ID Watchdog and InComm To Jointly Produce New Identity Theft Products For Consumers

I found this video interesting:

After watching the video, I visited the ID Watchdog web site to learn more about their service. My first interaction with the site was a positive one. I found it easy to read and easy to understand the identity protection services it provides. ID Watchdog seems to be moving towards the comprehensive detection I look for in a service, since it monitors a dozen different databases that store consumers' sensitive personal data. ID Watchdog has a data-sharing agreement with Acxiom.

My experiences with other identity protection services hasn't been so positive. You can access reviews of other identity protection services on the Reviews page in this blog.

I hadn't heard of InComm before. They seem to make and distribute cards that have stored value... like the gift cards you'd buy in a big-box retail store chain or grocery store chain. I am sure that this blog will cover during the coming months reviews of products by InComm and ID Watchdog.

Why It Is Important Not To Disclose Certain Personal Data on Social Networking Sites

In an earlier post, I wrote about the risks of disclosing your birth date in e-mails and at social networking sites. It's a key piece of personal data for identity thieves and fraudsters. There are more personal data items you should not disclose to avoid identity fraud.

From a recent AARP Bulletin:

"Along with your birth date, your place of birth may help scammers guess most, if not all, of the nine digits of your Social Security number, suggests a recent study published in the Proceedings of the National Academy of Sciences. Those two pieces of information were all that Carnegie Mellon University researchers needed to discover patterns in how SSNs are issued, resulting in impressive success in guessing exact numbers."

The researchers documented how identity thieves could use your hometown information to guess your Social Security number:

"... The first three digits of the SSN are an “area number,” issued according to the ZIP code of the mailing address provided on a Social Security application form. High population states have many area numbers — New York has 85, for example — but Delaware and Alaska have only one... The fourth and fifth digits of the SSN are a location-based “group number”; those digits change periodically, usually in increments of 2. For instance, for people born in 1966 in Oregon, those middle numbers started at 47, and 60 days later, switched to 49. “Because of this, knowing a birth date and hometown makes the first five digits of a SSN the easiest digits to guess... The last four digits, the ones most often used as identifiers on accounts, are issued sequentially. But they’re harder to guess because they depend on how long it took to process a Social Security application..."

So, security experts advise consumers not to disclose both their birth date and hometown information on social networking sites. Now, you know what to do and why.

Two important Events For Consumers To Avoid Identity Theft

The Better Business Bureau (BBB) announced its Secure Your ID Day events for October 17, 2009. The nationwide event includes free shredding services (for your old checks, junk mail, bank statements, old files, etc.) and educational programs by local BBB's in each state to help consumers avoid identity theft. Browse the Secure Your ID Day site to learn more about events in your area. Canadian residents should visit the BBB Canada site.

This BBB event coincides with the second annual National Protect Your Identity Week events October 17 - 24, sponsored jointly by the the Council of Better Business Bureaus (CBBB) and the National Foundation of Credit Counseling (NFCC). The event site is available in English and Spanish.

I strongly urge consumers to learn more and attend both events.

Lifelock And The Credit Monitoring Industry Struggle To Protect Consumers

This past weekend, Todd Davis, Lifelock's Chairman and CEO, announced in a video message the company's intention to release new services during the coming weeks. This was prompted by a court ruled in May 2009 in favor of Experian to stop companies like Lifelock from setting Fraud Alerts on behalf of its customers. Lifelock had appealed the decision.

In February 2008, I've Been Mugged reported the Experian v. Lifelock lawsuit. The fight between Experian and Lifelock was like two five-year-old kids arguing over who gets the last brownie on the kitchen table while there is a fire burning in the living room. There are bigger issues. Fraud Alerts are a relatively weak tool, since it doesn't force lenders to contact consumers. Credit monitoring service that include a Fraud Alert tool still do not stop:

• Criminal identity theft: when a criminal uses another person's identity during a crime
• Medical identity theft and fraud: when a person uses another person's identity to gain free medical care, and wrecks the victim's access to health care they rightfully paid for
• Data breaches and fraud at outsourcing vendors and at offshore outsourcing vendors
• Poor data security practices by companies and employees
• Insider identity theft and fraud

To be clear, I am no fan of Lifelock. Much of what the company charges for, consumers can (and should) do for themselves for free. In April of 2008 Consumer Reports gave Lifelock a less than stellar review.

