How To Safely Dispose of Your Old Smart Phone

Everybody loves getting the latest smart phone. What to do with your old one? Perhaps, you plan to sell it on eBay or donate it to a charity. Whatever you decide, be sure to remove all sensitive data from it. Otherwise, you could create an identity theft and fraud problem for yourself.

The sensitive data on your smart phone isn't just your list of contacts and their phone numbers. The sensitive data also includes your passwords, email, browser history, calendar, and photos -- the things that document when and where you go both online and in the real world. The sensitivity of both your online passwords and browser history should be obvious. With access to your email, identity criminals could hack into your financial accounts and reset your online passwords. That would be an identity-theft disaster.

How to safely dispose of an old smart phone? Before selling or donating an old smart phone, security experts advise consumers to:

1. Remove the SIM card
2. Remove any memory cards
3. Run a factory reset to delete sensitivie data. To do this, check the (print or online) manual for your smart phone.

But that may not be enough. Accessdata, a computer forensics firm, performed an analysis last year of several popular smart phones available on the resale market. Almost all had sensitive data from the prior owners. As Dark Reading reported:

"The phones were the iPhone 3G, Sanyo 2300, HTC Wildfire, LG Optimus, and HTC Hero... Even though all of the Android phones had been wiped through a factory reset, four of the five phones also included information that would take someone with forensics tools and knowledge to extract from more hidden storage locations... Some of the details available within those four phones included user account information, Social Security numbers, geolocation tags for where the user had taken pictures using the phone, deleted text messages, and a resume. "

In this case, the only secure option is to go old-school: wrap it in cloth and then take a hammer to your old smart phone -- even the older clamshell types. Don't try to resell or donate it. Most consumers don't have access to industrial-strength hard-drive shredding services.

What did you do with your old smart phone? How did you remove any sensitive data from it? Or are your old devices gathering dust in a drawer or closet at home?

Is It Wise To Move Your Money To A Prepaid Card?

Earlier this year, Pew Health Group released the results of focus group research about how consumers view and use prepaid cards. Key findings:

1. Consumers view prepaid cards as a way to avoid hidden bank fees
2. Consumers use prepaid cards to budget and control spending
3. Some prepaid card users like the privacy of prepaid cards, since they don't have to register with their personal information
4. Consumers dislike fees on prepaid cards
5. Prepaid card users don't want either overdraft protection, nor credit lines on prepaid cards
6. Prepaid card users want direct deposit, a savings option, and credit building tools
7. Consumers incorrectly assume federal government oversight of prepaid cards

Finding #1 and #2 together suggest that some consumers view prepaid cards as an easy way to avoid spending money you don't have and avoid the overdraft fees banks charge. For these consumers, moving their money from a checking account to prepaid cards seems attractive. But what are the "costs" or consequences of using prepaid cards instead?

Life has taught me that there are always consequences; some unintentional. Read on.

The overdraft fees banks charge have been so large and frequent, that some consumers seem conditioned to view prepaid cards as a cheaper alternative. We've all heard stories about the $35.00 cup of coffee. Nobody wants to pay that.

CNN Money reported that the average prepaid card charges $300 a year in fees. That $300 in annual prepaid fees may seem cheap if you incur overdraft fees (at $35 each) more than 9 or 10 times a year. This seems to be the case with some of the Pew focus group participants. Pew shared one participant's comments:

"I don’t like the fees on prepaid debit cards... It costs to load (them). It costs $3.95. I don’t like that I pay the $3.95... I’m good with my checking account. Nobody wants to pay extra fees. If we had to, I’d take the $3.95 any day over the $35 overdrafting or for some other fees."

If only the load fee was the only fee on prepaid cards. Both CNN Money and Consumer Reports found a wide variety of fees when it investigated prepaid cards: activation fees, monthly fees, reload fees, cash withdrawal fees, inactivity fees, online payment fees, paper statement fees, customer service phone call fees, and more.

That same $300 in annual prepaid fees seems expensive when compared to a $5 - $10 monthly checking fee many banks charge (assuming good budgeting with no overdraft fees inc urred). That $300 seems ridiculous and avoidable when compared to far lower fees or free checking available at some banks and credit unions.

Are consumers confused? Probably. Banks charge both overdraft fees and fees for overdraft protection. Wise consumers know the difference. And, to avoid overdraft fees It may be better or simpler for you to decline auto-enrollment of overdraft protection.

I found it disheartening that the focus group participants didn't seem to understand the banking practice to reorder debit purchases to maximize overdraft fees. In early 2009, this blog reported about this  banking practice, which increases the frequency of overdraft fees. The CFPB is tackling the overdraft fees issue, and seeks comments from consumers by June 29.

I find particularly troublesome finding #7 above. When deciding to use a checking account or a prepaid card, consumers need to consider:

• The fees on prepaid cards (see the above list and related articles), and which will apply given your usage
• The limits, if any, on fees and interest rates
• Prepaid cards don't build your credit history
• Your rights to receive periodic statements, disclosures of fees, error resolution process, and changes in terms
• Your liabilities when your card is lost, stolen, cloned, includes unauthorized transactions, or includes transactions in error

There are huge differences between credit cards, debit cards, and prepaid cards. There are different types of prepaid cards: gift cards, general purpose, health care spending, and payroll. This blog discussed payroll cards from Bank of America and the Walmart MoneyCard.

Wise consumers know that not all prepaid cards are the same:

• Consumer's liability (e.g., loss, theft, unauthorized transactions) is different for payroll prepaid cards versus gift/general purpose prepaid cards
• Statements and disclosure requirements are different for payroll prepaid cards versus gift/general purpose prepaid cards
• Employer-provided health care flexible spending prepaid cards often have an entirely different set of rules

To learn more and be a smart shopper:

1. Ask the retailer/bank/employer for a copy of their terms and conditions policy for the prepaid card you are considering,
2. Read that policy,
3. Read this FDIC comparison of debit cards, credit cards, and prepaid cards, and
4. Browse related articles in the "Prepaid Cards" section of this blog.

What's your opinion? Do you think it is wise to move your money from a checking account to a prepaid card?

