Traveling Outside The Country? Before You Leave, Notify Your Credit Card Issuer So Your Purchases Aren't Denied

With the increase in identity theft and fraud during the past few years, many banks have increased their security efforts to fight identify fraud. This includes proactively flagging or automatically denying credit card purchases in another country. This increased security has both good and bad news.

The good news: consumers are better protected against fraud. The bad news: valid purchases by cardholders traveling outside the the country may be denied. The last thing anyone wants to experience is a denied credit card purchase when you are in a different country and low on cash in the local currency.

To avoid this, I notified my credit card issuers before my recent vacation travel. Credit card issuers will want to know your card number, travel destinations, travel start/stop dates, and cardholders traveling.

The letter I used, which you are welcome to adapt for your upcoming trip:

"This regards the [insert Visa/Discover/MasterCard/Amex/etc.] account ending XXXX. I am the cardholder for the above account. This letter is to inform you that I will be traveling on vacation from November 22, 2011 to December 9, 2011, and visiting the following locations: Mexico, Guatemala, Panama, and Colombia (Cartagena). Hence, you will see purchases on my [insert Visa/Discover/MasterCard/Amex/etc.] card at these locations, and from the XXXXXXXXX cruise line."

With some credit card issuers, you can report upcoming travel via a toll-free phone number. I prefer a written letter which documents the communication. The address to use is on your monthly statement. Check the website for your bank or credit card issuer about how to report upcoming travel.

How To Protect Your Sensitive Personal Data When Using Public WiFi Networks

Last week, I met a friend for lunch to discuss her new business venture. After lunch, we moved our discussion to a nearby coffee shop. While there, my friend surfed the Internet using her mobile device and the coffee shop's public WiFi network.

When we finished our discussion, I suggested that she change her passwords for the websites she visited, since she had signed into with HTTP connections instead of HTTPS connections. (My friend had not heard about PrivateWiFi.) During the subway ride home, I began to wonder what a comprehensive list for consumers would be of tips about how to securely use public WiFi networks, at places like airport lounges and coffee shops.

If you aren't familiar with the identity-theft threat, about a year ago there were many articles about the Firesheep Web browser plugin, which allows hackers at public WiFi hotspots to monitor nearby consumers' online sessions and steal account log-in passwords. A recent tweak of Firesheep allows it to steal your Google web history. Not to be outdone, the newer Droidsheep app allows hackers to monitor and steal from mobile devices running the Android operating system.

With tools like these, the identity-theft and fraud damages can be extensive. Thieves can send spam from your email and/or social networking website accounts, or steal money from your bank accounts.

So what can a consumer do to protect their data? This Hot Spot Hacker article offers several good tips for using your mobile device securely at public WiFi networks:

"1. Set your laptop or smart phone so you have to manually select the Wi-Fi network. You may need to change the default setting

2. Make sure you know the exact name of the establishment's Wi-Fi network and connect only to it. Don't be fooled by look-alikes."

These two tips are good reminders because it is easy to set your mobile device to automatically connect at coffee shops you visit repeatedly, and forget about WiFi network security.

"3. Avoid any hot spot that your device lists as "unsecured." Keep in mind that even if a password is required, a hot spot can still be unsecured."

This tip cannot be over emphasized. Of course, it is preferable to use WiFi networks that require a password log-in, but that is just a start. A password log-in is not complete security. For full security, the entire session must be encrypted, because browser cookie and other files transmitted during the session contain personal data hackers can abuse:

"4. If your device shows the site as secured, pay attention to what kind of encryption it lists. WEP (Wired Equivalent Privacy) is an early system, dating from over a decade ago. If it's WEP, treat the network as not secure. WPA (Wi-Fi Protected Access) is better, and WPA2 is best of all."

Most people I know have no idea what brand of wireless encryption to look for and to use. Now you know. Here's what else you need to know about WiFi network security:

"5. If you send personal data over a Wi-Fi link, do so only to an encrypted website. You can tell a site is encrypted if you see the letters "https" (the "s" stands for "secure") at the beginning of its Web address. Also, look for a lock icon on the top or bottom of pages throughout the site."

So, what can a consumer do to use WiFi networks safely and securely? One suggestion:

"6. Before using a public Wi-Fi network, install such software as Force-TLS and HTTPS-Everywhere, which are free add-ons to the Firefox browser. They make sure you use encryption features available on websites you visit. Virtual private network software — some of it free, some not — can also add security."

You could also use PrivateWiFi. And, there are more WiFi network security tips. To learn more, visit the Hot Spot Hacker article. If your mobile device uses the Android operating system, watch this Droidsheep video.

Consumers Should Password Protect Their Mobile Devices

Love your smart phone or tablet? Then password protect it:

Living Life Online: New FTC Guide For Teens And Tweens

The U.S. Federal Trade Commission (FTC) has launched the Living Life Online website to help teens and tweens stay safe online, make good choices online, and understand the consequences of their online choices. A companion print guide (PDF, 3.4 MBytes) explains the website. Both include short articles, activities, quizzes, and an ask-the-expert column, all to help kids learn how to think critically:

"As you live your life online and off, some behaviors can help you be more successful: asking questions to help you figure out what’s real and what’s hype; thinking about things to do – or not – that can help you keep safe; figuring out ways to act that can help you treat others the same way you’d like to be
treated."

The guide addresses topics including sexting, cyber-bullying,online manners, your personal information to protect, photo-sharing, how to avoid cell-phone bill shock, and much more:

"What you post could have a bigger "audience" than you think. Even if you use privacy settings, it’s impossible to completely control who sees your social networking profile, pictures, videos, or texts. Before you click send, think about how you will feel if your family, teachers, coach, or neighbors find it. Once you post information online, you can’t take it back. You may think that you’ve deleted information from a site – or that you will delete it later. Know that older versions may exist on other people’s computers... Get someone’s okay before you share photos or videos they’re in."

