5 Things You Should Know About Prepaid Cards

Right now, there probably are three different types of plastic in your wallet or purse. Each type has different rules, disclosures, government regulations, and fees. So, wise consumers use the best type of plastic instead of cash.

Most consumers are familiar with credit cards and debit cards -- the first two types of plastic. Credit cards include an interest rate applied to all purchases, plus a variety of fees (e.g., overdraft, annual usage). Debit cards are offered by banks to their account-holders to access money in their checking and savings accounts.

Prepaid cards often look like debit cards but have several important differences. Prepaid cards must have value stored or "loaded" onto them before they can be used. Usually, consumers use cash to add value to a prepaid card. Then, the consumer uses the prepaid card for purchases, which are deducted from the balance on the card until there is no value left on the prepaid card. Then, more value must be added to the card before it can be used again.

Retail stores, restaurants and malls offer prepaid cards, usually called gift cards. Chances are you may have already received a prepaid card as a gift. I've received and given several prepaid cards as gifts. Customers use the Dunkin' Donuts prepaid card are the chain's retail stores. Prepaid cards from The Old Spaghetti Factory, Starbucks, and Target all operate similarly. Some retailers use their prepaid cards to track customers' purchases for rewards for loyalty programs.

Besides retail stores, many other companies and entities offer prepaid cards. Some employers pay their employees via prepaid cards, often called payroll cards. These payroll cards are designed for employees who don't have checking and savings accounts. Behind every payroll card is a bank that handles the transactions.

Some employers offer their employees prepaid cards only for qualified healthcare spending purchases. Some golf clubs offer prepaid cards for their members to use at the club's golf store and restaurant.

Some banks offer prepaid cards, too, for consumers who lack checking and savings accounts. With all of these prepaid cards in use, it is important for consumers to to know the advantages and disadvantages. There is a pretty good CNN Money article that discusses what consumers should know about prepaid cards:

"Watch out for the fees: The average prepaid card charges nearly $300 in basic fees a year, such as monthly charges, ATM fees and reloading fees, a recent NerdWallet study found... many prepaid cards also charge activation fees, transaction fees, bill payment fees, declined transaction fees, inactivity fees, customer service fees and paper statement fees."

"They don't build credit: Using a prepaid card doesn't help you build credit with the three major credit bureaus... don't be fooled into thinking they are doing anything to boost your credit score."

To browse the entire list of five tips, read the CNN Money article. To learn more about the differences between the three types of plastic in your wallet/purse, read the FDIC alert about consumers' rights. You can also select Prepaid Cards in the tag cloud in the near right column.

What has been your experience? What prepaid cards have you used?

Consumer Reports Reviews Facebook And How To Use It Safely

If you haven't read it, there is a good review by Consumer Reports of the Facebook social networking website. The news media has focused on some of the controversial aspects of the report. For example, CNN reported, like many other news organizations, the survey finding that about 25 percent of Facebook users lie about information in their Facebook profile to protect their identity.

While lying about profile information may seem like an effective privacy strategy, the Consumer Report review of Facebook highlights the various ways Facebook tracks its members. Some Facebook members have made conscious choices to share personal data, and do so in status messages, sharing items, and commenting upon others' status messages. Yet other tracking methods exist.

The Consumer Reports review is a good reminder that its members are the products:

"... the company uses your data to help advertisers deliver ads that you may find useful. Suppose, for example, that you have “liked” the San Francisco 49ers page, or simply posted comments about football. You shouldn’t be surprised to see ads in the margins for football tickets, fan paraphernalia, and the like. Facebook does not share any of your information with advertisers that buy those ads unless you give permission. If you click the ad and purchase something, the advertiser obviously learns who you are. And even if you simply “like” a brand page, the company can automatically send posts to your account."

One tracking method is the facial-recognition software used to "tag" (e.g., identify) people (and places) in both photos and videos. Members who aren't careful to turn off the geo-tagging feature in their smart phones or tablets will provide even more personal data with photos and videos uploaded to Facebook.

Another method are the Facebook apps member use for music, news, and games -- which are loosely managed by Facebook:

"... according to Kevin Johnson, security consultant at Florida-based Secure Ideas, who has developed apps and tests their security. The sole credential needed to create an app is a verified Facebook account, including a cell phone number or credit card. And the company doesn’t have to review your source code (programming instructions) before it goes live..."

So, there seems to be little to no verification of apps for security or compliance when those apps have a privacy policy.

A method Facebook uses to track both members and non-members includes those "Like" buttons you have see on websites across the Internet:

"... Facebook keeps track of the other websites [its members] visit. That happens via the “Like,” “Recommendations,” and similar buttons that so many sites include. In addition to reporting your presence, the “Like” button sends along the date and time of your visit and your IP address, whether or not you click on it. The company has acknowledged that this happens even when Facebook users are logged out, a practice that had prompted class-action lawsuits in the U.S. If you’re logged in to Facebook, it can collect even more data. The company also said that it collects data from people who are not its users and have never visited its site..."

The review is also a good reminder of the scope of data Facebook collects:

"... thanks in large part to Max Schrems, a 24-year-old Austrian law student who managed to get a fuller copy of his personal information last year from Facebook's Dublin office, which oversees relations with users outside the U.S. and Canada. Schrems was surprised to discover, among the 1,222 pages of data covering three years of Facebook activity, not only deleted wall posts and messages, some with sensitive personal information, but e-mail addresses he’d deleted and names he’d removed from his friends list... Facebook collects the same type of detailed information on American users, as confirmed by documents it released to Boston police during their investigation of Philip Markoff..."

If you want to learn more about Schrems, visit Europe Versus Facebook. The review ends with a list of nine ways consumers can use Facebook (and similar social networking sites) safely:

"1. Think before you type. Even if you delete an account (which takes Facebook about a month), some info can remain in Facebook’s computers for up to 90 days.

3. Protect basic information. Set the audience for profile items, such as your town or employer. And remember: Sharing info with “friends of friends” could expose it to tens of thousands.

