Consumer Reports Reviews Facebook And How To Use It Safely

If you haven't read it, there is a good review by Consumer Reports of the Facebook social networking website. The news media has focused on some of the controversial aspects of the report. For example, CNN reported, like many other news organizations, the survey finding that about 25 percent of Facebook users lie about information in their Facebook profile to protect their identity.

While lying about profile information may seem like an effective privacy strategy, the Consumer Report review of Facebook highlights the various ways Facebook tracks its members. Some Facebook members have made conscious choices to share personal data, and do so in status messages, sharing items, and commenting upon others' status messages. Yet other tracking methods exist.

The Consumer Reports review is a good reminder that its members are the products:

"... the company uses your data to help advertisers deliver ads that you may find useful. Suppose, for example, that you have “liked” the San Francisco 49ers page, or simply posted comments about football. You shouldn’t be surprised to see ads in the margins for football tickets, fan paraphernalia, and the like. Facebook does not share any of your information with advertisers that buy those ads unless you give permission. If you click the ad and purchase something, the advertiser obviously learns who you are. And even if you simply “like” a brand page, the company can automatically send posts to your account."

One tracking method is the facial-recognition software used to "tag" (e.g., identify) people (and places) in both photos and videos. Members who aren't careful to turn off the geo-tagging feature in their smart phones or tablets will provide even more personal data with photos and videos uploaded to Facebook.

Another method are the Facebook apps member use for music, news, and games -- which are loosely managed by Facebook:

"... according to Kevin Johnson, security consultant at Florida-based Secure Ideas, who has developed apps and tests their security. The sole credential needed to create an app is a verified Facebook account, including a cell phone number or credit card. And the company doesn’t have to review your source code (programming instructions) before it goes live..."

So, there seems to be little to no verification of apps for security or compliance when those apps have a privacy policy.

A method Facebook uses to track both members and non-members includes those "Like" buttons you have see on websites across the Internet:

"... Facebook keeps track of the other websites [its members] visit. That happens via the “Like,” “Recommendations,” and similar buttons that so many sites include. In addition to reporting your presence, the “Like” button sends along the date and time of your visit and your IP address, whether or not you click on it. The company has acknowledged that this happens even when Facebook users are logged out, a practice that had prompted class-action lawsuits in the U.S. If you’re logged in to Facebook, it can collect even more data. The company also said that it collects data from people who are not its users and have never visited its site..."

The review is also a good reminder of the scope of data Facebook collects:

"... thanks in large part to Max Schrems, a 24-year-old Austrian law student who managed to get a fuller copy of his personal information last year from Facebook's Dublin office, which oversees relations with users outside the U.S. and Canada. Schrems was surprised to discover, among the 1,222 pages of data covering three years of Facebook activity, not only deleted wall posts and messages, some with sensitive personal information, but e-mail addresses he’d deleted and names he’d removed from his friends list... Facebook collects the same type of detailed information on American users, as confirmed by documents it released to Boston police during their investigation of Philip Markoff..."

If you want to learn more about Schrems, visit Europe Versus Facebook. The review ends with a list of nine ways consumers can use Facebook (and similar social networking sites) safely:

"1. Think before you type. Even if you delete an account (which takes Facebook about a month), some info can remain in Facebook’s computers for up to 90 days.

3. Protect basic information. Set the audience for profile items, such as your town or employer. And remember: Sharing info with “friends of friends” could expose it to tens of thousands.

4. Know what you can’t protect. Your name and profile picture are public. To protect your identity, don’t use a photo, or use one that doesn’t show your face.

5. “UnPublic” your wall. Set the audience for all previous wall posts to just friends.

7. Block apps and sites that snoop. Unless you intercede, friends can share personal information about you with apps. To block that, use controls to limit the info apps can see."

Read the complete review of Facebook.com by Consumer Reports.

6 Threats That Target Consumers' Mobile Devices

If you think that identity thieves and scam aartists have not already targeted your favorite mobile devices, then think again. Dark Reading reported about siz specific threats that target popular mobile devices:

"1. Zitmo - One of the most successful banking Trojans of all time, Zeus, made the jump from PCs to mobile devices through the Zeus-in-the-mobile (Zitmo) spyware application. Prevalent on Android, Zitmo masquerades as a banking activation application and eavesdrops on SMS messages in search of the mobile transaction authentication numbers..."

"2. Mobile Botnets - Since 2009, Perimeter E-Security Research Analyst Grace Zeng has been exploring the possibilities of botnets consisting entirely of mobile devices. Naysayers told her it wasn't feasible, but last month she showed how realistic the possibility is with a presentation at WiSec 2012...:

"5. JiFake - Mobile marketers are loving the convenience of easy-to-scan QR codes to deliver mobile users to their websites and apps through their phones' barcode scanners. Attackers love these codes, too. Researchers are finding that the bad guys are increasingly using the obfuscation of QR codes to trick users into downloading malware..."