The print guide includes resources (e.g., worksheets and information) for parents to encourage discussion with their kids. I found the Living Life Online website thin on interactivity and not nearly as robust as it could (should) be to fully engage kids. The website is more a webpage. A better implementation could have presented separate website sections for children and parents. Hopefully, this is the draft version of the webiste and enhancements will be released soon.

The print guide is a good resource for kids and parents to start the process of learning and discussing good decision-making online. Kids living in the USA must ultimately learn who the FTC is and how to use its resources -- chiefly to recognize phishing, to protect their sensitive personal information, and to file identity theft and fraud complaints.

With a variety of topics, the Living Life Online print guide is a good first step to help kids learn to make good decisions online. What do you think of the guide?

Win Some Cash! Enter The Privacy Concern Contest on Twitter

Here is an opportunity to win some cash! PrivateWiFi, a provider of secure wireless services, is operating a contest via Twitter. Tweet your biggest privacy and security concern and you might win one of the following prizes:

• First Prize: $300
• Second Prize: $200
• Third Prize: $100

The contest started July 12 and ends Friday, July 22. Browse contest rules. You can enter multiple tweets. After the deadline, PrivateWiFi will select the three winning tweets. To enter the contest, tweet your online privacy and security concerns to @PrivateWiFi and use the hashtag #ilikeprivacy. Here is my entry:

@PrivateWiFi Banks selling consumers' debit card shopping habits to 3rd parties. Broken trust & don't know where data goes. #ilikeprivacy

Here are a few other entries:

"SarahaADowney My biggest privacy concern is the collection, sale, & public display of personal data on people search websites. #ilikeprivacy"

"TomBarten my biggest privacy concern is not knowing, and not being able to find out, what happens to your personal data. #ilikeprivacy"

"CAPAPA Privacy-invasive provisions of the negotiated-in-secret Anti Counterfeiting Trade Agreement #ACTA #ilikeprivacy"

So, visit Twitter.com or fire up the twitter app on your mobile device and enter the contest today!

Curious? A few related articles:

• Several banking moving to sell consumers' debit card shopping habits. Shopping habits include how much you purchased, where, and when
• Dump The Porn! Spokeo Has Blown Your Cover!
• Who is Acxiom And What Does It Do With Consumers' Personal Data?
• Apple, Mobile Device Privacy Abuses, And Data Plan Theft
• How Telemarketers Get Your Mobile Phone Number
• Video: Invasion of the Data Snatchers
• New ATM Scam Tactic: Glued Keyboards
• BBB: The Top 10 Scams Of 2010
• What Are Your Personal Identity Information Values?

12 Tips For Consumers To Avoid Identity Theft And Fraud

First, to avoid identity theft and fraud consumers need to first know the ways which identity thieves try to steal your sensitive personal information:

• Skimming-thieves attach devices to ATM machines, ATM booth doorways, and gas-station pumps
• Phishing e-mail messages
• Change of Address: thieves divert your billing statements to another location by completing a change of address form at the post office
• Old-fashioned theft: stealing your wallet or purse
• Pre-texting: thieves pretend to be you and contact (online or via phone) your bank or financial institution to obtain your personal information and money
• Fishing: accessing unlocked snail-mail mail boxes, or lowering "pieces of cardboard covered with glue down blue mail boxes and open envelopes that stick looking for personal information they can steal"
• Dumpster diving for financial statements and "convenience checks" you've thrown out in the trash without shredding them
• Discarded computers, with hard drives that contain personal information, that haven't been properly erased or destroyed before disposal
• Online research of government registers, Internet search engines, and public records to gain pieces of your personal information
• Remote-theft with portable readers that scan and read your contactless (e.g., RFID) debit/credit cards
• Shoulder surfing: simply looking over your shoulder when you make ATM transactions in public places
• Malware: using computer viruses to accesses the personal information on your (home) computer
• Employment scams: thieves advertise fake job openings and use the personal information submitted by applicants
• Social networking sites: thieves access profile pages left publicly open by consumers who ignore privacy settings, produce bogus quizzes, and/or hack a friend's account to gain access to your sensitive personal information

To combat these theft methods, the Los Angeles County Sheriff's Department suggests these 12 tips for consumers to protect themselves:

1. Identity theft starts with the misuse of your personal identifying information such as your name, Social Security number, credit card numbers, or other financial account information.

2. Check your credit report from each of the three major credit bureaus every year.

3. Open your credit card bills and bank statements right away. Review your statements and close unused accounts. Be aware if bills don’t arrive on time. It may mean that someone has changed contact information to hide fraudulent charges.

4. Don’t carry your Social Security card or PIN numbers in your purse or wallet because of what can happen if they fall into the wrong hands.

5. Avoid giving any personal information over the phone, mail, or Internet unless you know who you are dealing with. Give it to them in person instead.

6. Criminals pretend they are collecting money for victims of a natural disaster. Sometimes they claim to be police officers and ask for donations.

7. Elderly people are frequently targeted in money scams. Keep a helpful eye for elderly family members and vulnerable neighbors.

8. Make sure that you disconnect your laptop from a broadband or a shared connection when you are not using it.

9. Avoid offers and pop-up ads that sound too good to be true. They want you to enter your information so they can access all of your personal information.

10. Remove your name from mailing lists for pre-approved credit offers. Pre-approved credit card offers are a target for identity thieves who steal your mail. Have your name removed from credit bureau marketing lists. Call toll-free 888-5OPTOUT (888-567-8688).

11. Only enter personal information on secure Web pages that encrypt your data in transit. You can often tell if a page is secure if "https" is in URL or if there is a padlock icon on the browser window.

12. If you’re going to use a mail box, do so during or close to the posted pick up hours. Better yet, drop your mail off at your local post office. Retrieve mail promptly and discontinue delivery while out of town.

