Data Breach At Choice Hotels

Since I started this blog almost five years ago, I've written about a variety of data breaches, where sensitive customer and employee information was stolen. Sometimes, the breach involved hackers breaking into a company's website server. Often, it included the theft of a laptop computer or flash drive left in an employee's parked car. Sometimes, it was "insider identity theft" by an employee or contractor. This latest breach involved a method I hadn't heard before.

About April 25, 2012, Choice Hotels notified the appropriate state agencies in both California and New Hampshire of a data breach affecting residents in those states. According to the breach letter submitted by the company, sensitive customer information (e.g., credit card numbers, drivers license numbers, passport numbers, Social Security numbers) were not entered into the proper database fields in the company's customer systems. As a result, this sensitive data wasn't protected (e.g., encrypted), and was passed along to the company's marketing partners where the sensitive data was inadvertently printed on marketing envelopes mailed to customers.

Choice Hotels claims that less than 0.001 percent of guest stays were affected. The breach was discovered in December 2011, and the company immediately stopped using the database for markeing purposes. The company hired Kroll Advisory Solutions to investigate the problem with a "forensic analysis." About 59 New Hampshire residents were affected and have already been notified.

The company's breach notice did not identify the company's marketing partners. Its website Privacy and Security Policy states that:

"If you reside in California and have provided Choice your personally identifiable information, you may request a list from us of third parties with whom we shared your personally identifiable information for their own direct marketing purposes during the preceding calendar year..."

Choice Hotels operates several lodging brands including Clarion, Comfort Inn, EconoLodge, MainStay Suites, and Rodeway Inn. A copy of the breach notice is available at the New Hampshire Department of Justice website and here (Adobe PDF; 154k bytes). The California Attorney General website also includes a copy of the breach letter sent to affected consumers. The company has reportedly contracted with TransUnion Interactive for for free credit monitoring services for breach victims.

Data Breach At Opening Ceremony

BankInfo Security reported details of a data breach at Opening Ceremony, a New York-based clothing and shoe retailer. Hackers inserted malicious software on the company's website server.

The data stolen included the payment card information of customers who purchased products online between Feb. 16 and March 21. the company has already notified customers affected by the breach. In a May 4 letter to affected customers (Adobe PDF), Opening Ceremony has contracted with ID Experts for complimenary credit monitoring and resolution services.

 

6 Threats That Target Consumers' Mobile Devices

If you think that identity thieves and scam aartists have not already targeted your favorite mobile devices, then think again. Dark Reading reported about siz specific threats that target popular mobile devices:

"1. Zitmo - One of the most successful banking Trojans of all time, Zeus, made the jump from PCs to mobile devices through the Zeus-in-the-mobile (Zitmo) spyware application. Prevalent on Android, Zitmo masquerades as a banking activation application and eavesdrops on SMS messages in search of the mobile transaction authentication numbers..."

"2. Mobile Botnets - Since 2009, Perimeter E-Security Research Analyst Grace Zeng has been exploring the possibilities of botnets consisting entirely of mobile devices. Naysayers told her it wasn't feasible, but last month she showed how realistic the possibility is with a presentation at WiSec 2012...:

"5. JiFake - Mobile marketers are loving the convenience of easy-to-scan QR codes to deliver mobile users to their websites and apps through their phones' barcode scanners. Attackers love these codes, too. Researchers are finding that the bad guys are increasingly using the obfuscation of QR codes to trick users into downloading malware..."

To protect yourself and the sensitive data on your smart phone or tablet, experts advise consumers to:

• Download apps only from trusted websites,
• Donwload only apps with privacy policies and terms of conditions that you understand and agree with,
• Keep the anti-virus software on your mobile device updated, just like you do on your laptop or desktop computer, and
• Password protect your mobile device in case it is lost or stolen.

FTC Seeks Information From The Public About How Identity Theft Impacts Elders

The U.S. Federal Trade Commission (FTC) seeks information from the public about how identity theft and fraud impact senior citizens. According to the Bureau of Justice statistics, 11.7 million people, about 5 percent of the population ages 16 or older, were victims of identity theft between 2006 and 2008. The FTC is concerned that:

"... seniors may be particularly susceptible to identity theft. They are often targeted for phishing scams; some seniors have granted powers of attorney giving wide access to their personal information; and most seniors' Medicare cards list their Social Security numbers. In addition, the personal information of senior citizens may be vulnerable in hospitals, nursing homes, and other care facilities."

To learn about the problem, the FTC seeks:

• Original research about the scope of identity theft and elders,
• The types of scams (e.g., phishing, tax, power of attorney, door-to-door) targeting elders,
• Obstacles to fighting or preventing this identity theft,
• Solutions by both the public and private sectors, and
• Any related issues

The FTC focuses upon enforcing laws, sharing its identity-theft complaint data with local law enforcement, and educates both consumers and businesses about data security. The FTC has brought actions against 35 companies for failing to adequately safeguard the sensitvie consumer data stored. In the summer of 2011, the FTC held a forum on the impacts upon children of identity theft. In September 2011, the FTC testified before Congress (Adobe PDF) about the problem and the actions it was taking.

Comments and submissions must be received by July 15, 2012. Information can be submitted in electronic or paper formats. Submissions should be mailed or delivered to:

Federal Trade Commission
Office of the Secretary
Room H-112 (Annex L)
600 Pennsylvania Avenue, N.W.
Washington, DC 20580

Submissions received will be made public on the FTC website.

The FTC helps consumers to prevent fraudulent, deceptive, and unfair business practices. It also provides information to help consumers spot, stop, and avoid them. If you have been a victim of identity theft and fraud, you can file a complaint in English or Spanish at the FTC Complaint Assistant website, or call 1-877-FTC-HELP (1-877-382-4357). The FTC compiles complaints it receives into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad.