To protect yourself and the sensitive data on your smart phone or tablet, experts advise consumers to:

• Download apps only from trusted websites,
• Donwload only apps with privacy policies and terms of conditions that you understand and agree with,
• Keep the anti-virus software on your mobile device updated, just like you do on your laptop or desktop computer, and
• Password protect your mobile device in case it is lost or stolen.

Security Report Describes Multiple Threats Targeting Apple And Android Mobile Devices

Your Apple brand mobile device may not be as secure as you think it is. Trend Micro released a report last week about mobile device security. Key findings from the report:

• During the first three months of 2012, Apple led all major technology vendors with 91 reported vulnerabilities (http://cve.mitre.org/); followed by Oracle (78), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27), and  Apache (24).
• During the same period, Android-based smartphone suffered from the most cyber criminal attacks. Trend Micro identified about 5,000 new malicious apps that target Android devices

The report described a variety of scams and threats targeting mobile device users worldwide. The “one-click billing fraud” scam is particularly nasty. In this scam, thieves target video sharing websites. When a person clicks on a link to view a video, the link redirects to a website that downloads a software virus to their device. The virus locks up the person’s device and demands payment to unlock the device. This scam now targets Android-based smartphones.

Some scams used email hoaxes about new products to spread malware:

“Free “iPad 3” giveaway promos stirred up interest in the product even before its launch and infected systems with malware. Twitter spam touting free McDonald’s gift cards redirected users to adult dating sites..."

Some scams used new social networking sites to spread computer viruses:

“New social networking site, Pinterest, gained not just popularity but also notoriety. Site users were drawn into “re-pinning” a Starbucks logo to get supposed gift cards but instead got Malware.”

The report describes another type of scams, often referred to as “ransomeware” which:

“Refers to a class of malware that holds systems and/or files “hostage” unless victims pay up...”

Ransomeware may also encrypt files on the hard drives of victims’ infected devices, and demand payment to release the encrypted files. Trend Micro reported that this scam previously operated in Russia, but has now spread to several countries in Europe. A variation of this scam includes the use of police department logos on a landing page which demands that victims with infected computers pay a bogus fine for accessing Internet port and materials with violent content.

Before installing apps on your smartphone, the report’s authors advice consumers to:

1. Be ready to give out some personal information.
2. Know that a third-party will gain access to your personal information.
3. Know the app developer’s reputation

Download the “Security In the Age of Mobility” report (Adobe PDF, 2.1 MBytes).

Hackers Target Facebook Users With New Malware Tool To Steal Credit Card Information

In case you haven't heard, scammers and identity thieves have targeted social networking users. Trusteer reported a new scam by identity theives using a new version of the "Ice IX" malware.

After a Facebook member (within an infected computer) has logged into their Facebook account, the "Ice IX" malware spawns a new browser with a fake Facebook page which prompts users to enter credit card information for supposed additional data security protection. Of course, no security protection is provided, and the malware steals both the consumer's credit card information and other sensitive personal data stored on your computer.

This is another fine example of the creativity and persistence of scammers and identity thieves. Visit the Trusteer website to view screen images of the fake Facebook page. To learn more about how to protect yourself when using Facebook.com and its mobile apps, see the links in the "Using Facebook Safely" module in the near-right column.

Class Action Suit Filed Against Path Claims More Data Was Collected Besides Address Books

A second class-action lawsuit was filed against Path Inc. claiming the company's mobile app collected more infromation than just users' address books. The suit also calimed that users of the Path app were:

"... victims of unfair, deceptive, and unlawful business practices; wherein their property, privacy, and security rights were violated..."

The additional data allegedly collected without notice and without consent included find GPS locations, users' personally identifiable information, and the personal information of minor children.

The suit claims that the information collected was distributed to other companies with notice or consent, and that tracking methods were added to users digital information:

"Affix to Plaintiff's and Class members' digital content, referencing photos, videos, and audio files, without notice or authorization tracking mechanisms and information... "filtering" of digital content by installation of geo-tags for tracking, interception and monitoring of social network interactions... that third-party social network interactions would be monitored and then transmitted, used, disclosed, and stored on path's servers..."

The suit claims that Path stored address book information is an insecure manner. By February 2012, Path reportedly had about 2 million users.