Mintz Levin: Breach Notification Laws In The United States

The law firm of Mintz Levin has produced a report listing data breach notification laws in the United States as of June 1, 2012. The report includes details by state, and includes the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. Typically, breach notification laws include a:

• Description of the personal information that must be protected
• List of the businesses, organizations, and state/local agencies that must comply with the state's breach notification law
• Process for the timing, content, and distibution of a breach notification
• Any exceptions to the law (e.g., encrypted files)
• Other provisions and applicable state laws
• Penalties for violations
• Whether breach victims (e.g., state residents) can sue, and if so against whom

Four states do not have any breach notification laws:

• Alabama
• Kentucky
• New Mexico
• South Dakota

If you live in one of these states, contact your elected officials and demand that your state pass a breach notification law. When companies or government agencies have consumers' sensitive personal information lost or stolen, you need to know to protect yourself.

The report is also available here (Adobe PDF, 469 k bytes).

Consumer Reports Reviews Facebook And How To Use It Safely

If you haven't read it, there is a good review by Consumer Reports of the Facebook social networking website. The news media has focused on some of the controversial aspects of the report. For example, CNN reported, like many other news organizations, the survey finding that about 25 percent of Facebook users lie about information in their Facebook profile to protect their identity.

While lying about profile information may seem like an effective privacy strategy, the Consumer Report review of Facebook highlights the various ways Facebook tracks its members. Some Facebook members have made conscious choices to share personal data, and do so in status messages, sharing items, and commenting upon others' status messages. Yet other tracking methods exist.

The Consumer Reports review is a good reminder that its members are the products:

"... the company uses your data to help advertisers deliver ads that you may find useful. Suppose, for example, that you have “liked” the San Francisco 49ers page, or simply posted comments about football. You shouldn’t be surprised to see ads in the margins for football tickets, fan paraphernalia, and the like. Facebook does not share any of your information with advertisers that buy those ads unless you give permission. If you click the ad and purchase something, the advertiser obviously learns who you are. And even if you simply “like” a brand page, the company can automatically send posts to your account."

One tracking method is the facial-recognition software used to "tag" (e.g., identify) people (and places) in both photos and videos. Members who aren't careful to turn off the geo-tagging feature in their smart phones or tablets will provide even more personal data with photos and videos uploaded to Facebook.

Another method are the Facebook apps member use for music, news, and games -- which are loosely managed by Facebook:

"... according to Kevin Johnson, security consultant at Florida-based Secure Ideas, who has developed apps and tests their security. The sole credential needed to create an app is a verified Facebook account, including a cell phone number or credit card. And the company doesn’t have to review your source code (programming instructions) before it goes live..."

So, there seems to be little to no verification of apps for security or compliance when those apps have a privacy policy.

A method Facebook uses to track both members and non-members includes those "Like" buttons you have see on websites across the Internet:

"... Facebook keeps track of the other websites [its members] visit. That happens via the “Like,” “Recommendations,” and similar buttons that so many sites include. In addition to reporting your presence, the “Like” button sends along the date and time of your visit and your IP address, whether or not you click on it. The company has acknowledged that this happens even when Facebook users are logged out, a practice that had prompted class-action lawsuits in the U.S. If you’re logged in to Facebook, it can collect even more data. The company also said that it collects data from people who are not its users and have never visited its site..."

The review is also a good reminder of the scope of data Facebook collects:

"... thanks in large part to Max Schrems, a 24-year-old Austrian law student who managed to get a fuller copy of his personal information last year from Facebook's Dublin office, which oversees relations with users outside the U.S. and Canada. Schrems was surprised to discover, among the 1,222 pages of data covering three years of Facebook activity, not only deleted wall posts and messages, some with sensitive personal information, but e-mail addresses he’d deleted and names he’d removed from his friends list... Facebook collects the same type of detailed information on American users, as confirmed by documents it released to Boston police during their investigation of Philip Markoff..."

If you want to learn more about Schrems, visit Europe Versus Facebook. The review ends with a list of nine ways consumers can use Facebook (and similar social networking sites) safely:

"1. Think before you type. Even if you delete an account (which takes Facebook about a month), some info can remain in Facebook’s computers for up to 90 days.

3. Protect basic information. Set the audience for profile items, such as your town or employer. And remember: Sharing info with “friends of friends” could expose it to tens of thousands.

4. Know what you can’t protect. Your name and profile picture are public. To protect your identity, don’t use a photo, or use one that doesn’t show your face.

5. “UnPublic” your wall. Set the audience for all previous wall posts to just friends.

7. Block apps and sites that snoop. Unless you intercede, friends can share personal information about you with apps. To block that, use controls to limit the info apps can see."

Read the complete review of Facebook.com by Consumer Reports.

Report Analyzes Breach Notifications Affecting Massachusetts Residents

Last week, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) released its findings from an analysis of four years of data breach notifications reported to the state. A chief finding was that sensitive data often was not encrypted.

Any businesses or entities storing consumers' personal information has been required since Oct. 31, 2007 to report data breaches to the OCABR. Through September 30, 2011, the OCABR received 1,833 breach notices affecting about 3.2 mikllion people, or an average breach size of 1,727 stolen or lost records. 73% (1,336) of the breaches involved electronic files and affected 97% of breach victims.

The financial services industry reported the most breaches (955) during the last four years, affecting 901,156 people. Most of these breaches were the credit- and debit-card transactions at processing centers and retail stores. The health care industry has had fewer breaches (214), but affected far more people ( 983,746), including the South Shore Hospital breach in 2010.

In March 2010, new laws went into effect requiring entities that store, own, or license personal information about Massachusetts residents to develop, implement, and maintain a comprehensive written information security program (WISP) describing how it will protect sensitive information. the new law required entities to encrypt sensitive information if it is transmitted over public networks, the Internet, or carried on portable devices.

The of breaches each year have remained pretty steady, ranging from a low of about 415 to a high of about 470. Other findings:

"... stolen or lost portable electronic devices are most often not secure. Of the 365 devices reported lost or stolen, only 13 were encrypted. The lost devices led to exposure for 409,572 people. By contrast, the 27 encrypted machines kept information secure for 24,269 people... of the 75 lost or misplaced portable devices reported; only one was encrypted, compromising 1.2 million pieces of information. Of the 290 stolen portable devices stolen, 12 were encrypted, protecting 4,110 pieces of information. The 277 unencrypted devices exposed 220,000 pieces of information."

