11 posts from February 2015

Prepaid Card Phone Scam: How To Spot It And Not Get Duped

Rite-Aid prepaid card phone scam alert.

Earlier this month, a Rite-Aid Pharmacy store in Boston posted the above alert for its customers. It read:

"Boston Police
Attention Prepaid Card users

There are numerous scams victimizing members of the community where they are being contacted by phone and instructed to buy pre-paid cards such as Green Dot and Vanilla Reload.

The caller is telling the victims that their heat or electricity will be shut off, they owe the I.R.S. taxes, and they will be arrested, that they have just won a lottery or prize, and need to pay taxes, or a relative is being held until money is paid. The victims are told to buy the cards and then call the scammer back and give them the code number off the card. The money is then electronically withdrawn and the card is empty.

DON'T BE SCAMMED

Before you buy the card, contact the Boston Police at 617-343-4700 if you received one of these possible scam phone calls."

Green Dot and Vanilla Reload are real, valid prepaid cards used by consumers. Many consumers use prepaid cards to avoid the high overdraft fees banks impose on checking account debit card users. Some employers use a version of prepaid cards, called payroll cards. It is important to realize that many fees apply to prepaid cards. You can learn more in the Prepaid Cards section of this blog.

It is good for retail stores to warn their customers of phone scams. This notice described several current variations of the phone scam. Most versions include threats (e.g., owe taxes, kidnapped relative, utilities will be shut off) to make the victim act quickly without thinking.

Sadly, this scam is not new. The Boston Mayor's Office warned consumers in 2012 about an early version of this prepaid-card phone scam:

"Victims are then told by the caller (suspect) that they have won a prize which includes a large amount of money, a new car or property. Victims are then instructed by the caller to go to a local convenience store and purchase a Green Dot Money Pack (reloadable credit card). After the reloadable credit card is purchased, victims are instructed to contact the caller (suspect) and provide the serial number to the prepaid card. Once that occurs, the suspect is given access to the account and the money. Officers would like to take this opportunity to alert potential victims that there is no prize. This is a scam."

Obviously, when criminals find a scam that is successful, they will continue with it and add new versions to make it more difficult to recognize. Criminals will also move the scam and call consumers in other areas or states.

Have you received a phone call about this prepaid card scam? If so, tell us when and the town where you live.


Senator Releases Report Calling For Greater Automobile Security And Privacy

Earlier this month, Senator Edward Markey (D-MA) issued a report calling for greater automobile security and privacy for consumers. The "Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk" report included questions Senator Markey posed to 16 automobile manufacturers during 2014. The questions focused upon how vehicles might be vulnerable to hackers, and how driver information is collected and protected.

Senator Markey sent letters to the following automobile manufacturers:

Automobile Manufacturers Queried
1. Aston Martin The Americas
2. Audi of America**
3. BMW North America*
4. Chrysler Group LLC*
5. Ford Motor Company*
6. General Motors*
7. American Honda Motor Co. Inc.*
8. Hyundai Motors North America*
9. Jaguar Landrover LLC*
10. Automobili Lamborghini America
11. Mazda North American Operations*
12. Mercedes-Benz USA*
13. Mitsubishi Motors North America*
14. Nissan North America*
15. Porsche Cars of North America*
16. Subaru Motors America*
17. Tesla
18. Toyota North American Region*
19. Volkswagen Group of America*
20. Volvo North America
*Provided responses to Senator Markey's inquiry letters.
** Audi's response was included with Volkswagen's submission.

Some of the questions asked:

  • How does the company assess whether there are vulnerabilities related to technologies it purchases from other manufacturers as well as wireless entry points of vehicles to ensure malicious code or other infiltrations cannot occur? 
  • Does the company utilize independent third parties to test for vulnerabilities to wireless entry points? 
  • Do any vehicles include technology that detects or monitors for anomalous activity or unauthorized intrusion through wireless entry points or wireless control units? And how are reports of unauthorized intrusion or remote attack responded to? 
  • Has the company been made aware of any intentional or inadvertent effort to infiltrate a wireless entry point, and what, if any, changes were made to protect vehicles from vulnerabilities in the future? 
  • What types of driving history information can be collected by navigation technology or other technologies, and is this information recorded, stored, or sold? 
  • Has the company received any request for data related to the driving history of drivers, and what were the reasons and final disposition of the requests? 
  • Which vehicles include technologies that can enable the remote shutdown of a vehicle, and are consumers made aware of this capability before purchase, lease or rental of the vehicle?

