7 Tips To Avoid A Rejected Credit Card During Vacation Travel

Today, banks are more vigilant than ever about spotting potential fraud. One way banks spot potential fraud includes charges outside of the cardholder's normal usage pattern -- the area where you live, work, and use your credit card. Often, when consumers go on vacation you intentionally travel outside of your area. Nobody wants a credit card purchase denied while traveling, especially when you don't have the cash with you.

So, what can consumers do to avoid having your credit card denied while shopping during vacation? Banks and credit card issuers advise consumers to:

1. Understand where your credit card is accepted outside of the United States. You can visit the customer service section of your bank's or credit card issuer's website. For example: the Help Center in the Discover site lists the regions where that credit card is accepted, including an international Country Acceptance Map. This is also helpful to understand any exchange rates used, and/or any fees or surcharges that might apply for purchases in different currencies. The Visa Travel Preparation Page provides similar information for cardholders traveling internationally.

2. Decide which credit cards you will bring. You may decided to leave at home the credit cards with high foreign transaction fees, don't offer purchase protection insurance, doesn't offer frequent-flyer mileage, and/or aren't accepted in the countries which you will visit. Experts advise consumers to bring at least two credit cards, and use one as a back-up in case your primary card doesn't work.

3. Notify your bank or credit card issuer of your upcoming travel, and the specific locatons where you will use your credit card. For example, Capital One directs its Visa cardholders to call its Customer Service department (1-800-955-7070) before their trip to provide the following information:

• Credit card number
• Travel destination(s): states and/or countries
• Travel start and stop dates
• Which cardholders will be traveling (if multiple people have accounts)

In Capital One's automated voice system, cardholders speak to enter and select voice prompt options. Say "More Options" and then "Report Upcoming Travel" to access the relevant option. Then, you can enter all of the necessary information, or you can speak with a human representative.

Obviously, if your vacation travel itinerary includes several cities and/or countries, you will want to have all of that information ready. When you contact your bank or credit card issuer, they will provide an international customer service phone number you can call while traveling outside the United States, should you have any problems. Last month before my vacation, I used Capital One's automated voice system. My travel itinerary included about six countries, and I found the system pretty easy to use to enter the necessary information.

4. Watch out for PINs. In some regions, automated kiosks require credit cards with smart chips. If your credit card doesn't have this new technology, it may not work.

5. If you want to use your debit card instead, first contact your bank, credit union, or card issuer to report your travel itinerary. Visit their website to find their office and ATM locations in the states or countries you will visit, any other banks they have partnerships with, any fees (e.g., conversion, foreign transaction) that apply, and any PIN number limitations (e.g., fewer digits). Generally, in-network ATM machines have lower fees than out-of-network ATM machines.

Experts advise consumers to keep sufficient cash with you for smaller purchases. The fewer times you use your debit card, the less you expose it to identity theft and fraud risks. If you read this blog regularly, then you already know that I use my debit card only at my bank's ATM machines. To me, it is too risky to use a debit card in a local retail store or gas station, especially in another country. There is no way to know if the card entry pads (or gas station pumps) has been compromised with skimming devices.

6. If you want to use a prepaid card instead, CardHub advises consumers:

"As long as your prepaid card bears the MasterCard or Visa logo and you notify your issuer of your travel plans, you should be able to use it abroad...”

Wise consumers will still check with their card issuer to get a copy of their prepaid card agreement, to find ATM locations in the states or countries you will visit, any other banks they have partnerships with, and any fees (e.g., conversion, foreign transaction) that apply. Again, in-network ATM machines generally have lower/fewer fees than out-of-network ATM machines. Compare the fees for your prepaid card against fees for your credit/debit cards. Understand your rights, protections, and the differences between credi, debit, and prepaid cards. If decided to use a prepaid card, make sure you load enough money onto it before you leave for your trip.

If you are unsure about whether prepaid cards are for you or not, there are plenty of online resources to help you decide. You can learn more by browsing the Prepaid Cards section of this blog. The posts in this blog section contain plenty of links to external sites and resources.

7. Check for foreign travel advisories. These may suggest additional precautions you should take in the countries you will visit.

Having done all of this, you can then travel with peace of mind.

Chicago Theft Ring Received Sentences For Card Skimming Crimes

In a Chicago court, several defendants were sentenced for card skimming thefts and fraud. The sentences ranged from six years of prison time for the ringleader to two years of probation for other members of the theft ring.

The thieves, working with employees at several fast-food restaurants in Chicago, had allegedly swiped consumers' debit/credit cards through small portable readers to obtain their card numbers. The theft ring then allegedly created fake cards with the stolen card numbers and purchased about $200,000 in merchandise.

Affected consumers had accounts at several banks: Chase, Citibank, Fifth Third Bank Harris Bank, U.S. Bank, Bank of America, and American Express. Reportedly, the banks assisted local law enforcement with the investigations. The seven defendants included:

• Joseph Woods, 33 (the ringleader)
• William Washington, 31
• Alex Houston, 23
• Britain Woods, 34
• Jenette Farrar, 35
• Essence Houston, 29
• Kenyetta Davis, 33,

Congratulations to both local law enforcement and the judicial system.