The types of devices lost/stolen included desktop computers and computer tapes. The types of portable devices lost or stolen included laptop computers, thumb drives, and storage discs (CDs). The report concluded:

"If all portable devices were encrypted from 2007 to 2011, the number of residents whose personal information was compromised would be remarkably lower by 47 % or 1,490,308 people. If all portable devices were encrypted from march 1, 2010 the number of compromised residents would have decreased by 29 percent or 909,992 people... compliance with the encryption requirement is a powerful to to safeguard the personal information of millions of residents"

Download the OCABR data breach report (Adobe PDF, 948K bytes).

Security Report Describes Multiple Threats Targeting Apple And Android Mobile Devices

Your Apple brand mobile device may not be as secure as you think it is. Trend Micro released a report last week about mobile device security. Key findings from the report:

• During the first three months of 2012, Apple led all major technology vendors with 91 reported vulnerabilities (http://cve.mitre.org/); followed by Oracle (78), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27), and  Apache (24).
• During the same period, Android-based smartphone suffered from the most cyber criminal attacks. Trend Micro identified about 5,000 new malicious apps that target Android devices

The report described a variety of scams and threats targeting mobile device users worldwide. The “one-click billing fraud” scam is particularly nasty. In this scam, thieves target video sharing websites. When a person clicks on a link to view a video, the link redirects to a website that downloads a software virus to their device. The virus locks up the person’s device and demands payment to unlock the device. This scam now targets Android-based smartphones.

Some scams used email hoaxes about new products to spread malware:

“Free “iPad 3” giveaway promos stirred up interest in the product even before its launch and infected systems with malware. Twitter spam touting free McDonald’s gift cards redirected users to adult dating sites..."

Some scams used new social networking sites to spread computer viruses:

“New social networking site, Pinterest, gained not just popularity but also notoriety. Site users were drawn into “re-pinning” a Starbucks logo to get supposed gift cards but instead got Malware.”

The report describes another type of scams, often referred to as “ransomeware” which:

“Refers to a class of malware that holds systems and/or files “hostage” unless victims pay up...”

Ransomeware may also encrypt files on the hard drives of victims’ infected devices, and demand payment to release the encrypted files. Trend Micro reported that this scam previously operated in Russia, but has now spread to several countries in Europe. A variation of this scam includes the use of police department logos on a landing page which demands that victims with infected computers pay a bogus fine for accessing Internet port and materials with violent content.

Before installing apps on your smartphone, the report’s authors advice consumers to:

1. Be ready to give out some personal information.
2. Know that a third-party will gain access to your personal information.
3. Know the app developer’s reputation

Download the “Security In the Age of Mobility” report (Adobe PDF, 2.1 MBytes).

FTC Survey: The Good And Bad Experiences Of Identity-Theft Victims With Consumer Reporting Agencies

The U.S. Federal Trade Commission (FTC) released the results of its survey of consumers who had reported to the FTC that they were identity-theft victims. The survey assesses consumers experiences with recovering from identity theft and contacting the national consumer reporting agencies (CRAs). The survey also assesses how consumers exercise their rights under the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA - 2003).

Overall findings:

• 68% of survey respondents were somewhat or very satisfied with their overall experiences with the national consumer reporting agencies (e.g., Equifax, Experian, and TransUnion), but many consumers said it was difficult to reach a live person.
• Less than half of the respondents were aware of most of their rights under FACTA before they contacted the consumer reporting agencies.
• Few consumers exercise their right to block selected information in their credit reports from identity theft and fraud, since most consumers (78%) don't know about this right
• Some respondents complained about feeling pressured to buy additional identity theft monitoring products when they called the consumer reporting agencies.

FACTA gave consumers the right to:

• Pace Fraud Alerts on their credit file with the nationwide CRAs,
• Request a free credit report from each of the three national CRAs when placing a fraud alert,
• Block fraudulent information from appearing in their credit reports,
• Receive a notice of these and other rights from the CRAs

When placing a fraud alert, consumer only need to contact one of the three national CRAs. After successfully placing a Fraud Alert on their credit file with one CRA, most of the time the other two CRAs will automatically add Fraud Alerts to the consumer's file on their systems. When requesting a Fraud Alert, consumers can also request a free copy of their credit report. Survey results about Fraud Alert and free credit report requests:

• 44% of survey respondents were not aware before contacting a CRA of their right to place a Fraud Alert on their credit file. Despite this, 85% of respondents ultimately requested a Fraud Alert on their file.
• When requesting a Fraud Alert, 58% of survey respondents reported that all three national CRAs placed alerts when requested. 36% of respondents were unsure what happened, and 6% reported that at least one CRA didn't place a Fraud Alert.
• 44% of respondents who requested a Fraud Alert said they were very satisfied with the process, 32% said they were somewhat satisfied, and 17% said there were either somewhat or very dissatisfied with the process.
• Most survey respondents (56%) requested their free credit report (when placing a Fraud Alert) by telephone, compared to the website (33%), and postal mail form (14%).
• Most (51%) said that they received their free credit report from all CRAs they contacted, while 33% stated that they received it from only some of the CRAs they contacted. 11% said that they did not receive any credit reports.
• 43% of respondents said that they were very satisfied with the process of requesting free credit reports after placing a fraud alert. 32% said that they were somewhat satisfied. 22% said that they were either somewhat or very dissatisfied.

Errors occur in credit reports, either from identity fraud or from honest mistakes by the CRA or lender. Consumers can dispute this erroneous data and demand that it be removed or corrected. Survey results about credit report accuracy:

• Most survey respondents (60%) were aware before contacting a CRA that they had the right to challenge the accuracy of information on their credit report.
• 36% of respondents who contacted a CRA disputed the accuracy of information on their credit report in connection with the identity theft that led to the contact. Of those who disputed information, 72% filed disputes with a CRA and while 46% contacted the creditor that provided the information to the CRA.
• The types of credit report information disputed: 47% challenged identification and employment (47%), payments (48%) about a specific debt, and unauthorized lenders who obtained their credit report (40%).
• Of survey respondents who disputed information in their credit reports, 52% said that the information was corrected or removed, 22% said that the information was not corrected, and 18% said that they were not sure what happened.
• Of survey respondents who had information corrected by the CRA, 42% said that the error was corrected after a single contact. 27% said the error was corrected after two contacts. 24% said the correction required three to five contacts, and 4% said they contacted the CRA six or more times.
• Of survey respondents who disputed information in their credit reports, most (57%) said that they were either very or somewhat satisfied with the process. 17% said that they were somewhat dissatisfied, and 21% said that they were very dissatisfied.