Regarding automobile data security, the report found four trends:

  1. Almost all vehicles (nearly 100 percent) include wireless technologies that could pose vulnerabilities to hacking.
  2. Most manufacturers were unaware of or unable to report on past hacking incidents.
  3. Security measures to prevent unauthorized, remote access are inconsistent and haphazard across manufacturers.
  4. Only two manufacturers were able to describe any capabilities to identify, diagnose, and/or respond to unauthorized access or hacking in real-time. Most said they rely on technologies that cannot be used for this purpose at all.

Regarding privacy, the report found:

  • Auto manufacturers collect large amounts of data about driving history and vehicle performance.
  • A majority of automakers offer technologies that collect driving history information and transmit it wirelessly to data centers, including third-party data centers. Most did not describe effective means to secure the information collected.
  • Manufacturers use the data collected in several ways with vague descriptions, such as to “improve the customer experience,” and involve third parties. How long the data collected is retained varies greatly across manufacturers.
  • Often, customers are not told about the data collection. When they are told, often they cannot decline or opt out of the data collection without disabling valuable features (e.g., navigation).

Download the "Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk" report (Adobe PDF). After reading it, I had several reactions. First, I would love to know why Aston Martin, Lamborghini, and Tesla failed to respond. Are data security and privacy not important to them? If they are important, then does their failure to respond indicate some internal disorganization?

Second, I was struck by the lack of focus on data security among the respondents. Websites and mobile apps provide terms of use and privacy policies. Mobile device manufacturers (e.g., laptops, tablets, smart phones) also provide these policies. Telecommunications providers do, too. Many mobile apps do, too. Why not auto manufacturers? Do they consider themselves a special, exempt class? All auto manufacturers should provide consumers before purchase with terms-of-use and privacy policies that fully discuss data collection, data retention, and data sharing. After purchase, they should inform consumers of changes to those policies.

Third, the lack of focus by auto manufacturers on data security and privacy is an alert to the hackers, identity thieves, and fraudsters worldwide that these autos are vulnerable. While writing this blog, I have learned that the bad guys are persistent, creative, and possess the same equipment, software, and technologies as the good guys. Autos contain computing technologies that are similar to other mobile devices (e.g., laptops, smart phones, tablets, fitness devices, and wearables). Autos should have the same data security protections: firewalls, anti-virus software and updates, and so forth. So, it makes sense to keep a strong focus on data security and privacy.

Fourth, the lack of focus by auto manufacturers on data security and privacy is an alert to governments and spy agencies worldwide. Why? They already perform surveillance using other mobile devices. Autos are just another mobile device they'll add to their lists.

The lack of focus represents a data security and privacy disaster of epic proportions in the making.

What do you think of the automobile security and privacy report?


Anthem Breach Update: Free Services For Consumers Affected, Class Action Lawsuits

Anthem, Inc. has announced that it will provide 24 months of free identity-theft repair and credit monitoring services for victims of the health care insurer's massive data breach announced on Friday, February 6, 2015. In its latest announcement, Anthem stated that breach victims include both current and former customers as far back as 2004. It also said:

"This includes customers of Anthem, Inc. companies Amerigroup, Anthem and Empire Blue Cross Blue Shield companies, Caremore, Unicare and HealthLink. Additionally customers of Blue Cross and Blue Shield companies who used their Blue Cross and Blue Shield insurance in one of fourteen states where Anthem, Inc. operates may be impacted and are also eligible: California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Virginia, and Wisconsin."

Founded in 2004, AllClear ID, Inc. is headquartered in Austin, Texas. In 2012, Debix changed its company name to AllClear ID. Experts predict that the data breach could cost Anthem $100 million or more. Earlier this month, the Attorneys General in 10 states sent a joint letter to Anthem urging it to step up its post-breach response and notices to breach victims. Connecticut Attorney General George Jepsen said on February 10:

"My office has been flooded with phone calls from concerned Connecticut residents who are frustrated with the lack of information from Anthem, and their feelings are completely justified... Anthem started out well by publicly disclosing the breach relatively quickly, but its subsequent delay in providing information to affected individuals is flatly unacceptable."