5 Ways Retail Stores Spy On Their Shoppers

If you haven't read it, there is a good article at Consumer Reports which lists the ways retail stores spy on consumers while shopping. Not the online stores but the physical, brick-and-mortar store locations. Some of the ways stores spy on shoppers:

1. Spy cameras: armed with facial recognition software, these cameras record and track both your movements in the store, the items you look at, and for how long. Some stores use mannequins that contain spy cameras, to distribute cameras thought store areas. Stores often merge these recordings with data from your purchases: amount, payment method (e.g., cash, credit, debit), store sections (e.g., clothing, shoes, housewares, etc.), and items browsed (e.g., pants, dresses, cookware, etc.). Outside cameras record your auto data (e.g., license number, make, model) which is also merged with interior recordings.
2. Smart phone tracking: retailers record the geo-location data from your phone to map/track which departments you visit, in what order, and how long you stay in each department.
3. Interactive digital ads: many contain tiny cameras to record the shoppers that view the ads.
4. RFID technology: merchandise with radio frequency identification tags (RFID) can trigger nearby interactive digital ads, to then serve up targeted, personal ads based on the specific merchandise you are carrying
5. Product returns: many stores demand photo identification to process product returns. Stores claim that the reasons for this are to prevent fraud, but the data collection includes shoppers who do not commit fraud.

What is worse is that the stores do no disclose any warning to shoppers or parents, except that most states require stores to post product return policies visibly in stores.

What's your opinion of the tracking/spying?

Michaels Stores Provide Policies And Class Action Notice On Sales Receipts

My wife and many of her friends like to quilt. They regularly visit retail stores and quilt shops for quilting supplies. This past weekend, my wife visited a Michaels store in Massachusetts. After paying (with cash) for her purchases, she received the following sales receipt:

The sales receipt mentions the store's coupon, exchanges, and returns policies, plus a recent class action lawsuit. The Michaels sales receipt says:

"Dear Valued Customer:

Our coupon policy is to accept one coupon per customer per day. Certain exclusions apply. Please review the exclusion on the coupon and speak with the manager on duty for any questions you may have. Thank You.

To return or exchange an item, customer is required to present a valid photo ID that will be swiped/recorded at the time of the return or exchange for return authorization purposes only. Receipt required within 60 days for refund on most products. Alternate rules apply to books, magazines, and technology and custom products. Returns without receipt will receive Store Return Card. Refunded amount will be the lowest sales price of the item within the last 90 days. Return polices are available at Michaels.com and in store."

One coupon per customer per day? That sounds very stingy and customer unfriendly, as if the store really doesn't want to accept any coupons. And, why use the sales receipt to deliver policy information? This seems customer unfriendly. I've seen promotions and contest information on sales receipts, but not detailed policy information. Simply, print the complete information on regular 8.5 x 11 inch sized paper which is more legible; and insert in each customer's bag. Plus, some customers prefer or require large-print notices.

If you compare the returns/exchanges language on the sales receipt to the store's online Return Policy for US residents (there is a separate Return Policy for Canadian residents), you will find that the online policy has additional language. Customers should not assume that the sales receipt mentions the entire return policy.

More importantly, I want to know why Michaels' return/exchange policy requires the scanning and retention of consumers' identification documents (e.g., driver's licenses, state-issued ID's, passports, and military ID's) even when customers have a receipt. This seems customer unfriendly. When a store requires a document like a driver's license to process a return or exchange, the store collects everything on that document: your address, Driver ID number, height, weight, hair and eye color, and birth date.

Does Michaels really need all of this information (e.g., my weight, eye and hair color) to process a return with a valid receipt? This data collection is legal when performed for fraud prevention. There seems to be nothing stopping retailers from using the data collected for other purposes, such as data mining and marketing.

If a consumer has a receipt, that should be all that is necessary. I did some brief checking and at least one' competitor, Jo-Ann Fabric & Craft Stores, does not require IDs for in-store product returns. Smaller local and mom-and-pop fabric/crafts stores probably have more customer-friendly policies, too.

The sales receipt does not mention a privacy policy. It should, since Michaels does have a privacy policy online at its website, with specific additions for residents of California, Nevada, Vermont, and Canada. However, that online privacy policy does not seem to mention its data retention and sharing polices with ID information collected via returns or exchanges.

Given its return/exchange policy, I want to know how long Michaels retains ID information and what other companies (by name) it shares that ID information with -- items a privacy policy typically state. Without a statement in its privacy policy, a retailer can do anything with that data collected. This ID information is very sensitive data. Customers need to know how long a store retains this information and who it is shared with. Otherwise, consumers cannot make an informed choice.

The sales receipt also says (links enabled):

"Michaels Data Breach Class Action (for more information, please go to www.michaelsdatasettlement.com)

Michaels has settled a lawsuit that allowed certain of its customer suffered damages as a result of a data breach at selected Michaels stores between January 1, 2011 and May 12, 2011. Michaels denies all of the claims."

Unfortunately, that last sentence is vague. It refers to claims alleged in the lawsuit and not claims submitted by data breach victims seeking reimbursement for damages. In May 2011, Michaels stores warned customers in Illinois, New Jersey, California, and 15 other states about the data breach. Criminals had reportedly tampered with in-store PIN pads in checkout lines (e.g., skimming) to steal debit and credit card data. Reportedly, 90 PIN pads were initially affected, but the retail chain later replaced about 7,200 PIN pads. About 94,000 consumer accounts were affected.

Browse the list of Michaels stores (Adobe PDF) affected by the data breach. The list included several stores in Massachusetts in Braintree, Burlington, Danvers, Everett, and Hanover. Customers can also visit the Consumer Notices page at the Michaels.com.

Skimming is a worldwide identity theft and fraud problem. Besides supermarkets and retail stores, criminals target bank ATM machines, gas station pumps, and contact-less (e.g., RFID) payment methods. Several states, including California and Washington, have already banned RFID skimming. Stolen debit card and PIN data gives thieves direct access to consumers' checking bank accounts.