The suit was filed in Northern District Court of California by attorneys Strange & Carpenter of Los Angeles, and Joseph Malley of Dallas. Readers of this blog recognize Malley, often referred to as a "Privacy Crusader." Malley was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Hulu.com and KISSmetrics ("zombie E-Tags"), Ringleader, Facebook, and Apple. In 2010, Facebook settled its suit for $9.5 million. So, Malley has plenty of experience with online privacy and tracking issues.

You can download the Hernandez et al v Path Inc. complaint from Courthouse News (Adobe PDF).

A Privacy Bill Of Rights For Mobile Users

The Electronic Frontier Foundation (EFF) issued a statement calling for a bill of rights for wireless users. Because mobile devices are always on and store a vast amount of sensitive personal data (e.g., contacts, Internet usage, social networking website usage, GPS location, calendar, phone calls made and received, online banking, photographs, user-created documents, etc.), the EFF believes firmly that:

"... he stakes are even higher for manufacturers, carriers, app developers, and mobile ad networks to respect user privacy in order to earn and retain the ever-important trust of the public."

I agree with this position, and this blog has covered numerous instances where mobile device manufacturers, telecommunications providers, advertising networks, apps-store operators, and/or app developers working singularly or together have abused consumers' privacy. The EFF's proposed Mobile User Bill of Rights contains six items:

1. Individual control: Users have a right to exercise control over what personal data applications collect about them and how they use it. Although some access control exists at the operating system level in smart phones, developers should seek to empower users even when it's not technically or legally required by the platform. The right to individual control also includes the ability to remove consent and withdraw that data from application servers. The White House white paper puts it well: "Companies should provide means of with drawing consent that are on equal footing with ways they obtain consent. For example, if consumers grant consent through a single action on their computers, they should be able to withdraw consent in a similar fashion."

2. Focused data collection: In addition to standard best practices for online service providers, app developers need to be especially careful about concerns unique to mobile devices. Address book information and photo collections have already been the subject of major privacy stories and user backlash. Other especially sensitive areas include location data, and the contents and metadata from phone calls and text messages. Developers of mobile applications should only collect the minimum amount required to provide the service, with an eye towards ways to archive the functionality while anonymizing personal information.

3. Transparency: Users need to know what data an app is accessing, how long the data is kept, and with whom it will be shared. Users should be able to access human-readable privacy and security policies, both before and after installation. Transparency is particularly critical in instances where the user doesn’t directly interact with the application (as with, for example, Carrier IQ).

4. Respect for context: Applications that collect data should only use or share that data in a manner consistent with the context in which the information was provided. If contact data is collected for a "find friends" feature, for example, it should not be released to third parties or used to e-mail those contacts directly. When the developer wants to make a secondary use of the data, it must obtain explicit opt-in permission from the user.

5. Security: Developers are responsible for the security of the personal data they collect and store. That means, for example, that it should be encrypted wherever possible, and data moving between a phone and a server should always be encrypted at the transport layer.

6. Accountability: Ultimately, all actors in the mobile industry are responsible for the behavior of the hardware and software they create and deploy. Users have a right to demand accountability from them.

The industry would be well advised to comply now with this bill of rights, rather than wait, deflect, and avoid. It can simply look at the airline industry as an example of what happens when an industry abuses it customers, loses the public's trust, and is then forced to comply with a airline passengers bill of rights.

High Value Targets

Use Caution With Bill-To-Your-Cell-Phone Services

Lots of people like to try new services as they become available. It's generally a good idea as those new services can save time, effort, and/or money.

There is a good article at the Consumer Reports website which advises consumers to use caution when using bill-to-your-cellular-phone services. Perhaps, you have heard of the phrase: "digital wallet." There are several services available to pay with your cellular phone.

The magazine recently analyzed wireless carriers' contracts for bill-to-your-cell-phone services, and found:

"... consumer rights can vary widely between wireless carriers and the protections carriers claim to provide are often not spelled out in the contracts..."

The contracts outline consumers rights and responsibilities -- especially when bad things happen (e.g., bill problems, fraud). If the contracts aren't clear or complete, then you may encounter problems. The magazine used several secret shoppers to survey customer service representatives at:

"... Verizon, five from AT&T, and two each from Sprint and T-Mobile... Our test results show that, on average, cell carriers' customer service representatives are not aware of their company's policies."

Again, if the customer service representatives are unfamiliar with their employer's bill-to-your-cell-phone services, then you may encounter difficulty getting any bill problems resolved. Inspect your monthly bills closely for accurate charges.

How Companies Analyze Your Spending And Habits

Two really good news article explain how companies analyze consumers spending and social networking activity. I highly recommend that you read both articles.

