7 Tips To Avoid A Rejected Credit Card During Vacation Travel

Today, banks are more vigilant than ever about spotting potential fraud. One way banks spot potential fraud includes charges outside of the cardholder's normal usage pattern -- the area where you live, work, and use your credit card. Often, when consumers go on vacation you intentionally travel outside of your area. Nobody wants a credit card purchase denied while traveling, especially when you don't have the cash with you.

So, what can consumers do to avoid having your credit card denied while shopping during vacation? Banks and credit card issuers advise consumers to:

1. Understand where your credit card is accepted outside of the United States. You can visit the customer service section of your bank's or credit card issuer's website. For example: the Help Center in the Discover site lists the regions where that credit card is accepted, including an international Country Acceptance Map. This is also helpful to understand any exchange rates used, and/or any fees or surcharges that might apply for purchases in different currencies. The Visa Travel Preparation Page provides similar information for cardholders traveling internationally.

2. Decide which credit cards you will bring. You may decided to leave at home the credit cards with high foreign transaction fees, don't offer purchase protection insurance, doesn't offer frequent-flyer mileage, and/or aren't accepted in the countries which you will visit. Experts advise consumers to bring at least two credit cards, and use one as a back-up in case your primary card doesn't work.

3. Notify your bank or credit card issuer of your upcoming travel, and the specific locatons where you will use your credit card. For example, Capital One directs its Visa cardholders to call its Customer Service department (1-800-955-7070) before their trip to provide the following information:

• Credit card number
• Travel destination(s): states and/or countries
• Travel start and stop dates
• Which cardholders will be traveling (if multiple people have accounts)

In Capital One's automated voice system, cardholders speak to enter and select voice prompt options. Say "More Options" and then "Report Upcoming Travel" to access the relevant option. Then, you can enter all of the necessary information, or you can speak with a human representative.

Obviously, if your vacation travel itinerary includes several cities and/or countries, you will want to have all of that information ready. When you contact your bank or credit card issuer, they will provide an international customer service phone number you can call while traveling outside the United States, should you have any problems. Last month before my vacation, I used Capital One's automated voice system. My travel itinerary included about six countries, and I found the system pretty easy to use to enter the necessary information.

4. Watch out for PINs. In some regions, automated kiosks require credit cards with smart chips. If your credit card doesn't have this new technology, it may not work.

5. If you want to use your debit card instead, first contact your bank, credit union, or card issuer to report your travel itinerary. Visit their website to find their office and ATM locations in the states or countries you will visit, any other banks they have partnerships with, any fees (e.g., conversion, foreign transaction) that apply, and any PIN number limitations (e.g., fewer digits). Generally, in-network ATM machines have lower fees than out-of-network ATM machines.

Experts advise consumers to keep sufficient cash with you for smaller purchases. The fewer times you use your debit card, the less you expose it to identity theft and fraud risks. If you read this blog regularly, then you already know that I use my debit card only at my bank's ATM machines. To me, it is too risky to use a debit card in a local retail store or gas station, especially in another country. There is no way to know if the card entry pads (or gas station pumps) has been compromised with skimming devices.

6. If you want to use a prepaid card instead, CardHub advises consumers:

"As long as your prepaid card bears the MasterCard or Visa logo and you notify your issuer of your travel plans, you should be able to use it abroad...”

Wise consumers will still check with their card issuer to get a copy of their prepaid card agreement, to find ATM locations in the states or countries you will visit, any other banks they have partnerships with, and any fees (e.g., conversion, foreign transaction) that apply. Again, in-network ATM machines generally have lower/fewer fees than out-of-network ATM machines. Compare the fees for your prepaid card against fees for your credit/debit cards. Understand your rights, protections, and the differences between credi, debit, and prepaid cards. If decided to use a prepaid card, make sure you load enough money onto it before you leave for your trip.

If you are unsure about whether prepaid cards are for you or not, there are plenty of online resources to help you decide. You can learn more by browsing the Prepaid Cards section of this blog. The posts in this blog section contain plenty of links to external sites and resources.

7. Check for foreign travel advisories. These may suggest additional precautions you should take in the countries you will visit.

Having done all of this, you can then travel with peace of mind.

CBC Interactive Map Of Foreign Travel Advisories

I like to travel to different countries. So do many people. If you plan to travel to other countries, then you might find this resource helpful to avoid getting mugged, your identity information stolen, or worse during foreign travel.

The Canadian Broadcasting Corporation (CBC), based upon data from the Canada's Department of Foreign Affairs, produced an interactive map of travel advisories for consumers. The map highlights places to avoid and places to take extra security precautions.

In the United States, the Bureau of Consular Affairs within the State Department provides similar information with alerts and warnings for foreign travel.