McAfee Anti-Virus Software Rated Poorly By Consumer Reports

I have been a happy and satisfied McAfee Internet Security Suite user for the past 12+ years on several desktop and lately laptop computers at home. I have written in this blog about anti-virus software, anti-phishing softare, and the need for consumers to keep the anti-virus software on their home computer current. I do.

Given this, I was concerned to read in the June 2011 issue of Consumer Reports magazine about an extremely low rating of the McAfee Internet Security 2011 software. The 31-point rating was far below the 65-point rating of BitDefender. This low rating was the opposite of my experience with the McAfee anti-virus software. I really like and use heavily the McAfee SiteAdvisor browser plugin.

So, I wrote to McAfee asking them what they thought of this low rating by Consumer Reports, and their plans to address it. I received this reply via e-mail:

"From: McAfee NA Customer Service
Sent: Wednesday, May 11, 2011 8:43 PM
Subject: RE: McAfee Customer Service - SR-xxxxxxxxx

Dear George,
Thank you for contacting McAfee Customer Service. I understand that you are disappointed with the McAfee ratings that has provided by Consumer Reports magazine.

George, I would like to inform you that the results in the area of virus and firewall protection in this one particular review, are disappointing to us as we always strive to earn top ratings and therefore the rankings for our various products.

However, the review results are a direct opposite of the test results shown in reviews performed across the top anti-malware vendors by other testing organizations like NSS Labs and AV-Comparatives. Also, the article in Consumer Reports shows nothing more than an overview chart of ‘their findings’ and it is not clear how the various products were specifically tested by Consumer Reports.

In spite of this, let me assure you that McAfee takes this test seriously and remains dedicated to further improving threat detection. In doing so, we are continually working to enhance our malware detection processes including through our Global Threat Intelligence, and through our company-wide Trust & Safety Initiative. Please be confident that McAfee remains relentlessly focused on security.

You may also contact us by phone by dialing 1-866-622-3911. Our business hours are from 8 am to 8 pm CST, daily. xxxxxxxxx is the Service Request number for this issue. You can quote this number in your further contacts. For all your future Service and Support needs, please visit http://service.mcafee.com. Thank you for contacting McAfee Customer support!

Sincerely,

Rengarajan K.
McAfee Customer Service-Tier 1

PC World reviewed McAfee Internet Security 2011 and rated it 3.5 of 5 stars. A prior blog post discussed some of NSS Lab's findings. I revisited the NSS Labs website and downloaded the Q3 2010 NSS Labs review of consumer anti-malware products. NSS Labs rated McAfee Internet Security highly on several measures, and recommended it plus two other products. You can download the NSS review for free (PDF).

I plan to continue using McAfee software and will watch for more test results by other independent labs.

What anti-virus software do you use/ Why?

Video: Invasion Of The Data Snatchers

If you want an explanation of the role and scope of data mining companies and information brokers, the video below provides a pretty good overview, with engaging graphics. It highlights all of the various ways companies collect personal information about consumers. And, "invasion" is an accurate description.

This blog does not endorse the online service mentioned. Consumers should shop around and read the contractual fine print and terms of any online service before purchase, to determine if the product or service meets your needs.

Anonymous Web Surfing: Get Cocoon

With all of the online threats, malware, and tracking some consumers have turned to anonymous web browsing. To learn more, I discussed the Cocoon anonymous web browsing service with Brian Fox, cofounder and Chief Technology Officer at Virtual  World Computing (VWC), producer of Cocoon.

I've Been Mugged: What is your position and duties at Get Cocoon?
Brian Fox: I am co-founder and CTO of VWC. I am the principal inventor of the technology and process in the Cocoon service. Jeff Bermant is the other co-founder, and the primary owner of the itch that needed scratching.

Mugged: How and why did Virtual World Computing start offering anonymous web browsing?
Fox: We believe everyone has a right to use the Internet securely and privately, and without the risk of getting malware. We see that the Internet is the next generation of communication, after Pony Express, Telegraph, and Telephone. Why should we as a society accept that this form of communication be less private and secure than its previous forms?

Mugged: How secure are your company’s web servers?
Fox: Today, our servers are housed in a tier 3 secure facility. Our servers run SE Linux, which is the Linux that was modified by the NSA to increase security and compartmentalization. Because we run Linux, we are not vulnerable to Windows-based viruses. Because we run SE Linux we are not vulnerable to any currently known linux-based attack. We believe that our servers are extremely secure.

What consumer data is retained on your servers and for how long?
That's up to you. You can choose to not save any data in your Cocoon account, and that's your prerogative. We feel there are benefits to having your history stored securely, encrypted and available to you, and only you, whenever and wherever you want. Everyone has experienced the scenario of having found some piece of information while on one computer, say at home, and then had difficulties finding that same info when they want it at work. With Cocoon, your history, bookmarks, logins, passwords, notes, are all available to you on any computer where you've installed Cocoon. And you are the only one who has the key to unlock that encrypted information. But it's your call, never save the data or leave it there as long as you like and delete it when you close your account, it's up to you.

On my laptop, I use the Better Privacy add-on with Firefox to regularly delete the web browser cookies that websites save to my laptop. How is Cocoon different?
Cocoon prevents cookies from being stored on your computer at all. They are stored in your Cocoon account. Today, Cocoon doesn't offer an option to delete cookies on a periodic basis (which of course, can only happen while Firefox is running :-) Instead, we supply an option to delete your Cocoon stored cookies whenever you log out. We are building a feature that lets you specify for which websites Cocoon should not delete stored cookies. We feel this offers you the best of both worlds - you can keep the cookies that you want (e.g., login cookies for Gmail or sourceforge), and delete all of the other cookies (e.g., banking, etc.).