However, on one point Davis and I agree. This court ruling is a setback for consumers. It limits choice in the marketplace at a time when data breaches and identity theft have increased. The ruling means that consumers must go directly to Experian (and other credit reporting agencies) to establish a Fraud Alert.

It will be interesting to hear during the coming weeks about Lifelock's new services. Hopefully, the company has done its homework and developed a set of truly innovative and more comprehensive identity protection tools.

It is in consumers' best interest for a comprehensive identity protection service. Why? Many consumers I've talked with have no idea what to do about identity after their sensitive personal data has been stolen. Many consumers need all the help they can get. Few know the difference between credit monitoring and credit restoration. Few understand the limitations (e.g., see the bullet list above) with credit monitoring services. Then, it's a rush to learn what to do to protect themselves, and establish some preliminary protections.

It is sad that the identity protection industry so fragmented and disorganized.

There's a gap in the marketplace and a truly comprehensive identity protection service would go a long way towards helping consumers. The credit reporting agencies don't offer a comprehensive service; they focus narrowly on monitoring (usually their own) credit reports, and providing credit scores. Regional credit reporting agencies are essentially ignored, along with insurance reporting services like ChoiceTrust.

All of these regional credit reporting and insurance companies' reports are high-value targets by identity criminals. The credit monitoring services by independent companies are somewhat better than the credit reporting agencies' service, but that is not a high bar to leap. As I wrote in May 2009:

Since I started this blog, I have searched for a truly comprehensive identity protection service, which should include:

• Unlimited access to the full text of all of my credit reports from both the major credit reporting agencies and from the smaller, regional credit reporting agencies (e.g., Innovis)
• Unlimited access to the full text of all of my C.L.U.E. insurance reports
• Unlimited access to the full text of all of my sensitive personal medical information
• Monitoring of my identity across social networking sites
• Instant e-mail, text messaging, Twitter, or RSS alerts about status changes to any of the above
• Tools and calculators to help me evaluate these reports
• The ability for to customize alerts based on my individual needs
• Options to add Fraud Alerts to any or all of the above reports
• Options to add Security Freezes to any or all of the above reports
• Criminal fraud monitoring (if my identity is used by thieves during a crime)
• Identity fraud assistance when traveling outside the USA
• Identity resolution services and insurance for all of the above reports
• 24/7, and easy access to a real person in customer service via phone
• Arrangements with employers so that after a data breach, I get reimbursed for my monthly fee for this service, rather than receive an offer for another credit monitoring service I don't need

Consumers can't get all of the above. To get large portions of it, you'd have to cobble together at least five or six different services. The Experian v. Lifelock court ruling adds to the problem, since Fraud Alerts will now be available only at the major credit reporting agencies.

It shouldn't be this hard for consumers. Maybe Lifelock has tackled this problem with their new services. We shall see during the coming weeks, and I've Been Mugged will report on it.

IRS Phone Forum About Online Fraud and Identity Theft

It's good to see the U.S. Internal Revenue Service (IRS) taking action about fraud and identity theft.

On August 19, the IRS will host a free phone forum (e.g., that's a large, public conference call) titled "Everyone's at Risk - Combating the Increasing Threat of Online Fraud and Identity Theft." Th event is for practitioners: tax professionals, attorneys, payroll professionals, small businesses, the IRS' industry partners, and both state and local governments.

Participants will learn about identity protection efforts by the IRS, the process for reporting tax-related identity theft, victim assistance, how to report phishing schemes targeted at taxpayers, and IRS efforts to combat online fraud targeted at taxpayers. Advance registration for the event is required.

You can learn more and register for the event at the IRS site.

It's Time To Enforce the Privacy Of Consumers' Medical Prescriptions

It was infuriating to read this New York Times article, "And you Thought A Prescription Was Private:"

"Like many other people, Ms. Krinsk thought that her prescription information was private. But in fact, prescriptions, and all the information on them — including not only the name and dosage of the drug and the name and address of the doctor, but also the patient’s address and Social Security number — are a commodity bought and sold in a murky marketplace, often without the patients’ knowledge or permission. That may change if some little-noted protections from the Obama administration are strictly enforced. The federal stimulus law enacted in February prohibits in most cases the sale of personal health information, with a few exceptions for research and public health measures like tracking flu epidemics. It also tightens rules for telling patients when hackers or health care workers have stolen their Social Security numbers or medical information..."