Report Analyzes Breach Notifications Affecting Massachusetts Residents

Last week, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) released its findings from an analysis of four years of data breach notifications reported to the state. A chief finding was that sensitive data often was not encrypted.

Any businesses or entities storing consumers' personal information has been required since Oct. 31, 2007 to report data breaches to the OCABR. Through September 30, 2011, the OCABR received 1,833 breach notices affecting about 3.2 mikllion people, or an average breach size of 1,727 stolen or lost records. 73% (1,336) of the breaches involved electronic files and affected 97% of breach victims.

The financial services industry reported the most breaches (955) during the last four years, affecting 901,156 people. Most of these breaches were the credit- and debit-card transactions at processing centers and retail stores. The health care industry has had fewer breaches (214), but affected far more people ( 983,746), including the South Shore Hospital breach in 2010.

In March 2010, new laws went into effect requiring entities that store, own, or license personal information about Massachusetts residents to develop, implement, and maintain a comprehensive written information security program (WISP) describing how it will protect sensitive information. the new law required entities to encrypt sensitive information if it is transmitted over public networks, the Internet, or carried on portable devices.

The of breaches each year have remained pretty steady, ranging from a low of about 415 to a high of about 470. Other findings:

"... stolen or lost portable electronic devices are most often not secure. Of the 365 devices reported lost or stolen, only 13 were encrypted. The lost devices led to exposure for 409,572 people. By contrast, the 27 encrypted machines kept information secure for 24,269 people... of the 75 lost or misplaced portable devices reported; only one was encrypted, compromising 1.2 million pieces of information. Of the 290 stolen portable devices stolen, 12 were encrypted, protecting 4,110 pieces of information. The 277 unencrypted devices exposed 220,000 pieces of information."

The types of devices lost/stolen included desktop computers and computer tapes. The types of portable devices lost or stolen included laptop computers, thumb drives, and storage discs (CDs). The report concluded:

"If all portable devices were encrypted from 2007 to 2011, the number of residents whose personal information was compromised would be remarkably lower by 47 % or 1,490,308 people. If all portable devices were encrypted from march 1, 2010 the number of compromised residents would have decreased by 29 percent or 909,992 people... compliance with the encryption requirement is a powerful to to safeguard the personal information of millions of residents"

Download the OCABR data breach report (Adobe PDF, 948K bytes).

Data Breach By PWC Exposes Personal Data Of Under Armour Employees

The Baltimore CBS News affiliate reported during the weekend about a data breach at Under Armour, that exposed the sensitive personal information of employees. The company's auditing firm, PWC, lost on or about April 12 in the postal mail an unencrypted flash drive containing personnel information.

The data elements lost or stolen included employees' names, Social Security numbers, and pay. Under Armour has about 5,400 employees worldwide. Employees have been offered one year of free credit monitoring. PWC is investigating how its security failed.

This PWC data breach highlights the data security risks and impacts from an outsourcing vendor. And no client company wants a breach by their auditing firm. Sadly, this is not the first breach by an auditing or accounting firm. Notable breach history:

Year	Company	Auditor / Accountant	# Records	Comments
January, 2012	Regions Financial Corp.	Ernst & Young	Unknown	Sensitive personal financial information including SSNs of current and former Regions employees. Auditor from Ernst & Young mailed a flash drive and decryption code. Flash drive lost/stolen. Regions employs ~27K people in 16 states.
April 2009	Borrego SPrings Bank	Not disclosed	Unknown	Sensitive personal financial information including bank account names, numbers, and balances. Theft of 7 laptop computers from an auditing firm's office.
January 2008	Mariner Health Care, SavaSeniorCare Administrative Services, LLC	Windham Brannon	80, 124	Sensitive personal and financila information including current and former employees' SSNs, 401(k) data, DOBs, and salaries. Cash and several laptops stolen from Windham's Atlanta office.
March, 2007	Springfield City Schools (Ohio)	State Auditor	1,950	Sensitive personal information of current and former employees. Theft of laptop from a state auditor employee's vehicle parked at home.
October 2006	Community National Bank	Crowe Chizek	90	Sensitive personal and financial information including SSNs, tax ID numbers, and account numbers. Two laptops belonging to Crowe auditors were stolen from a car in a restaurant parking lot.
October 2006	DirecTV	Deloitte & Touche	55	Names and SSNs of some current and former employees. Laptop stolen during the home of a Deloitte & Touche employee.
Data Source: Privacy Rights Clearinghouse

Utah Medicaid Breach Larger Than First Estimated

A data breach at the Utah Department of Technology Services (DTS), which operates computer servers that store Medicaid claims data for the Utah Department of Health (UDH), appears to have affected more consumers than first estimated. Late last week, the DTS reported that about 181,000 Medicaid and Children's Health Insurance Plan (CHIP) recipients were affected. About 25,096 people of the 181k total had their Social Security numbers exposed/stolen.

Yesterday, the UDH disclosed a greater number of breach victims: an additional 255,000 additional victims had that Social Security numbers stolen, and an additional 350,000 had lesser personal information exposed/stolen. So, the total count is now 780,000 breach victims:

Medicaid claims typically include patients' names, addresses, birth dates, Social Security numbers, physician’s names, national provider identifiers, addresses, tax identification numbers, and billing codes for medical procedures. The initial breach estimate was 24,000 records exposed/stolen. The breach investigation is still ongoing. UDH disclosed in a press release:

"DTS servers have multi-layered security systems that include many controls, including: perimeter security, network security, identity management, application security, and data security. In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system. DTS has processes in place to ensure the state's data is secured, but this particular server was not configured according to normal procedure. DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again..."