Version 3.0+ of the Firefox browser already has a feature called “Start Private Browsing.” How is Cocoon different?
Private browsing mode on Firefox does not provide you with anonymous browsing and only prevents your browsing and cookie history from being saved on your computer. On the other hand, Cocoon prevents both websites and your ISP from knowing what sites you've visited, as well as keeping all tracking information off your computer. It does this at the same time as giving you the option to keep that history or those cookies stored securely if you want.

Many consumers like to use free (unsecure) WiFi at places like coffee shops and airports. How does Cocoon protect consumers in these situations?
Cocoon makes every website on the Internet encrypted and secure, even on free open WiFi. When you log into Cocoon, you create a secure connection between you and Cocoon preventing man-in-the-middle attacks like Firesheep.

Version 4.0 of the Firefox web browser offers a Do Not Track feature. How does Cocoon compare  with this?
Firefox 4.0, like Chrome and IE9, all offer an option to be added to Do Not Track lists - but these lists rely on voluntary compliance by advertisers to join and/or honor - and the user is responsible for activating these systems. Cocoon's method is proactive - a service that lets you take control without needing advertisers to agree to anything.

What types of consumers or professionals (e.g., attorneys, financial advisors, etc.) can best benefit by using Cocoon?
Although anyone can benefit from features such as stopping spam by using Mailslots (disposable anonymous email addresses), professionals such as lawyers, doctors, and financial advisors –- who work with highly private data– can directly benefit from the protection Cocoon offers stopping malware from infecting their computers and potentially stealing personal data, and having secure connections while on WiFi networks. Everyone deserves the peace of mind that comes from knowing their information is private, secure and malware-free.

How might a consumer use Cocoon while traveling on business or vacation?
In addition to being protected on open WiFi networks, I've appreciated that once I securely log into Cocoon I have access to all my login and passwords even on my wife's computer - and once I log out I know that that information is not on her computer, it's still safely stored in my account on Cocoon.

How flexible is the Cocoon configuration, so consumers can switch to normal browsing mode when visiting trusted websites, like their bank?
The configuration of Cocoon is so seamless it is almost invisible. There's actually no need to turn off Cocoon when visiting any site. If you choose to bypass the protections of Cocoon, there is a "pause" or "un-lock" button right on the toolbar for you.

Many consumers like comprehensive services/software. What are Get Cocoon’s plans to provide an umbrella service covering a user’s computer, tablet, and smart phone?
Great question, and it's definitely in the works. We've tested Cocoon with the Firefox browser on various systems and will be offering other options soon. IE is the next to roll out and others to follow. We are particularly focused on the needs of the mobile user, and have products and service enhancements in store for them.

What do you see in the future for anonymous web browsing software?
While anonymity is an important feature of Cocoon, we feel that it is only one part. We feel that privacy is not synonymous with anonymity. For instance, I am happy to do this interview, but there is a limit to what information I will divulge. That is because my personal privacy is important to me. In the future, we feel that both inward and outward facing privacy will be de rigueur, and we know that Cocoon customers will be enjoying that -- as well as additional features that will be necessitated by changes in online behavior, such as voting, reviews, and the like.

Is there anything else you want consumers to know about Cocoon and/or your company?

Cocoon is created by a team of people who strongly believe in the rights of people to use the Web privately and securely. We believe that the Internet is a resource for the world, and not just for a select few. Our mission is to enable access, privacy, and security on the Internet to anyone who desires it. Our feature creation is driven by the needs of our users, and we ensure that there are many ways to communicate with us - even anonymously!

Thanks to Brian Fox for discussing Cocoon with the I've Been Mugged blog.

The Four Pillars of Online Data Privacy

A few weeks ago, I blogged about personal identity information values -- shopping and acting online consistent with what you deem important. eGov precently published comments by the European Union (EU) Justice Commissioner, Vivianne Reding, about privacy for individuals. Reding's view of privacy for individuals in an online digital world includes four pillars:

1. The “right to be forgotten” - a combination of consumers' right to withdrawn or opt-out of any data collection efforts by companies, and the burden on companies to prove first that they have a need to archive and store the sensitive personal information of consumers they have already collected.

2. "Transparency" - to build consumers' trust, companies should fully disclose and inform consumers about what personal data they collect about consumers and why, how they use the personal data collected, the names of all third-party companies they share personal data with, the rights of consumers for remedies when consumers' rights are violated, and the risks with the personal data companies ask consumers to share.

3. "Privacy by default" - in too many instances companies build websites with privacy controls that are so complicated and convoluted that consumers can't effectively make their personal data private. In these websites, there really isn't any privacy and the websites' privacy controls don't reflect consumers' true consent. Reding believes that this situation must change, and that private should mean private.

4. "Protection by data location" - privacy standards for EU citizens should be consistent regardless of where consumers' personal data is stored. For example, if an EU resident's personal data is collected and stored by a U.S.-based company, then that company must comply with EU privacy standards, not U.S. privacy standards.

All of these pillars make perfect sense to me, but I see the fourth pillar being particularly tough. It's logical extension would force a website operator to konw, track and comply with a multitude of countries' varying privacy policies. My impression is that many corporate executives would be unhappy with having to work within the boundaries of all four pillars (not just the fourth), when they usually don't have to today.

I especially agree with Reding about the risks stated in the second pillar. Explanations about risks from sharing personal data apply to all consumers, but especially to youth who don't yet understand how business works and how companies use personal information. The risks and consequences should be explained to consumers about personal data that companies may make public permanently that consumers cannot make private again.

Over at the Guardian UK, columnist Mayes contests Reding's second pillar:

"But does the "right to be forgotten" really have a sound basis? In British law there is no right to be forgotten, but there are a host of laws to protect your identity and personal data... But to say there should be a right to be forgotten is to say we can live outside society. We can't."

To me, it's not about living "outside of society." For a lot of perfectly valid reasons, a consumer may decide to live off the grid, or entirely off-line. It is about consumers' control; the ability to control when and where your sensitive personal information is archived. Without the second pillar, there is no real control for consumers.