Unfortunately:

"The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased... Ms. Krinsk was never able to find out who sold her information, but companies that have been accused in lawsuits of buying and selling personal medical data include drugstore chains like Walgreens and data-mining companies like IMS Health and Verispan. CVS Caremark, which handles prescriptions for corporate clients, has also been accused of violating patients’ privacy.

Once again, California leads the way:

"The ban on marketing is even more strict in California, where Walgreens is fighting off a class-action lawsuit filed on behalf of customers who received the subsidized mailings before the state outlawed them in 2004... The data mining industry, meanwhile, is challenging laws in New Hampshire, Maine and Vermont that ban collecting and selling prescription information to drug makers, which use it to decide which doctors to market to. The companies in the case, IMS Health and Verispan, now part of the private company SDI Health, said the identities of patients were removed."

These companies claim that patients' names are removed or encrypted before data is sold, but who verifies this? How are consumers to know if these companies are doing as they claim?

If this infuriates you (and I sincerely hope that it does), I encourage you to write to you elected officials in Congress today and demand prescriptions privacy, stiff penalties for violators, and enforcement of existing laws. Write to your elected state officials and demand local state laws guaranteeing the privacy of your medical prescriptions. Insist that the transition to electronic medical records (EMR) happens only after privacy is guaranteed.

10 Things You Should Know To Protect Yourself From Identity Theft

Over at WalletPop, there's a good list of tips for consumers about how to avoid identity theft and fraud:

1. Thieves don't need your credit card number in order to steal it. Conversely, they don't need your credit card in order to steal your identity.

2. The non-financial personal information you reveal online is often enough for a thief. Beware of seemingly innocent personal facts that a thief could use to steal your identity. For example, never list your full birthdate on Facebook or any other social-networking Web sites.

5. If an ATM or store terminal looks funny, don't use it. "Make sure there is no device attached to any ATM card slot... As a general rule, the mouth of a card receptacle on an ATM machine should be flush with the machine or have only a very slight lip.

8. Pay attention at the checkout line. If a cashier or salesperson takes your card and either turns away from you or takes too long to conduct what is usually a normal transaction, she may be scanning your card into a handheld skimming terminal to harvest the information. But they... can take a picture of the front and back of your card with a cell phone or merely swap out cards.

One protection tip that hadn't occurred to me when traveling on vacation or on business:

"... cut up your used hotel key cards when you check out... since these keys contain important information about you and your finances, including your name, address, phone, and the credit card you used to pay for your room. When you toss them out or leave them lying in the hotel room, anyone can pick them up and use them to steal your identity,"

To read the entire list, visit the WalletPop site.

Teach Your Dad About 'Phishing' This Father's Day

To help consumers avoid identity theft, the U.S. Federal Trade Commission has developed an electronic Father's Day card with tips about how to spot bogus phishing e-mail messages. Versions of the FTC e-card are in English and in Spanish.

To learn more about phishing, whaling, v-phising and other scams, browse the Scams and Threats section of this blog. Or, take one of these online identity theft quizzes.

If you or a parent have been the victims of identity theft and fraud, you should report it to both local law enforcement and to the FTC. To file a complaint in English or Spanish, visit the secure FTC Complaint Assistant site, or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad.

FTC Grants Another Delay in Red Flag Rule Enforcement

Last week, the FTC released this press release:

"The Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs... The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed financial regulatory agencies, including the FTC, to promulgate rules requiring “creditors” and “financial institutions” with covered accounts to implement programs to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft. FACTA’s definition of “creditor” applies to any entity that regularly extends or renews credit – or arranges for others to do so – and includes all entities that regularly permit deferred payments for goods or services.”

This was the second delay. In October 2008, the FTC granted a six-month delay which moved the deadline to the prior date of May 1, 2009. Now, the deadline is August 1, 2009. From Network World:

"The Red Flag program is one of the major ways the government plans to fight the growing identity theft blight. Banks and other financial institutions typically account for about half of the identity theft complaints filed with the FTC... That's one of the reasons why under the Red Flags Rules, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs - or "red flags" - of identity theft."

I hope that there are no more delays. The Red Flag Rules are one tool to help protect consumers' sensitive personal data. And, identity thieves aren't delaying their activities.