The UDH is notifying all breach victims via a breach letter, but with a priority of first notifying the consumers whose Social Security numbers were exposed. These breach letters offer one year of free credit monitoring services. Other breach victims will receive a slightly different notice with information about how to further protect themselves. People with online access via the My Case web portal, were given breach notices both online at the web site and via e-mail.

Hackers Target Facebook Users With New Malware Tool To Steal Credit Card Information

In case you haven't heard, scammers and identity thieves have targeted social networking users. Trusteer reported a new scam by identity theives using a new version of the "Ice IX" malware.

After a Facebook member (within an infected computer) has logged into their Facebook account, the "Ice IX" malware spawns a new browser with a fake Facebook page which prompts users to enter credit card information for supposed additional data security protection. Of course, no security protection is provided, and the malware steals both the consumer's credit card information and other sensitive personal data stored on your computer.

This is another fine example of the creativity and persistence of scammers and identity thieves. Visit the Trusteer website to view screen images of the fake Facebook page. To learn more about how to protect yourself when using Facebook.com and its mobile apps, see the links in the "Using Facebook Safely" module in the near-right column.

Global Payments Breach Affects 1.5 Million Consumers

Last week, debit and credit card payments processor Global Payments Inc. announced that its systems had been breached by hackers and perhaps as many as 3 million credit and debit card numbers had been stolen. Global Payments processes transactions for Visa and MasterCard for retailers and card issuers.

In a statement released Sunday, Global Payments revised downard the number of stolen cards:

"... it identified and self-reported unauthorized access into its processing system. The company believes that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported. The investigation to date has revealed that Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained..."

The company has not disclosed how hackers breached its systems, nor the duration of the breach. The company's Monday-morning conference call focused on earnings and left little time for questions about the breach details.

The term "Track 2" refers to certain data elements stored in the magnetic strip on the back of debit and credit cards. Also on Sunday, Visa removed Global Payments from its list of "compliant service providers." Forbes magazine reported that the company expects to quickly correct the Visa compliance issue:

"Global Payments chief executive Paul Garcia is quoted in the company’s statement as saying that “We are making rapid progress toward bringing this issue to a close,” and emphasized that all major brands of cards still allow Global Payments to act as a payment processor."

After a breach like this, card issuers (e.g., banks, credit unions, retailers) will usually notify directly those cardholders with stolen account information, and whether replacement cards and accounts will be issued. And the card issuers usually seek reimbursement from the payments processor to cover the costs of issuing replacement cards to consumers.

Another payments processor, Heartland Payment Systems, experienced a much larger breach in 2008, after which multiple lawsuits resulted as card issuers provided replacement cards and accounts. With a reported 800,000 merchants and 3.5% market share, Global Payments is a smaller payments processor, when compared to First Data Corporation's 22.6% market share.

The largest banks, like Bank of America, have subsidiaries with joint venture arrangement with processor First Data to process card transactions. It seems to me that hackers have smartly figured out a way to steal valid credit/debit card information is to attack the transaction processors instead of retailers, like T.J.Maxx, or banks directly.

I called Global Payments to see how many retailers they may have lost already due to the breach and their inability to process Visa transactions. The public relations rep referred inquiries to the company's data breach site: www.2012securityupdate.com, which includes this statement to its merchants/retail clients:

"We are still processing all of your transactions, including Visa transactions, and will continue to work with the card associations in response to this incident."

Time will tell if and how long that continues. The company's breach web site also advises affected cardholders who suspect fraud to monitor their accounts, contact their card issuer, and place a Fraud Alert on their credit reports.

The Global Payments breach highlights the fact that several companies are involved in debit/credit card transaction flow, from the time yo swipe your card until when payment is completed. And, the security of that transaction flow is only as strong as the weakest link, or company, in the flow.

The Bright Side of Identity Theft And Fraud For Consumers

In a New York Times article titled, "The Bright Side Of Being Hacked," reporter Somini Sengupta described several benefits for corporations of a data breach via hacking. The article concluded:

"Rather, what Anonymous has done, experts said at the big RSA computer security conference here last week, is raise the alarm about the unguarded state of corporate computer systems."

Yes, raised awareness is a good thing, as was recently discussed about unsecured corporate video conferencing systems. Sengupta's articles reminded me of a blog post I wrote in 2010 which listed six benefits for consumers of being an identity theft victim:

"1. Awareness: After an identity thief has stolen your personal data, account credentials, and/or money consumers seem to have a new awareness of of the value of their sensitive personal data.
2. Acceptance and curiosity: after having their identity information and/or money stolen, there is an acceptance that identity theft is a problem. There is a curiosity to learn about other ways identity thieves and criminals might harm them, so they can avoid this painful experience in the future.
3. Willingness to change behaviors: Not knowing how to protect yourself is terrifying to most people. The pain from this terror seems to be sufficient incentive for consumers to change their habits (e.g., practice safe online shopping habits, check their credit reports for accuracy, use strong passwords at online sites, maintain anti-virus software on their home computer, etc.). Of the people I have talked with, after being an identity-theft victim, none want to return to their old ways.
4. Stronger consumer interest: along with this awareness about identity theft is an interest in products, services, processes, and/or laws that address and protect the needs and assets of consumers. Getting good customer service seems to become more important, too.
5. Gratitude and appreciation: before becoming a victim of identity theft and fraud, many consumers perceive warnings by consumer and privacy advocates to be unnecessary and overly cautious. Some have called me paranoid. After experiencing the pain of the theft and fraud, a different attitude emerges which includes a sincere appreciation for identity theft protection advice to help them fix their fraud problem, and a context for listening to future warnings.
6. Participation in our democracy: when the perception is that local or federal laws haven't kept up with business practices, some been motivated to write to their Congressional reps to demand action."

While, identity theft and fraud are painful experiences for consumers, these events can be a huge wake-up call for consumers to change their habits and practice better data security habits at home, at work, at ATM machines, at their doctor's office, at social networking websites, and with their mobile devices.