Attorneys general from Arkansas, Illinois, Kentucky, Maine, Mississippi, Nebraska, Nevada, Pennsylvania and Rhode Island signed the joint letter. On February 11, John Shegerian, Chairman and CEO of Electronic Recyclers International (ERI), warned health care companies to better protect consumers' sensitive information:

"This is more than a simple invasion of privacy, although it is that as well... With the theft of medical records comes a whole new host of problems and concerns, perhaps even worse than other forms of cybercrime. Whereas credit card fraud may be corrected in a relatively straightforward manner, it can be tougher to identify that medical data has been breached. Maximum insurance payout limits may be reached as a result of fraudulent claims, and this might only be discovered when a consumer's claims for legitimate services are denied. Plus, there’s the problem that people’s private health information and medical records are out there and vulnerable, which undoes everything the HIPAA Privacy Rules were designed to protect."

ERI processes the electronic waste produced by health care and other companies. Several class-action lawsuits have already been filed:

  • Aswad Hood v. Anthem, Inc., No. 2:15-cv-00918 (Adobe PDF). Filed Feb. 9, 2015. U.S. District Court, Central District of California
  • Samantha Kirby v. Anthem Inc. et al., No. 2:15-cv-00820. Filed Feb. 5, 2015. U.S. District Court, Central District of California
  • Danny Juliano v. Anthem Inc., No. 2:15-cv-00219. Filed Feb. 5, 2015. U.S. District Court, Northern District of Alabama.

Anthem has arranged for services provided by AllClear ID. No enrollment is necessary. Breach victims who have already experienced fraud and financial theft receive the free AllClear Secure identity repair service. To use these services:

"... call 877-263-7995 and a dedicated investigator will do the work to recover financial losses, restore your credit, and make sure your identity is returned to its proper condition. Call centers are open Monday to Saturday from 9 a.m. to 9 p.m. ET. From Monday, Feb. 16 to Friday, Feb. 20, the call center will be open extended hours from 9 a.m. to 11 p.m. ET."

Breach victims who also want the AllClear PRO credit monitoring and insurance services should call 877-263-7995 or enroll online at https://anthem.allclearid.com/. Some breach victims included children under the age of 18. Anthem has also arranged for AllClear ID ChildScan services. See the Anthem Breach FAQ page for details.


Samsung Updates Its Smart TV Privacy Policy. What Consumers Need To Know

If you haven't noticed the technology trend, many smart televisions include voice recognition features. So, similar to smart phones, the smart televisions include embedded microphones. This week, television maker Samsung updated the privacy policy for its smart televisions. Previously, the policy did not name the third-party company providing the voice recognition features.

Many consumers are concerned about their privacy. Consumer Reports explained the privacy concerns:

"Manufacturers have been producing smart TVs with voice recognition since 2012... many televisions have come to market that even monitor the viewing habits of their owners. Are these TVs capturing and transmitting highly personal conversations from inside consumers' homes and logging their channel-surfing behavior? Plenty of people have registered exactly this concern, including this British blogger back in 2013, as well as Michael Price, of NYU's Brennan Center for Justice... an article last week in The Daily Beast has caused a new uproar..."

So, Samsung attempted to address these concerns in its blog with a change to its privacy policy. Yesterday, Samsung stated in its blog:

"Some Samsung Smart TVs offer voice recognition functions. These functions are enabled only when users agree to the separate Samsung Privacy Policy and Terms of Use regarding this function when initially setting up the TV. Apart from initial setup, users are given the choice to activate or deactivate the voice recognition feature at any time."

Consumers enable or disable the voice recognition features through the Settings menus on their television. Samsung admitted that the text of its privacy policy caused some confusion. The old privacy policy text:

"Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition."

That sounds confusing and intrusive to me. The revised privacy policy text:

"If you enable Voice Recognition, you can interact with your Smart TV using your voice. To provide you the Voice Recognition feature, some interactive voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service provider (currently, Nuance Communications, Inc.) that converts your interactive voice commands to text and to the extent necessary to provide the Voice Recognition features to you. In addition, Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features. Samsung will collect your interactive voice commands only when you make a specific search request to the Smart TV by clicking the activation button either on the remote control or on your screen and speaking into the microphone on the remote control."

"If you do not enable Voice Recognition, you will not be able to use interactive voice recognition features, although you may be able to control your TV using certain predefined voice commands."

That's an improvement. It's good that Samsung explicitly named the feature provider, since many manufacturers don't. Interested consumers might go the next step and visit the Nuance Communications site to see who they share data with.