17 Privacy Groups Tell US To Stop Lobbying The European Union As It Considers Stronger Privacy Protections For Consumers

Yesterday, about 18 privacy advocacy groups sent a letter to U.S. Government officials which asked for a meeting and requested assurances that the U.S. not hinder new consumer privacy protections being considered by the Europe Union. The group believes that both the U.S. and Europe need to update and modernize their privacy protections for consumers.

The letter, addressed to the U.S. Attorney General, the Secretary of State, the Acting Secretary of Commerce, and two ambassadors who oversee trade with Europe, was signed by the ACLU, the Center For Digital Democracy, the Electronic Privacy Information Center (EPIC), the Patient Privacy Rights Foundation (PPR), the Privacy Rights Clearinghouse, and a dozen other advocacy organizations. The letter (Adobe PDF, 67k bytes) stated:

"Users around the world are experiencing increases in identity theft, security breaches, government surveillance, and secretive, discriminatory profiling. Users find that personal information given for one purpose is often used for another purpose, often without their knowledge or consent. Our personal data -­‐ our privacy -­‐ is being abused by both the commercial sector and governments... Europeans are working together to update and modernize their framework for privacy protection... There are many important, innovative proposals, as well as the recognition that the process of data protection can be simplified to the benefit of all. Europe is considering both an overarching Data Protection Regulation and a Directive on Law Enforcement..."

After a meeting in Brussels with several of the privacy groups, European Parliament members expressed concerns:

"... that both the US Government and US industry are mounting an unprecedented lobbying campaign to limit the protections that European law would provide... They were concerned about the absence of safeguards for personal data stored in the Cloud..."

The Telegraph reported in February 2012 about the intensive lobbyingby U.S. companies. Reportedly, U.S. lobbyists represent several tech companies including Google, Facebook, and Apple. Earlier this month, a leading privacy expert warned citizens in Europe not to use U.S.-based cloud services due to privacy and spying concerns with the FISA Amendments Act of 2008.

As I see it, the privacy letter accurately described the threats to consumers' information and privacy. This blog has reported about numerous instances of corporate data breaches, mobile apps that collected consumers' sensitive data without notice nor consent, developers that fail to provide privacy policies with their mobile apps, app developers that failed to provide privacy notices for parents about apps for their children, secret tracking of online users, software foisted on users without notice during maintenance updates, and a variety of technologies (e.g., Zombie HTTP cookies, Flash cookies, Zombie E-tags, behavioral exchanges, deep packet inspection, e-readers) used by a variety of companies to snoop and track users' online habits often without notice and consent.

More recently, a company has allegedly collected, stored, shared, and manipulated the metadata associated with photos and videos shared at social networking websites. Data privacy laws clearly have not kept pace with Internet and digital technologies.

The group's letter stated several principles in the proposed EU laws that should guide privacy efforts in both the U.S. and Europe:

"... (1) individual control over the collection and use of personal data; (2) transparency; (3) respect for the context in which data is collected; (4) security; (5) access and correction rights for consumers; (6) data limitation; and (7) accountability... These principles reflect many of the same goals contained in the European privacy initiative. But the key is that these principles must be given legal force..."

A copy of the letter is also available here (Adobe PDF, 67k bytes). Visit the CPDP website to learn more about the meeting held in Brussels last month.

5 Online Privacy Tips To Keep You And Your Family Safe

Monday will be Data Privacy Day (DPD), with celebrations in North America and Europe to raise awareness and provide consumers with education about privacy. DPD was started in 2008. This year's theme is, "Respecting Privacy, Safeguarding Data and Enabling Trust." This year's events will be started with a privacy forum at the George Washington University Law School in Washington, DC. Federal Trade Commissioner Maureen Ohlhausen is the keynote speaker. More events are scheduled nationwide throughout February.

To support this event, Anchorfree and the National Cyber Security Alliance have developed together a list of tips for consumers to maintain their privacy when connected to the Internet via your smart phone, tablet, or laptop/desktop computer:

"1. Risky business - Make sure all family members understand the public nature of the Internet and its risks. Any digital information they share -- emails, photos or videos -- can easily be copied and pasted elsewhere, and is almost impossible to take back. Anything that could damage their reputation, friendships, wallet or future prospects should not be shared electronically."

A recent study found that 30 percent of teenage girls meet in person strangers they met online. So, it is critical for parents and families to practice safe habits while connected to the Internet and in the physical world. If you are a parent, grandparent, or guarding who plans to buy a smart phone for a child, then you definitely should read this contract one smart parent created to help her manage her teen's online usage.

2. Keep it hidden, keep it safe - Make sure all family members are careful about sharing sensitive information such as birth date, addresses, phone numbers, location, financial information, social security numbers, passwords and vacation plans. Most reputable online services have privacy settings. Teach your kids how to use them, too."