The sales receipt also says:

"You are included in the class if you shopped in this Michaels store or in other selected Michaels stores during that period and your Payment Card was swiped on a PIN Pad terminal from which credit or debit card information was stolen. A complete list of affected Michaels stores can be found at www.michaelsdatasettlement.com. Customers whose credit or debit card information was stolen may receive monetary payment for documented unreimbursed monetary damages and/or credit monitoring services. To request such relief, you must submit a claim postmarked by May 25, 2013.

Unless you exclude yourself from the class by March 5, 2013, you will give up the right to ever sue Michaels about the legal claims the settlement resolves. If you stay in the class, you may object to the settlement by March 5, 2013.

The Court will hold a hearing on April 4, 2013, to consider whether to approve the settlement and payment of attorneys' fees and expenses. You may ask to appear and speak at the hearing."

The settlement agreement includes a $600,000 payment by Michaels stores, which could increase to $800,000 depending upon the volume of claims and reimbursements. If the entire $600,000 is not used, then the remainder will be donated to the Starlight Childrens Foundation, which works with seriously ill children.

I'm glad that my wife paid with cash. I hope that she buys her quilting supplies elsewhere in the future, and doesn't have to return or exchange any of her purchases made at Michaels stores.

Most Trusted Companies For Privacy Study

Recently, the Ponemon Institute released the results of its annual study of the companies consumers trust the most to maintain their privacy. The study asked consumers to name and rate the companies they trust the most to protect their personal information. Key findings from the study:

"New entrants to this year’s top 20 most trusted list includes: Microsoft (ranked 17), United Healthcare (ranked 18) and Mozilla (ranked 20). Healthcare, consumer products, and banking are the industry segments considered by consumers to be the most trusted for privacy (among 25 industry categories). In contrast, Internet and social media, non-profits (charities) and toys are viewed as the least trusted for privacy."

The only government organization in the top 20 is the U.S. Postal Service (#5). Some noteworthy findings about consumers' habits:

"78% of respondents continue to perceive privacy and the protection of their personal information as very important or important to the overall trust equation... 63% of respondents admit to sharing their sensitive personal information with an organization they did not know or trust... 59% percent of respondents believe their privacy rights are diminished or undermined by disruptive technologies such as social media, smart mobile devices and geo-tracking tools. 55% say their privacy has been diminished by virtue of perceived government intrusions."

These findings should be a wake-up call to companies operating within the Internet industries, namely app developers and social networking website operators. About data breaches:

"49% of respondents recall receiving one or more data breach notifications in the past 24 months. 70% of these individuals said this notification caused a loss of trust in the privacy practices of the organization reporting the incident."

About consumers' expectations of data security (bold emphasis added):

"73% of respondents believe the substantial security protections over their personal information is the most important privacy feature to advancing a trusted relationship with business or government organizations. Other important privacy features include: no data sharing without consent (59%), the ability to be forgotten (56%) and the option to revoke consent (55%)."

Companies and their lobbyists would be wise to comply with these findings about important privacy features. Some troubling findings from the Ponemon study:

"Only 35% of respondents believe they have control over their personal information and this result has steadily trended downward over seven years. Less than one-third (32%) of respondents admit they do not rely on privacy policies or trust seal programs when judging the privacy practices of organizations they deal with. When asked why, 60 percent believe these policies are too long or contain too much legalese."

Study respondents said that the most significant threats to their privacy were:

• 61% - Identity theft
• 56% - government surveillance
• 42% - notice of data breaches
• 40% - violations of civil liberties
• 36% - annoying background chatter
• 32% - spam
• 30% - employer intrusions
• 28% - stalking
• 23% - annoying advertising
• 19% - children abuses

Ponemon has conducted this study for the past seven years, and noted that the importance of privacy by respondents has increased during this time. The study, conducted during October through December 2012, included responses from 6,704 adults in the United States. About 217 companies were named by respondents from 25 industries. 47% of respondents were male. The average age of all respondents was 34.6 years, with an average income of $55,900. The study defined "personal information" as:

"Information about yourself and your family. This information includes name, address, telephone numbers, e-mail address, Social Security number, other personal identification numbers, access codes, age, gender, income and tax information, purchases, website preferences, health information, account activity and many other pieces of data about you and your household."

Maybe the next study will include photographs, video, and other items posted on social networking websites.

The top 20 most trusted companies from the 2012 study:

1. American Express
2. Hewlett Packard
3. Amazon
4. IBM
5. US Postal Service
6. Procter & Gamble
7. USAA
8. Nationwide
9. eBay
10. Intuit
11. Verizon
12. (Tie) Johnson & Johnson and FedEx
13. 13. WebMD
14. Weight Watchers
15. U.S. Bank
16. Disney
17. Microsoft
18. (Tie) United Healthcare and VISA
19. AT&T
20. Mozilla

I was surprised that respondents ranked the banking industry so favorably. Companies I noticed that did not make the top 20 list: Apple and Google. I suspect that the perception of "children abuses" as a privacy threat will increase in the future.

Download the Ponemon report, "2012 Most Trusted Companies For Privacy" (Adobe PDF).

A Smart Phone Gift And A Teachable Moment

Did you buy a smart phone or tablet as a Christmas gift for your child or grandchild? Smart phones are very popular gift items. A recent survey found that about 37% of shoppers planned to buy smart phones as gifts for the holidays.

Last week, an 11-year-old student in my tai chi class mentioned that his mother had purchased an iPhone 5 for him as a Christmas present. After hearing this comment, I began to wonder what I would teach an 11-year-old to prepare him/her to use a smart phone wisely to protect their self online... without over-sharing nor running up a huge monthly bill.