What do you think of these four pillars?

Facebook Comments Plugin: To Switch Or Not?

Like many bloggers, I want readers to easily comment on bog posts and keep out the spammers. It is a tricky balance to achieve. Like many bloggers, this blog requires commenters to enter a name, email and website address. Despite these rules, including the Terms of Service policy, spammers continue to submit off-topic comments that are clearly advertising and unrelated to the blog post topic.

To effectively keep out the spammers, some bloggers have turned to the Facebook Comments Plug-in as a solution to verify users and to screen out the spammers. Some notable blogs like CrunchGear have implemented the Facebook Comments Plug-in -- at least on a trial or temporary basis. Other bloggers have seen their comments traffic decline as Facebook membership has risen. Some bloggers like the new Facebook Comments Plugin -- at least on others' blogs and not yet theirs.

For this blog, I have made the decision not to switch to the Facebook Comments Plug-in. Why? As I see it, the disadvantages outweigh the advantages.

The chief advantage is that Facebook Comments Plug-in requires commenters to use real identities (or at least identities as "real" as they have been created on Facebook). And, I am happy with the current comment system Typepad.com provides. The disadvantages I see of the Facebook Comments Plug-in:

Loss of control and of content: the comments become the property of Facebook. Upon terminating the Facebook Comments Plug-in, I would lose those comments. There are several valuable comment threads in this blog, with some running as long as two years. My readers and I have learned a lot from the comments submitted, and I would never give up this valuable content.

Comprehensive Solution: my preferred commenting solution must be comprehensive and allow users to choose how they want to identify their selves. As TechCrunch noted:

"Facebook comments don’t support Twitter or Google logins. It doesn’t yet allow sites to archive their comments to make backups..."

Readership Usage: this blog has more followers on Twitter than on Facebook. This blog has more followers via e-mail than on Facebook. So, the comments approach must factor in this actual readership usage.

Mistrust: having written repeatedly about Facebook's privacy missteps and class-action lawsuits. I have learned that Facebook will consistently act in its own self-interest. I don't trust Facebook. I trust Facebook to continue to make public at some date members' sensitive person data it had previously deemed private. That abuse is something I would not subject my readers to.

Corporate Blocks: many companies block access to Facebook in the workplace. That alone is probably a deal-killer. Discussions of identity theft, data breaches, and privacy require access to this blog.

Lack of Disclosure: at times, Facebook doesn't disclose to members everything it is doing, like censoring members time line.

Extensive Tracking: in a prior post i wrote about how Facebook Social Plug-ins perform tracking around the Web. The commenter verification advantage is not enough to subject my readers to more tracking by Facebook.

Buggy Interface: having used Facebook for several years, I have noticed many bugs and errors. I am not going to subject my readers to that.

On supposed benefit of the Facebook Comments Plug-in is that it will bring more readers, and commenters, to your blog. This blog has been optimized for search/SEO, so getting new readers has not been a problem. Currently, monthly readership is about 19,000 page views monthly, an increase of greater than 45% compared to a year ago.

To summarize, any plug-in solutions have to be consistent with my identity information values.

As always, I value my readers' opinions and comments. Let me know below what you think about the Facebook Comments Plug-in.

Error-Filled Background Checks Make Finding a New Job Difficult

At some point during our work careers, we all look for a new job. Given the recent, ongoing economic downturn, many people are looking for work. When applying for a new job, potential employers usually perform a background check of applicants. What happens when the background check includes wrong information? The following story explains what happens.

Channel 7 News, the ABC News affiliate in San Francisco, reported the story of Patrick Chad Padilla, who applied for a security job position at a Walmart store in Sacramento, California. After the third interview, Padilla was offered the job pending a background check. Walmart withdrew the job offer when the background check turned up problematic information.

After looking at the the background check Walmart, Padilla noticed that the report contained information about Patrick Saenz Padilla, who Channel 7 News would later discover is a criminal serving time in a New Mexico prison. Despite the middle name differences, Walmart insisted on using the faulty background check and refused to offer Padilla the job.

Hello? Does anybody at Walmart use their brains?

Obviously not. Brain-dead bureaucracies operate in the private sector, and not just in government agencies.

This story is important for several reasons. First, multiple companies made errors in this story. Walmart's errors are clear. Second, Padilla applied for a job at Roseville Hyundai later and the same thing happened again. The faulty background check stopped another job offer.

Third, there are some sensible guidelines governing the proper use of background checks by companies. In at least one instance, an employer started a new policy demanded Facebook passwords from both job applicants and current employees without any suspicion of wrongdoing. (That policy has since been suspended for a 45-day review.)

Fourth Acxiom, the provider of the background check service definitely shares some of the blame for Padilla's job-search difficulties. Acxiom clearly made mistakes by combining information about two different people into a single report. From the news story, it isn't clear that Acxiom has corrected Padilla's profile information. The middle name difference should have been easy to spot, but Acxiom either missed it, or ignored it. And Padilla suffered the consequences.

This is not the first incident with an erroneous background check. In this incident in Kansas last year, the local sheriff's office helped the affected job applicant clear his name.

Background checks are necessary, as employers can't hire convicted criminals for certain jobs. A wide variety of companies use Acxiom products and services, including Sony Ericsson Mobile Communications, Urban Mapping, Blackboard, USA Swimming, Senior Checked, Windstream, and General Motors. At its mid-year 2010 conference, the National Association of Professional Background Screeners (NAPBS®) Background Screening Credentialing Council (BSCC) announced that Acxiom and several other companies had achieved compliance with its Background Screening Agency Accreditation Program (BSAAP).

Although this class-action against Acxiom was ultimately unsuccessful in the courts, it did reveal that Acxiom buys a lot of its information about consumers from various states' motor vehicle agencies.