Consumers can block certain information within their credit reports that resulted from identity theft and fraud. Blocks are different from disputes. CRAs must respond within four (4) days after receiving a valid request to block certain data in a credit report. Survey results about blocking fraudulent information:

• Of survey respondents who contacted a credit reporting agency, 78% were not aware of the right to block information in the credit file. Few survey respondents (21%) exercised this right to block the reporting of information resulting from identity theft.
• Of those who requested that information be blocked, 46% said that all CRAs blocked the information. 18% said that some of the CRAs blocked the information, and 9% said that none of the agencies blocked the information.

The FTC concluded in its report (bold emphasis added):

"Despite the 68% general satisfaction rate with the CRAs, the survey reveals three areas where respondents faced difficulties in exercising their FACTA rights. First, one prominent complaint was the difficulty in reaching a representative at a CRA with whom to speak about identity theft. Many respondents said that it was difficult or impossible to move past the automated response system... Second, the survey results suggest that a relatively small number of identity theft victims are aware of their FACTA rights. Less than half of the respondents were aware of most of their rights prior to contacting the CRAs. Even for the most well-understood right – disputing inaccurate information – only 60% of respondents who contacted a CRA were aware of this right prior to contacting the CRA... Third, both the survey respondents and the focus groups raised concerns about the CRAs using consumer contacts about identity theft as an opportunity to sell identity theft protection products. Several respondents and focus group participants complained that they felt pressured to buy one or more products and that, in some cases, they received services that they did not want or need."

The FTC sent survey invitations to about 3,000 consumers who had previously reported to the FTC hotline that they were identity-theft victims. The survey questions were based on six focus groups conducted in 2009. 634 consumers responded. The FTC maintains the anonymity of all survey respondents. Download the FTC, Using FACTA Remedies Report (Adobe PDF - 4.9 M Bytes), which is also available here.

Want to learn more? Suggested readings about credit and CRAs:

• Fraud Alert Renewal: Easy And Fast
• Placing a Freeze (Or Lock) On Your Credit Files
• Fraud Alert or Credit Freeze: What's The Difference?
• Are Fraud Alerts Useless?
• Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms (Part One)?
• Have You Heard About Credit Reports From Innovis?
• Directory Of Credit Reporting Agencies
• What It Means To Have An Unrequested Security Freeze On Your Credit Report
• A Primer On Credit Scores
• FTC Testifies Before Congress About Identity Theft And Fraud
• FTC Changes Disclosure Rules For Sites Offering "Free" Credit Reports
• FTC Releases Report Of Top Complaints Submitted By Consumers During 2011

CFPB Reports List Of Consumer Complaints About Financial Products

In its annual report, the new Consumer Financial Protection Bureau (CFPB), a federal agency designed to ensure that financial products and services for consumers are beneficial for consumers, listed the leading complaints submitted by consumers. The CFPB accepts complaints about credit cards and mortgages.

The CFPB began operation on July 21, 2011. In its annual report (Adobe PDF) to the U.S. Congress, the CFPB reported that by December 31, 2011, it had received 13,210 complaints from consumers, including 9,307 credit card complaints and 2,326 mortgage complaints. 44% of all complaints were submitted through the CFPB website, and about 15% via telephone calls. The leading types of credit-card complaints received:

Leading Credit Card Complaints Reported By Consumers to CFPB. July 21 - Dec. 31, 2011	Number	Percent
1. Billing Disputes	1,278	13.7%
2. Identity Theft / Fraud / Embezzlement	1,014	10.9%
3. APR or Interest rate	950	10.2%
4. Other	854	9.2%
5. Closing / Cancelling Account	478	5.1%
6. Credit reporting	437	4.7%
7. Credit Card Payment / Debt Protection	383	4.1%
8. Collection Practices	378	4.1%
9. Late Fee	364	3.9%
10. Other Fee	334	3.6%
Total for Top 10 complaint types	6,470	65.9%

The types of mortgage complaints received:

Mortgage Complaints Reported By Consumers to CFPB. July 21 - Dec. 31, 2011	Number	Percent
1. Problems when you are unable to pay (Loan modification, collection, foreclosure)	889	38.2%
2. Other	540	23.2%
3. Making payments (Loan servicing, payments, escrow accounts)	501	21.5%
4. Applying for the loan (Application, originator, mortgage broker)	235	10.1%
5. Signing the agreement (Settlement process and costs)	96	4.1%
6. Receiving a credit offer (Credit decision/Underwriting)	65	2.8%
Total Mortgage Complaints	2,326	100.0%

The FTC advises consumers who experience identity theft or fraud with financial products to both submit a complaint to the CFPB and submit a complaint to the FTC.

I like the CFPB's mission and its website. The agency's consumer response mechanisms are still new and in their infancy. They will become more beneficial as the agency identifies and resolves problems. What is your opinion of the CFPB?

PHI Project Releases Report About Health Care Data Security

On Monday, the PHI Project released a report about the state of data security within health care organizations titled, "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security." Key findings:

• Weak Data Security: health care organizations are entrusted with safeguarding patient privacy, but their security efforts are not keeping pace with the growing risks of lost/stolen protected health information (PHI),
• Data Breach Activity: the number and size of data breaches including PHI are increasing. The negative impacts are financial, legal, clinical, and reputational for the organizations experiencing data breaches,
• The PHI Project recommends that health care organizations implement a five-step method – PHI Value Estimator (PHIve) -- to evaluate the risks of a breach of PHI data, and implement preventative measures.

According to Rick Kam, president and co-founder of ID Experts and chair of the PHI Project:

“No organization can afford to ignore the potential consequences of a data breach... We assembled this working group to drive a meaningful dialogue on appropriate levels of investment to better protect healthcare organizations and PHI.”