The Forbes magazine article, "How Target Figured Out a Teen Girl Was Pregnant Before Her Father Did," summarized very well the problematic behavior of many corporations and retailers. To get a jump on its competitors, Target extensively analyzed -- perhaps better than most retailers -- its customers' purchases and attached undisclosed demographic data to each customer's identification number to mathematically predict what customers might by.

The prediction formulas were so good, Target was able to mathematically deduce from past purchases that this teen girl was pregnant and send coupons to her home -- all before the teen told her parent of the pregnancy:

"What Target discovered fairly quickly is that it creeped people out that the company knew about their pregnancies in advance... So Target got sneakier about sending the coupons. The company can create personalized booklets..."

These personalized coupon books were an attempt to hide the fact that Target knew so much, and disguise that knowledge by presenting both coupons not related to pregnancy with coupons that were related:

"... we learned that some women react badly... Then we started mixing in all these ads for things we knew pregnant women would never buy, so the baby ads looked random... we found out that as long as a pregnant woman thinks she hasn’t been spied on, she’ll use the coupons. She just assumes that everyone else on her block got the same mailer..."

One of my friends called Target's behavior "untethered stupidity" to market pregancy products to a teenager. Yes, that was incredibly stupid, and was likely enabled by its rush to make money. Some of my friends were surprised at the content of the above Forbes article. I wasn't surprised because of the amount of personal information shared:

• Consumers share on social networking websites the items (e.g., products, services, television/cable shows, music) products we like or prefer,
• Banks regularly collect and resell both debit-card and credit-card purchases,
• Consumers share on social networking websites a wide variety of sensitive personal data (e.g., birth date, children's names and ages, list of relatives). The full birth date makes it easy for data brokers and advertisers to distinguish several people with the same name,
• Consumers share product preferences and travel vacation habits through loyalty program memberships,
• State motor vehicle registries regularly sell drivers' data to companies and data brokers. That includes the car, from which marketers can deduce your wealth, favorite color, and when to pitch extended auto warranty service plans,
• Data brokers like Spokeo and Acxiom compile consumers' demographic data from public records and social networking websites, which retailers can purchase,
• Leaky entertainment, quiz, and gaming apps on social networking websites regularly collect consumers sensitive personal data,
• Leaky smartphone apps regularly collect consumers' sensitive personal data, they often shouldn't. The lack of privacy policies with these apps mean the app developers are free to sell the personal data collected.

What might that undisclosed demographic data be? It's pretty easy to deduce or infer:

• Name, address, age from the store loyalty program registration
• Income from any store credit cards, loyalty program registrations, surveys, or average purchase history over time (e.g., wealthy people spend more, less wealthy purchase more with coupons)
• Favorite colors from the colors of clothes purchased
• Left-handed preference from types of products purchased
• Personal preferences from any product comments at the retailer's web site or products "liked" at social networking websites (purchased from data brokers)
• Type of vision from purchases (e.g., non-prescription sunglasses indicate good vision)
• Health issues (e.g., eczema, dry skin, dandruff) from the types of lotions and shampoos purchased
• Health issues (e.g., over-weight) by the size of clothes purchased or from retailers offering pharmacies and in-store clinics
• Durable goods (e.g., dishwasher, washing machine, gas or electric oven) used at home from purchases
• Auto and electronics owned from purchases, either the item or related accessories purchased
• Approximate ages of children by types of toys purchased or from photographs at social networking websites
• Where else you shop, based on GPS coordinates collected from any apps installed on your smartphone, or data purchased from mobile service providers
• Retail stores that use facial recognition cameras can track your shopping patterns (e.g., when where, duration), even when you pay with cash and left your GPS-enabled cell phone at home, and supplement this with demographic data from photos you are tagged in at social networking websites
• Any gaps in the above demographic data can easily be filled by data purchased from data brokers like Acxiom and/or ads run on social networking websites

The New York Times article, "How Companies Learn Your Secrets," includes a more detailed analysis, with how marketers look for "chunks" in consumers' behaviors to predict future purchases:

"This process, in which the brain converts a sequence of actions into an automatic routine, is called “chunking.” There are dozens, if not hundreds, of behavioral chunks we rely on every day. Some are simple: you automatically put toothpaste on your toothbrush before sticking it in your mouth..."

Some chunks are more complex; consider the series of behaviors women will perform to prepare for a pregnancy: purchase different clothes, lotions, and/or personal hygiene items. Now, think more broadly, because everyone's behaviors can be chunked. Not just women. The researchers found:

"... when some customers were going through a major life event, like graduating from college or getting a new job or moving to a new town, their shopping habits became flexible in ways that were both predictable and potential gold mines for retailers. The study found that when someone marries, he or she is more likely to start buying a new type of coffee. When a couple move into a new house, they’re more apt to purchase a different kind of cereal. When they divorce, there’s an increased chance they’ll start buying different brands of beer. Consumers going through major life events often don’t notice, or care, that their shopping habits have shifted, but retailers notice..."