Samsung's new privacy text is an improvement, but it is not 100 percent clear. Either the voice recognition feature is on or off; enabled or it isn't. There shouldn't be a halfway state, where the consumer turns the feature off but the television still accepts some predefined verbal commands. That is dumb and dishonest.

According to Consumer Reports, Nuance Communications works with:

"... Samsung developers to bring voice control applications to wearable devices such as Samsung’s Gear series of smart watches. Nuance is also behind Apple’s Siri personal assistant—or, at least Nuance CEO Paul Ricci said it was back in 2011. Through its Dragon Drive platform, Nuance brings voice control and smart phone integration to the telematics systems of Audi, Lexus, BMW, and Mercedes-Benz vehicles. And Nuance also has products that allow doctors to dictate and manage patient medical records..."

Data collection (or surveillance) by smart televisions is a disturbing trend. Consumers have paid good money for smart televisions. Manufacturers should be able to make sufficient profits from sales without having to resort to data collection. If the smart TVs were free, then I would expect data collection. But consumers pay good money for smart TVs. The data collection shouldn't be needed. Why the data collection, Samsung?

This presents some challenges for consumers. As I see it, smart, informed consumers should be aware of several issues and exercise the following choices:

  1. View smart televisions with voice recognition features just as you would voice-activated smart phones, video games, and automobiles. Make smart, informed purchases. Don't buy any products that lack privacy policies, which has been the case with too many mobile apps.
  2. View smart televisions like social networking sites. Just like many social sites collect and save both your published and unpublished posts including edits, smart televisions are headed in the same direction. Why? First, companies want to collect as much data as they can about you, your preferences, and attitudes. Second, developers believe that consumers talking to devices builds relationships with those devices.
  3. Before purchase, read both the privacy and terms of use policies. If you don't like them, don't buy the product.
  4. After purchase, know how to turn voice recognition features on and off. You may turn it on at certain times and then leave it off at all other times. Read any and all privacy policy updates the manufacturer sends so you know what data is collected and shared.
  5. Know that any feature the "good guys" develop can be hacked by "bad guys."
  6. Your home should be a safe place where consumers can have truly private conversations. Several technologies threaten that. You may have to go to another room (or unplug and disconnect the Internet-connected device) to have a truly private conversation.
  7. If you are a parent, you know best when to explain privacy to your children (or grandchildren) based upon their ages and capabilities. Doing nothing does not seem to be a wise option.
  8. If you have questions, visit both the manufacturer's web site and trustworthy sites. (Hopefully, this blog is one.) The Resources page in this blog contains links to many trustworthy sites.
  9. Contact your elected officials and tell them about your concerns.

What are your opinions about smart televisions? Samsung's new privacy policy? What do you do to ensure private conversations in a room with a smart television?


Massive Data Breach At Anthem Affects 80 Million People. Latest In A Series Of Incidents

On Friday, Anthem, Inc. announced that identity thieves had gained unauthorized access to its computer network and stolen the sensitive personal information of patients and staff. Joseph R. Swedish, the President and CEO, stated in a letter to its members that the data elements compromised included personal information about:

"... current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data... Based on what we know now, there is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised."

Affected patients included the following health care plans: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, and Unicare. BlueCard members were also affected. While the Anthem breach notice did not mention 80 million affected patients, several news sources mentioned that statistic, including the Los Angeles Times and Forbes.

Anthem said it took steps to fix and close the data breach. It contacted the Federal Bureau of Investigation (FBI), and hired Mandiant, a respectable computer security firm, to evaluate its computer systems, networks, and data security processes. The health care provider launched the Anthem Facts website to keep members informed about the data breach and answer many questions. The site includes Mr. Swedish's breach notification letter. Members with questions can call the health care provider at 1-877-263-7995.

This is a massive data breach, and it is not good news, for several reasons. First, the data elements stolen are sufficient to allow criminals to commit financial fraud using the victims' identities. To the good, Anthem stated it will contact affected members and provide free credit monitoring services. However, the health care company's announcement did not state the number of years of complimentary credit monitoring services. Many companies provide one or two years, even though the stolen information retains value for a far longer period.