4. Know what you can’t protect. Your name and profile picture are public. To protect your identity, don’t use a photo, or use one that doesn’t show your face.

5. “UnPublic” your wall. Set the audience for all previous wall posts to just friends.

7. Block apps and sites that snoop. Unless you intercede, friends can share personal information about you with apps. To block that, use controls to limit the info apps can see."

Read the complete review of Facebook.com by Consumer Reports.

Slamming And Your Home Energy Bills

Recently, an I've Been Mugged reader wrote asking me about what to do with their home energy bill. The reader was concerned that they had been "slammed" -- their energy supplier had been switched without their approval. When thinking about situations like this, it is important for consumers to understand your rights first.

Each state in the USA has a Public Utility Commission (PUC) or state agency to govern and regulate which companies are licensed to sell energy (e.g., electricity, natural gas). So, to understand your rights a good first step is the PUC website for the state where you live.

I'll use the state where I live as an example. In Massachusetts, some private companies are licensed to sell only electricity, some only gas, and some both. The Executive Office of Energy and Environmental Affairs (EEA) provides the lists of licensed energy sellers in Massachusetts. Obviously, this is a list consumers would use to verify any private company selling energy in the state, especially door-to-door sales people.

The same EEA website describes consumers' various rights about energy services. For example, the "Cooling Off Period" describes the length of time consumers can change their mind after switching to a new energy service provider:

"Your choice of a competitive power supplier will not take effect for at least three business days. Should you change your mind during that three day period, you will not incur any charges."

The site also describes consumers' rights about slamming:

"A competitive power supplier may not switch you to its service without your consent. Your consent must take the form of either: 1) a written letter of authorization signed by you; or 2) your oral statement to an independent third party, such as a separate verification company. If you are switched without your authorization, you may file a complaint with the Massachusetts Department of Telecommunications and Energy by calling 1-800-392-6066."

Historically, slamming happened a lot with phone services, but lately it can happen with energy services, too. In 2011, the Georgia Public Service Commission (PSC) fined gas marketer Energy America with a $400,000 penalty for customers it "slammed." While some companies approach consumers at home, others perform phone solicitations.

Before accusing a company of slamming your energy service, I would first check with other members in the home, or a landlord, to see if somebody else signed an order to switch service. Then, I would contact the new energy supplier to get the sales person's name and a copy of that new-service order.

If slamming is still a concern, other steps I might perform in order:

1. Check the website of my existing energy supplier to see what they advise about slamming
2. Check my state's PUC website to understand my rights and what they advise about slamming
3. File a complaint with the PUC in the state where I live
4. File a police report with local law enforcement, since it is fraud to forge another person's signature
5. File a complaint with the Federal Trade Commission
6. Consult with an attorney to see what other options there may be for consumers

Having difficulty finding the website for your state's PUC? This list may help.

How To Get Help And File Complaints About Private Student Loans

To complete college and/or graduate-level study, many consumers took out student loans. According to the Consumer Financial Protection Bureau (CFPB):

"Student loans have now surpassed credit cards as the largest source of unsecured consumer debt... unlike federal student loans, private student loans do not generally have the same borrower protections such as military deferments, discharges upon death, or income-based repayment plans."

More help is available. The CFPB announced that it provides assistance for consumers who are experiencing problems with taking out a private student loan, repaying their private student loan, or managing a student loan that has gone into default and may have been referred to a debt collector:

• Before applying for loans, students should read the financial aid shopping sheet. Some consumers have already submitted feedback to the CFPB about what they want in this draft disclosure sheet. The CFPB will use this feedback in crafting future disclosure guidelines for lenders.
• Students who already have loans can use the Student Debt Repayment Assistant interactive, online tool to discover new repayment options.
• Borrowers who are experiencing difficulties paying loans, managing loans, or loans that have gone into default can now submit complaints at the CFPB website about private student loans. the types of complaints include: payment difficulties, confusing advertising or marketing terms, billing disputes, deferment issues, debt collection problems, and credit reporting issues.

Borrowers can also submit complaints to the CFPB via a toll-free phone number (1-855-411-2372), via fax (1-855-237-2392), and via postal mail (CFPB, P.O. Box 4503, Iowa City, Iowa 52244).

Private student loans are issued by banks, credit unions, schools, and similar lending institutions. If you aren’t sure what kind of loans you have, the CFPB advises students to visit the National Student Loan Database System for Students and select “Financial Aid Review” for a list of all federal loans made to you. Click each individual loan to see who the company is that collects payments from you.

Complaints about federal student loans (e.g., Direct, Stafford, Perkins, etc.) should be submitted to the U.S. Department of Education. The CFPB will automatically forward complaints it receives about federal student loans to the Department of Education.

Hackers Target Facebook Users With New Malware Tool To Steal Credit Card Information

In case you haven't heard, scammers and identity thieves have targeted social networking users. Trusteer reported a new scam by identity theives using a new version of the "Ice IX" malware.

After a Facebook member (within an infected computer) has logged into their Facebook account, the "Ice IX" malware spawns a new browser with a fake Facebook page which prompts users to enter credit card information for supposed additional data security protection. Of course, no security protection is provided, and the malware steals both the consumer's credit card information and other sensitive personal data stored on your computer.

This is another fine example of the creativity and persistence of scammers and identity thieves. Visit the Trusteer website to view screen images of the fake Facebook page. To learn more about how to protect yourself when using Facebook.com and its mobile apps, see the links in the "Using Facebook Safely" module in the near-right column.

The Bright Side of Identity Theft And Fraud For Consumers

In a New York Times article titled, "The Bright Side Of Being Hacked," reporter Somini Sengupta described several benefits for corporations of a data breach via hacking. The article concluded:

"Rather, what Anonymous has done, experts said at the big RSA computer security conference here last week, is raise the alarm about the unguarded state of corporate computer systems."