The PHI Project is a partnership including the American National Standards Institute (ANSI) via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA) -- with assistance from ID Experts.

Report Warns Proposed MBTA Cuts Would Hamper Boston Metro Area's Economy, Jobs And Growth

A Better City (ABC), a nonprofit transportation advocacy organization, has released a position paper about the fare increases and services cuts proposed by the MBTA. ABC analyzed both proposals by the MBTA to close a $161 million budget deficit forecast for the fiscal year beginning July 1, 2012. In its paper, ABC concluded:

"... the T should seek to close part of its budget gap with a more reasonable fare hike and limited service cuts. The T should then work with MassDOT, Massport, the Patrick administration and the legislature to address the remaining budget shortfall for FY 2013, and to begin work on a long-term, comprehensive finance plan for the Commonwealth’s entire transportation system."

The MBTA had proposed service cuts including the termination of late night and weekend commuter rail service, weekend "E" Green Line service, Mattapan Line, many bus routes, and all ferry service. About these cuts, ABC stated:

"... The T should not cut Commuter Rail service after 10pm and on weekends, nor should it cut weekend service on the E Branch of the Green Line or the Mattapan Trolley. Commuter boat service should be preserved, with a lower public subsidy and operated under the auspices of Massport. Due to the severe impact on riders, bus route service eliminations or reductions should be limited to the ten least efficient routes in the system. Going forward, the T should adopt more stringent and rational service planning criteria across all modes and commit to adjusting service accordingly."

According to ABC, everyday the Boston's population doubles as people commute to work. 55% of those work trips, and 45% of all MBTA trips, include commuting to work. The service cuts proposed by the MBTA would make it difficult for employees to get to work, employers to staff positions, patients to visit doctors and hospitals, and customers to visit entertainment venues:

"Across all sectors, ABC member businesses told us they are concerned about the impact that fare hikes and service cuts would have on their employees’ ability to get to work. Some of our members in the hospitality industry noted that the T’s current service hours are not adequate for employees working odd shifts... The viability of T service, then, has a direct impact on the size of this industry’s job shed, and particularly on the job prospects of low-skilled workers... The health care industry operates 24 hours a day, 7 days a week, and the hospitals of the Longwood Medical Area would be particularly impacted by the proposed service cuts to the Green Line E Branch and the Commuter Rail. These cuts would impact the ability not only of doctors, nurses and support staff to get to their jobs, but also of patients to make their appointments... These businesses have also deployed flexible scheduling and staggered shifts to best utilize their real estate and cope with our already-congested transportation network."

The service cuts would force more autos onto already congested roads, resulting in:

"... 55,000 and 92,000 more cars on the road daily... if there were no public transportation in the Boston area, the additional traffic congestion would cost the regional economy $663 million annually. Based on this estimate, if one-tenth of the T’s current ridership elect to abandon the T and drive their commutes... the additional congestion could cost Massachusetts $66 million a year."

Parking around the city, already a problem, would become worse as more people drive and many parking lots are replaced by office buildings:

"ABC members located in the South Boston Waterfront were particularly concerned that changes at the T would increase demand for parking at a time when large lots currently used by commuters to the Waterfront and to the Financial District are slated to be developed over the next decade. South Boston, East Boston and Downtown are all subject to Parking Freezes. The City of Cambridge also enforces a Parking and Transportation Demand Management ordinance. These policies, implemented to curb air pollution, have made both cities heavily reliant on transit to support future economic growth..."

The higher education industry would be similarly affected:

"... increased demand for parking is at odds with their plans to expand. UMass Boston is a commuter school with a 45% transit share. It’s attempting to increase that number to 60% so that it can utilize its surface parking lots for staging construction of new campus buildings. Boston University, which purchases $2.1 million in T passes for faculty, staff and students, and spends $1.6 million operating its shuttle service, is also planning to reduce its parking spaces in order to make room for new construction. T fare hikes and service cuts will make it harder for both these institutions to grow..."

The entertainment and tourism industries would be similarly affected:

"The proposed cuts to evening and weekend Commuter Rail service would have a significant impact on fans’ and patrons’ ability to get into and out of the city for games, concerts and other cultural events."

ABC suggests that the MBTA:

• Limit its fare increase to 25% and pursue smaller, more frequent increases,
• Maintain commuter rail, trolley, and ferry services,
• Cut only the "10 worst" bus lines,
• Better match resources (e.g., buses and trains) to demand

ounded in 1989 as the Artery Business Committee, A Better City is a nonprofit association representing Greater Boston’s business and institutional community on transportation, land development and environmental sustainability. Download the ABC position paper (Adobe PDF, 1.9M Bytes), which is also available here (Adobe PDF, 1.9M Bytes).

FTC Releases Report Of Top Complaints Submitted By Consumers During 2011

Earlier this week, the U.S. Federal Trade Commission (FTC) released its annual report of the leading complaints filed by consumers. During 2011, identity theft (again) led the list of complaints. This is the 12th consecutive year that identity theft has led the list:

Type of Complaint or Scam	Number	% Of Total
1. Identity Theft	279,156	15%
2. Debt Collection	180,928	10%
3. Prizes, Sweepstakes and Lotteries	100,208	6%
4. Shop-at-Home and Catalog Sales	98,306	5%
5. Banks and Lenders	89,341	5%
6. Internet Services	81,805	5%
7. Auto Related	77,435	4%
8. Imposter Scams	73,281	4%
9. Telephone and Mobile Services	70,024	4%
10. Advance-Fee Loans and Credit Protection/Repair	47,414	3%

Other notable findings:

• Fraud: 990k of the 1.8 million complaints were fraud-related. 68% of consumers reported a fraud complaint where they paid an amount. The total amount paid was $1.5 billion, and the median amount paid was $537. 43% of consumers were contacted via email. The five states with the highest per-capita fraud reported were Colorado, Delaware, Maryland, Nevada, and Virginia.
• Identity Theft: Government documents/benefits fraud (27%) was the most common form reported, followed by credit card fraud (14%), phone or utilities fraud (13%), bank fraud (9%), and employment fraud (8%). 45% of consumers reported they contacted local law enforcement. The five states with the highest per-capita identity theft were Florida, Georgia, California, Arizona, and Texas.
• Countries: the top five countries were the USA (80%), Canada (4%), the United Kingdom (4%), Nigeria (2%), and Jamaica (2%).
• Age: consumers that filed complaints during 2011 were ages 50-59 (23%), followed by ages 40-49 (20%), ages 30-39 (17%), ages 60-69 (15%), and ages 20-29 (15%).
• Military: members from all four branches plus the Coast Guard reported complaints. For this group, identity theft ranked as the number one complaint, followed by Debt Collection. Mortgage Foreclosure Relief and Debt Management ranked as fourth for this group, compared to 13 for all consumers.