A recent survey by The Black Book of Outsourcing rated Acxiom number one in customer satisfaction for IT outsourcing. Well, Acxiom may help its IT department customers save money, but I wonder how reliable that customer satisfaction rating is. Would consumers rate Acxiom highly? My guess is Padilla wouldn't rate Acxiom highly.

Fifth, background-check concerns are not only about Acxiom, but also apply to other companies that provide similar services. CNN Money listed some of the companies, including Rapleaf, that provide background checks based on the collection of consumer data from public records. The Wall Street Journal published a similar list of what it called "scrapers." LewRockwell.com published a similar list of companies consumers should consider removing their profile data from.

Sixth, when private companies offer products and services based on their collections of sensitive consumer information, there has to be a method to discover and correct mistakes and erroneous entries. This process exists with the major credit reporting agencies, but not with companies like Acxiom. As Channel 7 News reported:

"There's no federal or state agency that's making these companies actually clean up their records and make them accurate..."

Getting pack to Padilla's story: later, Walmart reversed itself and encourage Padilla to apply for a different job. What? Is Walmart serious? After all of the obvious mistakes and blunders, Walmart couldn't do the right thing, apologize, and simply offer the job to Padilla?

Meanwhile, Padilla had moved on to work for another company. I wouldn't work at Walmart either after this poor treatment. It signals that Walmart probably treats vendors, suppliers, and its employees just as poorly.

If this story upsets you (and I truly hope that it did upset you), I encourage you to write to your elected officials and tell them:

• Potential employers must give job applicants copies of the background check report used for the hire decision
• Consumers should not suffer the consequences for corporate mistakes and errors, especially about background checks
• Federal and state laws must require companies to correct errors in their databases containing consumer information
• Database marketing services (e.g., companies that collect data and offer products based on those databases) must provide consumers with a fast, easy-to-use, and prompt process for reviewing and correcting errors in their profile
• Corporate violators should be prohibited from the data collection and from any services/products based on that data collection

Have you been denied a new job due to an error-filled background check? Have you lost a job offer to an erroneous background check? We'd like to hear your experiences, and if you were able to correct the problem.

How To Protect Your New Mobile Device And Your Sensitive Data On It

You just bought a new smartphone, tablet computer, video game, or flat-screen television that connects to the Internet. How do you protect yourself and your sensitive personal information on it? Infosec Island published a good list which I recommend. Some of the tips:

"... threats aimed at mobile phones are growing. Use software that backs up smart devices and use strong discretion when storing, saving or editing personal information on your smartphone or device. Don’t keep all of your personal passwords on your device, and avoid using it to store financial information like credit card and bank account numbers."

And:

"Many people don’t realize that their new gaming console may represent another port of entry for cybercrooks into their household. Some Internet TV applications can expose personal information, so be sure to install anti-virus software, two-way firewalls, anti-spyware, anti-phishing, and safe search capabilities, just as you would on a PC..."

Read the full list of security tips for consumers.

Facebook Members Warn Their Friends About Spokeo

During the past few weeks, I have seen several friends on Facebook post this message about Spokeo:

"There's a site called www.spokeo.com that's a new online USA phone book with personal information: everything from pics you've posted on Facebook or the web: your credit score, home value, income, age. Remove yourself by searching your name, copy the URL of your page, then go to the bottom right corner of the page and click on the Privacy button to remove yourself. Copy & re-post so your friends are aware."

Regular readers of this blog already know about Spokeo since this blog covered it in April 2010. When I reviewed my personal Spokeo listing recently, it had plenty of errors: incomplete name, wrong address, and other details. The data looked as if Spokeo tried to match and merge (unsuccessfully) data from an old White Pages phone book directory with data they may have purchased from marketers and/or state motor vehicle registries.

This data inaccuracy reminded me of an experience I had with credit reporting agencies in 2004. That year, I applied for an American Express card anticipating an extended business trip in London. American Express denied my application because I was "deceased." Obviously, I am not dead. When I checked my credit reports, they had erroneously co-mingled data from my deceased father and from me. If you don't know it, credit reporting agencies rely on consumers to check the accuracy of their credit reports, and to submit correcting information. This approach rests on the assumption that most consumers want their credit reports to accurately reflect their creditworthiness.

My points:

1. It is good to view your Spokeo listing and opt-out of their program. The problem: the burden is on consumers to continually opt out as every new Internet-based marketing company springs up. That is not the Internet I envisioned nor long for, and I'll bet you agree.
2. I feel no obligation whatsoever to notify Spokeo about the inaccuracies in my listing, and hope that you don't feel obligated either. Better to let Spokeo wallow in ignorance.
3. Like Facebook and other data mining or marketing companies, Spokeo makes money from our personal data, correct or incorrect. If I were sharing in that revenue stream, then I might feel motivated to inform Spokeo of the errors in my personal listing.
4. Data mining companies like Spokeo will continue to publish plenty of mistakes in their databases. Why? Many consumers have multiple online identities. While data mining companies can analyze purchases from credit cards, patterns from location-based status meesages, or your "likes" on social networking sites, only YOU know how accurate the demographic and descriptive data is about YOU. Spokeo "swims" in the same consumer identity cesspool as other data mining companies and markets. At least credit reporting agencies have the benefit of updating their records with structured data from lenders and banks.
5. Executives at data mining and marketing companies like Spokeo want to believe their data is accurate. In my view, it often isn't. People move, change street addresses, use multiple email addresses, use multiple phone numbers, regularly delete their web browser cookies, use add-ons like BetterPrivacy to delete Flash cookies, use software like MAXA Cookie Manager to delete a variety of LSO's stored on their computers, and opt-out of location-based messages. So, the value of that data is less than they think and has less utility for applications.

So, go ahead and check your Spokeo listing. How accurate was it? Did you opt-out? I've Been Mugged blog readers want to know.