Social Media Is Forever

Whatever you post online probably stays forever. From the Huffington Post:

"Maybe what goes in Vegas, stays in Vegas, But what goes on the Internet, goes everywhere and stays there forever. Since disconnectedness causes more problems than connectedness, the good probably does outweigh the bad when it comes to social networking via Twitter, Facebook, Linkedin, MySpace and beyond. But beware (and you especially may want to tell this to your children), whatever you put up on the Internet becomes viewable to anyone, anytime, anywhere."

I agree with this 1,000%. And, what social media sites you join, remember that so goes your sensitive personal data, photos and videos.

A word to the wise: read the Terms of Use carefully at any Web site you use -- especial social media Web sites. If it doesn't feel right or if it doesn't contain the protections you expect, don't use that site.

The Red Flag Rules Deadline Fast Approaches

I've written about this before, but it is so important it needs to be emphasized. There's a really good post at the Ephemeral Law blog about the fast-approach Red Flag Rules deadline (links added):

"The May 1, 2009 deadline for creating and implementing an Identity Theft Protection and Prevention Program required by FTC Rules is fast approaching. The Identity Theft Red Flag Rules apply to all organizations with accounts primarily for personal, family or household purposes that permit multiple payments. Creditors subject to these rules include utilities, retailers, local governments, and car dealers, if such organizations carry consumer accounts permitting multiple repayments. Many hospitals and patient care facilities extend credit to patients for deferred payment of treatment costs. These health care entities must implement an Identity Theft Protection and Prevention Program to identify, detect and respond to the possible existence of identity theft with respect to these accounts. Health care entities must also take care to ensure that these programs do not conflict with other Federal and State laws, rules and regulations such as EMTALA. The FTC Rules require all such organizations to develop and implement a proactive identity theft prevention program, and provide detailed guidelines intended to provide assistance in creating such a program. Financial institutions regulated by a regulatory agency other than the FTC were required to adopt and implement an Identity Theft Protection and Prevention Program no later than November 1, 2008."

If you are a small business owner, this affects you. If you are a consumer, this compliance is important given the push to digitize patients' medical records. If you are a consumer, it's good to know about the Red Flag Rules, so you shop at retail businesses that properly protect the sensitive personal data they use. To learn more, follow all of the above links.

Consumers Should Care What Personal Data Search Engines Collect

Prior posts covered behavioral advertising: opt-in versus opt-out system structure and notification issues, and the role of Internet Service Providers (ISPs). If you are new to the topic (or new to the Internet), there is a good primer article by CNN Money which highlights the issues consumers should know about search engines:

"Alone with just your computer screen, these searches can feel very private. But Google & Co. gather a lot of information about you as you surf, including the date and time for your search, your search terms, and your IP address, which is an 11-digit number that identifies your computer and, more important as far as advertisers are concerned, your location."

Internet users as young as teenagers need to know that:

"There are many free online tools, but they're not really free," explained Greg Conti, a professor of computer science at West Point and the author of Googling Security: How Much Does Google Know About You? "We end up paying for them with micro-payments of personal information..."

This is important because data breaches happen. Companies participating in targeted advertising will have consumers' data stolen or lost. It's important because consumers' privacy needs to by adequately protected:

"... Yahoo said it would keep personally-identifiable information in its database for no more than 90 days, down from 13 months previously... Google said it would keep your data for nine months instead of 18 months. Microsoft retains your information for 18 months... There are big differences, however, in the way that companies make user information anonymous. Google and Yahoo, for instance, block the last three digits, known in tech circles as the "last octet," of your IP address. Microsoft says it deletes the entire address."

Who knows what is really going on? The problem is: there isn't oversight. There isn't an independent audit. There is no way for consumers to know if the companies are honoring their data security as promised. This is critically important also because so much of consumers' sensitive personal data is outsourced overseas.

I am not saying that more government is the solution. Perhaps an an audit group partially funded by the search engine industry is the answer. Perhaps state and federal ID-theft legislation should be amended to require proper anonymizing of consumer data by search engines and other companies participating in targeted advertising. Perhaps amended FTC guidelines is the answer.

Whatever the solution, companies must protect consumers' personal data like nuclear fuel. What do you think?

