FTC Seeks Information From The Public About How Identity Theft Impacts Elders

The U.S. Federal Trade Commission (FTC) seeks information from the public about how identity theft and fraud impact senior citizens. According to the Bureau of Justice statistics, 11.7 million people, about 5 percent of the population ages 16 or older, were victims of identity theft between 2006 and 2008. The FTC is concerned that:

"... seniors may be particularly susceptible to identity theft. They are often targeted for phishing scams; some seniors have granted powers of attorney giving wide access to their personal information; and most seniors' Medicare cards list their Social Security numbers. In addition, the personal information of senior citizens may be vulnerable in hospitals, nursing homes, and other care facilities."

To learn about the problem, the FTC seeks:

• Original research about the scope of identity theft and elders,
• The types of scams (e.g., phishing, tax, power of attorney, door-to-door) targeting elders,
• Obstacles to fighting or preventing this identity theft,
• Solutions by both the public and private sectors, and
• Any related issues

The FTC focuses upon enforcing laws, sharing its identity-theft complaint data with local law enforcement, and educates both consumers and businesses about data security. The FTC has brought actions against 35 companies for failing to adequately safeguard the sensitvie consumer data stored. In the summer of 2011, the FTC held a forum on the impacts upon children of identity theft. In September 2011, the FTC testified before Congress (Adobe PDF) about the problem and the actions it was taking.

Comments and submissions must be received by July 15, 2012. Information can be submitted in electronic or paper formats. Submissions should be mailed or delivered to:

Federal Trade Commission
Office of the Secretary
Room H-112 (Annex L)
600 Pennsylvania Avenue, N.W.
Washington, DC 20580

Submissions received will be made public on the FTC website.

The FTC helps consumers to prevent fraudulent, deceptive, and unfair business practices. It also provides information to help consumers spot, stop, and avoid them. If you have been a victim of identity theft and fraud, you can file a complaint in English or Spanish at the FTC Complaint Assistant website, or call 1-877-FTC-HELP (1-877-382-4357). The FTC compiles complaints it receives into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad.

Slamming And Your Home Energy Bills

Recently, an I've Been Mugged reader wrote asking me about what to do with their home energy bill. The reader was concerned that they had been "slammed" -- their energy supplier had been switched without their approval. When thinking about situations like this, it is important for consumers to understand your rights first.

Each state in the USA has a Public Utility Commission (PUC) or state agency to govern and regulate which companies are licensed to sell energy (e.g., electricity, natural gas). So, to understand your rights a good first step is the PUC website for the state where you live.

I'll use the state where I live as an example. In Massachusetts, some private companies are licensed to sell only electricity, some only gas, and some both. The Executive Office of Energy and Environmental Affairs (EEA) provides the lists of licensed energy sellers in Massachusetts. Obviously, this is a list consumers would use to verify any private company selling energy in the state, especially door-to-door sales people.

The same EEA website describes consumers' various rights about energy services. For example, the "Cooling Off Period" describes the length of time consumers can change their mind after switching to a new energy service provider:

"Your choice of a competitive power supplier will not take effect for at least three business days. Should you change your mind during that three day period, you will not incur any charges."

The site also describes consumers' rights about slamming:

"A competitive power supplier may not switch you to its service without your consent. Your consent must take the form of either: 1) a written letter of authorization signed by you; or 2) your oral statement to an independent third party, such as a separate verification company. If you are switched without your authorization, you may file a complaint with the Massachusetts Department of Telecommunications and Energy by calling 1-800-392-6066."

Historically, slamming happened a lot with phone services, but lately it can happen with energy services, too. In 2011, the Georgia Public Service Commission (PSC) fined gas marketer Energy America with a $400,000 penalty for customers it "slammed." While some companies approach consumers at home, others perform phone solicitations.

Before accusing a company of slamming your energy service, I would first check with other members in the home, or a landlord, to see if somebody else signed an order to switch service. Then, I would contact the new energy supplier to get the sales person's name and a copy of that new-service order.

If slamming is still a concern, other steps I might perform in order:

1. Check the website of my existing energy supplier to see what they advise about slamming
2. Check my state's PUC website to understand my rights and what they advise about slamming
3. File a complaint with the PUC in the state where I live
4. File a police report with local law enforcement, since it is fraud to forge another person's signature
5. File a complaint with the Federal Trade Commission
6. Consult with an attorney to see what other options there may be for consumers

Having difficulty finding the website for your state's PUC? This list may help.