Yes, raised awareness is a good thing, as was recently discussed about unsecured corporate video conferencing systems. Sengupta's articles reminded me of a blog post I wrote in 2010 which listed six benefits for consumers of being an identity theft victim:

"1. Awareness: After an identity thief has stolen your personal data, account credentials, and/or money consumers seem to have a new awareness of of the value of their sensitive personal data.
2. Acceptance and curiosity: after having their identity information and/or money stolen, there is an acceptance that identity theft is a problem. There is a curiosity to learn about other ways identity thieves and criminals might harm them, so they can avoid this painful experience in the future.
3. Willingness to change behaviors: Not knowing how to protect yourself is terrifying to most people. The pain from this terror seems to be sufficient incentive for consumers to change their habits (e.g., practice safe online shopping habits, check their credit reports for accuracy, use strong passwords at online sites, maintain anti-virus software on their home computer, etc.). Of the people I have talked with, after being an identity-theft victim, none want to return to their old ways.
4. Stronger consumer interest: along with this awareness about identity theft is an interest in products, services, processes, and/or laws that address and protect the needs and assets of consumers. Getting good customer service seems to become more important, too.
5. Gratitude and appreciation: before becoming a victim of identity theft and fraud, many consumers perceive warnings by consumer and privacy advocates to be unnecessary and overly cautious. Some have called me paranoid. After experiencing the pain of the theft and fraud, a different attitude emerges which includes a sincere appreciation for identity theft protection advice to help them fix their fraud problem, and a context for listening to future warnings.
6. Participation in our democracy: when the perception is that local or federal laws haven't kept up with business practices, some been motivated to write to their Congressional reps to demand action."

While, identity theft and fraud are painful experiences for consumers, these events can be a huge wake-up call for consumers to change their habits and practice better data security habits at home, at work, at ATM machines, at their doctor's office, at social networking websites, and with their mobile devices.

Your Rights And The Differences Between The Three Types Of Plastic In Your Wallet Or Purse

While this blog has covered a variety of banking issues, one of the more important issues is that consumers need to know about the three types of "plastic" in your wallet or purse. Otherwise, you are likely to be "mugged" by your bank or card issuer.

As part of National Consumer Protection Week, the U.S. Federal Deposit Insurance Corporation (FDIC) listed the differences between credit, debit and prepaid cards. There are important differences about how interest rates, fees, and your liability apply. Your rights vary greatly with the type of "plastic" you choose to use.

What protections do consumers have with prepaid cards? How are prepaid cards different? The first thing you need to know is that there are several types of prepaid cards:

• "General purpose reloadable" (GPR) cards: these carry a brand of a card network (e.g., Visa, MasterCard) and can be used wherever that brand is accepted
• Payroll cards
• Gift cards

Prior blog posts have discussed payroll cards from Bank of America and the Walmart MoneyCard. How prepaid cards work:

"... allow consumers to spend only the money deposited onto them, can have a number of different features. For instance, some gift cards may be used only at a single merchant; most GPR cards may be used to pay for purchases and access cash at ATMs."

When using a prepaid card, your liability is different from a credit or debit card:

"Liability depends on the type of funds on the card. If the card is a payroll card, then the liability rules are the same as for debit cards. But if the card is a general purpose reloadable card or a gift card, then there are no protections to limit your liability under federal law."

What prepaid card issuers (e.g., retail store, employer, bank) must tell you in the prepaid card agreement varies:

"Disclosures depend on the type of card. For example, payroll cards must disclose any fees and the error resolution process, but a GPR card does not have any disclosure requirements. In addition, gift cards must disclose the terms of dormancy fees, whether there is an expiration date, and any other associated fees."

Similarly, your rights and access to statements are different with prepaid cards:

"Payroll cards must provide either a periodic statement or account balance by telephone as well as electronic transaction history. GPR cards and gift cards do not have periodic statement requirements under federal law."

When terms change for a prepaid card, your rights about advance notice of changes are different, too. With prepaid cards, you generally don't get as much advance notice as with credit cards (45 days):

"Payroll cards must provide 21 days notice before making changes to fees charged or the liability limits for unauthorized transactions. GPR cards and gift cards are not required to do so under federal law."

Some people like prepaid cards because they can avoid interest rates. It is wise for consumers to fully understand the types of fees that apply to prepaid cards:

"GPR cards and gift cards have certain restrictions on dormancy fees charged. There are no specific requirements related to payroll cards under federal law."

So, you are probably wondering if prepaid cards are a good deal, or not. That answer depends upon your financial situation and the type of prepaid card you expect to use.

Since I already have checking and savings accounts at a bank, prepaid payroll cards are of no value to me. I find extremely troublesome the lack of restrictions on payroll cards, which means the banks can change terms, fees, and interest rates whenever they want; and as high as they want.

If you don't have a checking account, then a payroll card may benefit you. (Given the fee schedules and lack of restrictions, payroll cards will definitely benefit the banks but not necessarily consumers.) However, closely read the card agreement and fee schedule first. You may be better off (e.g., fewer fees, lower rates) opening a checking account instead at a community bank or credit union.

I still find retailers' prepaid gift cards (e.g., Dunkin' Donuts, Stop 'n Shop, Cheesecake Factory) useful for some holiday or birthday gifts, but the lack of agreements with many prepaid gift cards is troublesome. The lack of an agreement means the card issuer can change things whenever they want and not notify you. I will likely reduce my use of prepaid gift cards to only those that have card agreements.

What's your opinion? Do you use prepaid cards? If so, which types? If not, why not?

National Consumer Protection Week

March 4 - 10, 2012 is national Consumer Protection Week (NCPW). About 30 federal agencies and the U.S. Federal Trade Commission (FTC), plus consumer groups, state, county, and local government agencies are participating with the goal to:

"... focus attention on the importance of consumer information and provide people with free resources explaining their rights in the marketplace."

During the week, various groups will share information and tips about how to:

• Avoid identity theft, and scams,
• Protect your privacy, and
• Manage your money

NCPW began 14 years ago. The website has materials in both English and Spanish. David Vladeck, Director of the FTC's Bureau of Consumer Protection, said:

"The information on NCPW.gov can help consumers understand their rights, protect their privacy online and off, manage credit and debt, avoid identity theft, recognize foreclosure rescue scams, and report fraud... Visitors can download and print materials to share with friends and neighbors, or use the toolkit to plan a larger community event."