3. Browse intelligently - Avoid using sketchy, unfamiliar websites, and delete suspicious emails, particularly those that ask for unnecessary personal information or request that you download something. These may be malware or phishing sites out to steal your personal data.

There are several products available to automatically delete browser HTTP cookies and other files (e.g., Flash Cookies, and other LSO's = Locally Shared Objects) websites use to track you while connected to the Internet. This blog has reviewed some of them, including the MAXA Cookie Manager. I use the BetterPrivacy plugin with the Firefox browser.

The next item is critical because smart phones and tablets save a ton of metadata with each photograph or video you take. The metadata with your photos include a lot of descriptive information, including but not limited to a photo description (e.g., title, subject, tags, comments), author, date and time created, copyright information, image description (e.g., dimensions, resolution, color details, compression), camera description (e.g., make, model, F-stop, exposure, flash mode, zoom setting, lens maker, lens model, serial number, EXIF version), and file information (e.g., date created, date modified, file type, file name, size, attributes, owner, computer name). From photo metadata combined with your GPS location, a company can tell a lot about you, your purchases, your lifestyle, plus what you did/spent when and where.

That metadata gets uploaded to your favorite social networking website whenever you upload photos. Some social networking sites collect, save, and share all of that metadata. Others use some of it. So, consumers should:

4. Turn off geolocation - Many apps' permissions include backdoor location trackers that are constantly streaming your location. If you're not actively using your phone to navigate, turn them off. The FTC recently noted that many apps aimed at children are disclosing location; make sure your kids are following this rule of thumb as well."

The last tip cannot be over emphasized. Public WiFi hotspots are everywhere. If you expect to perform sensitive tasks (e.g., online banking, access/use sensitive documents from your employer) while connected to a public WiFi hotspot, you should:

5. Get behind a shield - Use a VPN such as Hotspot Shield, which will help identify malware sites and provide a secure, encrypted connection to the Internet for desktop or mobile devices, protecting your browsing from hackers and snoops. This is particularly important when using public Wi-Fi or other unknown networks."

AnchorFree produces Hotspot Shield. There are other brands available. Take a look at Get Cocoon and PrivateWiFi.

The National Cyber Security Alliance is a nonprofit organization formed to educate and empower consumers about Internet privacy. It collaborates with government, corporate, other non-profit and academic entities. NCSA board members include: ADP, AT&T, Bank of America, EMC Corporation, ESET, Facebook, Google, Intel, McAfee, Microsoft, PayPal, Science Applications International Corporation (SAIC), Symantec, Trend Micro, Verizon and Visa.

Some of those board members have a ways to go regarding privacy in their products or services. As a business consultant, I regularly use VPN software to remotely and securely access my clients' networks and servers. This blog post is not an endorsement of Hotspot Shield, since I have not used it.

What's your opinion of this list of tips? What VPN software do you use?

Survey: Banking And Financial Executives Say Unethical Or Illegal Behavior Is Necessary To Succeed

A recent ethics survey of banking and financial executives in the USA and UK found that:

"Misconduct is still widespread... 26% of respondents indicated that they had observed or had firsthand knowledge of wrongdoing in the workplace. Nearly one-fourth of respondents believed that financial services professionals may need to engage in unethical or illegal conduct in order to be successful... 16% of respondents, would commit a crime–insider trading–if they could get away with it. Nearly one-third of all financial services professionals reported feeling pressured by bonus or compensation plans to violate the law or engage in unethical conduct. Nearly one-quarter of the respondents felt similar pressure from other sources... Only 41% of respondents reported that staff within their own organization had “definitely not” engaged in unethical or illegal conduct to be successful. 39% of UK respondents believed that others in their company have definitely not engaged in such misconduct to get ahead. 43% of US respondents had a similar view..."

Yes, you read that correctly. About a quarter of survey responds said it was okay and maybe necessary to perform unethical or illegal behaviors to succeed in business. And given the survey findings, some of the same respondents don't simply believe this, but also saw unethical/illegal behavior in the workplace.

Survey respondents have a dim view of government regulators:

"Only 30% of all respondents felt that the SEC/SFO effectively deters, investigates and prosecutes securities violations... In the UK, 34% of financial services professionals felt that the SFO is effective... In the US, only 26% of financial services professionals felt the SEC is effective... With respect to FINRA and the FSA, only 29% of all respondents felt these agencies effectively deter, investigate and prosecute securities violations... In the UK, 32% of financial services professionals felt that the FSA is effective...In the US, 27% of financial services professionals felt FINRA is effective."