Security Report Describes Multiple Threats Targeting Apple And Android Mobile Devices

Your Apple brand mobile device may not be as secure as you think it is. Trend Micro released a report last week about mobile device security. Key findings from the report:

• During the first three months of 2012, Apple led all major technology vendors with 91 reported vulnerabilities (http://cve.mitre.org/); followed by Oracle (78), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27), and  Apache (24).
• During the same period, Android-based smartphone suffered from the most cyber criminal attacks. Trend Micro identified about 5,000 new malicious apps that target Android devices

The report described a variety of scams and threats targeting mobile device users worldwide. The “one-click billing fraud” scam is particularly nasty. In this scam, thieves target video sharing websites. When a person clicks on a link to view a video, the link redirects to a website that downloads a software virus to their device. The virus locks up the person’s device and demands payment to unlock the device. This scam now targets Android-based smartphones.

Some scams used email hoaxes about new products to spread malware:

“Free “iPad 3” giveaway promos stirred up interest in the product even before its launch and infected systems with malware. Twitter spam touting free McDonald’s gift cards redirected users to adult dating sites..."

Some scams used new social networking sites to spread computer viruses:

“New social networking site, Pinterest, gained not just popularity but also notoriety. Site users were drawn into “re-pinning” a Starbucks logo to get supposed gift cards but instead got Malware.”

The report describes another type of scams, often referred to as “ransomeware” which:

“Refers to a class of malware that holds systems and/or files “hostage” unless victims pay up...”

Ransomeware may also encrypt files on the hard drives of victims’ infected devices, and demand payment to release the encrypted files. Trend Micro reported that this scam previously operated in Russia, but has now spread to several countries in Europe. A variation of this scam includes the use of police department logos on a landing page which demands that victims with infected computers pay a bogus fine for accessing Internet port and materials with violent content.

Before installing apps on your smartphone, the report’s authors advice consumers to:

1. Be ready to give out some personal information.
2. Know that a third-party will gain access to your personal information.
3. Know the app developer’s reputation

Download the “Security In the Age of Mobility” report (Adobe PDF, 2.1 MBytes).

Hackers Target Facebook Users With New Malware Tool To Steal Credit Card Information

In case you haven't heard, scammers and identity thieves have targeted social networking users. Trusteer reported a new scam by identity theives using a new version of the "Ice IX" malware.

After a Facebook member (within an infected computer) has logged into their Facebook account, the "Ice IX" malware spawns a new browser with a fake Facebook page which prompts users to enter credit card information for supposed additional data security protection. Of course, no security protection is provided, and the malware steals both the consumer's credit card information and other sensitive personal data stored on your computer.

This is another fine example of the creativity and persistence of scammers and identity thieves. Visit the Trusteer website to view screen images of the fake Facebook page. To learn more about how to protect yourself when using Facebook.com and its mobile apps, see the links in the "Using Facebook Safely" module in the near-right column.

The Bright Side of Identity Theft And Fraud For Consumers

In a New York Times article titled, "The Bright Side Of Being Hacked," reporter Somini Sengupta described several benefits for corporations of a data breach via hacking. The article concluded:

"Rather, what Anonymous has done, experts said at the big RSA computer security conference here last week, is raise the alarm about the unguarded state of corporate computer systems."

Yes, raised awareness is a good thing, as was recently discussed about unsecured corporate video conferencing systems. Sengupta's articles reminded me of a blog post I wrote in 2010 which listed six benefits for consumers of being an identity theft victim:

"1. Awareness: After an identity thief has stolen your personal data, account credentials, and/or money consumers seem to have a new awareness of of the value of their sensitive personal data.
2. Acceptance and curiosity: after having their identity information and/or money stolen, there is an acceptance that identity theft is a problem. There is a curiosity to learn about other ways identity thieves and criminals might harm them, so they can avoid this painful experience in the future.
3. Willingness to change behaviors: Not knowing how to protect yourself is terrifying to most people. The pain from this terror seems to be sufficient incentive for consumers to change their habits (e.g., practice safe online shopping habits, check their credit reports for accuracy, use strong passwords at online sites, maintain anti-virus software on their home computer, etc.). Of the people I have talked with, after being an identity-theft victim, none want to return to their old ways.
4. Stronger consumer interest: along with this awareness about identity theft is an interest in products, services, processes, and/or laws that address and protect the needs and assets of consumers. Getting good customer service seems to become more important, too.
5. Gratitude and appreciation: before becoming a victim of identity theft and fraud, many consumers perceive warnings by consumer and privacy advocates to be unnecessary and overly cautious. Some have called me paranoid. After experiencing the pain of the theft and fraud, a different attitude emerges which includes a sincere appreciation for identity theft protection advice to help them fix their fraud problem, and a context for listening to future warnings.
6. Participation in our democracy: when the perception is that local or federal laws haven't kept up with business practices, some been motivated to write to their Congressional reps to demand action."