And a baby definitely qualifies as a major life event.

Now, consider your past purchases. Advertisers value that so they can serve up different products at these major life events. Coombine this with your GPS location in the physical world, and it is a marketers dream: to know you shop every Saturday morning and then serve up ads on your smartphone before you arrive at the supermarket; or to serve up childrens toy and food ads before you shop for their birthday parties.

Maybe all of this doesn't bother you, or maybe it does. The bottom line: where you go in the world, what you purchase, and how much you consume are all pretty personal facts. Consumers should have control over when and with whom this personal data gets shared. If you choose to share everything, fine. Some of us feel and act differently.

Apple Says Path And Other iPhone Apps Violated Policy

A prior blog post discussed how a developer found the Path iPhone app collecting his contact information without notice nor consent. The All Things D blog reported a reply by an Apple spokesperson:

"Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines... We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release."

Twitter, Hipster, and other apps that collected users' contact information also are modifying their processes to stop collection. The statement by Apple still doesn't explain why Apple did not reject apps that violate its policy from being sold in its app store. Nor does Apple seem to address the consequences for these violators.

The "working to make this even better" sounds disingenuous. Either an app violated the policy, or it didn't. Either Apple checks apps for compliance or it doesn't. There is no inbetween. One cannot be a little pregnant.

At press time, the Apple Press Info website section did not mention the above statement.

Asurion Surveys Consumers About Their Smart Phones; Recycling Old Gadgets With Gazelle

Asurion, the provider of insurance services for mobile device users, announced on Tuesday the result of a recent survey of 3,000 smart phone users. Consumers are in love with their smart phones. Some survey results:

• About 30 percent of survey participants believe their smart phone is more helpful than their significant other: more entertaining or never talks back
• About half of survey respondents have sent racey text messages to their partners
• About 20 percent of respondents would not end a date if the other person spent the entire time on their phone

The survey included smart phone users in the United States. To learn more about Asurion, read this blog post.

If you desk drawer at home is filling up with old cell phones and electronic gadgets, then this may be an option for you. Gazelle, an electronics recycling company, claims that it will pay cash for old gadgets: cell phones, digital cameras, MP3 players, GPS devices, calculators, tablets, and more.

I haven't used Gazelle, so I don't know if it pays well and provides good data security. I'll bet that some I've Been Mugged readers probably have already used Gazelle. If you have, share your experiences below.

Big Banks vs. Credit Unions

If you are unsure about whether or not to move your money from a big banks to a small, community bank and credit union, consider the statistics below from Consumer Reports:

Item / Fee	Big Banks	Credit Unions
Non-interest Checking (per month)	$10.27	$6.00
Minimum Balance to Waive Fees	$1,115.97	$500.00
Online Bill Payment (per month)	$6.95	$0.00
Use Another Bank's ATM (per transaction)	$2.21	$1.07
ATM Surcharge (per transaction)	$2.96	$2.79
Overdraft (per transaction)	$34.48	$27.82
Insufficient Funds (per transaction)	$34.48	$27.82
Stop Payment (per transaction)	$31.09	$19.43

To learn more:

• Javelin Research Reports Results About Bank Transfer Day
• Learn About Credit Unions. Free Workshops At A Nearby City
• Keeping Its Commitment To Its Customers: A Bank Does The Right Thing
• Bank of America Merchant Services And Money Network Announce New Payroll Solution
• How To File A Complaint About A Bank
• Move Your Money To... Walmart? A Good Deal?
• Some Banks Reverse Decisions To Add New Debit Card Fees

iPhone App Uploads Users' Entire iPhone Address Books

An I've Been Mugged reader alerted me about this. In his blog, Arun Thampi has documented technically how the Path iPhone app uploaded his entire iPhone address book and contact information to its servers without notifying customers nor gaining their permission. Arun's described his experience:

"I was thinking of implementing a Path Mac OS X app... I started to observe the various API calls made to Path’s servers from the iPhone app. It all seemed harmless enough until I observed a POST request to https://api.path.com/3/contacts/add. Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path."

The comments section of the blog post includes a conversation between Arun and Dave Morin, CEO of Path. During the discussion, one user raises the relevant issues and questions:

"1. Why are you uploading the actual address book data, rather than (say) generating hashes of the user's email addresses locally, then uploading just those hashes... 2. Why wasn't this an opt-in situation to begin with? Isn't that against Apple's own T&Cs? 3. How can we have our contact information deleted from your servers, if we wish to do that?