Former MLB Player Jailed On Fraud And Identity Theft Charges

This story caught my attention for reasons you might find surprising. It did not catch my attention because it involves a celebrity. It caught my attention because it shows how employees and independent contractors can become identity theft and fraud victims via an employer.

The Sports Illustrated article, "How Lenny Dykstra Got Nailed" explains how former Major League Baseball player Lenny Dykstra was jailed on identity theft and fraud charges. To fund a lavish lifestyle, Dykstra allegedly asked his employees to use their credit cards, never repaid them for the purchases, and used without authorization their sensitive personal information (e.g., Social Security Number) to apply for loans.

This story also highlights the importance of filing identity-theft and fraud complaints with both local law enforcement, the FTC, and the CFPB. Filed complaints allow law enforcement to discover patterns they might not discover otherwise.

Wilberto Hernandez, a personal credit repair consultant in Los Angeles had phoned local police after he received a notice from a credit agency that his Social Security number had been presented for credit checks at two car dealerships. Hernandez had helped one of Dykstra's business associates with credit repair services. Local police quickly saw a pattern among police reports filed:

"By Christmas 2010, [the police detective] had spoken with 17 people—personal assistants, drivers, private jet pilots and housekeepers—who claimed that Dykstra did not pay them for services, used their credit cards or got hold of their Social Security numbers and opened credit cards in their names."

One victim's situation was particularly instructive:

"Christopher Gavanis, then 30, had just moved to Los Angeles from Pennsylvania. Gavanis... couldn't afford a car to help him find work—but he did have a sterling credit rating. According to an interview police conducted with Gavanis on April 14, 2011, Dykstra promised him the car he desperately needed in return for the use of his credit... Dykstra also promised Gavanis a job with Home Free Systems once clients started rolling in..."

High Value Targets

FTC Survey: The Good And Bad Experiences Of Identity-Theft Victims With Consumer Reporting Agencies

The U.S. Federal Trade Commission (FTC) released the results of its survey of consumers who had reported to the FTC that they were identity-theft victims. The survey assesses consumers experiences with recovering from identity theft and contacting the national consumer reporting agencies (CRAs). The survey also assesses how consumers exercise their rights under the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA - 2003).

Overall findings:

• 68% of survey respondents were somewhat or very satisfied with their overall experiences with the national consumer reporting agencies (e.g., Equifax, Experian, and TransUnion), but many consumers said it was difficult to reach a live person.
• Less than half of the respondents were aware of most of their rights under FACTA before they contacted the consumer reporting agencies.
• Few consumers exercise their right to block selected information in their credit reports from identity theft and fraud, since most consumers (78%) don't know about this right
• Some respondents complained about feeling pressured to buy additional identity theft monitoring products when they called the consumer reporting agencies.

FACTA gave consumers the right to:

• Pace Fraud Alerts on their credit file with the nationwide CRAs,
• Request a free credit report from each of the three national CRAs when placing a fraud alert,
• Block fraudulent information from appearing in their credit reports,
• Receive a notice of these and other rights from the CRAs

When placing a fraud alert, consumer only need to contact one of the three national CRAs. After successfully placing a Fraud Alert on their credit file with one CRA, most of the time the other two CRAs will automatically add Fraud Alerts to the consumer's file on their systems. When requesting a Fraud Alert, consumers can also request a free copy of their credit report. Survey results about Fraud Alert and free credit report requests:

• 44% of survey respondents were not aware before contacting a CRA of their right to place a Fraud Alert on their credit file. Despite this, 85% of respondents ultimately requested a Fraud Alert on their file.
• When requesting a Fraud Alert, 58% of survey respondents reported that all three national CRAs placed alerts when requested. 36% of respondents were unsure what happened, and 6% reported that at least one CRA didn't place a Fraud Alert.
• 44% of respondents who requested a Fraud Alert said they were very satisfied with the process, 32% said they were somewhat satisfied, and 17% said there were either somewhat or very dissatisfied with the process.
• Most survey respondents (56%) requested their free credit report (when placing a Fraud Alert) by telephone, compared to the website (33%), and postal mail form (14%).
• Most (51%) said that they received their free credit report from all CRAs they contacted, while 33% stated that they received it from only some of the CRAs they contacted. 11% said that they did not receive any credit reports.
• 43% of respondents said that they were very satisfied with the process of requesting free credit reports after placing a fraud alert. 32% said that they were somewhat satisfied. 22% said that they were either somewhat or very dissatisfied.

Errors occur in credit reports, either from identity fraud or from honest mistakes by the CRA or lender. Consumers can dispute this erroneous data and demand that it be removed or corrected. Survey results about credit report accuracy:

• Most survey respondents (60%) were aware before contacting a CRA that they had the right to challenge the accuracy of information on their credit report.
• 36% of respondents who contacted a CRA disputed the accuracy of information on their credit report in connection with the identity theft that led to the contact. Of those who disputed information, 72% filed disputes with a CRA and while 46% contacted the creditor that provided the information to the CRA.
• The types of credit report information disputed: 47% challenged identification and employment (47%), payments (48%) about a specific debt, and unauthorized lenders who obtained their credit report (40%).
• Of survey respondents who disputed information in their credit reports, 52% said that the information was corrected or removed, 22% said that the information was not corrected, and 18% said that they were not sure what happened.
• Of survey respondents who had information corrected by the CRA, 42% said that the error was corrected after a single contact. 27% said the error was corrected after two contacts. 24% said the correction required three to five contacts, and 4% said they contacted the CRA six or more times.
• Of survey respondents who disputed information in their credit reports, most (57%) said that they were either very or somewhat satisfied with the process. 17% said that they were somewhat dissatisfied, and 21% said that they were very dissatisfied.

