109 posts categorized "Identity Protection"

Consequences And New Threats From The Massive Equifax Breach

To protect themselves and their sensitive information, many victims of the massive Equifax data breach have signed up for the free credit monitoring and fraud resolution services Equifax arranged. That's a good start. Some victims have gone a step further and placed Fraud Alerts or Security Freezes on their credit reports at Equifax, Experian, and TransUnion. That's good, too. But is that enough?

The answer to that question requires an understanding of what criminals can do with the sensitive information stolen during the Equifax breach. Criminals can commit types of fraud which credit monitoring, credit report alerts, and freezes cannot stop. Consumer Reports (CR) explained:

"Freezing your credit report specifically at Equifax will also prevent crooks from registering as you at the government website, my Social Security, and block them from attempting to steal your Social Security benefits. But taking these steps won't protect you against every identity fraud threat arising from the Equifax data breach."

Sadly, besides credit and loan fraud, the Equifax breach exposed victims to tax refund fraud, health care fraud, and driver's license (identity) fraud. This is what makes the data breach particularly nasty. CR also listed the data elements criminals use with each type of fraud:

"With your Social Security number, crooks can file false income tax returns in your name, take bogus deductions, and steal the resulting refund. More than 14,000 fraudulent 2016 tax returns, with $92 million in unwarranted refunds, were detected and stopped by the Internal Revenue Service (IRS) as of last March... Data from the Equifax breach can be used to steal your benefits from private health insurance, Medicare, or Medicaid when the identity thief uses your coverage to pay for his own medical treatment and prescriptions... Using your driver’s license number, identity thieves can create bogus driver’s licenses and hang their moving violations on you...."

The CR article suggested several ways for consumers to protect themselves from each type of fraud: a) request an Identity Protection PIN from the IRS; b) request copies of your medical file from your providers and review your MIB Consumer File each year; and c) request a copy of your driving license record and get your free annual consumer report from ChexSystems, Certegy, and TeleCheck, the three major check verification companies.

Never considered reviewing your tax account with the IRS? You can. Never heard of a Consumer MIB File? I'm not surprised. Most people haven't. I encourage consumers to read the entire CR article. While at the CR site, read their review of TrustedID Premier service which Equifax arranged for breach victims. It's an eye-opener.

Do these solutions sound like a lot of preventative work? They are. You have Equifax to thank for that. Will Equifax help breach victims with the time and effort required to research and implement the solutions CR recommended? Will Equifax compensate breach victims for the costs incurred with these solutions? These are questions breach victims should ask Equifax and TrustedID Premier.

Consumers and breach victims are slowly learning that the consequences of a data breach are extensive. The consequences include time, effort, money, and aggravation. You might say breach victims have been mugged. Worse, consumers are saddled with the burden of these consequences. That isn't fair. The companies making money by selling consumers' credit reports and information should be responsible for the burdens. Things are out of balance.

What are your opinions?


Hacking Group Reported Security Issues With Samsung 8 Phone's Iris Recognition

The Chaos Computer Club (CCC), a German hacking group founded in 1981, posted the following report on Monday:

"The iris recognition system of the new Samsung Galaxy S8 was successfully defeated by hackers... The Samsung Galaxy S8 is the first flagship smartphone with iris recognition. The manufacturer of the biometric solution is the company Princeton Identity Inc. The system promises secure individual user authentication by using the unique pattern of the human iris.

A new test conducted by CCC hackers shows that this promise cannot be kept: With a simple to make dummy-eye the phone can be fooled into believing that it sees the eye of the legitimate owner. A video shows the simplicity of the method."

The Samsung Galaxy S8 runs the Android operating system, claims a talk time of up to 30 hours, has a screen optimized for virtual reality (VR) apps, and features Bixby, an "... intelligent interface that is built into the Galaxy S8. With every interaction, Bixby can learn, evolve and adapt to you. Whether it's through touch, type or voice, Bixby will seamlessly help you get things done. (Voice coming soon)"

The CCC report also explained:

"Iris recognition may be barely sufficient to protect a phone against complete strangers unlocking it. But whoever has a photo of the legitimate owner can trivially unlock the phone. "If you value the data on your phone – and possibly want to even use it for payment – using the traditional PIN-protection is a safer approach than using body features for authentication," says Dirk Engling, spokesperson for the CCC."

Phys.org reported that Samsung executives are investigating the CCC report. Samsung views the Galaxy S8 as critical to the company's performance given the Note 7 battery issues and fires last year.

Some consumers might conclude from the CCC report that the best defense against iris hacks would be to stop posting selfies. That conclusion would be wrong, and such a defense insufficient:

"The easiest way for a thief to capture iris pictures is with a digital camera in night-shot mode or the infrared filter removed... Starbug was able to demonstrate that a good digital camera with 200mm-lens at a distance of up to five meters is sufficient to capture suitably good pictures to fool iris recognition systems."

So, more photos besides selfies could reveal your iris details. The CCC report also reminded consumers of the security issues with using fingerprints to protect their devices:

"CCC member and biometrics security researcher starbug has demonstrated time and again how easily biometrics can be defeated with his hacks on fingerprint authentication systems – most recently with his successful defeat of the fingerprint sensor "Touch ID" on Apple’s iPhone. "The security risk to the user from iris recognition is even bigger than with fingerprints as we expose our irises a lot. Under some circumstances, a high-resolution picture from the internet is sufficient to capture an iris," Dirk Engling remarked."

What are your opinions of the CCC report?


Connected Cars: 4 Tips For Drivers To Stay Safe Online

With the increasing dominance of the Internet of Things (IoT), connected cars are becoming more ubiquitous than ever. We’ve long heard warnings from the media about staying safe online, but few consumers consider data hacks and other security compromises while driving a car connected to the internet.

According to the infographic below from Arxan, an app protection company, 75 percent of all cars shipped globally will have internet connectivity by 2020, and current connected cars have more than 100 million lines of code. Connected features are designed to improve safety, fuel efficiency, and overall convenience. These features range from Bluetooth, WiFi, cellular network connections, and keyless entry systems to deeper “cyberphysical” features like automated braking, parking assist, and lane assist.

More Features Means More Vulnerability
However, with this increasing connectivity come risks from malicious hacking. Today, connected cars have many attack points malicious hackers can exploit, including the OBD2 port used to connect third-party devices, and the software running on infotainment systems.

According to Arxan, some of the more vulnerable attack points are mobile apps that unlock vehicles and start a vehicle remotely, diagnostic devices, and insurance dongles, including the ones insurance companies give to monitor and reward safe drivers. These plug into the OBD2 port, but hackers could essentially access any embedded system in the car after lifting cryptographic keys, as the Arxan page on application protection for connected cars describes.

Vulnerabilities are usually demonstrated at conferences like Black Hat. Example: in 2010, researchers at the University of Washington and the University of California San Diego hacked a car that had a variety of wireless capabilities. The vulnerable attack points they targeted included its Bluetooth, the cellular radio, an Android app on the owner’s phone that was connected to the car’s network, and an audio file burned onto a CD in the car’s stereo. In 2013, hackers Charlie Miller and Chris Valasek hijacked the steering and brake systems of both a Ford Escape and a Toyota Prius with only their laptops.

How To Protect Yourself
According to the FBI and the Department of Transportation in a public service announcement, it’s crucial that consumers follow these recommendations to best protect themselves:

  1. Keep your vehicle’s software up to date
  2. Stay aware of recalls that require manual security patches to your car’s code
  3. Avoid unauthorized changes to your car’s software
  4. Use caution when plugging insecure devices into the car’s ports and network

With the latest remote hack of a Tesla Model S, it seems that the response time between finding out about a breach and issuing a patch to correct it is thankfully getting shorter. As more automakers become tech-oriented like Tesla, they will also need to cooperate with OEMs to make sure the operating-system software in their vehicles is designed securely. It seems this will take time, coordination with vendors, and money to bring these operations in house.

Arxan connected vehicles infographic

What do you do to protect your Internet-connected vehicle? What security tools and features would you prefer automakers and security vendors provide?


Lifelock to Pay $100 Million To Settle Charges By FTC That Company Violated A 2010 Court Order

During the run-up to the holiday season, the U.S. Federal Trade Commission (FTC) announced a settlement agreement under which Lifelock will pay $100 million to settle charges that it violated a 2010 federal court order requiring it to properly secure customers' sensitive personal information and to stop deceptive advertising. The identity protection service has featured notable spokespersons, including radio talk-show host Rush Limbaugh, television personality Montel Williams, and former New York City Mayor Rudy Giuliani.

The company's stock price plunged in July 2015 when news of the FTC investigation broke. The FTC's charges against Lifelock included four components. The FTC alleged that:

  1. From at least October 2012 through March 2014, LifeLock failed to establish and maintain a comprehensive data security program to protect users’ sensitive personal information (e.g., Social Security numbers, credit card payment information, bank account information, etc.).
  2. LifeLock falsely advertised that it protected consumers’ sensitive information with the same high-level protections used by banks.
  3. From January 2012 through December 2014 LifeLock falsely advertised that it would send alerts “as soon as” it received any indication that a consumer may be a victim of identity theft.
  4. Lifelock failed to comply with the recordkeeping requirements in the 2010 court order.

In 2010, about 950 thousand consumers received refunds from Lifelock as a result of its deceptive advertising claims. In a 2014 review of the service, Consumer Reports advised consumers to ignore the hype and consider whether you are likely to lose, or have stolen, as much money as Lifelock's annual service fees: $99 to almost $250 a year. Consumer Reports said:

"LifeLock’s latest commercial shows folks happily sharing personal information on smart phones, laptops, and tablets, oblivious to LifeLock’s claim that “identity theft is one of the fastest-growing crimes in America.” That’s why you need LifeLock.. True, existing debit- and credit-card fraud, aka card theft, makes up the largest part of what is trumped up as identity fraud, and it jumped 46 percent last year. But consumer-protection laws and zero-liability policies limit the actual cost of that crime for most consumers to zero. Those who had out-of-pocket costs in 2013 lost only $108, on average. The incidence of new-account fraud... has fallen to historic lows. Your chance of getting hit last year was only one-half of 1 percent. Again, you’re generally not liable if a creditor lends money to a crook posing as you, but costs for consumers who were liable somehow averaged $449. LifeLock’s terms-and-conditions agreement requires that you also work to protect your personal information “at all times.” Why pay someone for DIY defense?"

Regular readers of this blog know that after my personal information was disclosed during a prior employer's data breach, I placed Fraud Alerts for free on my credit reports on my own. Later, I upgraded to Security Freezes for greater protection. The only cost I incurred for the Security Freezes was the $5 fee (which varies by state) each credit reporting agency charged. I monitor my credit card and bank statements monthly (for free) for fraudulent charges, and when they occur get them removed without incurring any costs. For me, DIY protection works.

Terms of its settlement agreement with the FTC require Lifelock to:

"... deposit $100 million into the registry of the U.S. District Court for the District of Arizona. Of that $100 million, $68 million may be used to redress fees paid to LifeLock by class action consumers who were allegedly injured by the same behavior alleged by the FTC. These funds, however, must be paid directly to and received by consumers, and may not be used for any administrative or legal costs associated with the class action. Any money not received by consumers in the class action settlement or through settlements between LifeLock and state attorneys general will be provided to the FTC for use in further consumer redress. In addition to the settlement’s monetary provisions, record-keeping provisions similar to those in the 2010 order have been extended to 13 years from the date of the original order."

Consumers who did not participate in the class action can still sue the company. Congratulations to the FTC for the enforcement and holding Lifelock accountable.


FTC Alleged Lifelock Violated 2010 Settlement Agreement. Company Stock Price Plunged

You've probably seen the advertisements on television. Lifelock provides identity protection services. Last week, the U.S. Federal Trade Commission (FTC) took action against Lifelock for allegedly violating the terms of its 2010 settlement. The FTC press release:

"... from at least October 2012 through March 2014, LifeLock violated the 2010 Order by: 1) failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data, including credit card, social security, and bank account numbers; 2) falsely advertising that it protected consumers’ sensitive data with the same high-level safeguards as financial institutions; and 3) failing to meet the 2010 order’s recordkeeping requirements... from at least January 2012 through December 2014, LifeLock falsely claimed it protected consumers’ identity 24/7/365 by providing alerts “as soon as” it received any indication there was a problem..."

The 2010 settlement resulted from FTC allegations that LifeLock used false claims to promote its identity theft protection services. The settlement stopped the company and its executives from making such claims, and required the company to take stronger measures to protect customers' personal information. The 2010 settlement included a $12 million payment for consumer refunds.

Todd Davis, Chairman and CEO, responded to the FTC allegations in Lifelock's blog:

"LifeLock has been up front and transparent that we have been in a dialogue with the Federal Trade Commission for more than 18 months. During this time, we have worked with agency staff and commissioners, striving to come to a satisfactory resolution. Despite our efforts, we were unable to do so. As a result of our unwillingness to agree to an unreasonable settlement, the agency has decided to litigate its claims. We disagree with the substance of the FTC’s contentions and are prepared to take our case to court."

The legal motions were filed under seal. Lifelock is based in Tempe, Arizona. AZCentral reported:

"LifeLock shares fell more than 49 percent after the FTC accused the company of violating terms of a 2010 settlement by continuing to deceive customers and failing to protect their data... Their assurances did little to stave such a massive sell-off of shares. Because of the plunge, the New York Stock Exchange was twice forced to suspend trading of LifeLock as the share price dropped from $16.05 to close at $8.15."

Consumer Reports reviewed the Lifelock service in 2013:

"The bottom line: Protect yourself for less. Monitor your financial statements and credit reports for suspicious activity that can lead to identity theft. If your credit cards are lost or stolen, you don’t need LifeLock to notify your financial institutions to cancel and replace them. If your Social Security number is out there, we suggest that you put a security freeze on your credit reports at the big three credit bureaus–Equifax, Experian, and TransUnion. That will prevent creditors from accessing your file if a crook tries to open a new account in your name... But there is usually no charge if you’re already a victim of ID theft. Credit bureaus consider credit- and debit-card theft as identity theft, so it should be easier for you to get free freezes."

Past pitch persons for Lifelock have included former prosecutor and New York City Mayor Rudy Giuliani, and radio personality Rush Limbaugh.

July 24 view of Rush Limbaugh site


A Fight Brews After Retailers Demand From Congress Better, Stronger, And Consistent Data Breach Laws

The National Retail Federation and 43 other retail associations sent a letter dated November 6, 2014 to Congressional leaders in the House and Senate demanding laws that promote stronger data security, eliminate exemptions for certain industries from data breach notification laws, and provide consistent data breach notification rules.

There are currently 47 different breach notification laws across the states. This makes for a complicated patchwork of state laws that retailers must navigate when informing affected shoppers about data breaches. The laws vary in defining the data elements to be protected, data formats, the methods of notification, and by when affected consumers must be notified.

The retail associations' letter to Congress (Adobe PDF) stated:

"Organized groups of criminals, often based in Eastern Europe, have focused on U.S. businesses, including financial institutions, technology companies, manufacturing, retail, utilities and others. These criminals devote substantial resources and expertise to breaching data protection systems... Given the breadth of these invasions, if Americans are to be adequately protected and informed, any legislation to address these threats must cover all of the types of entities that handle sensitive personal information. Exemptions for particular industry sectors not only ignore the scope of the problem, but create risks criminals can exploit. Equally important, a single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs."

The letter cited current banking practices:

"... the recently reported data breaches have taught us, it is that any security gaps left unaddressed will quickly be exploited by criminals. For example, the failure of the payment cards themselves to be secured by anything more sophisticated than an easily-forged signature makes the card numbers particularly attractive to criminals and the cards themselves vulnerable to fraudulent misuse. Better security at the source of the problem is needed. The protection of American’s sensitive financial information is not an issue on which sacrificing comprehensiveness makes any sense at all."

The letter described the threats retailers face, and data breaches at banks and payment processors:

"... some recent examples are instructive. This summer, it was reported that JPMorgan Chase had suffered a data security breach... affecting 83 million accounts that had been accessed online or through mobile devices. The criminals involved reportedly took over computers around the world... Given the sophistication of the attack, even months after initial disclosure, it is not clear whether the bank’s system is free of the hackers involved. It has also been reported that nine other banks suffered similar data breaches and there is evidence that there is a focused effort to breach financial institutions by these criminals... Despite all that reporters have uncovered to date, however, financial regulators have not required financial institutions to provide the same detailed notice to their customers as is required of other businesses under law... it was revealed in September that over 100 account subscribers to Apple’s widely-used iCloud service had suffered a series of targeted attacks that ultimately led to the unlawful acquisition of sensitive photographs stored on the iCloud servers. Merchants have also been attacked by criminals employing sophisticated and previously unseen tools to steal payment card numbers. Payment card data has been targeted by criminals in data breaches at every type of entity that handles such data – from financial institutions to retailers, card processors, and telecommunications providers."

The letter also cited a key industry study about where data breaches occurred:

"The Verizon Data Breach Investigations Report is the most comprehensive summary of these types of threats. The 2014 report (examining 2013 data) determined that there were 63,437 data security incidents reported by industry, educational institutions and governmental entities last year and that 1,367 of those had confirmed data losses. Of those, the financial industry suffered 34%, public institutions (including governmental entities) had 12.8%, the retail industry had 10.8%, and hotels and restaurants combined had 10%."

The Online Trust Alliance supports the retailer associations' letter with calls for better, stronger, consistent data breach laws. The American Bankers Association and several financial services groups responded with their own letter (Adobe PDF) to Congress dated November 12, 2014. The banking groups' letter said the retail associations' letter was:

"... inaccurate and misleading, and recommends solutions that leave consumers vulnerable to enhanced risk of data breaches... As evidenced by the massive breaches at Target, Home Depot, Michaels, Neiman Marcus, Jimmy Johns, Staples, Dairy Queen and others, retailers are being targeted by cyber criminals. While merchants and financial institutions are both the targets of these attacks, a key difference is that financial institutions have developed and maintain robust internal protections to combat criminal attacks and are required by Federal law and regulation to protect this information and notify consumers when a breach occurs that will put them at risk. In contrast, retailers are not covered by any Federal laws or regulations that require them to protect the data and notify consumers when it is breached."

Given the frequency and large size of data breaches, in my opinion, both groups have failed at adequately protecting consumers' sensitive personal and financial information. Neither is in a position to criticize the other.

The financial groups' letter cited "Strong Federal Oversight and Examination" and:

"Financial institutions on their own are aggressively implementing new systems and leading the development of new technologies like tokenization to combat the ever-changing criminal threat."

Banks may lead the way in defending against external threats, but seem to have failed miserably against internal threats. Several examples illustrate my point. Banks have settled lawsuits about data breaches, settled lawsuits about residential mortgage-backed securities abuses, paid massive amounts ($128 billion and counting) in settlement payments and fines where terms are often kept secret and payments are tax deductible, and failed to solve their growing ethics problem where young bankers feel they must break the law to get ahead. Nobody forced banks to violate laws resulting in these lawsuits, settlements, and fines.

Rather than fight, both groups should stay focused on their shoppers and account holders: collaborate on better data security. Otherwise, they both look silly; like children at the dinner table arguing over who gets the last slice of chocolate cake.

View the full text of the retail associations' letter to Congress (Adobe PDF). Download the 2014 Verizon Data Breach Investigations Report. Learn more about hacking attacks against Apple iCloud services.


ID Experts Introduces Medical Identity Theft Service To Detect And Lower Health Care Fraud

Just before the holidays, ID Experts Corporation introduced Medical Identity Alert System (MIDAS), a new service to help health care plan providers, employers, and consumers prevent and reduce medical identity theft and fraud. The F.B.I. estimated health care fraud at $80 billion each year. The 2013 Survey on Medical Identity Theft by Ponemon found:

"... most cases of identity theft result not from a data breach but from the sharing of personal identification credentials with family and friends. Or, family members take the victim’s credentials without permission."

About 1.84 million people in the USA are currently affected by medical identity theft and fraud. This can lead to misdiagnoses, mistreatments, delayed treatments, and wrong prescription medications. Only 54 percent of patients review the Explanation of Benefits (EOB) statements from their health care providers.

MIDAS uses real-time text messages and emails to alert users when a healthcare transaction is submitted to their health plan. The alert links to a secure website where the member can validate the transaction, or flag it as “suspicious.” Then, MIDAS resolution experts follow up on the flagged transactions.

The MIDAS website lists several benefits:

  • Lowers health care costs
  • Detects health care fraud and medical identity theft
  • Engages patients for Affordable Care Act (ACA) compliance
  • Uses proven fraud reduction strategies
  • Simple yet powerful
  • Accessible from anywhere with an Internet connection
  • Service is backed by experienced identity protection experts

Bob Gregg, CEO of ID Experts said:

“Consumers have easy access to their personal financial data yet their medical care transactions are a closed door... MIDAS will change this by bringing transparency to healthcare transactions, engaging members as the first line of defense in protecting their identities and uniting health plans with their members to combat fraud.”

PHIprivacy investigated the service, and reported that ID Experts does not share MIDAS users' information with other companies.

This service appeals for three reasons:

  1. Lowering health care fraud should translate into lower health care costs and premiums for consumers,
  2. Most credit-monitoring solutions focus only upon financial transactions, and do not cover nor monitor for medical identity theft and fraud, and
  3. MIDAS can help more patients review their medical transactions; something experts advise patients to do, just as financial institutions and credit reporting agencies advise consumers to review their accounts and credit reports for fraud.

Note: this is not an endorsement. It is simply a news article to inform readers of a new service. I do not have any arrangements or relationship with ID Experts. If you subscribe to MIDAS, please share your opinions and experience below.


How To Lock Down Your Facebook Privacy Now That Old Posts Are Searchable

If you have used Facebook for several years, then you have a lot of posts in your timeline. A lot. With the new Facebook Search feature, those old posts are searchable. And many of those old posts probably have weak privacy settings: the "Public" setting, meaning anyone can search for and view them. You probably don't want those old posts and photos of you high or drinking (to excess) to be searchable. It could cost you a job, result in a rejected college application, or affect your credit-worthiness.

What to do? You could spend the next week 24/7 non-stop deleting all of your old posts and/or changing the privacy setting on each old post to "Friends Only." A faster method to protect your privacy is to use Facebook's "Limit Past Posts" privacy setting. I'll bet you didn't know that this security setting exists, since Facebook makes its interface for security settings difficult to find and use.

Here is how to find and use the "Limit Past Posts" security setting:

  1. Sign into Facebook and click on the Security Shortcut icon in the upper right corner. That's the thingy with the lock icon.
  2. A drop-down menu will appear. Select "See More Settings"
  3. On the next page, select the "Limit Past Posts" link
  4. The page will expand to reveal two links. Select "Learn about changing old posts" if you want to learn more about this security feature. Otherwise, select the "Limit Old Posts" button.
  5. Facebook will try to dissuade you from making this security change by, a) asking if you are sure you want to proceed, and b) telling you that this change cannot be undone. Yes, you are sure. Proceed and select the "Confirm" button.
  6. On the next screen, select the "Close" button and you are done.

If these instructions aren't clear, see the Gizmodo article with screen images.


How To Opt Out Of Tracking Programs And Keep As Much Privacy As Possible

Your online activity is tracked by a wide variety of technologies, not just web sites. For example, all of the major search engines (e.g., Google, Bing, Yahoo) track your search history. If you use one of the major search engines, then you will need to opt-out of the search engine history tracking at each search engine. This Mashable article contains instructions plus links to the opt-out mechanisms for each search engine.

Me? I use the DuckDuckGo search engine instead. There is nothing to opt-out of because DuckDuckGo doesn't collect anything.

Similarly, the social networking websites you use track your online activity and will use your name and photo in their online advertisements if you let them. To avoid this, you'll need to opt out of the advertisement features at each social networking website you use. For example: sign in to Twitter and navigate to Settings, and then Security and Privacy. On that page, uncheck the boxes next to Promoted Content and Tweet Location. For Facebook, navigate to General Account Settings, and then to Ads. Click Edit and select "No one" for Third Party Sites. Click Edit and select "No one" for "Ads and Friends."

This Mashable article contains instructions for how to opt out of advertisements on Google services.

The web browser you use also tracks your online activity. So, the steps you must take to deactivate HTTP cookie tracking depend upon which web browser you use. According to Mashable, to opt out of cookie tracking Mozilla Firefox users must:

"In Firefox's Privacy panel, click on the area next to Firefox will: and select Use custom settings for history. Once selected, remove the checkmark in the Accept Cookies box."

See the Mashable article for instructions for Google Chrome users. I also use the Better Privacy add-on for Firefox to regularly delete HTTP cookies and other Locally Shared Object (LSO) cookies.

Also, there may be settings on your mobile device to turn off any sharing with your mobile device manufacturer, mobile operating system manufacturer, and/or telecommunications provider. None of the above methods will stop sharing of your purchases with your bank, credit-card, debit-card, and/or prepaid card provider.

Remember, all of these services and technologies, including your mobile device (e.g., tablet, smart phone), that collect data also collect metadata. All of this online data collection can make the Internet a pretty frustrating tool at times. In response to the perceived (and real) lack of online privacy, more and more users in Australia provide fake information while online to blunt companies' data collection and tracking. And, if infected with the appropriate computer virus, your smart phone may continue to track you even when turned off.


April 20 Is 'Secure Your ID Day'

April 20, 2013 is "Secure Your ID Day." To learn more about how you can protect yourself and your sensitive personal information, visit the Better Business Bureau website. The site lists participating BBB groups in various states.

If you can't attend a local event, then browse these tips and suggestions from the BBB to keep your sensitive personal information secure. Other resources that consumers may find helpful:


DuckDuckGo: A Search Engine For Privacy

Last week, a reader suggested the DuckDuckGo.com search engine. Like most people, through the years I used a variety of search engines: first Yahoo, then Alta Vista, Google, and most recently Bing. DuckDuckGo has a very simple, easy-to-read privacy policy:

"DuckDuckGo does not collect or share personal information. That is our privacy policy in a nutshell..."

The DuckDuckGo privacy policy also explains why you should care about what other search engines do:

"... when you search for something private, you are sharing that private search not only with your search engine, but also with all the sites that you clicked on (for that search). In addition, when you visit any site, your computer automatically sends information about it to that site..."

Other search engines collect your search terms. And, the list of information your computer sends to them includes its operating system brand and version, screen size and resolution, your ISP, and your IP address. And that information may also be shared with affiliates or partner companies. DuckDuckGo.com doesn't do any of this.

ConsumerSearch lists the advantages and disadvantages of DuckDuckGo. In March 2012, PCWorld said:

"...[DuckDuckGo] also doesn't track users: no personal information is collected, shared, or used to customize individual users' search results. So, anyone searching on a particular term in DuckDuckGo will get the same results... DuckDuckGo also offers benefits including the capability to use shortcuts to directly search many websites..."

And, there are DuckDuckGo mobile apps.

I ran several searches to see what DuckDuckGo retrieves. Its search results don't seem to be missing any pages other search engines deliver. Besides the privacy benefits, I like the cleanness and lack of clutter at DuckDuckGo. A long time ago, the Google search engine used to be this way.

To learn more about DuckDuckGo.com, read about how it does not track your online usage. And, read this page about the Filter Bubble. Then, decide for yourself.

If you use DuckDuckGo, what's your opinion or experience with it?


Trouble In Smart Phone Land

Where I live and work, it seems that most people have smart phones, and love to use them. However, I am getting the impression that many, if not most, have no idea how to protect themselves and their sensitive personal data. While discussing good data security habits, I have been asked the following question by several smart phone users:

Where do I find anti-virus software for my smart phone?

While most people understand the need and take action to protect their desktop and laptop computers with anti-virus software, it doesn't seem to translate to mobile devices. Some feel that their smart phones are immune to computer viruses and malware. Actually, experts warn that malware can infect your smart phone in 4 ways: text messages, email, Bluetooth, and web surfing. So, I spent a few minutes the other day showing a person how to find anti-virus apps for her new Samsung Galaxy III smartphone.

To find anti-virus apps for your smart phone, start with the app store your device is configured with. You can also visit Androidapps.com and select:

Android App Directory > Tools > Security

Next, you'll see a list of familiar anti-virus software providers: Kaspersky, McAfee, Norton, and others. Some brands offer bundle opportunities to protect several devices you might have at home: laptops, tablets, and smart phones; or devices for several family members. Shop around, read the service agreements, and shop wisely.

Got an iPhone or iPad? Start shopping here for data security apps. For users with mobile devices that run Windows® or other operating systems, start shopping here.

I wish that the industry called the devices "handheld computers" or "pocket computers" because that is what the devices are. The phrase "smart phone" seems antiquated for mobile devices that do so much more than make and receive telephone calls.


Unclear About Data Brokers But Wanting Control And More Disclosure

While the U.S. Senate probes data brokers and consumer privacy issues, a recent study by Trusted ID provides some insights into how consumers view data brokers:

  • 80% of respondents do not have a good understanding of what a data broker is, what they collect and how they use information
  • About 80% of respondents state that it is important to control their data collected and archived by data brokers
  • 76% of consumers feel that it is important to be notified about information that data brokers collect
  • 80% of respondents want a centralized website to manage their information that is collected and archived by data brokers

The survey was conducted online between August 23 and September 5, 2012, with a national sample of 2,960 Americans.

Earlier this year, the data broker Spokeo paid $800,000 to settle charges by the U.S. Federal Trade Commission (FTC) that it allegedly violated the Fair Credit Reporting Act by operating as a credit reporting agency and by marketing consumers' profiles to companies in several industries without implementing methods to protect consumers as required by the FCRA. The complaint (Adobe PDF) filed by the FTC, in June 2012 in the Central District Court in California, read in part:

"Spokeo assembles consumer information from 'hundreds of online and offline sources,' such as social networking sites, data brokers, and other sources to create consumer... In its marketing and advertising, [Spokeo] has promoted the use of its profiles as a factor in deciding whether to interview a job candidate or whether to hire a candidate after a job interview. Spokeo purchased thousands of online advertising keywords including terms targeting employment background checks, applicant screening, and recruiting. Spokeo ran online advertisements with taglines to attract recruiters and encourage HR professionals to use Spokeo to obtain information about job candidates' online activities. Spokeo has affirmatively targeted companies operating in the human resources, background screening, and recruiting industries... Spokeo profiles are consumer reports because they bear on a consumer's character, general reputation, personal characteristics, or mode of living and/or other attributes listed in section 603(d), and are "used or expected to be used... in whole or in part" as a factor in determining the consumer's eligibility for employment or other purposes specified in section 604."

Consumers can conclude a couple of things from this. First, sloppy data practices by data brokers can abuse consumers' information. Second, what you share online in social networking sites can affect whether or not you get a job, or even get an interview. In the rush to make money and create new revenue streams, social networking sites now use your information in ways you didn't originally intend. The I've Been Mugged blog first reviewed Spokeo in 2010.

Download the Trusted ID survey results in the "Consumer Perspectives - Data Brokers In Review" report (Adobe PDF).


National Protect Your Identity Week 2012

Not sure what you can do to protect your sensitive personal information? October 20 - 27, 2012 is "National Protect Your Identity Week" (NPYIW).

The ProtectYourIDNow site contains a wealth of information for consumers, plus local events by state. I visited the website to see what's available this year. There are some interesting statistics about how consumers don't protect themselves nor their sensitive personal information:

"68 percent of people with public social media profiles shared their birthday information (with 45 percent sharing month, date and year); 63 percent shared their high school name; 18 percent shared their phone number; and 12 percent shared their pet's name - all are prime examples of personal information a company would use to verify your identity."

While it may feel nice to receive birthday congratulations from your "friends" on social networking websites, the fact is that your birth date is a sensitive and critical piece of personal information that data brokers (and identity thieves) use to distinguish between multiple people with the same name. Experts warn consumers to stop doing these seven things on Facebook and other social networking websites. Some other interesting statistics:

"Seven percent of Smartphone owners were victims of identity fraud... 32 percent of Smartphone owners do not update to a new operating system when it becomes available; 62 percent do not use a password on their home screen... 32 percent save login information on their mobile device... Young adults, aged 18-24, took the longest to detect identity theft - 132 days on average... the average cost ($1,156) was roughly five times more than the amount lost by other age groups... Children may be 51 times more likely than adults to have their identity stolen..."

The NPYIW website includes tips to protect yourself, informative videos, advice about what to do if you are a victim of identity theft and fraud, and an online quiz to test your knowledge about identity theft and fraud. Sponsors of NPYIW include the National Foundation for Credit Counseling, the National Sheriffs Association, the National Association of Triads, the Consumer Federation of America, the Council Of Better Business Bureaus, the U.S. Federal Trade Commission (FTC), the Identity Theft Resource Center, the National Crime Prevention Council, the Credit Union National Association, and many others.

Did you attend a NPYIW event? If so, share your experience below.


Survey: How Mobile Device Users Protect Their Privacy With Mobile Apps

A recent survey by the Pew Research Center investigated how mobile device users manage their privacy. The survey included both cell phone users and smart phone users. Key findings:

"54% of app users have decided to not install a cell phone app when they discovered how much personal information they would need to share in order to use it; 30% of app users have uninstalled an app that was already on their cell phone because they learned it was collecting personal information that they didn’t wish to share. Taken together, 57% of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place for similar reasons."

It is good to read that consumers are not blindly downloading and using mobile device apps, since prior studies have documented sporadic and inconsistent access to privacy policies for mobile apps. After pressure from the California Attorney General, several companies (e.g., Amazon.com, Apple, Google, Hewlett-Packard, Microsoft, and Research In Motion) that operate mobile app stores agreed to improve app privacy policies disclosing the personal data collected, stored, and shared. Earlier this month, researchers at M.I.T. documented privacy abuses by mobile apps that tracked consumers without notice or consent. And, the U.S. Federal Trade Commission published guidelines for businesses that develop and market mobile device apps.

The Pew survey found that almost one-third (31%) of all smart phone users surveyed have lost their device or had it stolen. Among users 18 to 24 years of age, about 45% had either lost their device or had it stolen. The survey authors concluded:

"Smartphone owners are generally more active in managing their mobile data, but also experience greater exposure to privacy intrusions"

The table below highlights this conclusion:

Activity                                                              Smart Phone Users   Cell Phone Users
Back up phone contents                                                        59%                21%
Cleared browsing or search history                                            50%                14%
Turned off location tracking                                                  30%                 7%
Experienced lost or stolen device                                             33%                29%
Somebody accessed device in a way that felt like a privacy intrusion          15%                 8%

Pew conducted the nationwide survey, in both English and Spanish, of 2,254 adults (age 18 and older) during March 15 to April 3, 2012. Download the Pew report: "Privacy and Data management on Mobile Devices."


How To Safely Dispose of Your Old Smart Phone

Everybody loves getting the latest smart phone. What to do with your old one? Perhaps, you plan to sell it on eBay or donate it to a charity. Whatever you decide, be sure to remove all sensitive data from it. Otherwise, you could create an identity theft and fraud problem for yourself.

The sensitive data on your smart phone isn't just your list of contacts and their phone numbers. The sensitive data also includes your passwords, email, browser history, calendar, and photos -- the things that document when and where you go both online and in the real world. The sensitivity of both your online passwords and browser history should be obvious. With access to your email, identity criminals could hack into your financial accounts and reset your online passwords. That would be an identity-theft disaster.

How to safely dispose of an old smart phone? Before selling or donating an old smart phone, security experts advise consumers to:

  1. Remove the SIM card
  2. Remove any memory cards
  3. Run a factory reset to delete sensitive data. To do this, check the (print or online) manual for your smart phone.

But that may not be enough. AccessData, a computer forensics firm, performed an analysis last year of several popular smart phones available on the resale market. Almost all had sensitive data from the prior owners. As Dark Reading reported:

"The phones were the iPhone 3G, Sanyo 2300, HTC Wildfire, LG Optimus, and HTC Hero... Even though all of the Android phones had been wiped through a factory reset, four of the five phones also included information that would take someone with forensics tools and knowledge to extract from more hidden storage locations... Some of the details available within those four phones included user account information, Social Security numbers, geolocation tags for where the user had taken pictures using the phone, deleted text messages, and a resume. "

In this case, the only secure option is to go old-school: wrap it in cloth and then take a hammer to your old smart phone -- even the older clamshell types. Don't try to resell or donate it. Most consumers don't have access to industrial-strength hard-drive shredding services.

What did you do with your old smart phone? How did you remove any sensitive data from it? Or are your old devices gathering dust in a drawer or closet at home?


Canadian Privacy Commissioner Introduces Graphic Novel To Help Youth Safely Use the Internet With Mobile Devices

The Office of the Privacy Commissioner in Canada has introduced a graphic novel designed to help teens and youth use the Internet safely with mobile devices. If you haven't read it, I highly recommend it. It is an easy read and it clearly describes some good, basic data security habits.

The graphic novel (Adobe PDF, 4.5 MB) is good for youth (and their parents) everywhere, and not just in Canada. The skills needed to safely use mobile devices and maintain privacy are universal.

In the United States, the Federal Trade Commission (FTC) offers the "Heads Up: Share With Care" guide (Adobe PDF) for youth at the OnGuard Online website.


Traveling Outside The Country? Before You Leave, Notify Your Credit Card Issuer So Your Purchases Aren't Denied

With the increase in identity theft and fraud during the past few years, many banks have increased their security efforts to fight identity fraud. This includes proactively flagging or automatically denying credit card purchases in another country. This increased security has both good and bad news.

The good news: consumers are better protected against fraud. The bad news: valid purchases by cardholders traveling outside the country may be denied. The last thing anyone wants to experience is a denied credit card purchase when you are in a different country and low on cash in the local currency.

To avoid this, I notified my credit card issuers before my recent vacation travel. Credit card issuers will want to know your card number, travel destinations, travel start/stop dates, and cardholders traveling.

The letter I used, which you are welcome to adapt for your upcoming trip:

"This regards the [insert Visa/Discover/MasterCard/Amex/etc.] account ending XXXX. I am the cardholder for the above account. This letter is to inform you that I will be traveling on vacation from November 22, 2011 to December 9, 2011, and visiting the following locations: Mexico, Guatemala, Panama, and Colombia (Cartagena). Hence, you will see purchases on my [insert Visa/Discover/MasterCard/Amex/etc.] card at these locations, and from the XXXXXXXXX cruise line."

With some credit card issuers, you can report upcoming travel via a toll-free phone number. I prefer a written letter which documents the communication. The address to use is on your monthly statement. Check the website for your bank or credit card issuer about how to report upcoming travel.


How To Protect Your Sensitive Personal Data When Using Public WiFi Networks

Last week, I met a friend for lunch to discuss her new business venture. After lunch, we moved our discussion to a nearby coffee shop. While there, my friend surfed the Internet using her mobile device and the coffee shop's public WiFi network.

When we finished our discussion, I suggested that she change her passwords for the websites she visited, since she had signed into them over HTTP connections instead of HTTPS connections. (My friend had not heard about PrivateWiFi.) During the subway ride home, I began to wonder what a comprehensive list for consumers would be of tips about how to securely use public WiFi networks, at places like airport lounges and coffee shops.

If you aren't familiar with the identity-theft threat, about a year ago there were many articles about the Firesheep Web browser plugin, which allows hackers at public WiFi hotspots to monitor nearby consumers' online sessions and steal account log-in passwords. A recent tweak of Firesheep allows it to steal your Google web history. Not to be outdone, the newer Droidsheep app allows hackers to monitor and steal from mobile devices running the Android operating system.

With tools like these, the identity-theft and fraud damages can be extensive. Thieves can send spam from your email and/or social networking website accounts, or steal money from your bank accounts.

So what can a consumer do to protect their data? This Hot Spot Hacker article offers several good tips for using your mobile device securely at public WiFi networks:

"1. Set your laptop or smart phone so you have to manually select the Wi-Fi network. You may need to change the default setting.

2. Make sure you know the exact name of the establishment's Wi-Fi network and connect only to it. Don't be fooled by look-alikes."

These two tips are good reminders because it is easy to set your mobile device to automatically connect at coffee shops you visit repeatedly, and forget about WiFi network security.

"3. Avoid any hot spot that your device lists as "unsecured." Keep in mind that even if a password is required, a hot spot can still be unsecured."

This tip cannot be overemphasized. Of course, it is preferable to use WiFi networks that require a password log-in, but that is just a start. A password log-in is not complete security. For full security, the entire session must be encrypted, because browser cookies and other files transmitted during the session contain personal data that hackers can abuse:

"4. If your device shows the site as secured, pay attention to what kind of encryption it lists. WEP (Wired Equivalent Privacy) is an early system, dating from over a decade ago. If it's WEP, treat the network as not secure. WPA (Wi-Fi Protected Access) is better, and WPA2 is best of all."

Most people I know have no idea what brand of wireless encryption to look for and to use. Now you know. Here's what else you need to know about WiFi network security:

"5. If you send personal data over a Wi-Fi link, do so only to an encrypted website. You can tell a site is encrypted if you see the letters "https" (the "s" stands for "secure") at the beginning of its Web address. Also, look for a lock icon on the top or bottom of pages throughout the site."

So, what can a consumer do to use WiFi networks safely and securely? One suggestion:

"6. Before using a public Wi-Fi network, install such software as Force-TLS and HTTPS-Everywhere, which are free add-ons to the Firefox browser. They make sure you use encryption features available on websites you visit. Virtual private network software — some of it free, some not — can also add security."

You could also use PrivateWiFi. And, there are more WiFi network security tips. To learn more, visit the Hot Spot Hacker article. If your mobile device uses the Android operating system, watch this Droidsheep video.
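As an added example (not code from the original post, from PrivateWiFi, or from Hot Spot Hacker), the check below audits a website's login response the way a defender would, flagging the conditions that Firesheep-style cookie sniffing on an open WiFi network depends on: a login page served over plain HTTP, no Strict-Transport-Security header, or a session cookie set without the Secure flag. The URLs, header values and cookie names are constructed sample data, and the list of session-cookie name hints is an assumption.

```python
# Added example, not from the original post: audit one login response for
# the exposure Firesheep relies on, namely a session cookie the browser
# would send in clear text over an open WiFi network.
# URLs, headers and cookie names below are constructed sample data.
from urllib.parse import urlparse

# Substrings that suggest a cookie carries the logged-in session (an
# assumption; adjust for the site you are checking).
SESSION_HINTS = ("sess", "auth", "token", "sid")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, attributes).

    Attribute names are lower-cased; bare flags such as Secure map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"value": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def audit_login_response(url, headers):
    """Return a list of findings (strings) for one login response.

    url: the address the credentials were submitted to.
    headers: list of (name, value) pairs as the server sent them; a list
             rather than a dict because Set-Cookie may repeat.
    """
    findings = []
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        findings.append("login over %s: password and cookies are readable "
                        "by anyone on the network" % scheme)
    has_hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    if not has_hsts:
        findings.append("no Strict-Transport-Security: a later http:// link "
                        "sends non-Secure cookies in clear text")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        is_session = any(hint in name.lower() for hint in SESSION_HINTS)
        if is_session and "secure" not in attrs:
            findings.append("session cookie %r lacks the Secure flag: "
                            "sniffable over open WiFi" % name)
    return findings


# Constructed sample: the kind of login response Firesheep exploited ...
WEAK_URL = "http://example.test/login"
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=c0ffee; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]
# ... and the hardened form: HTTPS, HSTS, and a Secure session cookie.
SAFE_URL = "https://example.test/login"
SAFE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=c0ffee; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for label, url, hdrs in (("weak", WEAK_URL, WEAK_HEADERS),
                             ("safe", SAFE_URL, SAFE_HEADERS)):
        print(label, audit_login_response(url, hdrs) or ["no findings"])
```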