I didn't have to search far nor long. Blogger Janell Burley Hofmann developed a contract when she gave her 13-year-old a new iPhone as a Christmas gift. Hofmann's contract clearly outlines both her terms of the gift and her expectations of her teenager. This makes excellent sense. Some notable items from Hofmann's contract:

"1. It is my phone. I bought it. I pay for it. I am loaning it to you. Aren't I the greatest?
2. I will always know the password.
3. If it rings, answer it. It is a phone. Say hello, use your manners. Do not ever ignore a phone call if the screen reads "Mom" or "Dad." Not ever."

Some of the items on the list are obvious:

"7. Do not use this technology to lie, fool, or deceive another human being. Do not involve yourself in conversations that are hurtful to others. Be a good friend first or stay the hell out of the crossfire.
8. Do not text, email, or say anything through this device you would not say in person.
9. Do not text, email, or say anything to someone that you would not say out loud with their parents in the room. Censor yourself.
10. No porn. Search the web for information you would openly share with me. If you have a question about anything, ask a person -- preferably me or your father...
18. You will mess up. I will take away your phone. We will sit down and talk about it. We will start over again. You and I, we are always learning. I am on your team. We are in this together."

I like that Hofmann has included a no-sexting clause, since many teens now use Snapchat (instead of Facebook.com) thinking that those risky photos disappear, but they don't:

"12. Do not send or receive pictures of your private parts or anyone else's private parts. Don't laugh. Someday you will be tempted to do this despite your high intelligence. It is risky and could ruin your teenage/college/adult life. It is always a bad idea. Cyberspace is vast and more powerful than you. And it is hard to make anything of this magnitude disappear -- including a bad reputation."

Readers of the I've Been Mugged blog may remember smart phone insurance issues encountered by some consumers. So, it makes sense to clarify what happens if/when the smart phone breaks:

6. If it falls into the toilet, smashes on the ground, or vanishes into thin air, you are responsible for the replacement costs or repairs. Mow a lawn, babysit, stash some birthday money. It will happen, you should be prepared."

Items I would add to the any smart phoone or tablet contract for a teenager:

19. You will receive spam via email, text messages, and at social networking websites. Learn how to recognize spam.

20. To avoid using up all of your monthly calling minutes, you will likely be tempted to use the WiFi setting on your smart phone instead. This means you will also be tempted to use public WiFi hotspots, which could make your smart phone vulnerable to malware and computer viruses. Don't. You can use our password-protected home WiFi. If you want to use public WiFi hotspots, you will ask your parents first for a VPN software recommendation.

21. You will install an anti-virus app to protect your smart phone just like this software protects your laptop computer. You will learn how to use that anti-virus software and keep it up-to date.

22. Learn how to read the Privacy Policy and Terms and Conditions Policy at websites. If you don't understand or don't like the policy at a website, don't use that website and don't register at that website, no matter how popular you think it is.

23. Read the Privacy Policy and Terms and Conditions Policy before installing a mobile app. If an app doesn't have a policy, don't install nor use that app. If you don't understand or don't like an app's policy, don't install that app on your smart phone and don't use it.

24. Know the full price of an item or service, including any fees, before making an online purchase with your smart phone. If you are unsure what the price is, don't buy it. If the price is more than $10, get the approval of me or your father, first. If the price is less than $10, you will pay for it out of your weekly allowance.

What do you think of Hofmann's smart phone contract for her teen? What items would you add?

Smart Mannequins Coming Soon To A Retail Store Near You

A few weeks ago, I wrote a blog post about facial recognition and what consumers need to know. Then, a couple articles appeared about EyeSee, a brand of the new version of bionic mannequins coming soon to retail stores.

I like to call them "smart mannequins," which seems to more aequately describe the technologies used.

Smart mannequins allow retailers to place cameras discretely (or secretly, dpending upon your point-of-view) throughout their stores at eye-level (or lower), unlike traditional security cameras mounted high-up on poles or in the ceilings. I am sure that some retailers hope that this new technology will decrease or deter shoplifting crime.

Also, there several implications for consumers. First, retailers can learn more about the types of consumers that enter their stores. How? The cameras can distinguish betwen gender (e.g., male and female), and age (e.g., children and adults). Some experts claim that the cameras in smart mannequins can determine a person's race. I highly doubt the accuracy of that claim since race is a social construct and since people's appearances vary widely within a race.

Second, retailers can learn more about your shopping habits, since smart mannequins utilize facial recognition technogy. The cameras record the store locations and times of day shoppers visit. The facial recognition component allows retailers to learn where within the store you visit, plus your shopping preferences -- even when you do not buy anything. Depending upon placement, the camera can record the types of clothing you review (e.g., pants, dresses, shoes), the size, and colors as your remove garments from the racks to inspect and/or try on.

This brings the data collection about shoppers and browsers at brick-and-mortar stores closer to the online data collection, where retailers learn about your preferences given the website pages you select and view. Together, it makes anonymous shopping more difficult.

And bionic mannequins raises issues about privacy, disclosure, and notification:

• How long is the in-store collected data archived?
• What other companies does the retailer share the in-store collected facial data with?
• How long is the in-store collected data archived?
• How can consumers opt out of the in-store data collection?
• At what point during the in-store visit should a retailer present its privacy policy?
• Or will a single policy "rule" both online and in-store data collection?
• Should there be separate rules that govern retail store section with medical/health devices and products?
• Should data be collected about children?
• If data should be collected about some children, starting at what age?