While, identity theft and fraud are painful experiences for consumers, these events can be a huge wake-up call for consumers to change their habits and practice better data security habits at home, at work, at ATM machines, at their doctor's office, at social networking websites, and with their mobile devices.

Former MLB Player Jailed On Fraud And Identity Theft Charges

This story caught my attention for reasons you might find surprising. It did not catch my attention because it involves a celebrity. It caught my attention because it shows how employees and independent contractors can become identity theft and fraud victims via an employer.

The Sports Illustrated article, "How Lenny Dykstra Got Nailed" explains how former Major League Baseball player Lenny Dykstra was jailed on identity theft and fraud charges. To fund a lavish lifestyle, Dykstra allegedly asked his employees to use their credit cards, never repaid them for the purchases, and used without authorization their sensitive personal information (e.g., Social Security Number) to apply for loans.

This story also highlights the importance of filing identity-theft and fraud complaints with both local law enforcement, the FTC, and the CFPB. Filed complaints allow law enforcement to discover patterns they might not discover otherwise.

Wilberto Hernandez, a personal credit repair consultant in Los Angeles had phoned local police after he received a notice from a credit agency that his Social Security number had been presented for credit checks at two car dealerships. Hernandez had helped one of Dykstra's business associates with credit repair services. Local police quickly saw a pattern among police reports filed:

"By Christmas 2010, [the police detective] had spoken with 17 people—personal assistants, drivers, private jet pilots and housekeepers—who claimed that Dykstra did not pay them for services, used their credit cards or got hold of their Social Security numbers and opened credit cards in their names."

One victim's situation was particularly instructive:

"Christopher Gavanis, then 30, had just moved to Los Angeles from Pennsylvania. Gavanis... couldn't afford a car to help him find work—but he did have a sterling credit rating. According to an interview police conducted with Gavanis on April 14, 2011, Dykstra promised him the car he desperately needed in return for the use of his credit... Dykstra also promised Gavanis a job with Home Free Systems once clients started rolling in..."

High Value Targets

CFPB Reports List Of Consumer Complaints About Financial Products

In its annual report, the new Consumer Financial Protection Bureau (CFPB), a federal agency designed to ensure that financial products and services for consumers are beneficial for consumers, listed the leading complaints submitted by consumers. The CFPB accepts complaints about credit cards and mortgages.

The CFPB began operation on July 21, 2011. In its annual report (Adobe PDF) to the U.S. Congress, the CFPB reported that by December 31, 2011, it had received 13,210 complaints from consumers, including 9,307 credit card complaints and 2,326 mortgage complaints. 44% of all complaints were submitted through the CFPB website, and about 15% via telephone calls. The leading types of credit-card complaints received:

Leading Credit Card Complaints Reported By Consumers to CFPB. July 21 - Dec. 31, 2011	Number	Percent
1. Billing Disputes	1,278	13.7%
2. Identity Theft / Fraud / Embezzlement	1,014	10.9%
3. APR or Interest rate	950	10.2%
4. Other	854	9.2%
5. Closing / Cancelling Account	478	5.1%
6. Credit reporting	437	4.7%
7. Credit Card Payment / Debt Protection	383	4.1%
8. Collection Practices	378	4.1%
9. Late Fee	364	3.9%
10. Other Fee	334	3.6%
Total for Top 10 complaint types	6,470	65.9%

The types of mortgage complaints received:

Mortgage Complaints Reported By Consumers to CFPB. July 21 - Dec. 31, 2011	Number	Percent
1. Problems when you are unable to pay (Loan modification, collection, foreclosure)	889	38.2%
2. Other	540	23.2%
3. Making payments (Loan servicing, payments, escrow accounts)	501	21.5%
4. Applying for the loan (Application, originator, mortgage broker)	235	10.1%
5. Signing the agreement (Settlement process and costs)	96	4.1%
6. Receiving a credit offer (Credit decision/Underwriting)	65	2.8%
Total Mortgage Complaints	2,326	100.0%

The FTC advises consumers who experience identity theft or fraud with financial products to both submit a complaint to the CFPB and submit a complaint to the FTC.

I like the CFPB's mission and its website. The agency's consumer response mechanisms are still new and in their infancy. They will become more beneficial as the agency identifies and resolves problems. What is your opinion of the CFPB?