It is good that Morin apologized on behalf of Path. He also wrote in the comment sectionr:

1. This is a good alternative solution which we'll look into. Thanks for the idea. 2. This is currently the industry best practice and the App Store guidelines do not specifically discuss contact information... 3. As I mentioned in the previous answer, we are rolling out this functionality for 2.0.6. In the meantime, if you would like your data deleted from our servers please contact our service team at service@path.com..."

During the discussion, a user cites the relevant sections of the App Store's terms and conditions (Adobe PDF):

"I'd say that 17.1 and 17.2 of the approval guidelines specifically forbids what you are currently doing: 17.1: Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used. 17.2: Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected..."

The additional issues I see:

• Almost all of the comments are by people who aren't lawyers. I am sure that a lawyer will weigh in on this soon.
• The opt-out process Morin describe sounded cumbersome to me, as if it was created in haste after the fact. The system default never should have been to auto upload customers' entire phone books.
• It's great that Thampi found this problem. However, one should not have to be a computer programmer or website developer in order to verify that smartphone apps don't violate either the app developer's policies or the app store's policies.
• As social networking and app companies innovate, it is critical for the industry to figure out where the line is between users accepting data collection to enable convenience versus too much data collection. This makes it difficult to impossible to gain trust among users about the safety, security, and reliability of mobile device apps.
• I look forward to reading Apple's response about why it didn't reject the Path iPhone app.

Both C/Net and Wired summarized well the situation. C/Net said:

"Apple, of course, has learned the hard way that it needs to be strict about how iOS apps use, share, and distribute users' private data..."

And Wired said:

In fact, Facebook was caught doing the exact same thing that Path is currently taking heat for, over two years ago."

Data Breach At Motorola Mobility Affects Refurbished XOOM Tablets

Motorola Mobility admitted Friday in a press release that it failed to erase the sensitive personal information of original owners on refurbished tablets. The breach included about 100 Motorola XOOM WiFi tablets from a batch of 6,200. The tablets were resold by Woot.com during October through December 2011.

Motorola did not specify the types of sensitive personal information exposed, but it likely include any personal information the original tablet owners stored on their devices:

"It is possible that users might have stored photographs and documents. They may have also stored user names and passwords for email and social media accounts, as well as other password-protected sites and applications."

Ya think so? Duh! Obviously, affected consumers should change their passwords at any online bank, financial, and social networking websites; especially if you stored your passwords on your Motorola tablet. Purchasers of the affected refurbished tablets should return their devices to Motorla to ensure that the memory of each device is cleared. If you purchased a refurbished Motorola XOOM Wi-Fi tablets from Woot.com between October and December 2011, you should visit motorola.com/xoomreturn or call Motorola Mobility Customer Support (1-800-734-5870 and select Option 1) to determine if your tablet is affected.

For consumers who purchased and then returned a Motorola XOOM Wi-Fi tablet to Amazon.com, Best Buy, BJ’s Wholesale, eBay, Office Max, Radio Shack, Sam’s Club, or Staples and a few other independent retailers between March and October 2011, Motorola offers a free two-year membership with Experian’s ProtectMyID Alert credit monitoring service. The company also directed original tablet owners to contact Experian at 1-866-926-9803 to register for their complimentary credit monitoring service.

At press time, refurbished XOOM tablets were selling for about $349 on Amazon.com.

This breach is troublesome. While breaches often happen, the company should have adequately wiped all sensitive personal data from refurbished tablets. That the company failed to do so makes one wonder if any malware was transmitted to purchasers of refurbished tablets -- or of any other Motorola mobile devices.

If you were affected by this data breach, share your experience below.

How To Dispose Of Your Old Smart Phone Or Tablet

It seems that about every few months, manufacturers introduce a new smart phone or tablet mobile device. Perhaps, you received a new mobile device recently as a Christmas or birthday present. Maybe, you are a consumer who must have the latest technology. Regardless, your collection of old and obsolete mobile devices can quickly pile up.

What should consumers do with their old mobile devices? Or more precisely: how should consumers dispose of their old mobile devices to avoid identity theft and fraud?

The U.S. Federal Trade Commission (FTC) advises consumers to, first, permanently delete all personal information from your old smart phone or mobile device:

"Permanent data deletion usually requires several steps. Remove the memory or subscriber identity module (SIM) card from the phone. That’s an important first step in deleting information, but you likely will need to do more to erase all the sensitive data on your device. You can command a cell phone to delete certain data, but that will only delete the references to where the data is located; the actual information stays on the phone’s operating system."