Over-Sharing During The Holidays

One important thing I try to do in this blog is to remind consumers of good data security habits. A recent "Connected But Carelesss" study of 1,000 Internet users in the United States, sponsored by Symantec Norton and conducted by Javelin Research, found that many consumers are lax about the security of their information while online:

"... consumers are still somewhat cavalier and under-informed when it comes to Internet security, specifically in three areas: location-based services, mobile phone transactions, and online passwords."

Just under half (47%) of the consumer survey participants respondents said they expected their online purchases to increase between the Thanksgiving and New Year's holidays. About a third (31%) between the ages of 18-34 said they expected their social networking activity to increase during the same period.

Location-based status messages, or telling people real-time where you are via your mobile device, is a leading risky behavior when consumers share too much:

"... 15% of people surveyed knew enough about geo-location to be able to explain it... 22% who use their mobile or smartphones to connect to the Internet, admitted to giving applications on those devices permission to identify their location... 56% under the age of 35 said they update their social networking status with their location, which can inadvertently broadcast to real-world criminals that they’re not at home."

A second risky behavior is that consumers take for granted that their mobile devices are secure. While 38% of survey respondents use a mobile device or smartphone to check bank accounts and 51% post updates on social networking sites:

"... one in four people accessing the Internet this way aren’t sure, or haven’t even thought about, what’s safe mobile practice, while another 42 percent have only a “general idea” of what constitutes safe practices. In addition, 52 percent of those people accessing the Internet via their mobile devices don’t use the basic level of protection of having an access password in place..."

I have repeatedly discussed in this blog the need for strong passwords. More results from the Norton study:

• 46% said they never change their password on their e-mail account
• 31% said they never change their password on banking and financial accounts
• 42% said they never change their password on social networking sites
• 71% of survey respondents who have one password across different accounts/sites say they do so because it is easier

Identity thieves and spammers are probably happy to read these survey results. Experts advise consumers to do the following to protect your identity and financial information:

1. Password-protect your mobile device or smart phone: add a password so nobody else can access the information in your mobile device
2. Consider a "remote-wipe" feature for your mobile device. Norton offers a Mobile Security application for Android users to remotely lock or wipe data when their phone is lost or stolen.
3. Think before using your personal mobile device for business. Check for your employer's mobile device policy, as some employers use remote-wipe features which will delete everything in your smart phone
4. Think before logging in: assume that public WiFi connections are risky with communications monitored, whether you use a laptop, smart phone, or other mobile device. Avoid becoming a sidejacking victim. Never enter sensitive bank account information, debit card or social security numbers when browsing the Web via a public Wi-Fi connection
5. Use one credit card specifically for online purchases. It makes it easier to spot any fraudulent items, and limits your liability if your card number is stolen. Don't use a debit card
6. Update the anti-virus software on your laptop or desktop computer
7. Change your passwords at least once every 90 days. Use strong passwords
8. Don't use the same sign-in credentials and password for all of your online accounts and email accounts. Use different passwords. The recent Gawker breach highlighted this risk.

Happy holidays!

The State of Anti-Virus Software

Last week, NSS Labs released their quarterly report on Consumer Anti-Malware Products. I read this report because one advice experts always recomend to avoid identity theft is that consumers keep the anti-malware (e.g., software that identifies, blocks and deletes viruses, spyware and related bad stuff) software on their home computers up to date.

Usually NSS Lab's report is available for a fee, but this quarter's version is free because of the subject matter. NSS Labs tested several anti-malware software brands and the software effectiveness is far from consistent. Key results from the report:

• Software effectiveness varies. The ability to block software viruses varies widely by brands from a low of 54% (AVG) to a high of 90% (Trend Micro) across tested products. You would think that performance would not vary so widely (36% points) across products, but it does. Higher numbers are better since it represents a product that prevents the user's computer from downloading more viruses and from running more viruses accidentally downloaded.
• Update time varies. The time before a malicious website (e.g., a web site infected with malware) was blocked ranged from a low of 3.3 hours (Trend Micro) to a high of 28.5 hours (AVG) across 11 vendors' products. Lower numbers are better since it represents a product that prevents sooner the web browser from visiting infected websites.

The report includes a really good chart comparing each product's performance in 3Q2009 to 3Q2010. The report groups products into three categories: Recommend, Neutral, and Caution. I am happy that the anti-virus software I used was listed in the "Recommend" category. Products in this category performed well consistently across all tests, compared to products rated lower which performed highly on one test and poorly on another.

The report's authors estimated that:

"Cybercriminals have between a 10% - 45% chance of getting past your AV with Web Malware (depending on the product). Cybercriminals have between 25% - 97% chance of compromising your machine using exploits."

NSS Labs tested all software on computers running Windows® 7 with 2 GB RAM and 20GB hard drive. "Exploits" included attempts to take over the computer and send spam to others, to capture and transmit sensitive personal information such as bank account numbers and sign-in credentials. Applications included Internet Explorer®, Mozilla® Firefox®, Apple® Quicktime®, and Adobe® Acrobat®. NS Labs tested the leading anti-virus software products including AVG Internet Security 9, ESET Smart Security 4, F-Secure Internet Security 2010, Kaspersky Internet Security 2011, McAfee Internet Security, Microsoft Security Essentials, Norman Security Suite, Panda Internet Security 2011, Sunbelt VIPRE Antivirus Premium 4, Symantec Norton Internet Security 2010, and Trend Micro Titanium Maximum Security.

Download today the NSS Labs report.

National Protect Your Identity Week

If you hadn't heard, October 17 - 23, 2010 is National Protect Your Identity Week (PYIW). About 10 million consumers were victims of identity theft and fraud last year. And the problem isn't going away anytime soon.