To learn more, visit NCPW.gov.

10 Tips To Recognize And Avoid Scams That Target Elders

In it's Winter issue of Consumer News, the FDIC provided several tips for consumers to recognize and avoid scams, identity theft, and fraud that target elders:

1. Choose an advisor carefully: perform research of any new broker, attorney, accountant, or other professional you are considering to hire. Meet with the professional and ask questions before making a hiring decisions. Also, check with the local consumer protection agency in your state.
2. Use the powers-of-attorney legal document carefully: FDIC experts want that this document can easily be abused by the appointed person. Review and discuss the document with a lawyer before signing.
3. Protect your personal financial information: Don't disclose bank account numbers, Social Security numbers, PINs (personal identification numbers), passwords or other sensitive information without first verifying the identity of the person requesting the information. Don't give out this information over the phone to unsolicited callers. Don't give out this information to door-to-door sales people.
4. Files at home: store your checkbook, account statements, and other sensitive information in a safe place. Shred paper documents containing sensitive information (e.g., Social Security numbers, bank account numbers, health care plan numbers, etc.) that is no longer needed.
5. Monitor financial accounts activity: closely review monthly credit card and bank account statements when you receive them. Look for unauthorized or suspicious transactions, and report them to your bank immediately.
6. Don't rush major financial or investment decisions: take your time to fully understand the offer. Ask questions if you don’t. If you need it, ask a lawyer or financial advisor to help you review any documents. Reject immediately anyone saying that you must make a decision immediately.
7. Be aware of reverse-mortgage scams: reverse mortgages allow homeowners ages 62 or older to borrow money from the equity in their homes. However, these arrangements have several risks and costs. The U.S. Department of Housing and Urban Development’s Federal Housing Administration (HUD or call 1-800-569-4287) provides guidance about how to use reverse mortgages and locate approved lenders or counselors.
8. Telemarketing calls: beware of unsolicited callers asking for money or personal information. Consider the national Do Not Call Registry (call 1-888-382-1222) to register to opt out of telemarketing calls.
9. Sending money: don’t comply with requests from strangers to wire money to a foreign location or to deposit a check into your account (perhaps as part of an online sale). the checks are usually bogus.
10. Social networking site use: if you use social networking websites, don't post the names of relatives, home addresses, and birth dates. Scam artists troll social networking sites looking for personal information to pretend to be a friend or family member.

To learn more about common frauds targeting seniors, visit the FBI Common Fraud Schemes site, the FDIC Consumer News site, or MyMoney.gov.

After reading this list of tips, I must say that it is good advice for consumers of any age.

Use Caution With Bill-To-Your-Cell-Phone Services

Lots of people like to try new services as they become available. It's generally a good idea as those new services can save time, effort, and/or money.

There is a good article at the Consumer Reports website which advises consumers to use caution when using bill-to-your-cellular-phone services. Perhaps, you have heard of the phrase: "digital wallet." There are several services available to pay with your cellular phone.

The magazine recently analyzed wireless carriers' contracts for bill-to-your-cell-phone services, and found:

"... consumer rights can vary widely between wireless carriers and the protections carriers claim to provide are often not spelled out in the contracts..."

The contracts outline consumers rights and responsibilities -- especially when bad things happen (e.g., bill problems, fraud). If the contracts aren't clear or complete, then you may encounter problems. The magazine used several secret shoppers to survey customer service representatives at:

"... Verizon, five from AT&T, and two each from Sprint and T-Mobile... Our test results show that, on average, cell carriers' customer service representatives are not aware of their company's policies."

Again, if the customer service representatives are unfamiliar with their employer's bill-to-your-cell-phone services, then you may encounter difficulty getting any bill problems resolved. Inspect your monthly bills closely for accurate charges.

How To Evaluate A Health Care Debit Card Plan From Your Employer

A blog post on Tuesday described Caren's experience with her United Healthcare Consumer Accounts Card, a specialized debit card her employer provided for Flexible Spending Account (FSA) expenses. That blog post highlighted what can go wrong with a health care debit card.

I wanted to take a closer look at the card agreement, and see what broader issues might apply in general. Today's blog post includes my findings about several items employees should be aware of when considering a health care debit card plan. I am not an attorney, so this is not legal advice -- just my observations and opinions as a consumer -- like you tyring to navigate a complex world. If you need legal advice, hire an attorney.

First, healthcare debit cards are similar to traditional debit cards, but with several important differences. Employees must understand how they work and when fees apply, just as you would with a traditional debit card with your bank checking account. So, it is important to closely read all appliable agreements, terms, or policies y to know your rights and responsibilities -- especially when bad things happen.

The introduction to the United Healthcare Consumer Accounts Card agreement (Adobe PDF; which is also available here) lists some important warnings:

"At the register or cashier: This is not a credit card, but you will need to choose “credit” when making purchases... At the pharmacy, supermarket or other retail store: Pay for eligible over-the-counter (OTC) supplies and materials. Please note: The card will be rejected if purchasing OTC medicines, even when prescribed..."

Select "credit" at the point-of-sale even though the card says "Debit" on its face? Prescribed OTC medicine will still be rejected? These exceptions sound like a recipe for employee confusion and rejected purchases. While the agreement states that it is a MasterCard Debit, I wonder if the bank tweaked a traditional credit-card payment solution for health care purchases and rushed it to market without removing all the bugs first.

What comes to mind is that old saying: never buy the first year of a new car production (and wait until the manufacturer gets all of the bugs out). Seems to apply to payment solutions, too.

Section #2 of the same agreement states:

"When you use the Card, you represent and warrant that you will not submit, and have not previously submitted, a claim for reimbursement for the same expenses under any other plan or program. You agree to save all invoices or receipts that are provided to you by merchants and service providers when you use the Card. You agree to provide a copy of any such receipt to us or United Healthcare, promptly on request. If you fail to submit a receipt when it is requested, under IRS rules, the amount in question may not be excluded from your gross income for federal tax purposes or may otherwise result in financial penalties to you. Your use of the Card is subject to the terms and conditions of the Plan, as well as the terms and conditions of this Agreement..."