The Risks of Disclosing Your Birthday on Facebook And Other Social Networking Sites

Here in Boston, Channel 7 television news broadcast an interesting identity-theft report which I believe all consumers of popular social networking sites -- like Facebook, MySpace, Twitter -- should be aware of:

"When you're connecting online - and filling out your profile - experts say you could be leaving yourself vulnerable. The trouble can start with something as simple as your birthday... It seems harmless putting your birth date in your profile - but with that one bit of info we found identity thieves can actually get a copy of your birth certificate - a key document. And it's not hard to do."

The news broadcast showed how the reporters were able to get a valid copy of consumers' birth certificates. Some states, like Massachusetts, have lax procedures for distributing birth certificates. The bottom line: your complete birthday (e.g., March 12, 1984) is one of the valuable pieces of sensitive personal data which identity thieves can (and do) use. Here's how consumers can protect their identity information:

"Experts say, to keep safe - Never list your birthday publicly. Online - you should only become "friends" with people you know. And make sure your profile page is set to "private" or "friends only."

Should consumers display a partial birthday (e.g., March 12)? I've noticed that some Facebook users display a partial birthday. I don't disclose my birthday at all. Why? It still seems risky to display a partial birthday, because a determined identity thief can pretty easily deduce your birth year from your high school (or college) graduation.

It's important for consumers to practice safe identity-protection habits when using social media sites. Interested consumers can view the video or read the transcript at the Channel 7 site. Want to learn more? Read this prior post about birth dates.

Santa Fe Group And ID Experts Announce 'Bill of Rights' For ID-Theft Victims

Last week, the Santa Fe Group and ID Experts announced a 'Bill of Rights' for Identity theft victims. The document includes five basic rights to help consumers who are victims of identity theft and data breaches to protect and correct their personally identifiable information (PII) records:

1. Assessment of the nature and extent of the crime that removes the procedural “Catch-22s” when validating identity
2. Full restoration of victims’ identities to pre-theft status, including the ability to expunge records
3. Freedom from harassment from collection agencies, law enforcement and others
4. Prosecution of offenders and accountability for businesses that fail to reasonably secure personal information
5. Restitution that includes repayment for financial losses and expenses

For people who are unfamiliar with the issues, the white paper provides a background on the issues and trends about identity theft and identity restoration -- the challenges to consumers when fixing damage done by identity thieves. The white paper effort was led by the Identity Management Working Group of The Santa Fe Group Vendor Council chaired by Rick Kam, President of ID Experts. Kam noted:

“Despite new additions to the Fair and Accurate Credit Transaction Act of 2003 (FACT), such as free credit reports and the ability to place fraud alerts after identity theft, victims are still subject to inconsistent and unfair treatment from state and federal agencies, law enforcement and businesses. We created the Bill of Rights to empower victims by granting them the same rights as victims of other crimes.”

The Santa Fe Group is a consulting company to financial institutions and related infrastructure companies. ID Experts provides services to companies and to consumers covering identity restoration. Consumers and companies can download for free the Bill of Rights white paper, titled "Victims’ Rights: Fighting Identity Crime on the Front Lines" (364 K Bytes, Adobe PDF format; registration required).

This "Bill of Rights" is an excellent idea for several reasons. As Kam said above, consumers receive inconsistent treatment within and across States. First, most but not all States have laws defining what is personally identifiable information, and how companies and government agencies should protect that information. Second, most but not all States have laws requiring companies and government agencies to notify consumers after a data breach.

Third, most states do not define the content of what the components should be in a credit monitoring service offered in a company's post-breach response. This places consumers in a difficult situation thinking that their state has provided them with some protection, when in fact that protection is far weaker than they realize. Fourth, most consumers have no idea what to do to restore their identity information after damage by identity thieves.

Fifth, only a handful of states have laws protecting consumers against ID-theft involving RFID cards. There are so many ways identity thieves can steal consumers' sensitive data, that it makes sense to strengthen laws to help consumers fix the damage done by identity thieves. Sixth, only a couple states -- Maryland and New Hamsphire -- post online the breach notices received to help consumers verify breach notices.

