list has been mis-categorized, let me know and I'll consider an update.

View the list of favorite flicks.

Thanks in advance for taking the time to submit your favorite films.

George
Editor


Former NSA Contractor To Speak Via Live Video Feed At SXSW Conference

Organizers of the SXSW conference announced that Edward Snowden, a former NSA contractor who leaked documents about secret spy programs by the United States government, will speak at the conference via a live video feed on March 10:

"Our communications are not secure. Our telephone calls, emails, texts, and web browsing activity are largely transmitted without any encryption, making it easy for governments to intercept them, in bulk. Likewise, the mobile devices, apps, and web browsers that we use do not protect our data. In many cases, they intentionally give it to third party companies as part of the sprawling online advertising ecosystem. This only makes the NSA's task easier.

Join us for a conversation between Edward Snowden and Christopher Soghoian, the American Civil Liberties Union’s principal technologist, focused on the impact of the NSA's spying efforts on the technology community, and the ways in which technology can help to protect us from mass surveillance. The conversation will be moderated by Ben Wizner, who is director of the ACLU's Speech, Privacy & Technology Project and Edward Snowden’s legal advisor."

According to the ACLU:

"A live stream will be available on The Texas Tribune's website, and the video will be available here afterwards."


Investigation At Sears Focuses Upon Possible Data Breach

The St. Louis Post-Dispatch reported that a "security investigation" is underway at Sears retail stores to determine the severity and scope of a possible data breach. The U.S. Secret Service is involved, and the investigation so far has not determined if one or multiple stores were affected:

"The security review is still at an early stage as Verizon's digital forensics unit and the U.S. Secret Service sift through the company's computer data to look for traces of hackers and the extent of any incursion, according to two people familiar with the matter..."

It is critical to determine what exactly happened because (links added):

"... attacks on Target and Neiman Marcus that exploited retailers' point-of-sale [systems], which process more than $3 trillion in U.S. transactions a year, according to David Robertson, publisher of the Nilson Report, an industry newsletter..."

In January 2014, a TechCrunch article explored reports that the Target and Neiman Marcus data breaches were part of a larger, coordinated holiday attack that included data breaches at three other unnamed U.S. retailers. It seems that Sears is one of the three unnamed retailers.


Facebook, WhatsApp, and Fitness Apps. Data Collection on Steroids?

The acquisition of WhatsApp by Facebook has received a lot of attention in the news media. I recommend reading this LinkedIn article by Bernard Marr about the combined power of Facebook.com and WhatsApp:

"WhatsApp doesn’t really fit into the Facebook business model because it has always promised its users that it won’t sell ads. So how will Facebook get a return on their $19 billion? I believe that the answer is: by mining the data within WhatsApp."

In my opinion, social networking sites that insist on being free for users have already made the decision to (heavily) mine their customers' data. It's their business model. (This also applies to Google.) Marr wrote this about the extensive amount of information Facebook has already collected about its users:

"... what we look like, who our friends are, what our views are on most things, when our birthday is, whether we are in a relationship or not, the location we are at, what we like and dislike, and much more. This is an awful lot of information (and power) in the hands of one commercial company. Facebook is only beginning to leverage all their data and I believe that even if we all stopped using Facebook today (which is very unlikely), the company would still have more information about people than any other private company on the planet..."

I would add more items to this list of data collected by Facebook:

  • Geo-location data about where (and when) you are in the real world, collected when you: a) check in from various physical locations; b) use the Facebook mobile app; and c) upload photos and/or videos with geo-location metadata embedded
  • Health information you share with fitness apps (e.g., RunKeeper, Strava, MapMyRide, FitBit, etc.). Below are actual posts on Facebook. I have masked the names and images to protect users' privacy:

[Images: fitness tracking posts from the Strava app and the MapMyRide app]
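The geo-location metadata mentioned in the first bullet above usually lives inside the photo file itself, in the Exif block of a JPEG. The script below is an added illustration, not code from the original post or from Facebook or any fitness app: it builds a constructed sample JPEG container carrying a GPS latitude tag, shows how to detect that tag, and strips the Exif block so the file can be shared without the location. All function names, the sample bytes and the 42° 21' 29.52" N coordinate are the example's own.

```python
import struct

# JPEG marker codes (each appears on the wire as 0xFF followed by the code)
MARKER_SOS, MARKER_APP1 = 0xDA, 0xE1
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825      # IFD0 entry holding the offset of the GPS sub-IFD
TAG_GPS_LAT_REF = 0x0001  # "N" or "S"
TAG_GPS_LAT = 0x0002      # three RATIONALs: degrees, minutes, seconds
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _entry(tag, typ, count, value4):
    """One 12-byte big-endian IFD entry; value4 is the inline value or an offset."""
    return struct.pack(">HHI", tag, typ, count) + value4


def build_sample_jpeg(with_gps):
    """Constructed sample input (not a real photo): a structurally valid JPEG
    container whose Exif IFD0 holds a Make tag and, if with_gps, a GPS sub-IFD
    recording latitude 42 deg 21' 29.52" N. Scan data is three dummy bytes."""
    n0 = 2 if with_gps else 1
    gps_off = 8 + 2 + 12 * n0 + 4          # GPS IFD follows IFD0 (TIFF offset 38)
    rat_off = gps_off + 2 + 12 * 2 + 4     # RATIONAL values follow the GPS IFD (68)
    ifd0 = struct.pack(">H", n0) + _entry(0x010F, TYPE_ASCII, 4, b"Cam\x00")
    if with_gps:
        ifd0 += _entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack(">I", gps_off))
    ifd0 += struct.pack(">I", 0)           # no next IFD
    tiff = b"MM" + struct.pack(">HI", 42, 8) + ifd0
    if with_gps:
        tiff += struct.pack(">H", 2)
        tiff += _entry(TAG_GPS_LAT_REF, TYPE_ASCII, 2, b"N\x00\x00\x00")
        tiff += _entry(TAG_GPS_LAT, TYPE_RATIONAL, 3, struct.pack(">I", rat_off))
        tiff += struct.pack(">I", 0)
        tiff += struct.pack(">IIIIII", 42, 1, 21, 1, 2952, 100)
    app1 = EXIF_HEADER + tiff
    sos = b"\x01\x01\x00\x00\x3F\x00"
    return (b"\xFF\xD8"
            + b"\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xFF\xDA" + struct.pack(">H", len(sos) + 2) + sos
            + b"\x12\x34\x56" + b"\xFF\xD9")


def iter_segments(jpeg):
    """Yield (marker_code, start, end) for every marker segment from SOI up to and
    including SOS. Header segments all carry a length field; what follows SOS is
    entropy-coded scan data and the EOI marker."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        code = jpeg[pos + 1]
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield code, pos, end
        if code == MARKER_SOS:
            return
        pos = end
    raise ValueError("truncated JPEG")


def _read_ifd(tiff, offset, e):
    """Map tag -> (type, count, raw 4-byte value field) for the IFD at offset."""
    count = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        at = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[at:at + 8])
        entries[tag] = (typ, n, tiff[at + 8:at + 12])
    return entries


def gps_latitude(jpeg):
    """Return (ref, degrees, minutes, seconds) from the Exif GPS IFD, or None when
    the file carries no GPS latitude. Longitude is decoded the same way."""
    for code, start, end in iter_segments(jpeg):
        body = jpeg[start + 4:end]
        if code != MARKER_APP1 or not body.startswith(EXIF_HEADER):
            continue
        tiff = body[len(EXIF_HEADER):]
        e = ">" if tiff[:2] == b"MM" else "<"     # byte order from the TIFF header
        ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])[0], e)
        if TAG_GPS_LAT not in gps or TAG_GPS_LAT_REF not in gps:
            return None
        ref = gps[TAG_GPS_LAT_REF][2][:1].decode("ascii")
        rat_off = struct.unpack(e + "I", gps[TAG_GPS_LAT][2])[0]
        nums = struct.unpack(e + "IIIIII", tiff[rat_off:rat_off + 24])
        deg, mins, secs = (nums[i] / nums[i + 1] for i in (0, 2, 4))
        return ref, deg, mins, secs
    return None


def to_decimal_degrees(ref, deg, mins, secs):
    value = deg + mins / 60 + secs / 3600
    return -value if ref in ("S", "W") else value


def strip_exif(jpeg):
    """Copy of the JPEG with every Exif APP1 segment removed. The GPS IFD goes
    with the rest of the Exif block; scan data and EOI are copied verbatim."""
    out = bytearray(b"\xFF\xD8")
    last_end = 2
    for code, start, end in iter_segments(jpeg):
        body = jpeg[start + 4:end]
        if code == MARKER_APP1 and body.startswith(EXIF_HEADER):
            continue
        out += jpeg[start:end]
        last_end = end
    return bytes(out + jpeg[last_end:])
```

Running `gps_latitude` on a real photo exported from a phone is the quick way to see whether a picture is about to reveal where it was taken; `strip_exif` removes the whole Exif block, which also discards harmless camera tags, the usual trade-off for a simple privacy scrub.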

I briefly reviewed the privacy policies for several fitness apps. MapMyRide and MapMyFitness use the same privacy policy, which seems to be more transparent and honest than other apps about the data collected and shared (emphasis added):

"Personal information is any information that identifies a User personally, either alone or in combination with other information available to us... For certain Services, MapMyFitness requests a User furnish certain financial information, including but not limited to, a credit card or other payment account information that we maintain in encrypted form on secure servers..."

The MapMyFitness Privacy Policy also stated (emphasis added):

"MapMyFitness and our partners and licensees may collect, use and share a User’s precise location information, including the real-time geographic location of a User’s mobile device. For some third-party partners, such as Google, this location information will be shared automatically. For others, such as Facebook, this information will only be shared with a User’s explicit permission or if you choose to share it... Location information... may be collected from a User’s wireless carrier, certain third party service providers, or directly from the mobile device that the User previously registered for use with MapMyFitness. The collection and tracking of a User’s location information may occur even when the MapMyFitness mobile phone application is not actively open and running... MapMyFitness may receive certain personally non-identifiable information about the User’s use of the Services. Such information, which may be collected passively using various technologies, or via submission of data by fitness devices the User may have configured to work with the Services, cannot presently be used to specifically identify the User. MapMyFitness may store such information ourselves or it may be included in databases owned and maintained by our affiliates, agents or service providers."

I interpret the last paragraph to include cloud storage vendors and fitness devices in athletic clubs (and gyms) that interact with the mobile app. The policy advises users to use the "Private" privacy setting so data is not shared with friends and the general public. The wording implies that the data is shared ("Private" setting or not) with affiliates, partners, and licensees.

Marr also summarized Facebook's abilities to predict things about its users:

"... Facebook revealed that it can now safely predict when a user is about to change their relationship status from ‘single’ to ‘in relationship’. The insights come from analyzing the way we exchange messages and post on our timeline just before we 'commit'. Read the details here... a recent study shows that it is possible to accurately predict a range of highly sensitive personal attributes simply by analyzing the ‘Likes’ we have clicked on Facebook. The work conducted by researchers at Cambridge University and Microsoft Research shows how the patterns of Facebook ‘Likes’ can very accurately predict your sexual orientation, satisfaction with life, intelligence, emotional stability, religion, alcohol use and drug use, relationship status, age, gender, race and political views among many others."

Marr's warning to consumers and to users of social networking sites:

"WhatsApp's data would reveal who we are sending messages to, how often we do that, what pictures we share and most importantly what we are talking about. Even though Facebook states that the two companies will run independently of each other, I think it is naïve to believe that this will continue for long..."

It is reasonable to assume that everything Facebook knows about your fitness, the NSA and GCHQ probably know, too. And, the HIPAA Privacy Rule exists for several reasons. Some really smart people put that law in place to ensure that health care providers keep patients' personal health information secure. Many consumers seem totally unaware of this, and share their personal health information with any and every social networking site. You can learn more about the HIPAA Privacy Rule here.

More images of fitness posts from Facebook appear below:

[Images: fitness tracking posts from the RunKeeper app and fitness tracking on Facebook]