So, employees must still save all purchase receipts. The health care debit card doesn't eliminate all paperwork. The last sentence in the above clause is important because it highlights the fact that several policies apply. It would be helpful if this agreement listed all applicable policies. My estimate is that at least five different policies apply:

1. Consumer Accounts Card Agreement,
2. United Healthcare HIPAA Privacy Policy,
3. Any additional policies at myUHC.com,
4. Employee handbook or manual,
5. Optum Bank policy

Employees should not have to guess which policies apply. It would be best for employees if a single, consolidated policy applied, but unfortunately American business does not operate that way today.

Let's return to the Consumer Accounts Card agreement, which also states:

"You agree that you will only use the Card to pay for eligible expenses under the Plan... if you use the Card for anything other than an eligible expense, you will be liable for any taxes, penalties and other expenses payable under applicable law and any expenses we, United Healthcare or your employer may incur as a result of such impermissible use. Upon demand, you agree to reimburse us, United Healthcare or your employer, as the case may be, for any such use for non-eligible expenses..."

While employees may think that ineligible FSA expenses are automatically blocked at the point-of-sale, the agreement governs what really happens. The Consumer Accounts Card payment process may indeed block some ineligible purchases, but United Healthcare and the bank seem to have left themselves a convenient loophole where employees are still liable. It would be helpful if the agreement stated what those amounts of taxes, penalties, and other expenses could be. It seems risky to use a debit card when you don't know the exact amount of fees that might apply.

Second, employees should be aware of their responsibilities to avoid liability. The "Consumer Liability" portion of the agreement states:

"Tell us AT ONCE if you believe your Card has been lost or stolen. Telephoning is the best way of keeping your possible losses down. If you tell us within 4 business days, you can lose no more than $0 if someone used your Card without your permission. (If you believe your Card has been lost or stolen, and you tell us within 4 business days after you learn of the loss or theft, you can lose no more than $0 if someone used your Card without your permission.)"

This four-day time period seems unreasonably short. My bank allows 60 days from my statement to dispute a charge on that statement. Does United Healthcare expect employees to check their online FSA account every four days? The next portion of the agreement states what happens when employees provide notice after the four-day window:

"If you do NOT tell us within 4 business days after you learn of the loss or theft of your Card, and we can prove we could have stopped someone from using your Card without your permission if you had told us, you could lose as much as $50."

Now, the liability sounds more like the liability with a traditional credit card: $50. What I find troubling about this clause is that it assumes traditional theft or loss. This blog has documented numerous examples of identity thieves plant skimming devices inside point-of-sale terminals at gas stations, supermarkets, and other retail stores to steal consumers' data to clone debit cards. Since employees are forced to use health care debit cards at retail stores, a more relevant agreement would provide tips about what to do if they believe their card has been cloned. Perhaps the myUHC.com site explains this, but I don't have a myUHC.com account.

The agreement also states (emphasis added by me):

"... if the statement you receive from the Plan administrator shows transfers that you did not make, tell us at once. If you do not tell us within 90 days after the statement was mailed to you, you could lose as much as $50 if we can prove that we could have stopped someone from taking the money if you had told us in time."

Again, that sounds like traditional credit card liability (e.g., $50), but at least the window for notice is longer at 90 days. Why lead with the four day clause? It seems unnecessary. In Caren's case, it seems that United Healthcare is enforcing the 90-day clause. What I find troublesome about the above clause is that it assumes paper statements sent via postal mail. In reality, employees' statements are available online. Nothing is sent via postal mail. So, why write the agreement assuming this? It sounds like the card agreement was rushed to market without all the bugs removed.

Another portion of the agreement states:

"ALL QUESTIONS ABOUT TRANSACTIONS MADE WITH YOUR CARD MUST BE DIRECTED TO THE BANK, AND NOT TO YOUR EMPLOYER OR PLAN ADMINISTRATOR. The Bank is responsible for issuing the Card and for resolving any errors in transactions made with your Card. The transactions will appear only on the statements provided to you by the Plan administrator."

It would be helpful if the agreement listed the bank's phone and postal address information. I couldn't find it in the agreement. The agreement lists United Healthcare's phone and postal address information. In my experience, well-written agreements provide both phone and postal address information with any instructions where consumers should give notice. Perhaps, the other policies provide this information, but I don't have a myUHC.com account.

SO, let's see if I got this correct. The agreement directs employees to contact United Healthcare for transfers the employee didn't make, but contact the bank about statement "errors."What's the difference? How are employees to tell? This sounds confusing.

It troubles me that the above clause mentions "errors" and doesn't mention "fraud." I would expect any bank to aggressively investigate suspected fraud. The fact that Optum Bank's flow of funds page still presents a 2008 copyright does not give me much confidence in the bank:

If something this simple still says 2008, what else has this bank missed? Or, should consumers conclude that the Optum web site hasn't been updated in four years? Or is this flow-of-funds information that is four-years old and/or obsolete? I would expect more timely and current information from any bank -- especially one processing my extremely sensitive health care information.

The "Fees" section of the agreement states:

"OptumHealth Bank does not charge usage fees for this card."

No fees are good, because banks can apply a wide variety of fees to debit-card accounts.However, it means that employees should monitor any changes in the card agreement. Things might change with new fees introduced. So, employees should read any updates to the card agreements or policies with their health care debit cards.

Now, let's return to Caren's story. The fact that Caren never used the Medco online pharmacy should be a huge "red flag" to Optum Bank, Large HR Firm, and United Healthcare. It suggests that Caren's payment information was stolen. The payment data on Caren's Consumer Accounts Card could have been stolen via a skimming device, which identity thieves plant inside point-of-sale terminals at retail stores and gas stations -- not just at bank ATM machines.