About the risks to whistle-blowers of exposing wrongdoing within their banks, the survey found:

"...14% of all respondents believed that their employers were likely to retaliate if faced with a report of wrongdoing in the workplace..."

Banking and finance seems to be an ethics-challenged industry. The researchers concluded:

"The best way to avoid corporate scandals is to establish and nurture a culture of integrity in the workplace. Too often, scandals result from a long chain of mistakes, where one breakdown in judgment cascades to another breakdown, and then another. In time, isolated and seemingly random unethical or illegal choices snowball..."

The survey (Adobe PDF), conducted during June 2012 by Populus and the law firm Labaton Sucharow, included 500 senior-level executives. Labaton Sucharow provides legal services to protect and advocate for whistle-blowers who report violations to the SEC. The firm also represents companies, institutional investors, and consumers in complex securities litigation.

Executives' attitudes extend far beyond finance. Recently, a Federal U.S. appeals court found that a bank's poor data security was responsible, after thieves used wire transfers to steal about $689,000 from a construction business. Among its failures, the bank also failed to notify the company about the wire transfers it was processing.

With attitudes like this among banking executives, now is not the time for politicians to argue for less regulation. Survey results like this are a call for agencies like the FTC, DOL, and SEC to step up their monitoring programs.

Credit Reporting Agency Wants Access To Your Facebook, LinkedIn, And Twitter Information

The leading credit reporting agency in Germany wants access to your personal data at popular social networking websites. Spiegel Online reported that business documents leaked to the news media describe the interest by Schufa to access and data-mine consumers' profile, messages/posts, and connections information at Facebook.com, LinkedIn.com, and Twitter.com data to evaluate consumers' creditworthiness.

Schufa's interest seems to focus on both the relationships between consumers (e.g., who you know), residential addresses, and address changes. Reportedly, there are about 20 million Facebook users in Germany, and Schufa has credit files on about 66 million consumers.

Data Breach At LinkedIn.com Exposes Passwords of 6.5 Million Users

Several news sources have reported a data breach at LinkedIn.com, which affected as many as 6.54 million users' passwords. According to The Next Web:

"Norwegian IT website Dagens IT reported the breach, with 6.5 million encrypted passwords posted to a Russian hacker site. Security researcher Per Thorsheim has also confirmed reports..."

Even though the passwords were encrypted, about 300,000 had already been cracked. At press time, LinkedIn had not issued an announcement. LinkedIn is a popular social networking website for professionals to find jobs and establish business contacts.

Experts advise LinkedIn.com users to change their passwords. And, if you use the same password at other websites, you should change those, too. That means, you will need to change the passwords for any mobile apps, too.

This potential breach is in addition to other bad news. Earlier today, researchers at Skycure Security discovered that the LinkedIn.com apps for iPhones and iPads leak sensitive, complete meeting details without notice to users, a potential violation of Apple's privacy policy. Plus, the apps don't really need the full meeting details collected and transmitted.

Read more about this breach at the New York Times.

I already changed my LinkedIn.com password, and I am glad that I don't use the same password everywhere. I look forward to hearing from the LinkedIn.com management about their breach investigation and data security fixes.

Update {2:30 PM EST]: The LinkedIn blog advises its users to change their passwords.

Update [8:00 PM EST]: after several news sources reported that the hackers had stolen passwords from both LinkedIn.com and the eHarmony.com dating website, eHarmony also advises its users to change their passwords.

Update [10:00 PM EST]: Forbes correctly warns that if LinkedIn doesn't fix its data breach and detect ongoing threats, then users changing passwords may not be enough.

Update [11:30 PM EST]: LinkedIn confirms breach.

Why Cyber Criminals Attack: For The Money

Last week, the Ponemon Institute and Check Point Software Technologies released the results of a joint survey, "The Impact of Cybercrime on Business" (Adobe PDF), conducted to better understand the nature of online attacks which businesses of all sizes face. The survey included executives from companies in several countries. Key survey findings:

• Companies experience an average of 66 cyber attacks per year
• Mobile devices (e.g., smart phones and tablets) present an increased breach risk
• Cyber crime is expensive, costing companies on average
• Criminals attack for the money

Almost all survey participants said:

"... the primary goal for cybercriminals is financial fraud and/or access to the company’s financial records. In the U.S. and UK, financial gain is followed by theft of customer data. Approximately five percent of security attacks are motivated by political or ideological agendas."

So, identity thieves and cyber criminals attack employers to steal money: the employer's and/or yours. And, the criminals will attempt to use your mobile devices to gain access to employer's networks:

"... Hong Kong and Brazil report on average the highest percentage of mobile devices infected an act of cyber crime... the lowest average of infected mobile devices and machines connected to the network at 11 percent in the U.S. and nine percent in Germany."