Consumers can block certain information within their credit reports that resulted from identity theft and fraud. Blocks are different from disputes. CRAs must respond within four (4) days after receiving a valid request to block certain data in a credit report. Survey results about blocking fraudulent information:

• Of survey respondents who contacted a credit reporting agency, 78% were not aware of the right to block information in the credit file. Few survey respondents (21%) exercised this right to block the reporting of information resulting from identity theft.
• Of those who requested that information be blocked, 46% said that all CRAs blocked the information. 18% said that some of the CRAs blocked the information, and 9% said that none of the agencies blocked the information.

The FTC concluded in its report (bold emphasis added):

"Despite the 68% general satisfaction rate with the CRAs, the survey reveals three areas where respondents faced difficulties in exercising their FACTA rights. First, one prominent complaint was the difficulty in reaching a representative at a CRA with whom to speak about identity theft. Many respondents said that it was difficult or impossible to move past the automated response system... Second, the survey results suggest that a relatively small number of identity theft victims are aware of their FACTA rights. Less than half of the respondents were aware of most of their rights prior to contacting the CRAs. Even for the most well-understood right – disputing inaccurate information – only 60% of respondents who contacted a CRA were aware of this right prior to contacting the CRA... Third, both the survey respondents and the focus groups raised concerns about the CRAs using consumer contacts about identity theft as an opportunity to sell identity theft protection products. Several respondents and focus group participants complained that they felt pressured to buy one or more products and that, in some cases, they received services that they did not want or need."

The FTC sent survey invitations to about 3,000 consumers who had previously reported to the FTC hotline that they were identity-theft victims. The survey questions were based on six focus groups conducted in 2009. 634 consumers responded. The FTC maintains the anonymity of all survey respondents. Download the FTC, Using FACTA Remedies Report (Adobe PDF - 4.9 M Bytes), which is also available here.

Want to learn more? Suggested readings about credit and CRAs:

• Fraud Alert Renewal: Easy And Fast
• Placing a Freeze (Or Lock) On Your Credit Files
• Fraud Alert or Credit Freeze: What's The Difference?
• Are Fraud Alerts Useless?
• Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms (Part One)?
• Have You Heard About Credit Reports From Innovis?
• Directory Of Credit Reporting Agencies
• What It Means To Have An Unrequested Security Freeze On Your Credit Report
• A Primer On Credit Scores
• FTC Testifies Before Congress About Identity Theft And Fraud
• FTC Changes Disclosure Rules For Sites Offering "Free" Credit Reports
• FTC Releases Report Of Top Complaints Submitted By Consumers During 2011

CFPB Reports List Of Consumer Complaints About Financial Products

In its annual report, the new Consumer Financial Protection Bureau (CFPB), a federal agency designed to ensure that financial products and services for consumers are beneficial for consumers, listed the leading complaints submitted by consumers. The CFPB accepts complaints about credit cards and mortgages.

The CFPB began operation on July 21, 2011. In its annual report (Adobe PDF) to the U.S. Congress, the CFPB reported that by December 31, 2011, it had received 13,210 complaints from consumers, including 9,307 credit card complaints and 2,326 mortgage complaints. 44% of all complaints were submitted through the CFPB website, and about 15% via telephone calls. The leading types of credit-card complaints received:

Leading Credit Card Complaints Reported By Consumers to CFPB. July 21 - Dec. 31, 2011	Number	Percent
1. Billing Disputes	1,278	13.7%
2. Identity Theft / Fraud / Embezzlement	1,014	10.9%
3. APR or Interest rate	950	10.2%
4. Other	854	9.2%
5. Closing / Cancelling Account	478	5.1%
6. Credit reporting	437	4.7%
7. Credit Card Payment / Debt Protection	383	4.1%
8. Collection Practices	378	4.1%
9. Late Fee	364	3.9%
10. Other Fee	334	3.6%
Total for Top 10 complaint types	6,470	65.9%

The types of mortgage complaints received:

Mortgage Complaints Reported By Consumers to CFPB. July 21 - Dec. 31, 2011	Number	Percent
1. Problems when you are unable to pay (Loan modification, collection, foreclosure)	889	38.2%
2. Other	540	23.2%
3. Making payments (Loan servicing, payments, escrow accounts)	501	21.5%
4. Applying for the loan (Application, originator, mortgage broker)	235	10.1%
5. Signing the agreement (Settlement process and costs)	96	4.1%
6. Receiving a credit offer (Credit decision/Underwriting)	65	2.8%
Total Mortgage Complaints	2,326	100.0%

The FTC advises consumers who experience identity theft or fraud with financial products to both submit a complaint to the CFPB and submit a complaint to the FTC.

I like the CFPB's mission and its website. The agency's consumer response mechanisms are still new and in their infancy. They will become more beneficial as the agency identifies and resolves problems. What is your opinion of the CFPB?

National Consumer Protection Week

March 4 - 10, 2012 is national Consumer Protection Week (NCPW). About 30 federal agencies and the U.S. Federal Trade Commission (FTC), plus consumer groups, state, county, and local government agencies are participating with the goal to:

"... focus attention on the importance of consumer information and provide people with free resources explaining their rights in the marketplace."

During the week, various groups will share information and tips about how to:

• Avoid identity theft, and scams,
• Protect your privacy, and
• Manage your money

NCPW began 14 years ago. The website has materials in both English and Spanish. David Vladeck, Director of the FTC's Bureau of Consumer Protection, said:

"The information on NCPW.gov can help consumers understand their rights, protect their privacy online and off, manage credit and debt, avoid identity theft, recognize foreclosure rescue scams, and report fraud... Visitors can download and print materials to share with friends and neighbors, or use the toolkit to plan a larger community event."

To learn more, visit NCPW.gov.