If Caren's Consumer Accounts Card was not cloned via skimming device theft, then a couple other options are possible. The pharmacy may have re-submitted the purchases it originally rejected -- and if so, it should have notified Caren, and reimbursed her for the purchases she paid out-of-pocket. Caren could test this by using a different pharmacy. If the duplicate charges don't happen at the second pharmacy, then it is reasonable to assume a problem at the first pharmacy. If the duplicate charges continue, then it seems safe to assume that her debit payment data was stolen.

Insider identity theft is always a possibility. It's harder for employees to spot, but it does happen.

What should employees do if your employer offers a specialized debit card for healthcare expenses? I suggest the following steps:

• Read all applicable policies to know your rights and responsibilities -- especially before registering for a FSA with your employer. Your employer may have negotiated a really good deal for its employees, or not. Don't blindly assume so; read the fine print in the agreement first. Part of evaluating if it's a good deal is looking for certain clauses in the agreement -- like the ones listed above. If you have difficulty reading contracts, get help from a trusted friend, family member, or attorney if you can afford one.
• Use the Internet to find reviews written by employees about their health care debit card plan. Places I like to look include Consumer Reports, The Consumerist, and Epinions.
• File a police report with local law enforcement. (In Caren's case, somebody spent money from her FSA account without her authorization. That is theft.) Insist on law enforcement accepting the report. Make several copies. Attached the police report to any complaints filed with your employer, the FSA healthcare administrator, and the bank,
• Use a different pharmacy. If the duplicate charge problem stops, it is reasonable to assume a problem at the first pharmacy, and file a police report accordingly,
• If you feel that you aren't getting the services promised by the bank which processes your health care debit card transactions, learn about how to file a complaint against your bank.
• File a fraud complaint with the U.S. Federal Trade Commission (FTC) including any relevant documents (and non-action by employer, HR Firm, health care firm, and bank). This will help the FTC track any emerging theft trends with health care debit cards.
• If there is no action by the employer, HR Firm, healthcare firm, and/or bank), write a letter to your federal or state elected officials asking for help. It's part of their jobs -- to help their constituents.

Is the United Healthcare Consumer Accounts Card a good deal? Only you can decide for yourself, as everyone's needs are different. Hopefully, I have highlighted the things consumers should look for in any health care card agreement, so you can make an informed decision.

If you use a specialized debit card for health care expenses, what has been your experience?

New Features Available On I've Been Mugged

I am pleased to announce several new features available on this blog. Perhaps, you have already noticed them.

In the near right column, the "Greatest Hits: Facebook" module has been renamed to "Using Facebook Safely" to better reflect the focused blog posts content in this module. The far right column includes two new modules: "George's Picks" and "Popular Discussions."

The "George's Picks module includes investigative and controversial blog posts which I believe that you won't want to miss. Consider them gems with emerging issues. The "Popular Discussions" module includes blog posts with lots of comments activity.

To explore this blog and find discussions, you can use the tag cloud in the near right column. In the far right column, you can use either the "Recent Comments" or the "Recent Posts" modules.

Thanks for visiting I've Been Mugged. Tell your friends and come back soon!

Technical Support Phone Scam Poses As Microsoft Windows Affiliate Company

Yesterday, i received a telephone call from "Dean Thomas" (probably not his real name) who said he was from the "Technical & Maintenance Department of Windows." The phone number he gave was (209) 813-0133, which I assume was bogus, too.

Immediately, I recognized this phone scam as I had read about it previously in Consumer Reports:

"The scam has become so widespread that Microsoft has studied the problem in four countries, including the U.S. The study found that scammers stole an average of $875 from victims and caused $1,730 in damage to their computers."

Plus, I follow the Better Business Bureau on Twitter, which issued this alert months ago. I decided to listen to the scammer's pitch so I could report about it on this blog.

Basically, the scam artists pretend to be from a reputable company that is seriously interested in protecting you from virus software that can damage your computer. The first part of the pitch is an attempt to gain your confidence -- that they have received error messages already from my computer. After gaining your trust, they will ask you to visit a website, not with your web browser, but the "Run Software" dialog box. Doing so would give them access and control over your computer -- and the freedom to steal any files with passwords and bank accoount sign-in credentials.

With his heavy Southern Asia accent, "Dean" asked me to browse various system registry files (e.g., the Event Viewer, the Command level interface) on my computer, in a bogus attempt to convince me that my computer is already infected with malware. At one point during the call, "Dean" asked me to verify the CLSID number of my computer. Of course, I refused -- all the while acting like a dumb computer user so I had enough time to perform several Yahoo.com searches to confirm the scam.

One way to recognize these phone scams is that they never ask you if you alraedy have anti-virus software installed on your computer. "Dean" never asked and I never volunteered an answer.

"Dean" soon became frustrated and transferred me to his supervisor, who said he was from a company called, "Software Network Communications For Windows." Another sign that this was a scam: the company name kept changing. This new jerk wanted me to open the Run Software dialog box on my computer and enter the "www.support.me" website address. I asked him why the website address was different if he was from Windows. He answered that he was with an affiliate company.

Of course, I wasn't believing any of this nonsense -- nor should you. Of course, I didn't enter anything into the Run Software dialog box - nor should you. I told the jerk that I needed to know more about his company before visiting any website. Then, he hung up.

Later, I reported this phone fraud to the U.S. Federal Trade Commission (FTC) -- which you should too, if you receive such a phone call.

To learn more and avoid these technical support phone scams, read this Consumer Reports article, and this Microsoft alert. Other consumers have received technical support scam phone calls. Here is one that is both entertaining and serious:

How To Dispose Of Your Old Smart Phone Or Tablet

It seems that about every few months, manufacturers introduce a new smart phone or tablet mobile device. Perhaps, you received a new mobile device recently as a Christmas or birthday present. Maybe, you are a consumer who must have the latest technology. Regardless, your collection of old and obsolete mobile devices can quickly pile up.

What should consumers do with their old mobile devices? Or more precisely: how should consumers dispose of their old mobile devices to avoid identity theft and fraud?

The U.S. Federal Trade Commission (FTC) advises consumers to, first, permanently delete all personal information from your old smart phone or mobile device:

"Permanent data deletion usually requires several steps. Remove the memory or subscriber identity module (SIM) card from the phone. That’s an important first step in deleting information, but you likely will need to do more to erase all the sensitive data on your device. You can command a cell phone to delete certain data, but that will only delete the references to where the data is located; the actual information stays on the phone’s operating system."