The facial recognition guidelines recommended by the FTC include privacy by design, transparency, and choice (to opt in or out). The FTC and CDT support a tiered approach that distinguishes between facial recognition technologies that Count (Level 1), Target (Level 2), and Identify (Level 3) consumers.

Some privacy advocates propose a Digital Out Of Home (DOOH) structure to cover all of the various several technologies (e.g., auto license plate scanners, RFID skimmers, interactive billboards, drones, smart mannequins) which can be used to track consumers.

What's your opinion of smart mannequins and tracking within brick-and-mortar stores?

Safe Shopping Tips For 'Black Friday' And The Holidays

You have probably read or heard about it in either the print, television, or radio advertisements. Many retailers will open early Thanksgiving day night to start the long weekend of shopping including what many refer to as "Black Friday." If you plan to shop, know your rights and shopping tips so you don't get "mugged" by excessive fees.

To help consumers, the Massachusetts Office of Consumer Affairs & Business Regulation (OCABR) has developed a holiday shopping guide that explains consumers' rights, the actions retailers are allowed, and shopping tips for the best experience. For example:

"Sale: For the term "sale" to be used in an ad when the actual savings are not stated, the law requires the savings to be at least 10% for items regularly priced $200 or less, and at least 5% for items over $200."

"Restocking Fee: This is a charge deducted from the purchase price when an item is returned, resulting in a partial refund. Sellers must disclose their return policies, including restocking fees, before the initial transaction is completed."

"Layaway: A plan that allows you to pay for a product in installments and receive the merchandise after you have paid in full. A store must fully disclose its policy on layaway plans, including cancellation and return (or non-return) of payments already made."

"Know the seller: Purchasing from a seller you know and trust is the best way to ensure an excellent shopping experience. For unknown web-sites, use an online store review service such as Epinions, BizRate, the Better Business Bureau..."

"Shop smart with a Smartphone: Smartphones allow consumers to keep track of deals, navigate between stores, and compare prices. Check out apps such as Consumer Reports Mobile Shopper and Google Shopper..."

To read the full list of right and tips for consumers, download the "Black Friday Shoppers Guide" (Adobe PDF) or this mobile-friendly version of the same report. Rules for retailers in other states may vary. Check with the consumer affairs agency in your state.

Related posts:

• California Attorney General Notifies Developers Of Mobile Apps In Violation Of State Privacy Laws
• How To Lock Down Your iOS Mobile Device
• Survey: How Mobile Device Users Protect Their Privacy With Mobile Apps
• 5 Things You SHould Know About Prepaid Cards
• Will A Credit Card Or A Debit Card Protect You Better From Fraud?

Consumers Pay With Methods Other Than Cash

Some statistics about consumers use of cash versus other payment methods:

"Last year 27 percent of all point-of-sale purchases were made with cash and that number is expected to drop to 23 percent by 2017... plastic cards purchases comprised 66 percent of all in-person sales, with nearly half of them, or 31 percent, made with debit cards, according to Javelin. Last year shoppers used credit cards for 29 percent of point-of-sale purchases; Javelin expects that number to rise to 33 percent by 2017. Shoppers deployed gift cards and prepaid cards for 6 percent of purchases made with plastic last year. A mere 7 percent of transactions involved use of a paper check..."

The Huffington Post article also mentioned a few retail stores than no longer accept cash.

5 Things You Should Know About Prepaid Cards

Right now, there probably are three different types of plastic in your wallet or purse. Each type has different rules, disclosures, government regulations, and fees. So, wise consumers use the best type of plastic instead of cash.

Most consumers are familiar with credit cards and debit cards -- the first two types of plastic. Credit cards include an interest rate applied to all purchases, plus a variety of fees (e.g., overdraft, annual usage). Debit cards are offered by banks to their account-holders to access money in their checking and savings accounts.

Prepaid cards often look like debit cards but have several important differences. Prepaid cards must have value stored or "loaded" onto them before they can be used. Usually, consumers use cash to add value to a prepaid card. Then, the consumer uses the prepaid card for purchases, which are deducted from the balance on the card until there is no value left on the prepaid card. Then, more value must be added to the card before it can be used again.

Retail stores, restaurants and malls offer prepaid cards, usually called gift cards. Chances are you may have already received a prepaid card as a gift. I've received and given several prepaid cards as gifts. Customers use the Dunkin' Donuts prepaid card are the chain's retail stores. Prepaid cards from The Old Spaghetti Factory, Starbucks, and Target all operate similarly. Some retailers use their prepaid cards to track customers' purchases for rewards for loyalty programs.

Besides retail stores, many other companies and entities offer prepaid cards. Some employers pay their employees via prepaid cards, often called payroll cards. These payroll cards are designed for employees who don't have checking and savings accounts. Behind every payroll card is a bank that handles the transactions.

Some employers offer their employees prepaid cards only for qualified healthcare spending purchases. Some golf clubs offer prepaid cards for their members to use at the club's golf store and restaurant.

Some banks offer prepaid cards, too, for consumers who lack checking and savings accounts. With all of these prepaid cards in use, it is important for consumers to to know the advantages and disadvantages. There is a pretty good CNN Money article that discusses what consumers should know about prepaid cards:

"Watch out for the fees: The average prepaid card charges nearly $300 in basic fees a year, such as monthly charges, ATM fees and reloading fees, a recent NerdWallet study found... many prepaid cards also charge activation fees, transaction fees, bill payment fees, declined transaction fees, inactivity fees, customer service fees and paper statement fees."