The Ponemon/Check Point survey included more than 2,600 experienced business leaders and IT security practitioners from commpanies located in the United States, United Kingdom, Germany, Hong Kong and Brazil.A similar study by Symantec found that 50% of cyber attacks focused on businesses with fewer than 2,500 employees, and targeted mobile device and social networking users.

The Ponemon Institute helps both public sector and privbate sectors by performing independent research on privacy, data security, and information protection. Check Point Software Technologies provides organizations with a veriety of solutions to secure online networks and data.

Security Report Describes Multiple Threats Targeting Apple And Android Mobile Devices

Your Apple brand mobile device may not be as secure as you think it is. Trend Micro released a report last week about mobile device security. Key findings from the report:

• During the first three months of 2012, Apple led all major technology vendors with 91 reported vulnerabilities (http://cve.mitre.org/); followed by Oracle (78), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27), and  Apache (24).
• During the same period, Android-based smartphone suffered from the most cyber criminal attacks. Trend Micro identified about 5,000 new malicious apps that target Android devices

The report described a variety of scams and threats targeting mobile device users worldwide. The “one-click billing fraud” scam is particularly nasty. In this scam, thieves target video sharing websites. When a person clicks on a link to view a video, the link redirects to a website that downloads a software virus to their device. The virus locks up the person’s device and demands payment to unlock the device. This scam now targets Android-based smartphones.

Some scams used email hoaxes about new products to spread malware:

“Free “iPad 3” giveaway promos stirred up interest in the product even before its launch and infected systems with malware. Twitter spam touting free McDonald’s gift cards redirected users to adult dating sites..."

Some scams used new social networking sites to spread computer viruses:

“New social networking site, Pinterest, gained not just popularity but also notoriety. Site users were drawn into “re-pinning” a Starbucks logo to get supposed gift cards but instead got Malware.”

The report describes another type of scams, often referred to as “ransomeware” which:

“Refers to a class of malware that holds systems and/or files “hostage” unless victims pay up...”

Ransomeware may also encrypt files on the hard drives of victims’ infected devices, and demand payment to release the encrypted files. Trend Micro reported that this scam previously operated in Russia, but has now spread to several countries in Europe. A variation of this scam includes the use of police department logos on a landing page which demands that victims with infected computers pay a bogus fine for accessing Internet port and materials with violent content.

Before installing apps on your smartphone, the report’s authors advice consumers to:

1. Be ready to give out some personal information.
2. Know that a third-party will gain access to your personal information.
3. Know the app developer’s reputation

Download the “Security In the Age of Mobility” report (Adobe PDF, 2.1 MBytes).

ICO Updates Requirements For Data Breach Disclosures

The Information Commissioner’s Office (ICO) recently updated its data breach disclosure regulations for ISPs and telecommunications providers in the United Kingdom. To make reporting requirements easier for businesses, the ICO suggests that companies submit a list of data breaches monthly.

However, companies would still need to report major breaches in detail and separately. The existing regulations require companies' breach disclosures to include:

"The nature of the breach; the consequences of the breach; and the measures taken or proposed to be taken by the provider to address the breach."

The existing regulations require companies to maintain a log of any breaches affecting consumers personal information, and to provide affected consumers or customers with a breach notification covering:

"The nature of the breach; contact details for your organisation where they can get more information; and ow they can mitigate any possible adverse impact of the breach."

Companies do not have to report data breaches where the data is protected by encryption. The ICO describes itself as:

"... the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals."

A 24 Year Old Student Issues The Challenge: Europe Versus Facebook

Whether you use Facebook or not, this bears watching. After researching the issues, a 24 year-old student from Vienna is challenging how Facebook treats members' personal information: data collection and deletion. Not liking what he found, his next steps were a series of 22 clear and well-reasoned complaints submitted to the Irish Data Protection Commissioner, since European users have a relationship with the Facebook subsidiary located in Ireland.

According to Kim Cameron's blog:

"Europe versus Facebook, which seems eventually to have become an organization, then opened its own YouTube channel. As part of the documentation, they publicised the procedure Max used to get his personal CD... So many people applied for their own CDs that Facebook had to send out an email indicating it was unable to comply with the requirement..."

The article confirms what I found in this prior post about Facebook social plugins: they monitor your usage across the Internet whenever you visit a site with the Like button (or other Facebook social plugins). Using a different web browser may or may not provide the privacy you seek.

For English, click on both the CC and annotation icons to see subtitles in English.

France Isses New Breach Notificaton Law for ISPs And Telecommunications Companies

Information Age reported that Internet service providers and telecommunications companies operating in France must report data breach to both the affected consumers and government regulators. The France lesgislation defines a data breach as:

"... any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure or unauthorised access to personal data."