The ProtectYourIDNow site contains events for consumers by state. I visited the website to see the types of events available. Most of the events are sponsored by local organizations and governments, and many events are access to portable shredding resources for consumers who don't have at-home shredding machines. Other events include workshops about how to avoid scams, or tips about credit scores and credit reports. Many of the events are free. I encourage readers to find a PYIW event near you.

The PYIW website includes informative videos, and an online quiz to test your knowledge about identity theft and fraud. Sponsors of PYIW include the Better Business Bureau, the National Foundation for Credit Coounseling, the Consumer Federation of America, the U.S. Federal Trade Commission (FTC), myFICO, the Identity Theft Resource Center, the National Crime Prevention Council, the National Council of La Raza, the Credit Union National Association, and many others.

Basic Steps To Protect Your Wireless Home Network From Hackers

If you operate a wireless network at home, you may find this U.S. Federal Trade Commission (FTC) video helpful:

 

To learn more, read these related blog posts:

• More About Sidejacking
• Sidejacking: What It Is and How To Protect Yourself
• A Free and Easy Way To Test the Security of Your Wireless Home Network

US Search Settles with FTC Over Deceptive Marketing

Many consumers want to manage their online identity and reputation, especially when the online information is false or misleading. Unfortunately, some companies have rushed to take advantage of consumers' fears.

Late last month, US Search settled charges with the U.S. Federal Trade Commission (FTC) about deceptive marketing. The settlement requires the data broker to refund fees to about 5,000 consumers and not to engage in future deceptive marketing:

"US Search, Inc., is an online data broker that compiles public records and sells data about consumers to the public. The records may contain not only names, addresses and phone numbers, but also information such as aliases, marriages and divorces, bankruptcies, neighbors, associates, criminal records, and home values... Since June 2009, US Search sold consumers its “PrivacyLock” Service, which it claimed would allow them to “lock their records” and prevent their names and other information from appearing on the company’s website, its search results, or advertisements for a year."

In its complaint, the FTC alleged the data broker's promises to consumers were false and that the PrivacyLock Service failed to:

• Block consumers’ names from showing up as an associate of someone else in a search for the other person’s name;
• Block consumers’ information from appearing in a “reverse search” of their phone number or address, or in a search of their address in real estate records;
• Work when the consumer changed addresses, thereby generating new records that would not be subject to the PrivacyLock

A "reverse search" is when a user enters a phone number or street address and the service displays the person's name. This website capability has been around for years at popular white-page telephone book websites such as AT&T AnyWho and WhitePages.com. This is one reason why I pay the extra monthly fee to not disclose my landline phone number in the telephone company's white pages. Once your landline phone number gets out, it will likely end up in lots of data brokers' databases.

Many data brokers compile and resell information about consumers. To learn more, read these blog posts about Spokeo and Acxiom. Plus, many states' registry of motor vehicles departments sell data to data brokers. In July of this year, a major DPPA class-action lawsuit was dismissed.

Survey Results: Norton 2010 Cybercrime Report

Last week, Norton released its 2010 Cybercrime Report. The main finding is that cybercrime is a huge, worldwide problem:

"For the first time, this report reveals that nearly two thirds of adults globally have been a victim of some kind of cybercrime (65%). Cybercrime hotspots where adults have experienced cybercrime include: 83%, China; 76% Brazil/India; 73% USA."

What is "cybercrime?" Cybercrime includes:

"Computer viruses and malware attacks are the most common types of cybercrime people suffer from, with 51% of adults globally feeling the effects of these. In New Zealand, Brazil and China it’s even worse, with more than six out of 10 computers getting infected (61%, 62% and 65% respectively). Adults around the world have also been on the receiving end of online scams, phishing attacks, hacking of social networking profiles and credit card fraud."

Readers can download one or several several country-specific versions of the report. I downloaded the United States version. Some of the detailed findings:

• 73% of adults in the USA (compared to 65% of adults worldwide) reported experiencing some form of cybercrime
• 2% of adults in the USA (compared to 3% of adults worldwide) expect to not be a victim of some form of cybercrime
• 78% of adults in the USA (compared to 79% of adults worldwide) expect cybercriminals will not be brought to justice
• In the USA, 67% of adults are angry about it, and 59% are frustrated. Worldwide, the comparable statistics are 58% and 51%
• When asking for help, in the USA 59% of adults call their bank, 54% change their behavior, and 44% call their Internet Service Provider (ISP). Worldwide, the comparable statistics are 51%, 48% and 44%
• In the USA, the average cost to resolve cybercrime is $128 and 24 days. Worldwide, the comparable statistics are $334 and 28 days.
• 25% of adults in the USA (and 31% worldwide) reported not being able to resolve cybercrime.
• 51% of adults in the USA (and 45% worldwide) believe that you can never restore an online reputation after a cybercrime event

The online survey was conducted February 2-22, 2010 for Symantec Corporation by StrategyOne, an independent market research firm. The survey included 7,066 adults aged 18 and over in 14 countries (Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, New Zealand, Spain, Sweden, United Kingdom, United States). The survey used the primary language in each country.

Only 9% of adults worldwide feel very safe online. Combine that statistic with any of the above findings about expecting to be a victim, criminals not being brought to justice,, feelings of anger, and the cost of resolution and you have a very sad commentary on the state of today's Internet.

The report confirms something I have said for a long time. Consumers demand control over their sensitive personal information -- the number one rule consumers in the USA use as a solution to protect themselves online. In the USA, the leading "common-sense rules" consumers in the USA use to protect themselves online are:

• 79% safeguard personal information
• 78% never disclose online passwords
• 78% don't open email/links from strangers
• 78% are skeptical of offers that seem too good to be true

This blog contains plenty of resources to help consumers stay safe online. To learn more, click on the "List of Lists" or "Reviews" links in the horizontal navigation bar at the top of this page. If you use Facebook.com, you see the list of blog posts in the Facebook module in the near-right column.