The 500 Worst Passwords Consumers Use

Prior posts have emphasized the importance for consumers to use robust passwords. Unfortunately, for their online accounts many consumers still use passwords that are easy for identity thieves to guess. Boing Boing lists the 500 worst passwords. Here are the top 25 worst passwords:

1. 123456
2. password
3. 12345678
4. 12345
5. pussy
6. 1234
7. dragon
8. qwerty
9. 696969
10. mustang
11. letmein
12. baseball
13. master
14. michael
15. football
16. shadow
17. monkey
18. abc123
19. pass
20. fuckme
21. 6969
22. jordan
23. harley
24. ranger
25. iwantu

I used to work at Harvard Business School, and during the five years I worked there a coworker never changed his password. For another five years after I had left HBS, this coworker still had not changed his password. A word to the wise: change your password periodically -- like every 3 months.

Identity thieves are smart and persistent. So, if your sign-in credentials include any of the above passwords, you can basically say bye-bye to your identity, sensitive personal data, and the money in your bank accounts. Consumers should use strong passwords. Here is one example of what happens consumers don't use strong passwords and identity thieves take over your e-mail account.

Is Mint.com As Safe And Secure As It Says It Is?

Last week, a coworker asked me what I thought about the Mint.com personal finance service site. Deanna asked me because, in her own words, "George, you are more paranoid than me." I spent several days researching and reviewing the site. Afterward, I began to wonder how safe and secure it really is.

If you aren't familiar with the site, it is an online service to help consumers manage their money. It is a free alternative for consumers who don't have the money to hire a personal financial adviser. Many consumers like Mint.com since it mostly eliminates the manual data entry of financial transactions at your bank. According to the site, 600,000 people+ use Mint.com with 2,000+ daily users, $50 billion in transactions, and $15 billion in assets. The site publishes an impressive list of reviews and awards, too.

My question is this: how safe is it to store all of your personal financial information in a single online site? Shelley Elmblad at About.com answered the first part of that question with a comparison of desktop and online financial services software. The second part of the answer is specific to the Mint.com site, which says:

"Mint does not ask for its customers' names, addresses or Social Security numbers. It establishes a one-way connection with the bank so that no money can be moved around... Mint works for you without requiring any personally identifiable information from you. Your Mint account is anonymous; set up requires only an email, password and zip code."

That sounds good. Mint.com says that it uses the same physical and encryption security as the banks. While that might sound good, it's not 100% bullet-proof since some banks and financial companies (e.g., Ameritrade and Bank of America) have had data breaches, and some reports have documented flaws in the financial system. Plus, all of that online security won't necessarily prevent a a data breach by an inside job -- data stolen by an employee.

The Mint.com site says that it's account setup doesn't allow Mint.com to move money. It's a "read-only" service. That sounds good, but how safe is it really?

My skepticism with a service like this is that in order for a consumer to enjoy the full benefits of Mint.com, he/she still must submit their bank sign-in credentials (e.g., ID and password) repeatedly so the Mint.com software can import their latest financial transactions. And, a consumer must provide those credentials for every bank account and credit card account he/she wants to evaluate.

To learn more, I read several online reviews of Mint.com at About.com, TechCrunch, the Well-Rounded Woman, the Consumerist, the New York Times, and Brit Gardner. Afterward, I wished that all of these reviews had focused less on the features and more on the data security.

Since I started writing this blog, one thing I've learned is that my financial, bank account, and e-mail sign-in credentials are just as valuable as the sensitive personal data companies archive about consumers. An identity thief in possession of my sign-in credentials can still do lots of damage. They could use a brute-force method to determine which other sites they could sign in with the stolen sign-in credentials; and then sign in and steal the remainder of my sensitive personal data and money.

And, a data breach at Mint.com would clearly be a huge disaster. While writing this blog, I also learned that identity thieves are smart and persistent. They will hack into sites that don't maintain current and effective security measures. They will hack into the electronic transmissions between sites and third-party sites. They will identify and attack both high-value sites and the consumers that use those sites.

One area that seems murky is what happens when things go bad when a consumer submits their Site B sign-in credentials at site A to use information retrieved from site B. What happens when site A suffers a data breach where site B sign-in credentials are stolen? Which site's company is liable: A or B? Which company will help the user with credit monitoring and recovery services? It seems unlikely that site B would provide assistance due to a breach at site A.

Think of it this way: when there's a credit card theft, I know that the credit card issuing bank will stand by me with help. Another example, when IBM suffered a data breach that exposed the sensitive personal data of its employees and former employees, it provided one year of free credit monitoring and recovery services to the other data-breach victims. What can I expect from a small start-up like Mint.com? Does Mint.com have the resources to help, should things go bad? For me, it is important to know this upfront when deciding whether or not to register with a new financial services site, since data breaches unfortunately happen.