ISPs operating in France must report data breaches to their regulator, the the Commission nationale de l'informatique et des libertés (CNIL). Violators face both prison time and a Euro 300,000 fine. Germany and Spain have similar breach notification laws, but the fines are far lower -- less than one percent of the fine in France.

Hays Apologizes For Email That Caused Breach At Royal Bank of Scotland

An employee at Hays, a global staffing and recruitment company used by the Royal Bank of Scotland (RBS), apparently sent an email which caused a data breach at RBS. According to the Kroll Ontrack Data Recovery blog, the email message:

"... detailed the pay rates of around 3,000 contract employees and was sent to some 800 RBS staff... Research by the Ponemon Institute earlier this year revealed that 19 per cent of data security breaches in the UK were caused by mistakes with emails..."

In 2009, the UK Office of Fair Trade fined hays 30.4 million pounds for price-fixing violations, allegedy to prevent a competitor from entering the construction industry.

In 2008, a hacker broke into the computer systems of RBS' payment processing unit, RBS WorldPay. About 1.5 million records were stolen, including the Social Security Numbers of about 1.1 million consumers. Several class-action lawsuits resulted from that data breach.

A year ago this month, the UK Financial Services Authority (FSA) fined members of the Royal Bank of Scotland Group (RBSG) 5.6 million pounds (about US $8.9 million) for failing to have adequate processes and controls, when RBS allegedly performed money laundering to companies on the UK financial sanctions list.

Kroll Ontrack provides a variety of services for companies to search, analyze, and recover data, including computer forensic analyses. In 2007, IBM hired Kroll to assist with IBM's February 2007 data breach. Kroll provided credit monitoring services to IBM's data breach victims.

KPMG Survey: A Typical Corporate Fraudster Is...

KPMG recently released its 2011 Who Is A Typical Fraudster? report, describing the profile of a typical corporate fraudster, the impacts and amounts stolen, industries where fraud tends to concentrate, and the conditions which enabled the fraud. The report included 348 events in 69 countries. The fraud events included "white collar" crimes such as:

"... misstatement of financial results, theft of cash and/or other assets, abuses of expenses, and a range of other fraudulent acts."

The report excludes acts of no material value and misconduct.The report does not mention names. The average duration of the fraud was almost three and a half years from the start until its detection. In 74% of the incidents, fraudsters exploited weak internal controls. Companies fail to read and act quickly on the warning signs:

"The number of fraud cases preceded by a red flag rose to 56 percent of cases in 2011, from 45 percent in 2007... Just 6 percent of initial red flags were acted on in the 2011 analysis... Rarely is an act of fraud a one-off... In 2007, 91 percent of fraudsters were repeatedly fraudulent, compared with 96 percent in the 2011 analysis."

The average loss was $1.4 million in Asia Pacific, $1.1 million in the Americas, and $900k in Europe. The report described the following as one of the most interesting cases in the United States:

"At a U.S. financial institution, a larger-than-life chief executive surrounded himself with an inner circle of "yes men." The fraud, which involved subterfuge and complex bundling and unbundling of loans and transactions to make bad loans appear good... The investigation quickly uncovered conflicting stories told by the CEO's inner circle and the people working with the loans and customers. This case illustrates, in particular, how dominant and bullying behavior can coerce others to participate in fraudulent activity."

The corporate fraud includes identity theft. A case from Switzerland:

"Fraudsters attempt to extract money from dormant accounts or they assume the identity of a customer to trick advisers into making payments or transfers. Often this involves the collusion of an external party with an internal ally..."

I also found the consequences interesting:

• Disciplinary action: 40% of cases (54% in the Americas; 23% in Asia Pacific)
• Regulatory, legal enforcement: in 45% of cases
• Civil recovery: 23% of cases
• Resignation/voluntary retirement: 17% of cases (25% in Asia Pacific)
• Out-of-court settlement: 6% of cases
• No action taken: 3% of cases

The profile of a typical corporate fraudster:

• Male (87% were men)
• 36 to 45 years of age (41% were ages 36 to 45; 33% were ages 45 to 55)
• Committed the fraud against his own employer (90% committed the fraud against their employer)
• Works in the finance function or in a finance-related role (32% worked in finance; 26% were CEOs; 25% were in operations/sales)
• Holds a senior management position (29% were in management; 53% were in senior management)
• Employed by the company for more than 10 years (33% employed more than 10 years; 29% employed 3 to 5 years; 26% employed 6 to 10 years)
• Committed the fraud in collusion with another employee (61% acted with others)

The report mentioned this about collusion:

"... male perpetrators (64%) are almost twice as likely to collude than women (33%). After taking account of male dominance in the perpetrator group, collusive females account for just 4 percent of activity. Perpetrator groups are most typically all-male or mixed gender."