Consult the user manual for your smart phone (you kept it, didn't you?) for the exact steps to permanently delete contact information, lists of calls received and made, photos, passwords, and any payment information.

Second, you have several disposal options:

• Recycle: many cellular phone manufacturers, service providers, and non-profit organizations groups offer programs to recycle their components, including accessories like chargers. Visit the Environmental Protection Agency (EPA) to learn more about recycling programs. Consult Earth911 to find a nearby recycling center. The U.S. Postal Service operates a free “Mail Back” program for consumers to recycle small electronic products: smart phones, digital cameras, PDAs, and inkjet cartridges. Free envelopes are available at select Post Offices.
• Donate: some charitable organizations accept old mobile devices.
• Resell: Some individuals and organizations will buy your old mobile devices.
• Dispose properly: mobile device batteries should not be placed in the trash. Many cellular phones contain toxic metals, which can contaminate the environment. Instead, dispose when your town/city offers hazardous waste collection days.

If you operate a small business that collected the sensitive personal data of your clients, customers, contractors, and/or employees, then certain data security rules may apply. Check with your industry trade association of the FTC website. For example, certain rules apply for health organizations when disposing PHI data (PDF). Another example, the American Bar Association (ABA) advises its member attorneys:

"... However, the January 01, 2007 edition of the Federal Trade Commission's Disposal Rule (16 CFR Part 682) says that the responsibility to properly dispose of consumer information includes the sale, donation or transfer of any medium, including computer equipment, upon which consumer information is stored."

Why You Shouldn't Install Those Entertaining Apps On Facebook

There is an excellent Facecrooks blog post that explains the risks of installing most "fun and entertaining" apps on Facebook. First, you have to understand the extreme limitations of Facebook:

"... there is no formal review process for applications or developers on the Facebook platform. Anyone and everyone (scammers included) can create apps. This is far different from the “Walled Garden” approach taken by Apple. Many unsuspecting users might be under the impression that if it’s on Facebook then it must be legitimate. That is totally not the case."

Second, think long and hard before installing any app that requires you to give it permission to:

• Access all of the data in your Facebook profile
• Access all of your Facebook friends list
• Post as you
• Just because the app address starts with HTTPS doesn't mean it is safe
• Doesn't have a privacy policy
• Has a privacy policy you don't like

Third, it is wise for Facebook members to "like" Facecrooks and follow its posts, so you are aware of emerging threats and scams.

Plenty Of Collateral Damage From a Credit Card Theft

There is a good article in PC Magazine that describes the scope of damages from identity theft when credit cards, smart phones, and spammers intersect. Jacqueline, a sales manager, had her credit card stolen and cloned, which resulted in over $2,000 in fraudulent charges. (Damages #1.) Her bank cancelled the exisitng credit card account and issued her a new credit card account. You would assume that was the end of the story, but sadly it wasn't.

Then, the credit card theft and card cloning happened with the replacement credit card -- which suggests an insider identity-theft problem at the bank Jacqueline uses.  Her bank cancelled the replacement credit card account, and issued her a second replacement credit card. End of the story, right?

Wrong. Next, Jacqueline and her contacts began to receive a flood of text message and phone call spam from unknown phone numbers. Apparently, the identity criminals had also stolen Jacqueline's mobile phone number (Damages #2.) along with her credit card information. Jacqueline's company-issued Blackberry-brand smart phone had been spamming people and phishing for consumers' Sovereign Bank sign-in credentials.

Jacqueline doesn't work at Sovereign Bank. After more investigations by the IT department at Jacqueline's employer, her mobile carrier, Verizon, informed them that the text message spam wasn't coming from its network, but from a computer pretending to be Jacqueline. Apparently, the credit card thieves re-sold Jacqueline's personal data and mobile phone number to other identity criminals, which included a spammer (Damages #3.):

"Someone had gotten a hold of her mobile number and was spoofing other phones using her digits. It turns out there's software designed specifically for businesses to send bulk SMS to lists of phone numbers from a computer."

Wow! What a mess. This saga highlights several issues, including the:

• Creativity and persistence of identity thieves,
• Efficiency of online forums where consumers' stolen personal data is resold and traded,
• Value of consumers' (digital) personal information, and
• Duration of damages from identity theft and fraud.

The average consumer doesn't think about how valuable the various bits of their personal information are. But, identity criminals think about it deeply.

The good news in this story was that the IT department at Jacqueline's employer was able to rule out any leaky smart phone apps that could have compromised her data security.