"They don't build credit: Using a prepaid card doesn't help you build credit with the three major credit bureaus... don't be fooled into thinking they are doing anything to boost your credit score."

To browse the entire list of five tips, read the CNN Money article. To learn more about the differences between the three types of plastic in your wallet/purse, read the FDIC alert about consumers' rights. You can also select Prepaid Cards in the tag cloud in the near right column.

What has been your experience? What prepaid cards have you used?

Two Years After Its Data Breach, Upromise Email Notice Leaves Customer Confused

William, an I've Been Mugged reader, received the below email message from Upromise.com:

"From: Upromise (member@your.upromise.com)
Subject: Important information regarding Personalized Offers
Date: March 10, 2012 12:14:23 AM EST
To: ***********@************

Dear William,
Our records show that you had the TurboSaver® toolbar installed with the optional Personalized Offers feature enabled at some point through January 21, 2010. Through that date, because of an issue with vendor-supplied software, the use of this feature resulted in the unintended collection and transmission of certain categories of your personal information to Upromise or our vendor. Depending on how a particular web page was configured, this could have included information you entered into forms such as usernames, passwords, search terms, credit card numbers or financial account numbers. Our members' privacy is extremely important to us, and we took immediate action when we learned of this issue in January 2010 by directing the software vendor to disable the Personalized Offers functionality. As a result of this change, the toolbar is not collecting or transmitting Personalized Offers data, even if your toolbar indicates that the feature is enabled.

As always, if you would like to uninstall the TurboSaver toolbar, simply access the toolbar menu by clicking the Upromise logo on the left hand side of the toolbar, select "Uninstall" and follow the prompts. If you have any questions, or need additional information, we welcome you to contact us at 1-800-877-6647 or email questions@upromise.com.

Sincerely,

The Upromise Customer Care Team
www.upromise.com"

William doesn't remember receiving a prior breach notice from Upromise, and says he is diligent about opening both email and postal mail from companies he does business with. William wants to know what is happening at Upromise, and why he received an email that looks like a breach notice two years after the data breach.

William does not appear to be the only concerned Upromise member. You can read posts by a couple customers in the Upromise community forum.

A review of the Upromise Facebook page and Upromise Insider blog did not find any posts during 2012 about a breach notice. I contacted Upromise and a representative, Deborah Hohler replied:

"When the matter came to our attention two years ago, we immediately addressed it and saw no evidence anyone’s data was misused. The protection of personal information is extremely important to us. This email communication was in connection with a proposed consent order from the FTC, and we worked with them on actual content and timing of the message."

At this point, a little history might help. In January 2010, PC Magazine reported about the Upromise breach involving the Upromise Toolbar:

"Privacy researcher and Harvard Business School Professor Ben Edelman has written a report on the practices of the Upromise Toolbar, called TurboSaver by the company. Upromise is a membership system through which you can earn money for college savings by buying items from certain vendors through Upromise. The toolbar facilitates this in your browser and tracks user behavior."

Another breach at a Sallie Mae company seems to have been the result of insider identity theft. In July 2011, WTHR Channel 13 in Indiana reported:

"The suspect is an employee at another Sallie Mae spin-off in Massachusetts - College Choice... In a letter sent to more than 300 parents, College Choice admitted an employee with its program manager, UPromise Investments, accessed names, social security numbers, birthdays and other contact information for seven months while on the job."

Also during July 2011, Upromise filed a breach notice (Adobe PDF) with the State of New Hampshire Department of Justice. The notice did not disclose how many customers were affected, but confirmed the WTHR news report and that letters were mailed to breach victims on June 23, 2011 -- about six months after the toolbar breach was discovered. I also checked Maryland, Vermont, and Wisconsin. None contained any Upromise breach notices, but Maryland hasn't yet uploaded breach notices received during 2011.

William lives in a state that does not post online the breach notices it receives.

The January 18, 2012 U.S. Federal Register (Adobe PDF) mentioned a proposed settlement agreement between the U.S. Federal Trade Commission (FTC) and Upromise, which alleged that:

"... Upromise engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for the personal information it collected and maintained. Among other things, Upromise: (1) Transmitted sensitive information from secure web pages, such as financial account numbers and security codes, in clear readable text; (2) did not use readily available, low-cost measures to assess and address the risks to consumer information; (3) failed to ensure that employees responsible for the information collection program received adequate guidance and training; (4) failed to take adequate measures to ensure that its service provider employed reasonable and appropriate measures to protect consumer information."

The proposed settlement agreement includes six parts describing the actions Upromise must take to improve its data security and notices to its members (bold emphasis added):

"Part I of the proposed order requires Upromise to disclose to consumers—before the download or installation of software that records or transmits information about any activity occurring on a computer involving the computer’s interactions with Web sites, services, applications, or forms—the types of information collected and how the information will be used. The disclosure must be clear and prominent and separate from other notices. The company must also obtain consumers’ express affirmative consent before the consumer downloads, installs, or otherwise activates such software. In addition, the company must provide this clear and prominent notice, and obtain express affirmative consent, before enabling data collection through any previously installed TurboSaver Toolbar and before making any material change from stated practices about collection or sharing of personal information through the Toolbar.

Part II of the proposed order requires Upromise to provide notice to consumers who, prior to the issuance of the order, had the Personalized Offers feature enabled. The notice must inform consumers about the categories of personal information that were, or could have been, transmitted by the feature, and how to disable the Personalized Offers feature and uninstall the Toolbar. Part III of the proposed order requires the company to destroy data it collected during the years covered by the complaint unless otherwise directed by the Commission.