Second, since e-mail addresses and names were stolen, it means that breach victims are at risk of receiving e-mail spam and phishing attacks as the hackers resell the stolen data to other criminals worldwide. The FAQ page in the Anthem Facts site acknowledged this risk and advised members to:

"... be aware of scam email campaigns targeting current and former Anthem members. These scams, designed to capture personal information (known as "phishing") are designed to appear as if they are from Anthem and the emails include a "click here" link for credit monitoring. These emails are NOT from Anthem. DO NOT click on any links in email. DO NOT reply to the email or reach out to the senders in any way. DO NOT supply any information on the website that may open, if you have clicked on a link in email. DO NOT open any attachments that arrive with email."

Anthem also confirmed this in several tweets:

Anthem tweets about phishing.

Opening e-mail attachments from unknown persons can spawn computer viruses and malware on your desktop, laptop, tablet, or smart phone. So, it is wise to learn how to spot phishing e-mails. There is plenty of information in this blog.

Third, security experts are concerned that Anthem applied data encryption only to information during transit and not while it was "at rest" and stored in databases. Forbes reported:

"Encryption, which scrambles data so only authorized parties can read it, is considered the most effective way to achieve data security. Several data experts say the lack of encryption made it easier for hackers to gain access to up to 80 million customer records including Social Security numbers, e-mail addresses and other personal information... The Health Insurance Portability and Accountability Act, known more commonly under its acronym “HIPAA,” doesn’t require health care companies to encrypt such data."

Fourth, it is good that Anthem has hired a reputable, skilled computer security firm to help it understand exactly how the breach occurred and then apply the necessary fixes. After studying several breaches and companies' post-breach actions during the 7+ years I've written this blog, I've noticed that post-breach fixes don't happen quickly. The breach investigation takes time. Hence, you see in the announcement cautious words, such as "Based upon what we know now." The fixes often include a mixture of technical solutions and staff training. During the coming months we will see how transparent Anthem will be with sharing data about the breach and the fixes it applies to its networks, computers, and staff training.

The fact is: there is nothing to stop criminals from repeatedly attacking the company's networks. Hopefully, Anthem will implement fixes fast enough and sufficient enough to both identify and thwart future attacks.

Fifth and perhaps more troubling is the history of data breaches at Anthem. Anthem, Inc. was formed in 2004 with the merger of Anthem and WellPoint Health Networks. The company changed its name from WellPoint to Anthem in 2014. A March 2008 WellPoint breach affected 130,000 patients and a 2006 breach affected about 200,000 patients when backup computer tapes were stolen from a vendor.

In 2011, WellPoint settled data security allegations with the State of Indiana Attorney General after a data breach during 2009-10 affected 32,000 Indiana residents. A faulty website security update exposed the personal, financial, and medical information of about 470,000 consumers nationwide. WellPoint made a $100,000 payment to the state.

In 2013, WellPoint paid $1.7 million to the U.S. Department of Health and Human Services (HHS) to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules:

"The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by WellPoint as required by the Health Information Technology for Economic and Clinical Health, or HITECH Act. The HITECH Breach Notification Rule requires HIPAA-covered entities to notify HHS of a breach of unsecured protected health information. The report indicated that security weaknesses in an online application database left the electronic protected health information (ePHI) of 612,402 individuals accessible to unauthorized individuals over the Internet. OCR’s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule."

Sixth, in its breach notice, Mr. Swedish said:

"Safeguarding your personal, financial and medical information is one of our top priorities, and because of that, we have state-of-the-art information security systems to protect your data... I want to personally apologize to each of you for what has happened, as I know you expect us to protect your information. We will continue to do everything in our power to make our systems and security processes better and more secure, and hope that we can earn back your trust and confidence in Anthem."

The health care company's history suggests otherwise. Safeguarding patients' data may not be a top priority. An apology is nice, but actions speak louder than words. In 2012, Anthem settled a lawsuit with the Office of the California Attorney General. Terms of the settlement included a $150,000 payment, technical fixes to its computer networks, restricting access only to certain employees, and data-security training of all employees. Anthem allegedly printed Social Security numbers on letters it mailed to more than 33,000 persons from April 2011 to March 2012; a clear privacy and data security no-no. The lawsuit claimed that this practice violated state law prohibiting the disclosure of Social Security numbers. After that 2012 breach, Anthem offered affected members one year of free credit monitoring services.

The latest data security lapse at Anthem/WellPoint causes one to wonder if data security is truly a top priority, if the state-of-the-art systems Mr. Swedish described have truly kept pace with Internet and software developments, and if adequate employee training about data security stopped after terms of the 2012 settlement were fulfilled.