In the state where I live, companies are required to notify its customers after a data breach. While I could reasonably expect notification from Mint.com if a breach happens, the law doesn't specify the level of post-breach help. So, I took a closer look at the Mint.com Terms of Use policy to see what else a consumer can expect should things go bad:

"Mint cannot always foresee or anticipate technical or other difficulties which may result in failure to obtain data or loss of data, personalization settings or other service interruptions. Mint cannot assume responsibility for the timeliness, accuracy, deletion, non-delivery or failure to store any user data, communications or personalization settings... You agree and understand that you are responsible for maintaining the confidentiality of your password which, together with your LoginID e-mail address, allows you to access the Service... Your access and use of Mint.com may be interrupted from time to time for any of several reasons, including, without limitation, the malfunction of equipment, periodic updating, maintenance or repair of Mint.com or other actions that Mint, in its sole discretion, may elect to take... you grant Mint a limited power of attorney, and appoint Mint as your attorney-in-fact and agent, to access third party sites, retrieve and use your information with the full power and authority to do and perform each thing necessary in connection with such activities, as you could do in person."

So, Mint.com customers authorize the site to act fully on their behalf, and assumes all risk for maintaining the security of all of their bank and financial service sign-in credentials. Nothing surprising there. However, there's more (bold added for emphasis):

"YOU EXPRESSLY AGREE THAT YOUR USE OF THE SERVICE IS AT YOUR SOLE RISK. MINT MAKES NO REPRESENTATIONS, WARRANTIES OR GUARANTEES, EXPRESS OR IMPLIED, REGARDING THE ACCURACY, RELIABILITY OR COMPLETENESS OF THE CONTENT ON MINT.COM OR OF THE SERVICE... MINT MAKES NO REPRESENTATION, WARRANTY OR GUARANTEE THAT THE CONTENT THAT MAY BE AVAILABLE THROUGH THE SERVICE IS FREE OF INFECTION FROM ANY VIRUSES OR OTHER CODE OR COMPUTER PROGRAMMING ROUTINES THAT CONTAIN CONTAMINATING OR DESTRUCTIVE PROPERTIES OR THAT ARE INTENDED TO DAMAGE, SURREPTITOUSLY INTERCEPT OR EXPROPRIATE ANY SYSTEM, DATA OR PERSONAL INFORMATION... MINT SHALL IN NO EVENT BE RESPONSIBLE OR LIABLE TO YOU OR TO ANY THIRD PARTY, WHETHER IN CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, FOR ANY INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, EXEMPLARY, LIQUIDATED OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFIT, REVENUE OR BUSINESS, ARISING IN WHOLE OR IN PART FROM YOUR ACCESS TO MINT.COM, YOUR USE OF THE SERVICE OR THIS AGREEMENT, EVEN IF MINT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES."

Well, that seems pretty clear. If Mint.com is hacked or breached, they aren't liable and the consumer is on their own to resolve the problem. While Mint.com has every right to protect itself, there has to be a better balance with the needs of consumers. Based on the above copy, Mint.com customers are on their own should a data breach happen.

Should you register for Mint.com? That's your decision and a decision only you can make. Only you know how much risk you are willing to tolerate.

My take: a consumer that uses any financial services site like Mint.com absolutely has to make sure that their personal computer is properly protected, and that he/she creates and uses strong passwords. It'd be foolish to use the same sign-in credentials at Mint.com that you use for your e-mail or at your online banking site.

Seems to me that sites like Mint.com are high-value targets. Time will tell how effective Mint.com's data security methods are. I hope that they are as effective as advertised.

7 Blunders Consumers Make That Invite Identity Theft

Consumer Reports has published a really good article about the seven mistakes consumers make that invite identity theft:

• Assuming the anti-virus software on your home computer is active and current, when it isn't
• Clicking on a link in an e-mail message to access your bank or financial accounts
• Using the same ID and password for all of your online accounts and web sites you visit
• Assuming that you are automatically protected because your home computer is an Apple or MacIntosh

To read the complete list of 7 common mistakes, visit the Consumer Reports web site. Frequent readers of I've Been Mugged are aware of these common blunders, and keep their home computer's anti-virus software active and current. To learn about more protection tips and advice, click on the "Advice/Tips/Solutions" link in the tag cloud in the right column.