KPMG is a tax, auditing, and advisory firm operating in 144 countries. A KPMG auditor caused a data breach in May 2010 when the auditor lost a flash drive containing 4,500 unencrypted patients records.

German Teen's Facebook Party Invite Creates Out Of Control Party

If I had to pick only one story to highlight the need for good security settings on your social media accounts, I'd pick this story.

The Huffington Post reported that a teenage girl in Hamburg, Germany wanted a birthday party with a few friends and family, but didn't check her security settings for the party invite on Facebook. Instead, the Facebook invite was public and went viral.

The teenager and her parents quickly realized the problem when 15,000 people accepted the party invite. They cancelled the party, sent several party cancellation notices, and informed local police. The parents also hired a security service to protect their home. This was a wise move, since 1,500 people showed up for the party despite the cancellation notices. About 100 police officers managed to keep order.

Yet Another Data Breach At Sony; Playstation Network Returns Online in Phases

Several news organizations reported that hackers attacked Sony Ericsson's Canadian eShop website. This latest Sony data breach affected only about 2,000 consumers. The Canadian eShop website provides accessories and support for phone customers. At press time, portions of the Canadian eShop website were unavailable.

The Canadian eShop breach is more bad news for Sony after massive data breaches at its Playstation Network and Online Entertainment units. Sony forecasts its breach-related costs in the United States at $171 million for the coming fiscal year ending March 2012, excluding any lawsuits.

On Tuesday last week, Sony disclosed a breach at its Sony Music Entertainment Greece website, which affected about 8,500 customers. Sony also disclosed that an unauthorized user had accessed and changed its Sony Music Indonesia website, and a hacker may have accessed its Thailand website to send e-mail spam.

On Friday May 27, Sony announced a phased restoration of service at its Playstation Network unit:

"... Sony Network Entertainment International (SNEI, the company) will begin a phased restoration of PlayStation®Network and Qriocity Services in Japan and Asian countries and regions including Taiwan, Singapore, Malaysia, Indonesia, and Thailand*1 on May 28. A new identity protection program will also be offered in conjunction with the phased restoration for PlayStation Network and Qriocity customers in Japan..."

Second Sony Data Breach Exposes Personal Data of 24 Million Consumers

You've probably heard of the massive Sony Playstation Network data breach that affected 77 million customers. Well, there has been a second Sony data breach.

In a May 2 press release, Sony Online Entertainment (SOE) announced that hackers had breached its servers and stole consumers' sensitive personal information, including name, address (city, state, zip, country), email address, gender, birth date, phone number, sign-in credentials (e.g., login name and hashed password), and debit/credit card account information:

"Customers outside the United States should be advised that we further discovered evidence that information from an outdated database from 2007 containing approximately 12,700 non-US customer credit or debit card numbers and expiration dates (but not credit card security codes) and about 10,700 direct debit records listing bank account numbers of certain customers in Germany, Austria, Netherlands and Spain may have also been obtained."

The stolen bank account data included bank account number, account holder name, and account holder address. All of the above stolen personal data is sufficient for identity criminals to open fraudulent accounts and/or access existing accounts. SOE is notifying affected consumers via e-mail with Innovyx, their third-party email distributor. Reportedly, the e-mail notifications will contain either 'soe.innovyx.net' or 'soe.sony.com' in the sender field. SOE has also:

"Temporarily turned off all SOE game services; engaged an outside, recognized security firm to conduct a full and complete investigation into what happened; and quickly taken steps to enhance security and strengthen our network infrastructure..."

In a May 3 press release, SOE announced an update of their breach investigation:

"This information, which was discovered by engineers and security consultants reviewing SOE systems, showed that personal information from approximately 24.6 million SOE accounts may have been stolen..."

Since SOE gaming websites are down, SOE will add 30 days onto its customers' subscriptions and compensate them for each day of downtime. SOE produces popular, multi-player online games, including EverQuest, EverQuest II, Champions of Norrath, Clone Wars Adventures, and DC Universe Online.

Given that debit and credit card data was stolen, consumers should check their bank accounts for fraudulent entries and change their sign-in passwords. The SOE breach notification contains the usual disclosures advising consumers to check their credit reports for fraudulent entries and to contact the U.S. Federal Trade Commission's identity theft website for advice and tips about how to protect themselves and their bank accounts.

The Four Pillars of Online Data Privacy

A few weeks ago, I blogged about personal identity information values -- shopping and acting online consistent with what you deem important. eGov precently published comments by the European Union (EU) Justice Commissioner, Vivianne Reding, about privacy for individuals. Reding's view of privacy for individuals in an online digital world includes four pillars:

1. The “right to be forgotten” - a combination of consumers' right to withdrawn or opt-out of any data collection efforts by companies, and the burden on companies to prove first that they have a need to archive and store the sensitive personal information of consumers they have already collected.