10 Tips To Recognize And Avoid Scams That Target Elders

In it's Winter issue of Consumer News, the FDIC provided several tips for consumers to recognize and avoid scams, identity theft, and fraud that target elders:

1. Choose an advisor carefully: perform research of any new broker, attorney, accountant, or other professional you are considering to hire. Meet with the professional and ask questions before making a hiring decisions. Also, check with the local consumer protection agency in your state.
2. Use the powers-of-attorney legal document carefully: FDIC experts want that this document can easily be abused by the appointed person. Review and discuss the document with a lawyer before signing.
3. Protect your personal financial information: Don't disclose bank account numbers, Social Security numbers, PINs (personal identification numbers), passwords or other sensitive information without first verifying the identity of the person requesting the information. Don't give out this information over the phone to unsolicited callers. Don't give out this information to door-to-door sales people.
4. Files at home: store your checkbook, account statements, and other sensitive information in a safe place. Shred paper documents containing sensitive information (e.g., Social Security numbers, bank account numbers, health care plan numbers, etc.) that is no longer needed.
5. Monitor financial accounts activity: closely review monthly credit card and bank account statements when you receive them. Look for unauthorized or suspicious transactions, and report them to your bank immediately.
6. Don't rush major financial or investment decisions: take your time to fully understand the offer. Ask questions if you don’t. If you need it, ask a lawyer or financial advisor to help you review any documents. Reject immediately anyone saying that you must make a decision immediately.
7. Be aware of reverse-mortgage scams: reverse mortgages allow homeowners ages 62 or older to borrow money from the equity in their homes. However, these arrangements have several risks and costs. The U.S. Department of Housing and Urban Development’s Federal Housing Administration (HUD or call 1-800-569-4287) provides guidance about how to use reverse mortgages and locate approved lenders or counselors.
8. Telemarketing calls: beware of unsolicited callers asking for money or personal information. Consider the national Do Not Call Registry (call 1-888-382-1222) to register to opt out of telemarketing calls.
9. Sending money: don’t comply with requests from strangers to wire money to a foreign location or to deposit a check into your account (perhaps as part of an online sale). the checks are usually bogus.
10. Social networking site use: if you use social networking websites, don't post the names of relatives, home addresses, and birth dates. Scam artists troll social networking sites looking for personal information to pretend to be a friend or family member.

To learn more about common frauds targeting seniors, visit the FBI Common Fraud Schemes site, the FDIC Consumer News site, or MyMoney.gov.

After reading this list of tips, I must say that it is good advice for consumers of any age.

FTC Releases Report Of Top Complaints Submitted By Consumers During 2011

Earlier this week, the U.S. Federal Trade Commission (FTC) released its annual report of the leading complaints filed by consumers. During 2011, identity theft (again) led the list of complaints. This is the 12th consecutive year that identity theft has led the list:

Type of Complaint or Scam	Number	% Of Total
1. Identity Theft	279,156	15%
2. Debt Collection	180,928	10%
3. Prizes, Sweepstakes and Lotteries	100,208	6%
4. Shop-at-Home and Catalog Sales	98,306	5%
5. Banks and Lenders	89,341	5%
6. Internet Services	81,805	5%
7. Auto Related	77,435	4%
8. Imposter Scams	73,281	4%
9. Telephone and Mobile Services	70,024	4%
10. Advance-Fee Loans and Credit Protection/Repair	47,414	3%

Other notable findings:

• Fraud: 990k of the 1.8 million complaints were fraud-related. 68% of consumers reported a fraud complaint where they paid an amount. The total amount paid was $1.5 billion, and the median amount paid was $537. 43% of consumers were contacted via email. The five states with the highest per-capita fraud reported were Colorado, Delaware, Maryland, Nevada, and Virginia.
• Identity Theft: Government documents/benefits fraud (27%) was the most common form reported, followed by credit card fraud (14%), phone or utilities fraud (13%), bank fraud (9%), and employment fraud (8%). 45% of consumers reported they contacted local law enforcement. The five states with the highest per-capita identity theft were Florida, Georgia, California, Arizona, and Texas.
• Countries: the top five countries were the USA (80%), Canada (4%), the United Kingdom (4%), Nigeria (2%), and Jamaica (2%).
• Age: consumers that filed complaints during 2011 were ages 50-59 (23%), followed by ages 40-49 (20%), ages 30-39 (17%), ages 60-69 (15%), and ages 20-29 (15%).
• Military: members from all four branches plus the Coast Guard reported complaints. For this group, identity theft ranked as the number one complaint, followed by Debt Collection. Mortgage Foreclosure Relief and Debt Management ranked as fourth for this group, compared to 13 for all consumers.

During 2011, consumers submitted about 1.8 million complaints, an increase of 24% over 2010. All complaints submitted by consumers are collected in the FTC Consumer Sentinel Network database, which contains 30 different categories of complaints. Download the 2011 FTC Consumer Sentinel Network Data Book (Adobe PDF).

Foreclosure Abuse Widespread

Last week, the San Francisco Assessor-Recorder office released the results of an audit (Adobe PDF) of about 400 home that were foreclosed on during 2009, 2010, and 2011. The audit found that about 84% of the homes had at least one violation of California foreclosure laws.