Part IV of the proposed order prohibits the company from making any misrepresentations about the extent to which it maintains and protects the security, privacy, confidentiality, or integrity of any information collected from or about consumers. Part V of the proposed complaint requires Upromise to maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of such information (whether in paper or electronic format) about consumers. The security program must contain administrative, technical, and physical safeguards appropriate to Upromise’s size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers and employees. Specifically, the proposed order requires Upromise to:
- Designate an employee or employees to coordinate and be accountable for the information security program;
- Identify material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks;
- Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures; - Develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Upromise or obtain on behalf of Upromise, and require service providers by contract to implement and maintain appropriate safeguards; and
- Evaluate and adjust its information security programs in light of the results of testing and monitoring, any material changes to operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.

Part VI of the proposed order requires Upromise to obtain within the first one hundred eighty (180) days after service of the order, and on a biennial basis thereafter for a period of twenty (20) years, an assessment and report from a qualified, objective, independent third party professional, certifying, among other things, that: (1) It has in place a security program that provides protections that meet or exceed the protections required by the proposed order; and (2) its security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of sensitive consumer, employee, and job applicant information has been protected."

Upromise is a rewards program where members save towards college by making everyday purchases with Upromise partners: brick-and-mortar and online stores, restaurants, grocery stores, drug stores, and similar retailers. Upromise members include parents, grandparents, and other family members saving for college for a child, grandchild, or family member. Upromise members can invest their savings in a high-yield savings account or tax-deferred 529 plan, and then use that to pay down student loan, or request a check to pay for college expenses.

What might all of this mean?

According to Hohler at Upromise, the email message William received was part of the above proposed settlement agreement with the FTC (probably Part 2). Given this, the email is in my opinion confusing and unnecessarily vague. It raises more questions than it answers.

A better email update would have reminded Upromise members that this email was follow-up to a prior breach notice, and that it was prompted in part by the settlement agreement with the FTC. The email update didn't mention the settlement agreement at all.

A better email update would also explain why Upromise left a toolbar installed in customers' web browsers that might display inaccurate messaging which might confuse users:

"As a result of this change, the toolbar is not collecting or transmitting Personalized Offers data, even if your toolbar indicates that the feature is enabled."

This seems to conflict with Upromise's reply that, "... we immediately addressed it..." about the toolbar data breach. A defective browser toolbar still operating two years after the breach would make anyone wonder.

A better email update would instruct users how to upgrade the defective toolbar. A better email update would have mentioned the proposed settlement agreement with the FTC, and then outlined everything Upromise is doing, or has already done, to comply.

The comprehensive and detailed scope of the proposed consent agreement suggests to me that there were more data security problems at Upromise than a toolbar breach. It seems to me that most of the six parts of the proposed settlement agreement are data security methods a company would implement anyway to protect sensitive assets and customer information.

Having received a breach notice via postal mail after IBM's 2007 breach, I can definitely tell you that a breach letter is not something you would easily forget nor misplace. So, I believe William 100% when he said that the above email is his first notice from Upromise about its 2010 data breach.

In the 4+ years I have written this blog, I have encountered situations where companies experiencing data breaches have created a website about its breach investigation. IBM created such a web site after its 2007 data breach. I searched for such a site at Urpomise and didn't find one. Perhaps its exists and is behind a secure log-in available only to customers. Then again, William would have mentioned it if it exists. A better email update would summarize its breach investigation(s) and explain the proposed consent agreement.

As it stands, users like William are unsure and left wondering exactly what is happening. Transparent communication promotes trust.

If you were affected by the Upromise breach, what has been your experience? What do you think of Upromise's post-breach response? What are your opinions of the proposed settlement agreement?

How Companies Analyze Your Spending And Habits

Two really good news article explain how companies analyze consumers spending and social networking activity. I highly recommend that you read both articles.

The Forbes magazine article, "How Target Figured Out a Teen Girl Was Pregnant Before Her Father Did," summarized very well the problematic behavior of many corporations and retailers. To get a jump on its competitors, Target extensively analyzed -- perhaps better than most retailers -- its customers' purchases and attached undisclosed demographic data to each customer's identification number to mathematically predict what customers might by.

The prediction formulas were so good, Target was able to mathematically deduce from past purchases that this teen girl was pregnant and send coupons to her home -- all before the teen told her parent of the pregnancy:

"What Target discovered fairly quickly is that it creeped people out that the company knew about their pregnancies in advance... So Target got sneakier about sending the coupons. The company can create personalized booklets..."

These personalized coupon books were an attempt to hide the fact that Target knew so much, and disguise that knowledge by presenting both coupons not related to pregnancy with coupons that were related:

"... we learned that some women react badly... Then we started mixing in all these ads for things we knew pregnant women would never buy, so the baby ads looked random... we found out that as long as a pregnant woman thinks she hasn’t been spied on, she’ll use the coupons. She just assumes that everyone else on her block got the same mailer..."

One of my friends called Target's behavior "untethered stupidity" to market pregancy products to a teenager. Yes, that was incredibly stupid, and was likely enabled by its rush to make money. Some of my friends were surprised at the content of the above Forbes article. I wasn't surprised because of the amount of personal information shared:

• Consumers share on social networking websites the items (e.g., products, services, television/cable shows, music) products we like or prefer,
• Banks regularly collect and resell both debit-card and credit-card purchases,
• Consumers share on social networking websites a wide variety of sensitive personal data (e.g., birth date, children's names and ages, list of relatives). The full birth date makes it easy for data brokers and advertisers to distinguish several people with the same name,
• Consumers share product preferences and travel vacation habits through loyalty program memberships,
• State motor vehicle registries regularly sell drivers' data to companies and data brokers. That includes the car, from which marketers can deduce your wealth, favorite color, and when to pitch extended auto warranty service plans,
• Data brokers like Spokeo and Acxiom compile consumers' demographic data from public records and social networking websites, which retailers can purchase,
• Leaky entertainment, quiz, and gaming apps on social networking websites regularly collect consumers sensitive personal data,
• Leaky smartphone apps regularly collect consumers' sensitive personal data, they often shouldn't. The lack of privacy policies with these apps mean the app developers are free to sell the personal data collected.