During 2011, consumers submitted about 1.8 million complaints, an increase of 24% over 2010. All complaints submitted by consumers are collected in the FTC Consumer Sentinel Network database, which contains 30 different categories of complaints. Download the 2011 FTC Consumer Sentinel Network Data Book (Adobe PDF).

Foreclosure Abuse Widespread

Last week, the San Francisco Assessor-Recorder office released the results of an audit (Adobe PDF) of about 400 home that were foreclosed on during 2009, 2010, and 2011. The audit found that about 84% of the homes had at least one violation of California foreclosure laws.

The office began the audit last Fall with Aequitas, a mortgage investigation firm, after problems surfaced in mortgage records requested by homeowners facing foreclosure. Assessor-Recorder Phil Ting said,

“When it became clear that property records were severely undermined, a red flag was raised... Those records are supposed to be filed with this office and many were simply missing or had serious inconsistencies..."

It's difficult to impossible for a homeowner to fight foreclosure when mortgage records are inaccurate or incomplete. Ting emphasized the need for state legislation to guarantee compliance with California foreclosure laws by the mortgage industry.

The register of deeds in Guildford County, North Carolina, examined 6,100 mortgage documents last year, and found signature irregularities in 4,500 (xx%). Experts see this as a clear indicator of the illegal practice of "robosigning" documents.

Seems to me it is time to both fine companies and send bankers to prison nationwide. Only then will this madness stop. Demand action from your elected officials.

Slowly, More Consumers Consider Website Privacy Policies Before Buying

PC Pro recently reported the results of a recent Forrester Research study. Forrester surveyed 37,000 consumers in North America, and found that a growing percentage of consumers consider companies' website privacy policies in their decisions about whether to do business with a company:

"Websites need to rethink their privacy policies as consumers ditch those that hide data rules or leak information, according to research from Forrester. The analyst found that a growing number of consumers were reading how companies dealt with their privacy and voting with their feet if they didn’t like what they saw."

More than half of survey respondents over 55 years of age said that they refused to complete an online transaction because of the company’s terms of use or privacy policy. In 2008, 40% answered this question the same way.

The PC Pro article would have been more helpful if it linked directly to the Forrester Research report and included more facts. The Forrester research study found:

"Individuals see different types of data differently -- they're most worried about what we consider individual identity data, and far less concerned about the capture and use of their behavioral data... Most consumers are willing to share their data in exchange for value. But, what they consider "valuable" is very age-dependent..."

If the article had included examples of well-crafted privacy policies, this would help consumers learn about what to look for in privacy policies -- at websites, social networking websites, and with mobile-device apps. In 2011, the European Union Justice Commissioner described four pillars of online data privacy, which is a good start for any corporate privacy policy.

In 2008, a brief review of the privacy policy at Mint.com prompted a huge discussion on this blog -- that still continues today.

FTC Testifies Before Congress About Identity Theft And Fraud Affecting Children

On September 1,the U.S. Federal Trade Commission (FTC) testified before the House Committee on Ways and Means Committee Subcommittee about identity theft and children. At the hearing in in Plano, Texas, Deanya Kueckelhan, Director of the FTC’s Southwest Regional Office, delivered the FTC testimony.

The theft and fraud involving children's Social Security numbers is a growing problem. Identity thieves can access and steal Social Security numbers from children’s records in schools, doctors offices, social services agencies, and other sources. Sometimes, family members who have fallen on hard economic times use the identities of their children to obtain credit they couldn't obtain otherwise. Experts explore the problem recently in the Stolen Futures forum, hosted jointly by the FTC and the Department of Justice’s Office for Victims of Crime.

For adult identity theft, the Bureau of Justice Statistics reported in its National Crime Victimization Survey Supplement that about 11.7 million persons, about 5% of all Americans ages 16 or older, were identity-theft victims during a two-year period ending December 2008. The financial of that theft was $17.3 billion.

For child identity theft, a study by ID Analytics found 142,000 instances of identity fraud each year in the United States where children are the victims. Another study by the Carnegie Mellon CyLab of 40,000 children who had been enrolled in an identity protection service found that 4,311 of those children -- about 10.2 percent -- had loans, property, utility, and other accounts associated with their Social Security numbers.

In her testimony, the FTC's Kuechelhan describe another aspect of the child identity theft:

"... a child’s unused SSN is uniquely valuable to a thief because it typically lacks a previous credit history and can be paired with any name and birth date. In effect, a child’s identity is a blank slate that can be used to obtain goods and services over a long time period because parents typically do not monitor their children’s credit..."

Kuechelhan also described the identity protection problem:

"... fraud alerts, a key tool used by adult victims of identity theft to warn potential creditors of possible identity theft, are premised on the existence of a credit file. Parents ordinarily cannot place a fraud alert on their child’s credit file if the child has no such file. Further, remedies available under federal law such as extended fraud alerts, access to documents underlying the theft, and blocking of erroneous debts typically require a victim to obtain a police report to document the crime... children victimized by parents or guardians are often reluctant to file a police report naming a loved one or a source of financial support as the perpetrator."

Read the FTC testimony (PDF).

What is a parent to do? First, concerned parents should understand the available credit file protection tools: fraud alert, credit-file freeze, and the differences between the two tools. Second, investigate a credit monitoring and identity protection service to cover both parents and children in your family. Several services exist, which I will explore in future blog posts. Shop around because monthly prices and features vary.

Third, teach your children, tweens, and teens about money, credit, the sensitive personal information they must protect, and their responsibility when they become adults to monitor their credit files produced by the major credit-reporting agencies: Equifax, Experian, and TransUnion. You can find plenty of information in this blog.