FTC Releases Report Of Top Complaints Submitted By Consumers During 2011

Earlier this week, the U.S. Federal Trade Commission (FTC) released its annual report of the leading complaints filed by consumers. During 2011, identity theft (again) led the list of complaints. This is the 12th consecutive year that identity theft has led the list:

Type of Complaint or Scam	Number	% Of Total
1. Identity Theft	279,156	15%
2. Debt Collection	180,928	10%
3. Prizes, Sweepstakes and Lotteries	100,208	6%
4. Shop-at-Home and Catalog Sales	98,306	5%
5. Banks and Lenders	89,341	5%
6. Internet Services	81,805	5%
7. Auto Related	77,435	4%
8. Imposter Scams	73,281	4%
9. Telephone and Mobile Services	70,024	4%
10. Advance-Fee Loans and Credit Protection/Repair	47,414	3%

Other notable findings:

• Fraud: 990k of the 1.8 million complaints were fraud-related. 68% of consumers reported a fraud complaint where they paid an amount. The total amount paid was $1.5 billion, and the median amount paid was $537. 43% of consumers were contacted via email. The five states with the highest per-capita fraud reported were Colorado, Delaware, Maryland, Nevada, and Virginia.
• Identity Theft: Government documents/benefits fraud (27%) was the most common form reported, followed by credit card fraud (14%), phone or utilities fraud (13%), bank fraud (9%), and employment fraud (8%). 45% of consumers reported they contacted local law enforcement. The five states with the highest per-capita identity theft were Florida, Georgia, California, Arizona, and Texas.
• Countries: the top five countries were the USA (80%), Canada (4%), the United Kingdom (4%), Nigeria (2%), and Jamaica (2%).
• Age: consumers that filed complaints during 2011 were ages 50-59 (23%), followed by ages 40-49 (20%), ages 30-39 (17%), ages 60-69 (15%), and ages 20-29 (15%).
• Military: members from all four branches plus the Coast Guard reported complaints. For this group, identity theft ranked as the number one complaint, followed by Debt Collection. Mortgage Foreclosure Relief and Debt Management ranked as fourth for this group, compared to 13 for all consumers.

During 2011, consumers submitted about 1.8 million complaints, an increase of 24% over 2010. All complaints submitted by consumers are collected in the FTC Consumer Sentinel Network database, which contains 30 different categories of complaints. Download the 2011 FTC Consumer Sentinel Network Data Book (Adobe PDF).

How To Evaluate A Health Care Debit Card Plan From Your Employer

A blog post on Tuesday described Caren's experience with her United Healthcare Consumer Accounts Card, a specialized debit card her employer provided for Flexible Spending Account (FSA) expenses. That blog post highlighted what can go wrong with a health care debit card.

I wanted to take a closer look at the card agreement, and see what broader issues might apply in general. Today's blog post includes my findings about several items employees should be aware of when considering a health care debit card plan. I am not an attorney, so this is not legal advice -- just my observations and opinions as a consumer -- like you tyring to navigate a complex world. If you need legal advice, hire an attorney.

First, healthcare debit cards are similar to traditional debit cards, but with several important differences. Employees must understand how they work and when fees apply, just as you would with a traditional debit card with your bank checking account. So, it is important to closely read all appliable agreements, terms, or policies y to know your rights and responsibilities -- especially when bad things happen.

The introduction to the United Healthcare Consumer Accounts Card agreement (Adobe PDF; which is also available here) lists some important warnings:

"At the register or cashier: This is not a credit card, but you will need to choose “credit” when making purchases... At the pharmacy, supermarket or other retail store: Pay for eligible over-the-counter (OTC) supplies and materials. Please note: The card will be rejected if purchasing OTC medicines, even when prescribed..."

Select "credit" at the point-of-sale even though the card says "Debit" on its face? Prescribed OTC medicine will still be rejected? These exceptions sound like a recipe for employee confusion and rejected purchases. While the agreement states that it is a MasterCard Debit, I wonder if the bank tweaked a traditional credit-card payment solution for health care purchases and rushed it to market without removing all the bugs first.

What comes to mind is that old saying: never buy the first year of a new car production (and wait until the manufacturer gets all of the bugs out). Seems to apply to payment solutions, too.

Section #2 of the same agreement states:

"When you use the Card, you represent and warrant that you will not submit, and have not previously submitted, a claim for reimbursement for the same expenses under any other plan or program. You agree to save all invoices or receipts that are provided to you by merchants and service providers when you use the Card. You agree to provide a copy of any such receipt to us or United Healthcare, promptly on request. If you fail to submit a receipt when it is requested, under IRS rules, the amount in question may not be excluded from your gross income for federal tax purposes or may otherwise result in financial penalties to you. Your use of the Card is subject to the terms and conditions of the Plan, as well as the terms and conditions of this Agreement..."

So, employees must still save all purchase receipts. The health care debit card doesn't eliminate all paperwork. The last sentence in the above clause is important because it highlights the fact that several policies apply. It would be helpful if this agreement listed all applicable policies. My estimate is that at least five different policies apply:

1. Consumer Accounts Card Agreement,
2. United Healthcare HIPAA Privacy Policy,
3. Any additional policies at myUHC.com,
4. Employee handbook or manual,
5. Optum Bank policy

Employees should not have to guess which policies apply. It would be best for employees if a single, consolidated policy applied, but unfortunately American business does not operate that way today.

Let's return to the Consumer Accounts Card agreement, which also states:

"You agree that you will only use the Card to pay for eligible expenses under the Plan... if you use the Card for anything other than an eligible expense, you will be liable for any taxes, penalties and other expenses payable under applicable law and any expenses we, United Healthcare or your employer may incur as a result of such impermissible use. Upon demand, you agree to reimburse us, United Healthcare or your employer, as the case may be, for any such use for non-eligible expenses..."