The office began the audit last Fall with Aequitas, a mortgage investigation firm, after problems surfaced in mortgage records requested by homeowners facing foreclosure. Assessor-Recorder Phil Ting said,

“When it became clear that property records were severely undermined, a red flag was raised... Those records are supposed to be filed with this office and many were simply missing or had serious inconsistencies..."

It's difficult to impossible for a homeowner to fight foreclosure when mortgage records are inaccurate or incomplete. Ting emphasized the need for state legislation to guarantee compliance with California foreclosure laws by the mortgage industry.

The register of deeds in Guildford County, North Carolina, examined 6,100 mortgage documents last year, and found signature irregularities in 4,500 (xx%). Experts see this as a clear indicator of the illegal practice of "robosigning" documents.

Seems to me it is time to both fine companies and send bankers to prison nationwide. Only then will this madness stop. Demand action from your elected officials.

Scammers Target American Airlines Customers With Phishing Emails

Earlier this week, a reader wrote about an email message he had received. The email message included a confirmation for tickets purchased through the American Airlines website. The reader was concerned that his bank information had been hacked, because he had not purchased any airline tickets.

The email message:

Subject: Your Order#647842534
Date: 15 Jan 2012 07:14:55 -0000
From: American Airlines (news-nr221@aa.com)
Reply-To: American Airlines (news-nr221@aa.com)
To: XXXXXXXX@XXXXX.com

Hello
FLIGHT NUMBER AA683
ELECTRONIC 885741402
DATE & TIME / JANUARY 30, 2012, 10:22 PM
ARRIVING / Raleigh
TOTAL PRICE / 395.22 USD

Please find your ticket attached. You can print your ticket. Thank you for your attention.
American Airlines.

The email included a ZIP file attachment. Clearly, this was a phishing email scam since it included an incomplete itinerary and the ZIP file attachment. A real airline wouldn't do either. Like most phishing emails, this one tries to trick consumers to open the ZIP file attachment which installs a computer virus on the victim's computer to collect password data, directs the victim's web browser to a fake American Airlines website to collect personal data, or both.

If you receive a phishing message like this, or from any other airline, experts advise consumers to:

• Don't click on any links within the email message,
• Don't open any files attached to the email message,
• Don't send a reply email message to the sender,
• Manually enter the website address into your web browser to visit the airline's official website to verify the email message, and
• Check your credit card or bank statement for any fraudulent charges

The official American Airlines website has a page devoted to phishing email scams. It provides examples of various email scam messages, and advises consumers:

"American Airlines will never ask you to perform security-related changes to your account in this fashion or send emails to collect user names, passwords, email addresses or other personal information. If you receive an email claiming to be from American Airlines, that asks for account information, it should be considered fraudulent... do not click on any links, open any attachments, call any phone numbers listed or follow any instructions in the email. Instead, forward a copy of the email, including the header to webmaster@aa.com so that we can investigate further."

The Snopes.com website also contains information verifying email phishing scams, including the above scam.

Zappos Data Breach Affects 24 Million Consumers

Several news organizations and USA Today reported about the data breach at Zappos.com, an online shoe and clothing retailer. Identity thieves hacked into the Zappos website and stole the names, street addresses, email addresses, telephone numbers, the last 4 digits of credit card numbers, and the online passwords of 24 million customers.

The Zappos CEO advised his employees via email that affected customers would receive the following notice, which read in part:

"... there may have been illegal and unauthorized access to some of your customer account information on Zappos.com... The secure database that stores your critical credit card and other payment data was NOT affected or accessed. For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password. We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail... We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there..."

While the company has reset online passwords and notified affected customers about how to create stronger passwords, the types of personal data stolen are sufficient for identity thieves to create plenty of damage. The damage can include spam using stolen email addresses, spam to/from linked mobile phone numbers, and further hacking into consumers online accounts.

How might further hacking happen? Too many consumers still use the same password for all of their online accounts. Simply, identity theives could access your debit/credit card numbers at other online retailer or bank accounts where you use the same password.

It is important for consumers to remember that identity criminals are persistent and re-sell stolen personal information. So, the thieves that attempt to hack into your online accounts probably won't be the same thieves that stole your personal information. Re-sold stolen personal information creates a situation where many thieves can ultimately create further damage.

Experts advise:

• Immediately change your passwords at other online accounts/retailers where you have used the same password you used at Zappos.com,
• Change your online passwords every 90 days,
• Don't use the same password for all of your online accounts,
• Don't use passwords that are easily guessable, or match items on your profile page at Facebook or other social networking website,
• Learn how to create strong passwords,
• Don't use any passwords on this list, and
• Learn how to protect your sensitive personal information at public WiFi locations.