Consult the user manual for your smart phone (you kept it, didn't you?) for the exact steps to permanently delete contact information, lists of calls received and made, photos, passwords, and any payment information.

Second, you have several disposal options:

• Recycle: many cellular phone manufacturers, service providers, and non-profit organizations groups offer programs to recycle their components, including accessories like chargers. Visit the Environmental Protection Agency (EPA) to learn more about recycling programs. Consult Earth911 to find a nearby recycling center. The U.S. Postal Service operates a free “Mail Back” program for consumers to recycle small electronic products: smart phones, digital cameras, PDAs, and inkjet cartridges. Free envelopes are available at select Post Offices.
• Donate: some charitable organizations accept old mobile devices.
• Resell: Some individuals and organizations will buy your old mobile devices.
• Dispose properly: mobile device batteries should not be placed in the trash. Many cellular phones contain toxic metals, which can contaminate the environment. Instead, dispose when your town/city offers hazardous waste collection days.

If you operate a small business that collected the sensitive personal data of your clients, customers, contractors, and/or employees, then certain data security rules may apply. Check with your industry trade association of the FTC website. For example, certain rules apply for health organizations when disposing PHI data (PDF). Another example, the American Bar Association (ABA) advises its member attorneys:

"... However, the January 01, 2007 edition of the Federal Trade Commission's Disposal Rule (16 CFR Part 682) says that the responsibility to properly dispose of consumer information includes the sale, donation or transfer of any medium, including computer equipment, upon which consumer information is stored."

Why You Shouldn't Install Those Entertaining Apps On Facebook

There is an excellent Facecrooks blog post that explains the risks of installing most "fun and entertaining" apps on Facebook. First, you have to understand the extreme limitations of Facebook:

"... there is no formal review process for applications or developers on the Facebook platform. Anyone and everyone (scammers included) can create apps. This is far different from the “Walled Garden” approach taken by Apple. Many unsuspecting users might be under the impression that if it’s on Facebook then it must be legitimate. That is totally not the case."

Second, think long and hard before installing any app that requires you to give it permission to:

• Access all of the data in your Facebook profile
• Access all of your Facebook friends list
• Post as you
• Just because the app address starts with HTTPS doesn't mean it is safe
• Doesn't have a privacy policy
• Has a privacy policy you don't like

Third, it is wise for Facebook members to "like" Facecrooks and follow its posts, so you are aware of emerging threats and scams.

Learn About Credit Unions. Free Workshops At A Nearby City

While there hasn't been much mentioned lately in the mainstream news media, consumers are still moving their money out of the big banks to local community banks and credit unions. If you want to learn more about what a credit union is and its benefits, the National Credit Union Administration (NCUA) is hosting free workshops in several citys.

The NCUA is the independent federal agency that regulates and supervises federally chartered credit unions. The NCUA operates the National Credit Union Share Insurance Fund (NCUSIF), which insures deposits at federal credit unions and most state-chartered credit unions. Deposits are insured up to $250,000 per account.

Upcoming workshop dates and locations through June 2012:

• March 3: Phoenix, AZ
• March 10: Los Angeles
• March 22: Richmond, VA
• April 11: Chicago
• April 12: Portland, ME
• April 19: Philadelphia, PA
• May 3: Detroit, MI
• May 11: Minneapolis, MN
• May 19: New York, NY
• May 23: Albuguerque, NM
• May 30: Baltimore, MD
• June 2: Denver, CO
• June 7: Omaha, NE
• June 9: Dallas, TX

To learn more and register for a workshop, visit the NCUA website. The NCUA operates the MyCreditUnion.gov website for consumers, with plenty of resources, tips, and advice. This prior blog post includes basic information about how to find a credit union near where you live.

Scammers Target American Airlines Customers With Phishing Emails

Earlier this week, a reader wrote about an email message he had received. The email message included a confirmation for tickets purchased through the American Airlines website. The reader was concerned that his bank information had been hacked, because he had not purchased any airline tickets.

The email message:

Subject: Your Order#647842534
Date: 15 Jan 2012 07:14:55 -0000
From: American Airlines (news-nr221@aa.com)
Reply-To: American Airlines (news-nr221@aa.com)
To: XXXXXXXX@XXXXX.com

Hello
FLIGHT NUMBER AA683
ELECTRONIC 885741402
DATE & TIME / JANUARY 30, 2012, 10:22 PM
ARRIVING / Raleigh
TOTAL PRICE / 395.22 USD

Please find your ticket attached. You can print your ticket. Thank you for your attention.
American Airlines.

The email included a ZIP file attachment. Clearly, this was a phishing email scam since it included an incomplete itinerary and the ZIP file attachment. A real airline wouldn't do either. Like most phishing emails, this one tries to trick consumers to open the ZIP file attachment which installs a computer virus on the victim's computer to collect password data, directs the victim's web browser to a fake American Airlines website to collect personal data, or both.

If you receive a phishing message like this, or from any other airline, experts advise consumers to:

• Don't click on any links within the email message,
• Don't open any files attached to the email message,
• Don't send a reply email message to the sender,
• Manually enter the website address into your web browser to visit the airline's official website to verify the email message, and
• Check your credit card or bank statement for any fraudulent charges

The official American Airlines website has a page devoted to phishing email scams. It provides examples of various email scam messages, and advises consumers:

"American Airlines will never ask you to perform security-related changes to your account in this fashion or send emails to collect user names, passwords, email addresses or other personal information. If you receive an email claiming to be from American Airlines, that asks for account information, it should be considered fraudulent... do not click on any links, open any attachments, call any phone numbers listed or follow any instructions in the email. Instead, forward a copy of the email, including the header to webmaster@aa.com so that we can investigate further."

The Snopes.com website also contains information verifying email phishing scams, including the above scam.