While employees may think that ineligible FSA expenses are automatically blocked at the point-of-sale, the agreement governs what really happens. The Consumer Accounts Card payment process may indeed block some ineligible purchases, but United Healthcare and the bank seem to have left themselves a convenient loophole where employees are still liable. It would be helpful if the agreement stated what those amounts of taxes, penalties, and other expenses could be. It seems risky to use a debit card when you don't know the exact amount of fees that might apply.

Second, employees should be aware of their responsibilities to avoid liability. The "Consumer Liability" portion of the agreement states:

"Tell us AT ONCE if you believe your Card has been lost or stolen. Telephoning is the best way of keeping your possible losses down. If you tell us within 4 business days, you can lose no more than $0 if someone used your Card without your permission. (If you believe your Card has been lost or stolen, and you tell us within 4 business days after you learn of the loss or theft, you can lose no more than $0 if someone used your Card without your permission.)"

This four-day time period seems unreasonably short. My bank allows 60 days from my statement to dispute a charge on that statement. Does United Healthcare expect employees to check their online FSA account every four days? The next portion of the agreement states what happens when employees provide notice after the four-day window:

"If you do NOT tell us within 4 business days after you learn of the loss or theft of your Card, and we can prove we could have stopped someone from using your Card without your permission if you had told us, you could lose as much as $50."

Now, the liability sounds more like the liability with a traditional credit card: $50. What I find troubling about this clause is that it assumes traditional theft or loss. This blog has documented numerous examples of identity thieves plant skimming devices inside point-of-sale terminals at gas stations, supermarkets, and other retail stores to steal consumers' data to clone debit cards. Since employees are forced to use health care debit cards at retail stores, a more relevant agreement would provide tips about what to do if they believe their card has been cloned. Perhaps the myUHC.com site explains this, but I don't have a myUHC.com account.

The agreement also states (emphasis added by me):

"... if the statement you receive from the Plan administrator shows transfers that you did not make, tell us at once. If you do not tell us within 90 days after the statement was mailed to you, you could lose as much as $50 if we can prove that we could have stopped someone from taking the money if you had told us in time."

Again, that sounds like traditional credit card liability (e.g., $50), but at least the window for notice is longer at 90 days. Why lead with the four day clause? It seems unnecessary. In Caren's case, it seems that United Healthcare is enforcing the 90-day clause. What I find troublesome about the above clause is that it assumes paper statements sent via postal mail. In reality, employees' statements are available online. Nothing is sent via postal mail. So, why write the agreement assuming this? It sounds like the card agreement was rushed to market without all the bugs removed.

Another portion of the agreement states:

"ALL QUESTIONS ABOUT TRANSACTIONS MADE WITH YOUR CARD MUST BE DIRECTED TO THE BANK, AND NOT TO YOUR EMPLOYER OR PLAN ADMINISTRATOR. The Bank is responsible for issuing the Card and for resolving any errors in transactions made with your Card. The transactions will appear only on the statements provided to you by the Plan administrator."

It would be helpful if the agreement listed the bank's phone and postal address information. I couldn't find it in the agreement. The agreement lists United Healthcare's phone and postal address information. In my experience, well-written agreements provide both phone and postal address information with any instructions where consumers should give notice. Perhaps, the other policies provide this information, but I don't have a myUHC.com account.

SO, let's see if I got this correct. The agreement directs employees to contact United Healthcare for transfers the employee didn't make, but contact the bank about statement "errors."What's the difference? How are employees to tell? This sounds confusing.

It troubles me that the above clause mentions "errors" and doesn't mention "fraud." I would expect any bank to aggressively investigate suspected fraud. The fact that Optum Bank's flow of funds page still presents a 2008 copyright does not give me much confidence in the bank:

If something this simple still says 2008, what else has this bank missed? Or, should consumers conclude that the Optum web site hasn't been updated in four years? Or is this flow-of-funds information that is four-years old and/or obsolete? I would expect more timely and current information from any bank -- especially one processing my extremely sensitive health care information.

The "Fees" section of the agreement states:

"OptumHealth Bank does not charge usage fees for this card."

No fees are good, because banks can apply a wide variety of fees to debit-card accounts.However, it means that employees should monitor any changes in the card agreement. Things might change with new fees introduced. So, employees should read any updates to the card agreements or policies with their health care debit cards.

Now, let's return to Caren's story. The fact that Caren never used the Medco online pharmacy should be a huge "red flag" to Optum Bank, Large HR Firm, and United Healthcare. It suggests that Caren's payment information was stolen. The payment data on Caren's Consumer Accounts Card could have been stolen via a skimming device, which identity thieves plant inside point-of-sale terminals at retail stores and gas stations -- not just at bank ATM machines.

If Caren's Consumer Accounts Card was not cloned via skimming device theft, then a couple other options are possible. The pharmacy may have re-submitted the purchases it originally rejected -- and if so, it should have notified Caren, and reimbursed her for the purchases she paid out-of-pocket. Caren could test this by using a different pharmacy. If the duplicate charges don't happen at the second pharmacy, then it is reasonable to assume a problem at the first pharmacy. If the duplicate charges continue, then it seems safe to assume that her debit payment data was stolen.

Insider identity theft is always a possibility. It's harder for employees to spot, but it does happen.