Addendum - January 18: After further consideration, I found the above breach notice and response by Zappos far from satisfactory for consumers. Their response assumes breach victims won't experience any identity fraud, since their message does not include any instructions about what consumers should do if they do experience identity fraud. And, the Zappos breach notice does not seek to explain to their customers the final results of their breach investigation, including why a breach like this won't happen again. The whole event can be summed up as "ooops, we lost a few passwords. reset them and everything will be okay." Not necessarily so.

Addendum - January 19: At least one lawsuit has been filed again Zappos and its parent company, Amazon.com.

Plenty Of Collateral Damage From a Credit Card Theft

There is a good article in PC Magazine that describes the scope of damages from identity theft when credit cards, smart phones, and spammers intersect. Jacqueline, a sales manager, had her credit card stolen and cloned, which resulted in over $2,000 in fraudulent charges. (Damages #1.) Her bank cancelled the exisitng credit card account and issued her a new credit card account. You would assume that was the end of the story, but sadly it wasn't.

Then, the credit card theft and card cloning happened with the replacement credit card -- which suggests an insider identity-theft problem at the bank Jacqueline uses.  Her bank cancelled the replacement credit card account, and issued her a second replacement credit card. End of the story, right?

Wrong. Next, Jacqueline and her contacts began to receive a flood of text message and phone call spam from unknown phone numbers. Apparently, the identity criminals had also stolen Jacqueline's mobile phone number (Damages #2.) along with her credit card information. Jacqueline's company-issued Blackberry-brand smart phone had been spamming people and phishing for consumers' Sovereign Bank sign-in credentials.

Jacqueline doesn't work at Sovereign Bank. After more investigations by the IT department at Jacqueline's employer, her mobile carrier, Verizon, informed them that the text message spam wasn't coming from its network, but from a computer pretending to be Jacqueline. Apparently, the credit card thieves re-sold Jacqueline's personal data and mobile phone number to other identity criminals, which included a spammer (Damages #3.):

"Someone had gotten a hold of her mobile number and was spoofing other phones using her digits. It turns out there's software designed specifically for businesses to send bulk SMS to lists of phone numbers from a computer."

Wow! What a mess. This saga highlights several issues, including the:

• Creativity and persistence of identity thieves,
• Efficiency of online forums where consumers' stolen personal data is resold and traded,
• Value of consumers' (digital) personal information, and
• Duration of damages from identity theft and fraud.

The average consumer doesn't think about how valuable the various bits of their personal information are. But, identity criminals think about it deeply.

The good news in this story was that the IT department at Jacqueline's employer was able to rule out any leaky smart phone apps that could have compromised her data security.

Today, there's not much more Jacqueline or her employer's IT department can do. Her personal identity information is out there in the thieves' domain. As I see it, all she can do is file police reports to document the trail of theft, and lock down her credit reports to keep the damage from spreading to her financial accounts. If the thieves also have her Social Security number, then they can obain fraudulent identification cards and drivers licenses. And, there's nothing to restrict the thieves' action with the USA borders.

BBB: Top 10 Scams Of 2011

Earlier today, the Better Business Bureau (BBB) announced the top ten scams of 2011. With these scams, consumers can lose their money, personal identity and bank information, or both. The leading scams were:

1. Job Scams: included secret shopper schemes, work-from-home scams, and phony job offers. Typically, the scammers seek to trick victims to reveal bank account information.
2. Sweepstakes and lottery scams: supposedly you've won a lot of money. The pitch often includes a bogus celebrity participation.
3. Social networking and online dating scams: scammers may pretend to be on of your "friends" or have hacked the online accoount of one of your "friends." Typically, the pitch is to get you to click on a link -- sometimes a racey video-- which downloads a computer virus that invades your computer and steal sign-in credentials for several social networking accounts.
4. Home Improvement scams: contractors visiting your neighborhood offer a low price for the work, accept your deposit, and then never complete the job -- leaving your home in worse condition than before. Sometimes, the pitches come after a natural disaster.
5. Check cashing scams: scammers use legitimate companies (e.g., Craig’s List, Western Union) offering to buy something you are selling online. The scammer's check is larger than the price of the item you are selling. The victim sends the scammer a valid check for the difference, and the victim deposits the scammer's bogus check in their bank account. Of course, the scammer flees with money from cashing the valid check, the bogus check bounces, the victim still hasn't sold their item, and the victim's bank charges bounced check fees.
6. Phishing scams: these can be offers via phone, email, or a fake website. The typical pitch is to trick victims into revealing sensitive personal and bank account information. When you visit the bogus website to "verify" your account information, the website installs a software virus on your computer to steal more information.
7. Financial scams: these target consumers in tough situations, and include bogus offers about debt reduction and home mortgage modifications. The promised services are never delivered.
8. Sales scams: these include "penny auctions" or ways to supposedly pay far less than standard retail prices. Usually, there is a fee to bid. The BBB states clearly that not all penny auctions are scams, so consumers should treat these as a gamble and inspect closely the website policy and terms before entering.
9. BBB scams: a bogus email that looks like it's from the BBB, claims that a complaint has been filed against your business. To reply to the complaint, the email includes a link which instead downloads a document that spawns a software virus that can steal banking information, passwords and other sensitive personal information.