While writing this blog, I have learned that identity criminals are both creative and persistent. The "bad guys" possess the same computer skills and equipment as the "good guys." In my opinion, repeated security lapses will stop only when company executives go to prison. Fines are not enough.

What are your opinions of the Anthem breach? Of the company's statements and actions so far? If you receive a breach notice from Anthem, please share details (but exclude any information that would further compromise the security of your personal information).


Considering A Cruise Ship Vacation? What Consumers Need To Know

It's the middle of Winter, and you are probably tired of the cold, the snow, or both. At this time of year, many people consider warm weather vacations. Last week, a friend asked about cruise ship vacations:

"Do you have a travel agent you use for cruises? A group of us who are turning 60 this year are thinking of taking a cruise to celebrate. Maybe a repositioning cruise. Are there suites for 5 people? Any advice is most welcome."

Cruise ship vacations are popular. A cruise is a good way to sample several destination ports, and return to the ports you like for a longer, land-based visit. You can board a cruise ship near where you live, or sail from a popular travel destination.

According to the industry group Cruise Lines International Association (CLIA), about 20 million consumers went on cruise ship vacations globally during 2012. There are about 60 cruise lines with 400 total ships. The industry generated about 356,000 jobs paying $17.4 billion in wages to American workers.

It's not just more people cruising. Experienced cruise customers also book cruise itineraries with longer durations. The CLIA surveyed travel agents and 37 percent reported an increase in bookings of longer cruises (e.g., 14 to 100 days duration). If you have the time and money, several cruise lines offer itineraries of 30 days or longer.

I was happy to answer my friend's questions. Nobody wants to overpay or have their wallet "mugged" during a vacation. My wife and I have sailed on 22 cruise ship vacations to many parts of the world. For several years, I ran a cruise group of interracial couples and families. At a major creative advertising agency, I worked on web projects for a cruise line client. Interesting publications include the book, "Devils On The Deep Blue Sea," a history of the cruise industry, and industry magazines such as Porthole and Cruise Travel. So, I know the industry well and feel pretty qualified to give advice and answer my friend's questions.

1. Your interests. Decide what type of vacation you and your group like. Some people like as much beach time as possible. Others like golf. Others like Eco-tours. Others like active sports, such as hiking, bicycling, surfing, snorkeling, and scuba diving. Some like motorized excursions including off-road vehicles. Pick a cruise line and itinerary that fits your interests. Royal Caribbean focuses upon active sports.

2. Themed cruises. If your group has a specific interest, there is often an itinerary for that. So you can find singles cruises, NASCAR cruises, cruises for nudists, gay/lesbian cruises, and so forth. Carnival has the best night clubs and discos. It also has the best Las Vegas style shows. Celebrity Cruises is known for having the best food. Disney focuses upon families with children. All ships in Royal Caribbean's fleet feature rock-climbing walls. Some include specialized pools you can surf in. A good place to start looking for theme cruises is www.cruisecritic.com. Other places to look include Cruise Addicts and Cruise 411.

3. Cruise lines. Just like land-based hotels, there are entry/discount, mid-range, and luxury cruise lines. Entry/discount: Carnival, Royal Caribbean, Disney, Costa, and Norwegian. Mid-range: Holland America, Princess, Celebrity, and MSC. Luxury: Crystal, Cunard, Seabourn, Silversea, Windstar, Viking, and Avalon. The entry/discount cruise lines focus upon people under 40. The mid-range cruise lines focus on people 55+. The luxury cruise lines tend to have smaller ships with 150 or 200 passengers. The entry/discount cruise lines tend to have larger ships, with as many as four or five thousand passengers.

The primary language spoken varies by cruise line. For example, when we sailed on Costa and MSC in the Mediterranean, we noticed that the primary language spoken on board was Italian. We do not speak Italian and felt we had a poor experience on board these two cruise lines.

4. River or ocean cruises? My friend and her group seemed interested in ocean cruises. There are also river cruises. The two types are ENTIRELY different. River cruises are all about the shore excursions: you get off the ship every day. Usually, the shore excursions and tips are included in one cruise price. Viking River Cruises and Avalon Waterways focus on river cruises. Some destination ports are only accessible via river cruises.