Today, there's not much more Jacqueline or her employer's IT department can do. Her personal identity information is out there in the thieves' domain. As I see it, all she can do is file police reports to document the trail of theft, and lock down her credit reports to keep the damage from spreading to her financial accounts. If the thieves also have her Social Security number, then they can obain fraudulent identification cards and drivers licenses. And, there's nothing to restrict the thieves' action with the USA borders.

Much Of Consumers' Internet Usage Assumes Unlimited Access

On Friday, my wife and I returned from a two-week vacation in Central and South America. Our cruise ship sailed from San Diego through the Panama Canal to Fort Lauderdale, stopping at ports in Mexico, Guatemala, Panama, and Colombia. The trip included an instructive reminder of how consumers' Internet usage is shaped by price plans.

Cruise ships contain many modern conveniences, one of which is Internet access via WiFi. Typically, each ship has both an Internet cafe and several hot spots for convenient access. Prices are pretty consistent across cruise lines. The Holland America ship we sailed on provided Internet access "as you go" ($ .75 per minute), a 100-minute block ($ .55 per minute), or a 250-minute block ($ .40 per minute). I purchased a couple 250-minute blocks, since I am a heavy user.

It doesn't matter what device you use on board: desktop, laptop, smart phone, or tablet. If it uses a WiFi connection, you pay a per-minute rate because of the satellite connection.

While aboard the MS Statendam, I accessed Facebook.com to tease coworkers and friends who were working hard while I relaxed poolside on the Lido Deck. The experience reminded me -- in monetary terms -- of just how time intensive most social networking sites like Facebook are. I quickly chewed through the minutes I purchased.

The old school approach: you read and created email messages offline, and then signed in online to send and receive email messages. Then, you signed off. It was a quick "in and out" online.

Today's typical online session: you sign into Facebook to browse your timeline for messages to comment upon. Next, you stay signed in to browse the Walls of specific friends, because Facebook uses a formula to selectively display only some from all of your friends. Then, you spend even more time signed into Facebook while reading articles at other websites which you friends mentioned in their Facebook status messages.

Compared to email, Facebook is time intensive. This is good for Facebook but not good for consumers in situations paying for Internet access by the minute. Most consumers access the Internet from home (or work) via unlimited access plans. (Not so for mobile phone access.) Right now, that unlimited access is good for both Facebook and for consumers. Change that unlimited access and you quickly change consumers' online behavior.

Houston Identity Theft Theft Ring Arrested After Ordering Smart Phones

The Houston Examiner reported the arrest of members of an identity theft ring that used the stolen identities of Sprint customers to order fraudulent replacement smart phones, which they resold:

"Customers are routinely asked for their secret PIN numbers when they walk into Sprint stores, and federal agents say employees of the store were giving that information to thieves who were using it to get replacement phones that could be sold online."

What I found interesting about this case were the three points where data security failed. Better security at any one of these points could have stopped this theft ring before it started.

First, insider identity theft by employee facilitated the thefts. Using the stolen identities, the thieves ordered replacement smart phones from the insurance company, Asurion, used by Sprint mobile customers. A data breach like this highlights the need for a mobile service provider to implement a Red Flags program to identify and address problem data-security areas.

Second, the insurance company didn't seem to notice the rise in replacement phones within a specific geographic area:

"After filing the insurance claims, Secret Service agents say brand new phones were mailed out to hotels throughout the Houston area."

Most banks regularly flag purchases outside a consumer's normal credit card purchase patterns. Mobile service providers and mobile device insurers could and should do the same; especially where insurance claims include a different delivery address than the customers' home address. The new overage alert features by mobile service providers is a good first step in this direction, but it shouldn't require prodding by the FCC.

Third, several Houston area hotels seem to routinely accept and deliver packages to people who routinely made reservations but never checked in. This is like airlines accepting luggage for passengers who make reservations but never buy a ticket. Airlines have identified this security risk, and so too should hotels. Accept packages if you want, but deliver them only to customers have they have registered and checked in; or make it a perk only for loyalty program members.

Services To Remotely Lock, Locate, And Retrieve Your Lost Or Stolen Mobile Device

If you seek a way to protect your mobile device, there seem to be plenty of choices for consumers. Ubergizmo recently reported that Symantec has launched its Norton Anti-Theft service to help consumers remotely lock, locate, and retrieve lost or stolen mobile devices.

What I really like about the Ubergizmo article is its list of mobile device anti-theft services:

"... such as Find My iPhone by Apple, GadgetTrak, AccuTracking, SeekDroid that use location-based software, or StuffBak and TrackitBack that use a coded recovery label placed on the device. AT&T now offers the Mobile Locate app in its Mobile Protection Pack and Verizon offers Asurion’s Mobile Recovery app."

This blog recently covered the smartphone insurance plan from Verizon and Asurion.