Last month, I received one of these fake-BBB phishing emails, with the telltale bad grammar and other clues. So you are aware, here is the text of the phishing message:

Subject: Your customer complained to BBB
From: "Better Business Bureau"
Date: Tue, 20 Dec 2011 08:47:19 +0000

Good afternoon,
Here with the Better Business Bureau notifies you that we have been filed a complaint (ID 37975886) from a customer of yours in regard to their dealership with you. Please open the COMPLAINT REPORT below to find the details on this issue and inform us about your opinion as soon as possible. We are looking forward to your prompt reply.

Faithfully,
Fernando Grodhaus
Dispute Counselor
Better Business Bureau Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Timeline Security Hoax Circulates On Facebook

If you use Facebook.com, perhaps you have seen the following status message:

"With the new 'FB timeline' on its way for EVERYONE, please do both of us a favor: Hover over my name above. In a few seconds you'll see a box that says "Subscribed." Hover over that, then go to "Comments and Likes" and uncheck it. That will stop my posts -- and yours to me -- from showing up on the side bar (ticker) for everyone to see, but MOST IMPORTANTLY it LIMITS HACKERS from invading our profiles. If you re-post this I will do the same for you. Thanks! (Click like on this post so I will know you unchecked.)"

Beware. This status message is a hoax -- an effective one too, since it trades on consumers' security fears. To learn more about why it is a hoax, visit Snopes and Facecrooks.

I can share this from personal experience. A couple Facebook friends sent this status message to me, and this hoax tricked me, too. The whole experience is reminder:

• Don't believe everything you read on social networking sites, and
• Verify claims before forwarding them as status messages to your friends.

A Wide Variety of Scams Target Senior Citizens

The Detroit Free Press reported about a local workshop to help seniors stay alert about a variety of fraud schemes run by scam artists:

"Michigan AARP says, based on a recent survey, that 79% of its members are concerned about fraud... Seniors are losing $2.9 billion a year nationwide to financial abuse..."

Seniors are vulnerable, since many live on a fixed income and seek ways to to increase their income due to financial pressures and fears. Scam artists use these fears.

FBI agents spoke to seniors at the Fraud Fighter College workshop at Marygrove College. Linda Cena, a securities manager at the Michigan Office of Financial and Insurance Regulation also spoke. Cena advises seniors to call her office to verify brokers and investments before investing large sums of money. Residents in other states can often find identity theft and scam resources in the division of insurance, secretary of state, or attorney general offices in their state government.

Typical scams targeting seniors include:

"... con artists promising a shopping spree in return for a small processing charge on a debit card to crooked financial advisers talking someone into shifting retirement money from a 401(k) plan into a self-directed IRA, and then putting that money into some fraudulent movie scheme. And, yes, a grandson or granddaughter on drugs can become a predator, too."

Experts warn seniors, and their caregivers, that the best defense against identity theft and fraud is to not disclose personal and financial information -- especially over the phone. Another tip: don't leave papers with sensitive information lying on tables around the home where visitors can steal valuable data like Social Security numbers.

How To File A Complaint About A Bank

Recently, a friend posted this status message on Facebook:

"How does Bank of America stay in business? They continue to threaten and harass even after I have been assured that all issues have been resolved! Issues, by the way, created by their own incompetence! Who do I lodge a complaint with?"

Consumers have several resources to help them with filing a complaint about a bank. Since my friend lives in Massachusetts, first I directed her to the Massachusetts Division of Banks, which regulates banks that operate within the state. This can include help with or submitting a complaint about abuses involving mortgage foreclosures or checking/savings accounts.

If your "banking" problem includes stock or securities fraud, then consumers should consider filing a complaint with the Massachusetts Secretary of State. The responsibility of this administrative agency varies across states, and is based upon the constitution and laws of your state. In Massachusetts, the Secretary of State's office manages several important functions including investment securities, deeds, registration of corporations, elections, and public records.

If you live in a different state, then you can search online for the consumer protection bureau or consumer complaint board within your state that regulates banks. Most states have one.

A second resource is the Federal Deposit Insurance Company (FDIC), which insures banks and financial institutions operating within the USA. The link to the consumer complaint form is conveniently on the FDIC home page.