What should employees do if your employer offers a specialized debit card for healthcare expenses? I suggest the following steps:

• Read all applicable policies to know your rights and responsibilities -- especially before registering for a FSA with your employer. Your employer may have negotiated a really good deal for its employees, or not. Don't blindly assume so; read the fine print in the agreement first. Part of evaluating if it's a good deal is looking for certain clauses in the agreement -- like the ones listed above. If you have difficulty reading contracts, get help from a trusted friend, family member, or attorney if you can afford one.
• Use the Internet to find reviews written by employees about their health care debit card plan. Places I like to look include Consumer Reports, The Consumerist, and Epinions.
• File a police report with local law enforcement. (In Caren's case, somebody spent money from her FSA account without her authorization. That is theft.) Insist on law enforcement accepting the report. Make several copies. Attached the police report to any complaints filed with your employer, the FSA healthcare administrator, and the bank,
• Use a different pharmacy. If the duplicate charge problem stops, it is reasonable to assume a problem at the first pharmacy, and file a police report accordingly,
• If you feel that you aren't getting the services promised by the bank which processes your health care debit card transactions, learn about how to file a complaint against your bank.
• File a fraud complaint with the U.S. Federal Trade Commission (FTC) including any relevant documents (and non-action by employer, HR Firm, health care firm, and bank). This will help the FTC track any emerging theft trends with health care debit cards.
• If there is no action by the employer, HR Firm, healthcare firm, and/or bank), write a letter to your federal or state elected officials asking for help. It's part of their jobs -- to help their constituents.

Is the United Healthcare Consumer Accounts Card a good deal? Only you can decide for yourself, as everyone's needs are different. Hopefully, I have highlighted the things consumers should look for in any health care card agreement, so you can make an informed decision.

If you use a specialized debit card for health care expenses, what has been your experience?

A Debit Card Cautionary Tale

[Editor's Note: today's post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. Michelle helps others improve their use of technology in their personal or professional life. Today, she tackles what I believe will become a huge identity-theft problem. As employers lower their administrative costs by outsourcing payment systems that include debit-card transactions, the result is a more complicated, patchwork mix of companies where it is not easily clear who is responsible when bad things happen.]

By R. Michelle Green

At a business conference I attended, the topic turned to health care insurance administration. Some of the attendees now have new debit cards they didn’t ask for. Their employers gave them debit cards for their health care expenses (to access their Flexible Spending Accounts). Instead of having to submit receipts, employees offer the card at the point of sale. If s/he tries to charge more than allowed, or tries to charge things that are not acceptable, the card is rejected. Easily fits into the distributor’s payment systems (cash credit debit), no paperwork for the employee, less evaluative work for the FSA provider. Everyone wins, right?

Not everyone.

Meet Caren (not her real name, of course). She offered her new debit card -- her's is called a United Healthcare Consumer Accounts Card -- for prescription meds in January last year. However, the purchase was rejected by the pharmacy. She assumed it was a glitch, and paid for it herself. While this eventually happened every time, she doesn’t have medical charges every day, so it took a while to recognize that the card never worked. For reasons not relevant here, she did not pursue this with the provider until the fall, only to discover that all her money had been used up on health care charges she didn’t make.

She spoke with United Healthcare using the phone number on her Consumer Accounts Card. She submitted all her information in writing as they requested. They produced a sheet showing that her charges mostly matched (about 70%) identical charges paid 1-2 business days after hers. Though they did not accuse her of fraud, they did say the case was closed and did not merit an appeal. When she approached her human resources provider, he said, well at least she got the tax break. (!) She didn’t get a tax break, she got a salary reduction! She was deprived of access to her own money, set aside from her salary. The debit card agreement online says that she should call the bank operating the card, but that hasn’t proven productive either.

Had a second card been issued to someone else, we wondered? Not to her (or to the bank’s) knowledge. Did the drugstore have signatures on the other charges ostensibly hers? The other charges were mail order charges through Medco, so no receipts or signatures. She has no account with Medco. The pharmacy is not interested in pursuing this, they’ve been paid (perhaps twice!). Medco won’t address it, as she is not a client. The debit card provider only knows the money is spent. The FSA account holder is satisfied that it was spent for the right things. Only Caren is out of pocket and disadvantaged. Doubly so – this was so traumatic that she did not enroll in FSA this year. That makes her ineligible for the associated tax benefit in 2012.

Turns out our blog host is interested in the way financial systems are evolving, and found this issue particularly interesting. There are a lot more parties in the mix than you might at first think. Caren has an employer small enough that it purchases human resources expertise from a national firm. So there’s Caren, Small Firm, and Big HR Firm. Big HR Firm takes the money from her account and sends it somewhere based on their agreement with United Healthcare. Her debit card is managed by United Healthcare, and Optum Health Bank administers that card for them. Optum Health Bank has a subsidiary, Optum Financial, that handles the flow of money from the holding account to the point of sale. And what about the pharmacy: could their processes have been compromised as well?

I read a lot about fraud and scams, and wondered if this could be the tip of a software theft operation, selecting certain customers, and duplicating certain customers’ receipts, at just low enough rates that they are not perceived. (Good movie, eh? But Occam’s Razor says: not likely.) But who is the person with enough clout to investigate this, particularly if no one person or entity loses big bucks?

Today she tweeted that she had heard from Big HR Firm – there’s nothing they can do. So who’s responsible? Several corporations are in play; doesn’t each have a responsibility to Caren? Who can help her?

Apple Says Path And Other iPhone Apps Violated Policy

A prior blog post discussed how a developer found the Path iPhone app collecting his contact information without notice nor consent. The All Things D blog reported a reply by an Apple spokesperson:

"Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines... We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release."

Twitter, Hipster, and other apps that collected users' contact information also are modifying their processes to stop collection. The statement by Apple still doesn't explain why Apple did not reject apps that violate its policy from being sold in its app store. Nor does Apple seem to address the consequences for these violators.

The "working to make this even better" sounds disingenuous. Either an app violated the policy, or it didn't. Either Apple checks apps for compliance or it doesn't. There is no inbetween. One cannot be a little pregnant.

At press time, the Apple Press Info website section did not mention the above statement.

When Online Convenience Trumps Security

Recently, a coworker said to me that she definitely values convenience over security when it comes to using her mobile device and the Internet. To me, that is a false choice. Consumers can, and should, demand both.