Zappos Data Breach Affects 24 Million Consumers

Several news organizations and USA Today reported about the data breach at Zappos.com, an online shoe and clothing retailer. Identity thieves hacked into the Zappos website and stole the names, street addresses, email addresses, telephone numbers, the last 4 digits of credit card numbers, and the online passwords of 24 million customers.

The Zappos CEO advised his employees via email that affected customers would receive the following notice, which read in part:

"... there may have been illegal and unauthorized access to some of your customer account information on Zappos.com... The secure database that stores your critical credit card and other payment data was NOT affected or accessed. For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password. We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail... We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there..."

While the company has reset online passwords and notified affected customers about how to create stronger passwords, the types of personal data stolen are sufficient for identity thieves to create plenty of damage. The damage can include spam using stolen email addresses, spam to/from linked mobile phone numbers, and further hacking into consumers online accounts.

How might further hacking happen? Too many consumers still use the same password for all of their online accounts. Simply, identity theives could access your debit/credit card numbers at other online retailer or bank accounts where you use the same password.

It is important for consumers to remember that identity criminals are persistent and re-sell stolen personal information. So, the thieves that attempt to hack into your online accounts probably won't be the same thieves that stole your personal information. Re-sold stolen personal information creates a situation where many thieves can ultimately create further damage.

Experts advise:

• Immediately change your passwords at other online accounts/retailers where you have used the same password you used at Zappos.com,
• Change your online passwords every 90 days,
• Don't use the same password for all of your online accounts,
• Don't use passwords that are easily guessable, or match items on your profile page at Facebook or other social networking website,
• Learn how to create strong passwords,
• Don't use any passwords on this list, and
• Learn how to protect your sensitive personal information at public WiFi locations.

Addendum - January 18: After further consideration, I found the above breach notice and response by Zappos far from satisfactory for consumers. Their response assumes breach victims won't experience any identity fraud, since their message does not include any instructions about what consumers should do if they do experience identity fraud. And, the Zappos breach notice does not seek to explain to their customers the final results of their breach investigation, including why a breach like this won't happen again. The whole event can be summed up as "ooops, we lost a few passwords. reset them and everything will be okay." Not necessarily so.

Addendum - January 19: At least one lawsuit has been filed again Zappos and its parent company, Amazon.com.

BBB: Top 10 Scams Of 2011

Earlier today, the Better Business Bureau (BBB) announced the top ten scams of 2011. With these scams, consumers can lose their money, personal identity and bank information, or both. The leading scams were:

1. Job Scams: included secret shopper schemes, work-from-home scams, and phony job offers. Typically, the scammers seek to trick victims to reveal bank account information.
2. Sweepstakes and lottery scams: supposedly you've won a lot of money. The pitch often includes a bogus celebrity participation.
3. Social networking and online dating scams: scammers may pretend to be on of your "friends" or have hacked the online accoount of one of your "friends." Typically, the pitch is to get you to click on a link -- sometimes a racey video-- which downloads a computer virus that invades your computer and steal sign-in credentials for several social networking accounts.
4. Home Improvement scams: contractors visiting your neighborhood offer a low price for the work, accept your deposit, and then never complete the job -- leaving your home in worse condition than before. Sometimes, the pitches come after a natural disaster.
5. Check cashing scams: scammers use legitimate companies (e.g., Craig’s List, Western Union) offering to buy something you are selling online. The scammer's check is larger than the price of the item you are selling. The victim sends the scammer a valid check for the difference, and the victim deposits the scammer's bogus check in their bank account. Of course, the scammer flees with money from cashing the valid check, the bogus check bounces, the victim still hasn't sold their item, and the victim's bank charges bounced check fees.
6. Phishing scams: these can be offers via phone, email, or a fake website. The typical pitch is to trick victims into revealing sensitive personal and bank account information. When you visit the bogus website to "verify" your account information, the website installs a software virus on your computer to steal more information.
7. Financial scams: these target consumers in tough situations, and include bogus offers about debt reduction and home mortgage modifications. The promised services are never delivered.
8. Sales scams: these include "penny auctions" or ways to supposedly pay far less than standard retail prices. Usually, there is a fee to bid. The BBB states clearly that not all penny auctions are scams, so consumers should treat these as a gamble and inspect closely the website policy and terms before entering.
9. BBB scams: a bogus email that looks like it's from the BBB, claims that a complaint has been filed against your business. To reply to the complaint, the email includes a link which instead downloads a document that spawns a software virus that can steal banking information, passwords and other sensitive personal information.

Last month, I received one of these fake-BBB phishing emails, with the telltale bad grammar and other clues. So you are aware, here is the text of the phishing message:

Subject: Your customer complained to BBB
From: "Better Business Bureau"
Date: Tue, 20 Dec 2011 08:47:19 +0000

Good afternoon,
Here with the Better Business Bureau notifies you that we have been filed a complaint (ID 37975886) from a customer of yours in regard to their dealership with you. Please open the COMPLAINT REPORT below to find the details on this issue and inform us about your opinion as soon as possible. We are looking forward to your prompt reply.

Faithfully,
Fernando Grodhaus
Dispute Counselor
Better Business Bureau Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Timeline Security Hoax Circulates On Facebook

If you use Facebook.com, perhaps you have seen the following status message:

"With the new 'FB timeline' on its way for EVERYONE, please do both of us a favor: Hover over my name above. In a few seconds you'll see a box that says "Subscribed." Hover over that, then go to "Comments and Likes" and uncheck it. That will stop my posts -- and yours to me -- from showing up on the side bar (ticker) for everyone to see, but MOST IMPORTANTLY it LIMITS HACKERS from invading our profiles. If you re-post this I will do the same for you. Thanks! (Click like on this post so I will know you unchecked.)"

Beware. This status message is a hoax -- an effective one too, since it trades on consumers' security fears. To learn more about why it is a hoax, visit Snopes and Facecrooks.

I can share this from personal experience. A couple Facebook friends sent this status message to me, and this hoax tricked me, too. The whole experience is reminder:

• Don't believe everything you read on social networking sites, and
• Verify claims before forwarding them as status messages to your friends.