National Protect Your Identity Week: October 19th to 25th

Tomorrow (Sunday) is the start of the national Protect Your Identity Week (PYIW). The National Foundation for Credit Counseling (NFCC) has started a campaign to provide help and guidelines for identity theft awareness and prevention. The NFCC also developed a web site for consumers:

• www.protectyouridnow.org

At the site, consumers can browse a map to find nearby PYIW events, test their knowledge with the ID-Theft Quiz, or browse the site section with tips and advice. If you are an identity-theft victim, the site has a section with helpful solutions.

The NFCC includes over 100 member agencies that offer credit counseling to consumers. Given the recent disruptions within the financial, banking, and mortgage sectors of the economy, it is important for consumers to make informed decisions about managing their finances. NFCC member agencies can be identified by the NFCC member seal. According to the NFCC web site:

"Each year, more than one million people receive counseling and educational services from NFCC member agencies. More than one-third of all consumers who come to an NFCC agency for counseling are able to manage their debt on their own after receiving financial education and counseling."

NFCC member agencies provide counseling and education about how to create and manage a household budget, how to manage your debt, financial literacy courses, and counseling about how to manage your housing costs and foreclosure. MSN Money, the 2008 PYIW National Media Sponsor, will host a community message board on Tuesday, October 21 where consumers can post their questions about identity theft and have them answered by an NFCC Member Agency Certified Credit Counselor.

Visa And Banks To Test Real-Time Fraud Alerts

In the ZDNet Zero Day blog, Ryan Naraine reported:

"Credit card giant Visa is teaming up with with eight North American banks to deliver fraud alerts in real-time via SMS (text messages) and e-mails to cell phones. The pilot program will allow about 2,000 Visa cardholders to set thresholds that will trigger an immediate transaction alert to a mobile device. Once an alert is received, a cardholders can verify the transaction details, and if the transaction appears to be irregular, can immediately contact their bank to help stop further transactions on the card."

According to Reuters:

"Participants may choose to be alerted to a variety of types of card usage, including ATM withdrawals, international transactions, Internet or phone transactions, and transactions above specified amounts."

While this sounds like a good idea, the details are critical. Will there be a monthly fee for this feature? I hope not. It should be included.

How "real-time" is real-time? I already have alerts with online banking and those arrive about 40 - 60 minutes after the transaction. That's not real-time. Not even close. I wonder if Visa and its banks really will be able to deliver real-time credit card alerts before the transaction is completed.

Also, consumers must have control over their alerts. It's important for consumers to be able to:

• Change the dollar threshold for their alerts
• Specify different dollar thresholds for cash withdrawals versus purchases
• Toggle on/off the cross-border alert, since people do travel on vacations and/or business
• Specify their default charge geographic area, since certain states and/or countries may be visited repeatedly
• Select the alert format of their choice: v-mail, SMS, e-mail, or any combination
• Integrated within the consumer's online banking

FTC To Host Radio Frequency ID Workshop

The U.S. Federal Trade Commission (FTC) will host a workshop on September 23, 2008 titled, "Transatlantic RFID Workshop on Consumer Privacy and Data Security." The purpose of the workshop:

"...to explore emerging applications of radio frequency identification technology and their implications for consumer protection policy. The workshop will bring together industry representatives, government officials, and consumer advocates from Europe and the United States to discuss security and privacy concerns associated with RFID technology."

If you are unfamiliar with radio frequency identification (RFID) technology, I suggest that you read these prior posts. As with any new technology, the proper installation and use of RFID -- with adequate data encryption -- is critical, since RFID cards usually contain sensitive personal information of consumers and employees. According to the news release:

"The workshop is being held in conjunction with the September 22, 2008 “Transatlantic Symposium on the Societal Benefits of RFID,” sponsored by the Trans-Atlantic Business Dialogue, the European-American Business Council, and EPCGlobal, with the support of the U.S. Department of Commerce and the European Commission."

The workshop is free and open to the public. If you cannot attend, a live webcast will be available at the FTC web site. The workshop will be held at the FTC Conference Center, 601 New Jersey Avenue, N.W.,Washington, DC 20001.

Maybe the three enterprising M.I.T. students will attend and contribute to the discussion.