5. Departure ports. When selecting an itinerary, some people start with the departure port because that is often a city whose land-based attractions, restaurants, and sights you may want to explore. Then, you can get good and juiced before you board the cruise ship. When traveling in winter, it is always wise to arrive at the departure city 2 days before the ship sails, in case your flight is delayed by bad weather. Departure ports we have sailed from: Amsterdam, Boston, Ft. Lauderdale, Honolulu, Los Angeles, Miami, New Orleans, San Juan (Puerto Rico), Seattle, and Venice (Italy).

6. How the industry works: pay their minimum deposit. Buy travel insurance at that time, too. The full amount is typically due 90 days before the ship sails. You will probably set up an account through the cruise line’s website to indicate in your profiles any preferences (e.g., non smoking, diets, physical limitations, etc.). After you have paid for your cruise, then you can select (and pay for) the optional shore excursions in each destination port.

Similar to airlines, all of the major cruise lines have rewards programs for frequent travelers. Some consumers book travel with a single cruise line to generate as many rewards points as quickly as possible. Some pick itineraries based upon where they want to go, and then look for cruise lines sailing there.

Some consumers wait until the last minute and book whatever empty cabins are available. This is a good strategy for consumers (e.g., retirees) with flexible schedules who can travel on a moment's notice. It's a good way to get a cabin cheap, but you may not get the cabin location you want on a ship. This strategy works well if you live reasonably close to the departure port. If not, what you saved on a low-priced cruise may be eaten up by higher, last-minute, air fares.

7. Selecting your cabin: there is no single correct way. After selecting a ship or itinerary, some people select a cabin type: inside, outside, balcony, suite. Others pick a specific cabin on a ship they already know. All of the cruise lines have websites that present deck plans. My advice: no matter what type of cabin, you do NOT want a cabin underneath the disco, dining room, or lido deck pool... unless you like hearing footsteps overhead.

8. Use a travel agent? Some in your group will likely ask: are travel agents necessary? While you can do it all yourself and book your cruise through a cruise line’s website, you may want more service or have questions. Travel agents are there to answer your questions. They can give you the kinds of advice I mentioned above, recommend hotels in departure cities, often get you a lower price than the cruise line’s website, and book all elements of your vacation: the cruise, hotels, air travel, and transfers between airports, hotels, and cruise ship terminals. Whenever we work with a travel agent, we have in mind a budget and the probable retail price for the itinerary we want. We use a travel agent located nearby, so we can visit their office.

9. Read cruise reviews. Once you've selected 3 or 4 itineraries and ships, then it makes sense to read cruise reviews about the ships or itineraries you are considering. Many passengers write and post their reviews online. This is a good way to learn about the advantages and disadvantages of a ship or itinerary. A good place to read passenger-written cruise reviews is the Community section at the Cruise Critic site. Select the cruise line and then the cruise ship you are interested in.

As I said above, my wife and I have sailed on 22 cruises; both ocean and river cruises; and to most parts of the world: Mediterranean, Alaska, Hawaii, Bermuda, Panama Canal, the Caribbean, and northern South America. We have sailed on almost all of the above entry and mid-range cruise lines. We’ve only sailed on one of the luxury cruise lines.

Learn more: 8 tips about cruise ship vacations.

My friend really appreciated this detailed reply. If you have sailed on cruise ship vacations, what are your favorite itineraries? Your favorite destinations? Favorite ships? Any advice you have for new cruisers?


Verizon To Pay $5 Million To Settle Charges It Failed To Investigate Complaints By Rural Phone Customers

Last week, the Federal Communications Commission (FCC) announced a settlement agreement with Verizon where the telecommunications company will pay $5 million to resolve charges that it ignored the complaints of rural land-line phone customers who were unable to receive both long-distance and wireless phone calls.

Terms of the agreement require Verizon to pay immediately $2 million to the U.S. Treasury, $3 million over the next three years to fix the rural phone call completion problems, appoint a Rural Call Completion Ombudsman within the company to analyze rural call completion problems, file a report with the FCC at the end of the three years, host workshops and fund academic studies about ways to solve rural phone call completion problems, and develop a system to identify customers' complaints about rural call completion problems.

Verizon filed notices during 2014 that it planned to cease copper phone network services in at least six wireline centers: Belle Harbor (NY), Orchard Park (NY), Farmingdale (NJ), Hummelstown (PA), Lynnfield (MA), and Ocean View (VA). For example, the Farmingdale, New Jersey notice by Verizon (Adobe PDF) stated:

"Verizon intends to retire all copper facilities (feeder, distribution and drop) in the Farmingdale, New Jersey wire center and to serve all customers over a fiber infrastructure... After the retirement of the copper facilities, Verizon will: (1) no longer offer services over copper facilities; and (2) cease maintaining the copper facilities. However, to the extent required by applicable agreements and federal law, Verizon will offer to requesting carriers a 64 Kbps voice-grade channel over fiber loops that have been deployed where copper was retired..."