2. "Transparency" - to build consumers' trust, companies should fully disclose and inform consumers about what personal data they collect about consumers and why, how they use the personal data collected, the names of all third-party companies they share personal data with, the rights of consumers for remedies when consumers' rights are violated, and the risks with the personal data companies ask consumers to share.

3. "Privacy by default" - in too many instances companies build websites with privacy controls that are so complicated and convoluted that consumers can't effectively make their personal data private. In these websites, there really isn't any privacy and the websites' privacy controls don't reflect consumers' true consent. Reding believes that this situation must change, and that private should mean private.

4. "Protection by data location" - privacy standards for EU citizens should be consistent regardless of where consumers' personal data is stored. For example, if an EU resident's personal data is collected and stored by a U.S.-based company, then that company must comply with EU privacy standards, not U.S. privacy standards.

All of these pillars make perfect sense to me, but I see the fourth pillar being particularly tough. It's logical extension would force a website operator to konw, track and comply with a multitude of countries' varying privacy policies. My impression is that many corporate executives would be unhappy with having to work within the boundaries of all four pillars (not just the fourth), when they usually don't have to today.

I especially agree with Reding about the risks stated in the second pillar. Explanations about risks from sharing personal data apply to all consumers, but especially to youth who don't yet understand how business works and how companies use personal information. The risks and consequences should be explained to consumers about personal data that companies may make public permanently that consumers cannot make private again.

Over at the Guardian UK, columnist Mayes contests Reding's second pillar:

"But does the "right to be forgotten" really have a sound basis? In British law there is no right to be forgotten, but there are a host of laws to protect your identity and personal data... But to say there should be a right to be forgotten is to say we can live outside society. We can't."

To me, it's not about living "outside of society." For a lot of perfectly valid reasons, a consumer may decide to live off the grid, or entirely off-line. It is about consumers' control; the ability to control when and where your sensitive personal information is archived. Without the second pillar, there is no real control for consumers.

What do you think of these four pillars?

German Government Proposes New Data Breach Notification Law

In its "Privacy and Information Security Law" blog, the Hunton and Williams law firm announced that the German government has proposed a new data breach notification law:

"... telecommunications companies must report data breaches to the Federal Network Agency (the Bundesnetzagentur or “BNetzA”), and the Federal Commissioner for Data Protection and Freedom of Information. In the event the rights or protected interests of subscribers or other persons are affected by the data breach, such individuals also must be notified without undue delay."

While the notification of affected consumers is not required if the data is encrypted, the BNetza retains the right to require any telecommunications companies to notify consumers regardless of the data security protections in place at the time of the breach.

The new breach notification rules are part of broader changes under the European e-Privacy Directive, scheduled to go into effect in May of 2011. Other changes in these new European Union directives include tightened rules about how companies treat, collect consumers' data, and obtain consent with consumers' web browser cookies.

St. Petersburg Times Interview: Heartland's Chief Information Officer

Recently, the St. Petersburg Times interviewed Steven Elefant, the Chief Information Officer Heartland Payment Systems hired after its disastrous data breach in 2009. With 130 million debit/credit card numbers stolen, that data breach was the largest corporate data breach in history. Consumers at banks and credit unions were affected. Several class-action lawsuits resulted and Heartland paid numerous fines, as banks had to reissue debit/credit cards to affected breach victims.

Prior to joining Heartland, Elefant held positions within the U.S. Secret Service and the F.B.I. crimes tasks forces. I found some of Elefant's comments very interesting, as it highlights the global nature of identity theft and fraud. About the person caught and convicted of the breach:

"... Gonzalez was not the mastermind. He was working with organized criminal rings in Eastern Europe, Ukraine and Russia. They will sell your stolen credit card numbers today over the Internet for $5 to $20 apiece. U.S. law enforcement knows exactly who they are but cannot get them extradited. Some of these countries have no cyber crime laws, so they cannot arrest them there..."

Thieves make money with stolen debit/credit card account information when they:

"... sell the numbers to other bad guys who obtain blank cards and an imprinter — used ones are available on eBay or Craigslist — and print their own credit cards or make counterfeit gift cards. They use the cards to buy big-ticket items like a $1,000 TV they sell for $500 to people who don't realize it's stolen merchandise."

About how Heartland's retail clients have responded after the breach:

"We lost very few clients and have been flat since then. So far about 10,000 of our 250,000 merchants have adopted end-to-end encryption."

If you want to learn more about Elefant, there is a good article at BankInfo Security.