In my opinion, a broader solution to the problem would be for credit reporting agencies to automatically place a free Security Freeze on the credit reports of all children. This freeze would automatically be lifted (for free) when the child turns 18. Parents could temporarily lift the freeze for children younger than 18 for instances to apply for education loans for that child.

What do you think of child identity theft?

Ponemon Report: Costs of a Data Breach

Given the massive Sony Playstation Network data breach in April, and the claim by a Marketplace expert that Sony delayed customer notification to lower its post-breach costs, I thought that I would take another look again at the report about breach costs.

Back in March 2011, the Ponemon Institute released findings for breach costs for 2010. There are separate reports for the U.S. and the U.K.. Findings from the U.S. report:

• More organizations respond faster to data breaches. In 2010, 43% notified breach victims within a month, up 7% from 2009.
• Faster response costs more. Organizations that notified breach victims within a month incurred an average cost per-record cost of $268 in 2010, up $49 (22%) from $219 during 2009. Companies that took longer to respond incurred an average cost per record of $174, down $22 (11%) from 2009.
• Malicious or criminal attacks were about a third (31%) of all data breaches.
• Malicious or criminal attacks are more expensive, too, averaging $318 per record during 2010, up $103 (48%) from 2009.
• The average cost per record comprised $74 of direct costs (34%), up 22% from 2009, and $144 of indirect costs (66%). Ponemon found that direct costs have been increasing since 2008 while indirect costs have declined. Direct costs include expenses for organizations to comply with data security regulations (Federal, state, and local), breach detection, and the notification of breach victims and government officials.
• Data breach costs have risen for a fifth consecutive year. The average organizational cost of a data breach was $7.2 million during 2010, up 7% from $6.8 million in 2009.
• The customer churn after a data breach contributed to breach costs, and varied by industry. While the average churn rate across all companies studied was 4%, the highest churn rates were in pharmaceuticals and healthcare (7% each). The industries with the lowest churn rates were the  public sector (less than 1%) and retail (1%).
• Similarly, the average cbreach ost per record varied by industry. In 2010, the industries the highest average per-record costs were communications ($380), financial ($353) and pharmaceutical ($345). The industries with the lowest per-record costs were media ($131), education ($112), and the public sector ($81).

The causes of data breaches and their associated costs:

Breach Type	Frequency 2010	Avg. Cost/Record
First Timer YES	20%	$326
Malicious or criminal attack YES	31%	$318
Third-Party Mistake YES	39%	$302
Quick Response YES	43%	$268
Lost or Stolen Device YES	35%	$258
System Failure YES	27%	$210
Negligence YES	41%	$198
CISO Leadership YES	45%	$193
External Consulting Support YES	37%	$191

The analysis of costs:

Cost Type	2010	2009
Lost Customer Business Due To Churn	39%	40%
Legals Services: Defense	14%	14%
Investigations & Forensics	11%	8%
Audit and Consulting Services	10%	12%
Customer Acquisition Costs	9%	9%
Contact Costs: Inbound	6%	5%
Contact Costs: Outbound	5%	6%
Legal Services: Compliance	2%	2%
Identity Protection Services	2%	2%
Free or Discounted Services	1%	1%
Public Relations / Communications	1%	1%
TOTAL	10%	102%

Based on the above cost analysis, the free or discounted credit monitoring services organizations often provide breach victims (e.g., consumers, employees) is not a major cost component. It suggests that companies could provide longer periods of free credit monitoring and credit restoration services. For example, the State of Texas is offering its breach victims a single year of complimentary credit monitoring.

Ponemon studied breaches for 51 companies. Download the 2010 Ponemon U.S. Cost Of A Data Breach report (PDF format).

Report: Top 10 Botnets of 2010

Recently, a family member mentioned to me that their personal computer didn't have a comprehensive anti-virus program. Not good. Today's post describes one type of virus software: botnets. Earlier this month, anti-botnet firm Damballa released it report of the leading botnots in 2010 (PDF).

A "botnet" is a collection computers used to run a software application... in this instance to perform cybercrime. The collection of computers can be computers located in consumers' homes and small businesses. The collection is infected with the malware software, controlled remotely by the software developer. Often, the botnet software works in the backgroound to remain unseen and operate secretly.

Botnets are used to perform certain identity-theft tasks, like stealing personal and bank information, stealing companies' intellectual property, and performing other corporate espionage. Botnets are also used to send computer virus software, send e-mail spam, and to flood a website with page requests rendering that website unavilable and unusable by the public (a/k/a DDoS = Distributed Denial of Service attack).

According to Damballa, the top 10 botnets accounted for approximately 47% of all botnet compromised victims during 2010, down from 81% during 2009. Damballa estimated that 35.2% of infected IP addresses had two or more different botnets running.Those leading botnets, based on the penetration into infected computers:

Rank	Botnet Name	Penetration % of Victims
1	TDLBotnetA (RudeWarlockMob)	14.8%
2	RogueAVBotnet (FreakySpiderCartel)	5.7%
3	ZeusBotnetB (FourLakeRiders)	5.3%
4	Monkif	5.2%
5	Koobface.A	4.0%
6	Conficker.C	2.8%
7	Hamweq (GraySunGirls)	2.5%
8	AdwareTrojanBotnet (WickedRockMonsters)	2.2%
9	Sality	2.1%
10	SpyEyeBotnetA (OneStreetTroop)	1.9%

A responsible consumer doesn't want to contribute to the computer virus problem. What should you do? Keep the anti-virus software on your home computer/laptop up-to-date and running. Run scans weekly of the hard drive, including any external or USB drives. Use a comprehensive anti-virus software product, too. If your computer is running slower than usual, it may be infected.

Do You Trust CEOs and Company Breach Notification Letters?

Recently, Fast Company published a news item about the public's trust in various institutions. The main point: from 2009 to 2010 trust in CEOs was greater than trust in "persons like yourself" for the first time. The key graphic:

I found this hard to believe after the Madoff scandal, the BP oil spill, the recession, the public's anger towards banks, the huge credit card interest rate increases, the bailouts, and huge bank executive compensation. If we believe this Edelman study, then we consumers still trust CEOs, including those at banks, more than we just people who are similar to ourselves.