Read the January 26, 2015 FCC announcement (Adobe PDF) and the Consent Order against Verizon (Adobe PDF).

Sadly, this is not the first time the FCC has had to take action to get a telecommunications company to support rural phone customers. The FCC announcement stated:

"This is the fourth major resolution of a rural call completion investigation and is part of a coordinated effort to address rural call completion problems. The Bureau entered into consent decrees related to rural call completion performance with Matrix Telecom, Inc. and Windstream Corporation in 2014 and with Level 3 Communications, LLC in 2013."

Some experts are concerned about the coming retirement of copper phone land lines. The Ars Technica blog reported in August 2014:

"The National Association of State Utility Consumer Advocates (NASUCA) asked the FCC to delay copper retirements in Belle Harbor and Ocean View until the FCC performs the investigation requested by Public Knowledge. NASUCA also wants the retirements to wait until after the completion of trial runs of all-IP phone networks. The FCC is expected to oversee the first such trials as early as next year in the AT&T wire centers of Kings Point, Florida, and Carbon Hill, Alabama. Verizon says it doesn't want to wait, because that process could take years."

What does this mean? All consumers should realize that phone companies want to get out of the traditional copper land-line phone business and support only wireless phone customers. They view maintenance of the copper infrastructure as costly. You may believe that everyone has already switched to mobile phones, but there are plenty of copper land-lines still in use. The Local Telephone Competition Report by the FCC stated that in June 2013:

"... there were 90 million end-user switched access lines in service, 45 million interconnected VoIP subscriptions, and 306 million mobile subscriptions in the United States, or 441 million retail local telephone service connections in total... Of the 135 million wireline retail local telephone service connections (including both switched access lines and interconnected VoIP subscriptions) in June 2013, 77 million (or 57%) were residential connections and 58 million (or 43%) were business connections..."

It is important for consumers to realize that traditional copper land-lines in homes (and businesses) are going away, probably sooner than you might expect. That means that Internet services that rely on those land lines (e.g., DSL Internet service) will also disappear. DSL customers will have to migrate to other service providers (e.g., cable or fiber) for high-speed connections.

USA Today reported in April 2012:

"First it was street-corner phone booths and home delivery of telephone books. Now, land lines are on their way to becoming part of American telecommunications history. As consumers continue to move to wireless, states are passing or considering laws to end the requirement that phone companies provide everyone land-line service. Indiana and Wisconsin are the two most recent states to end the requirement, and many others — including Alabama, Kentucky and Ohio — are considering it..."

There are concerns that rural consumers lack sufficient access to affordable high-speed Internet services, and that high-speed Internet services in the United States don't offer the best value. A major worldwide study found that consumers in the United States pay more for high-speed Internet services than consumers in other countries and get slower speeds.

Rural residents often face multiple obstacles. Prior studies have found that many poor people in rural areas live in "banking deserts," places not served by any banks. According to a recent FCC report, 64 percent of rural Virginia residents don't have access to high-speed Internet services (as defined by the new benchmarks). In West Virginia, the figure is 74 percent. More than half of rural residents nationwide lack access to high-speed Internet services. Now, add poor phone service to the list of obstacles.

What should rural consumers do about poor phone services? What should any consumer do if you can't contact rural consumers or businesses? Fight for your rights and the services you are paying for. The FCC advises consumers to first learn to recognize the problem:

  • Long distance or wireless callers may hear nothing or "dead air" for 10 seconds or more after they dial a rural number. Then, the call may drop or get a busy signal.
  • Or the phone may just ring for a long time.
  • Or, you may hear a recording such as "The number you have dialed is not in service" or "Your call cannot be completed as dialed" even though you know you dialed it correctly and it is in service.

Next, write down the date, time, and phone number(s) dialed, plus the name of the long-distance or wireless phone carrier. Then, report the problem to your wireless phone provider or to your long-distance service provider. If the problem remains unaddressed, file a Phone Complaint with the FCC.

What are your opinions of the FCC and Verizon settlement? Of land-lines going away? Of the problems rural residents face?