Sometimes, the problem includes both a bank and a retail company. Then, it is appropriate to submit a complaint the U.S. Federal Trade Commission (FTC), which regulates the activities of retail companies operating within the USA. It is appropriate for consumers to file complaints about deceptive marketing tactics, scams, identity theft, and other topics. The FTC operates a very comprehensive complaint process and database.

If your phone number is registered in the Do Not Call Registry and you belive a company has violated that telemarketing law, then you should file a complaint at the Do Not Call Registry website.

Related articles in this blog which you may also find helpful:

• How To Check Your Insurance Company's Complaint Record
• Received Poor Customer Service? How To Complain Effectively

ScanScout Settles With FTC About Flash Cookies Used For Tracking Consumers

ScanScout has agreed to settle with the U.S. Federal Trade Commission (FTC) about charges the company used deceptive marketing with a website privacy policy that claimed consumers could opt-out of online tracking, when they couldn't opt-out because the company's website used the Flash cookie technology to collect data which browser settings couldn't block. An FTC press release summarized the terms of the proposed settlement:

"... bars misrepresentations about the company’s data-collection practices and consumers’ ability to control collection of their data. It also requires that ScanScout take steps to improve disclosure of their data collection practices and to provide a user-friendly mechanism that allows consumers to opt out of being tracked."

During the lawsuit and before the settlement agreement, ScanScout merged with Tremor Video. The consent order (PDF), which applies to the merged company and its subsidiaries, stated:

"... officers, agents, representatives, and employees and all other persons in active concert or participation with any of them, who receive actual notice of this Order by personal service or otherwise, whether acting directly or through any entity, in connection with the online advertising, marketing, promotion, offering for sale, sale, or dissemination of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication: (A) the extent to which data from or about a particular user or the user’s online activities is collected, used, disclosed, or shared; or (B) the extent to which users may exercise control over the collection, use, disclosure, or sharing of data collected from or about them, their computers or devices, or their online activities."

The consent order also stated that within 30 days of the approved consent order, the company:

"... place a clear and prominent notice, including a hyperlink, on the homepage(s) of its website(s), which states, “We collect information about your activities on certain websites to send you targeted ads. To opt out of our targeted advertisements click here.” When selected, the hyperlink shall take consumers directly to the mechanism... that enables users to prevent respondent: from collecting data that can be associated with a particular user, or that contains any unique identifier, including user ID or Internet Protocol (IP) address; from redirecting users’ browsers to third parties that collect data, absent a click or other affirmative action by such user; and from associating any previously collected data with the user..."

For five years after the approved consent order, the companies must save and forward to the FTC both complaints from consumers and all company documentation proving compliance with the consent order.

During the summer of 2011, a class-action lawsuit was filed against AOL, Brightcove, and ScanScout about the use of the Flash cookies technology to secretly track consumers' online usage.

The proposed settlement agreement is open for comment by the public until December 8, 2011, after which the FTC will decide whether to make it final. To submit comments, follow the online comment instructions at this website. Comments submitted via postal mail should be sent to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.

To learn more about the various tracking technologies, browse posts in this blog about browser cookies, "zombie cookies," Flash cookies, "super cookies," and etags. The FTC OnGuard Online website also contains a section about the various online cookies technologies.

Data Breach Via Insider Identity Theft at North Carolina Hospital

The Data breach cause that scares me most is insider identity theft because it involves employees that should be trustworthy, and aren't. It also emphasizes that the company, hospital, or government agency have an aggressive "red flags" program in place to monitor who accesses sensitive consumer information (e.g., customers, patients, clients, employees, contractors), and compliance with data security policies.

Yesterday, the News-Record reported a data breach involving protected patient information at High Point Regional Health System. An employee took home 47 patients' files, and later returned them. Officials believe the data breach occurred between September 14 and October 6. Hospital representatives learned of the breach last month by an employee at Premier Imaging LLC, a hospital subsidiary. The employee has since been fired.

The breached records included patients' names, residential addresses, dates of birth, Social Security numbers, driver's license numbers and insurance information -- all of the critical data elements for thieves to assume another person's identity and do significant damage with health or financial accounts. An investigation by the health system could not determine whether the former employee has any patient information in her possession or has used it in any way.The hospital has notified affected patients, and arranged an identity protection service for the affected consumers.

Specific data security rules exist for hospitals and health care organizations. According to the Health & Human Services website, the information that must be protected includes:

"Information your doctors, nurses, and other health care providers put in your medical record; conversations your doctor has about your care or treatment with nurses and others; Information about you in your health insurer’s computer system; billing information about you at your clinic; and most other health information about you held by those who must follow these laws."

The companies that must follow this law are called "covered entities," and include doctors, pharmacies, nursing homes, HMO's, health plans, health insurance companies, and vendors hired under certain conditions.