I'll ask the question a little bit differently. When you receive a breach notificaiton letter via snail mail:

• Do you really trust that the company (and its CEO) did everything possible to protect your sensitive personal information, which it has since lost or had stolen?
• Do you trust that the breach notification fully explained what happened and the risks to you?
• Do you that the company will openly, honestly, and directly tell you the results of its breach investigation?
• Do you trust that the company has taken all appropriate steps to implement data security methods to prevent another data breach?

For those readers who are social networking and smartphone users:

• Do you trust the the social networking site will adequately protect your personal information?
• Do you trust the social networking site fully disclosed all of the other company it sold your personal information to?
• Do you trust the social networking site to adhere to its privacy policy?
• Do you trust the apps at the social networking site to protect your personal information?
• What about the apps on your smartphone or tablet?

WatchGuard: The Most Risky Online Apps

On Tuesday, WatchGuard Technologies announced its list of the most risky online applications. The list is based on risk, and the provider of security solutions for businesses defined risk based on three factors:

1. Productivity loss: when employees spend time during work hours on social networking websites,
2. Data loss: data breaches via social networking websites when employees disclose proprietary company information, and
3. Malware source: when employees introduce computer viruses to the company's network by following links in social networking status messages to destination websites that are infected with viruses or malware

The list of risky online applications included in order: Facebook, Twitter, YouTube, LinkedIn, 4chan, and Chatroulette. Personally, I considered visiting 4chan, an image board where members post images and comment on them, but didn't when McAfee SiteAdvisor software served up this adware/spyware warning:

In fact, I'd love it if McAfee Site Advisor produced an app that intergrated it with the Bing search on my smartphone.

Next, I'd love to see WatchGuard produce a list of the most risky apps available within a social networking website, as some Facebook apps are more risky than others. And, I'd like to see the company produce a list of risky smartphone apps, since employees can visit social media sites with a variety of mobile devices. Consumers and corporate executives need to know both.

If you want to learn more, read the results from the Norton "Connected But Careless" study.

The State of Anti-Virus Software

Last week, NSS Labs released their quarterly report on Consumer Anti-Malware Products. I read this report because one advice experts always recomend to avoid identity theft is that consumers keep the anti-malware (e.g., software that identifies, blocks and deletes viruses, spyware and related bad stuff) software on their home computers up to date.

Usually NSS Lab's report is available for a fee, but this quarter's version is free because of the subject matter. NSS Labs tested several anti-malware software brands and the software effectiveness is far from consistent. Key results from the report:

• Software effectiveness varies. The ability to block software viruses varies widely by brands from a low of 54% (AVG) to a high of 90% (Trend Micro) across tested products. You would think that performance would not vary so widely (36% points) across products, but it does. Higher numbers are better since it represents a product that prevents the user's computer from downloading more viruses and from running more viruses accidentally downloaded.
• Update time varies. The time before a malicious website (e.g., a web site infected with malware) was blocked ranged from a low of 3.3 hours (Trend Micro) to a high of 28.5 hours (AVG) across 11 vendors' products. Lower numbers are better since it represents a product that prevents sooner the web browser from visiting infected websites.

The report includes a really good chart comparing each product's performance in 3Q2009 to 3Q2010. The report groups products into three categories: Recommend, Neutral, and Caution. I am happy that the anti-virus software I used was listed in the "Recommend" category. Products in this category performed well consistently across all tests, compared to products rated lower which performed highly on one test and poorly on another.

The report's authors estimated that:

"Cybercriminals have between a 10% - 45% chance of getting past your AV with Web Malware (depending on the product). Cybercriminals have between 25% - 97% chance of compromising your machine using exploits."

NSS Labs tested all software on computers running Windows® 7 with 2 GB RAM and 20GB hard drive. "Exploits" included attempts to take over the computer and send spam to others, to capture and transmit sensitive personal information such as bank account numbers and sign-in credentials. Applications included Internet Explorer®, Mozilla® Firefox®, Apple® Quicktime®, and Adobe® Acrobat®. NS Labs tested the leading anti-virus software products including AVG Internet Security 9, ESET Smart Security 4, F-Secure Internet Security 2010, Kaspersky Internet Security 2011, McAfee Internet Security, Microsoft Security Essentials, Norman Security Suite, Panda Internet Security 2011, Sunbelt VIPRE Antivirus Premium 4, Symantec Norton Internet Security 2010, and Trend Micro Titanium Maximum Security.

Download today the NSS Labs report.

Are Social Networking Sites Becoming a Security Risk?

Earlier this week, Sophos released the results of a survey which found:

• 57% of users report they have been spammed via social networking sites, a rise of 70.6% from last year
• 36% reveal they have been sent malware via social networking sites, a rise of 69.8% from last year
• 72% of firms surveyed are worried that employee usage of social networking sites places their firms at risk
• Survey respondents identified Facebook as the social networking site posing the greatest security risks
• 49% of companies survey allow their employees unrestricted access to Facebook, up from 36% a year ago

These results are part of Sophos' 2010 Security Threat Report (PDF, 3.22 MB), which explores current and emerging computer security trends:

"... criminals identify potential victims on social networks, and then attack them, both at home and at work. In Sophos's opinion, many Web 2.0 sites are concentrating too much on growing their marketshare at the expense of properly defending their existing users from internet threats."

When asked which social networking site posed the greatest security risk, 60% of respondents identified Facebook. MySpace was rated second (18%), followed by Twitter (17%) and LinkedIn (4%).

"Although LinkedIn is considered to be by far the least threatening of the networks, Sophos advises that it can still provide a sizeable pool of information for hackers... Sites like LinkedIn provide hackers with what is effectively a corporate directory, listing your staff's names and positions. This makes it child's play to reverse-engineer the email addresses of potential victims."

I'm surprised that the report didn't mention Tagged, Classmates, Youtube, Plaxo, and Flickr in the list of social networking sites that might pose a security risk.

In a related news story, ZDNet Asia listed the top five security threats as:

1. Malware
2. Spam
3. Targeted attack through employees
4. Phishing
5. Human error, leading to leaked corporate data