What might that undisclosed demographic data be? It's pretty easy to deduce or infer:

• Name, address, age from the store loyalty program registration
• Income from any store credit cards, loyalty program registrations, surveys, or average purchase history over time (e.g., wealthy people spend more, less wealthy purchase more with coupons)
• Favorite colors from the colors of clothes purchased
• Left-handed preference from types of products purchased
• Personal preferences from any product comments at the retailer's web site or products "liked" at social networking websites (purchased from data brokers)
• Type of vision from purchases (e.g., non-prescription sunglasses indicate good vision)
• Health issues (e.g., eczema, dry skin, dandruff) from the types of lotions and shampoos purchased
• Health issues (e.g., over-weight) by the size of clothes purchased or from retailers offering pharmacies and in-store clinics
• Durable goods (e.g., dishwasher, washing machine, gas or electric oven) used at home from purchases
• Auto and electronics owned from purchases, either the item or related accessories purchased
• Approximate ages of children by types of toys purchased or from photographs at social networking websites
• Where else you shop, based on GPS coordinates collected from any apps installed on your smartphone, or data purchased from mobile service providers
• Retail stores that use facial recognition cameras can track your shopping patterns (e.g., when where, duration), even when you pay with cash and left your GPS-enabled cell phone at home, and supplement this with demographic data from photos you are tagged in at social networking websites
• Any gaps in the above demographic data can easily be filled by data purchased from data brokers like Acxiom and/or ads run on social networking websites

The New York Times article, "How Companies Learn Your Secrets," includes a more detailed analysis, with how marketers look for "chunks" in consumers' behaviors to predict future purchases:

"This process, in which the brain converts a sequence of actions into an automatic routine, is called “chunking.” There are dozens, if not hundreds, of behavioral chunks we rely on every day. Some are simple: you automatically put toothpaste on your toothbrush before sticking it in your mouth..."

Some chunks are more complex; consider the series of behaviors women will perform to prepare for a pregnancy: purchase different clothes, lotions, and/or personal hygiene items. Now, think more broadly, because everyone's behaviors can be chunked. Not just women. The researchers found:

"... when some customers were going through a major life event, like graduating from college or getting a new job or moving to a new town, their shopping habits became flexible in ways that were both predictable and potential gold mines for retailers. The study found that when someone marries, he or she is more likely to start buying a new type of coffee. When a couple move into a new house, they’re more apt to purchase a different kind of cereal. When they divorce, there’s an increased chance they’ll start buying different brands of beer. Consumers going through major life events often don’t notice, or care, that their shopping habits have shifted, but retailers notice..."

And a baby definitely qualifies as a major life event.

Now, consider your past purchases. Advertisers value that so they can serve up different products at these major life events. Coombine this with your GPS location in the physical world, and it is a marketers dream: to know you shop every Saturday morning and then serve up ads on your smartphone before you arrive at the supermarket; or to serve up childrens toy and food ads before you shop for their birthday parties.

Maybe all of this doesn't bother you, or maybe it does. The bottom line: where you go in the world, what you purchase, and how much you consume are all pretty personal facts. Consumers should have control over when and with whom this personal data gets shared. If you choose to share everything, fine. Some of us feel and act differently.

A Debit Card Cautionary Tale

[Editor's Note: today's post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. Michelle helps others improve their use of technology in their personal or professional life. Today, she tackles what I believe will become a huge identity-theft problem. As employers lower their administrative costs by outsourcing payment systems that include debit-card transactions, the result is a more complicated, patchwork mix of companies where it is not easily clear who is responsible when bad things happen.]

By R. Michelle Green

At a business conference I attended, the topic turned to health care insurance administration. Some of the attendees now have new debit cards they didn’t ask for. Their employers gave them debit cards for their health care expenses (to access their Flexible Spending Accounts). Instead of having to submit receipts, employees offer the card at the point of sale. If s/he tries to charge more than allowed, or tries to charge things that are not acceptable, the card is rejected. Easily fits into the distributor’s payment systems (cash credit debit), no paperwork for the employee, less evaluative work for the FSA provider. Everyone wins, right?

Not everyone.

Meet Caren (not her real name, of course). She offered her new debit card -- her's is called a United Healthcare Consumer Accounts Card -- for prescription meds in January last year. However, the purchase was rejected by the pharmacy. She assumed it was a glitch, and paid for it herself. While this eventually happened every time, she doesn’t have medical charges every day, so it took a while to recognize that the card never worked. For reasons not relevant here, she did not pursue this with the provider until the fall, only to discover that all her money had been used up on health care charges she didn’t make.

She spoke with United Healthcare using the phone number on her Consumer Accounts Card. She submitted all her information in writing as they requested. They produced a sheet showing that her charges mostly matched (about 70%) identical charges paid 1-2 business days after hers. Though they did not accuse her of fraud, they did say the case was closed and did not merit an appeal. When she approached her human resources provider, he said, well at least she got the tax break. (!) She didn’t get a tax break, she got a salary reduction! She was deprived of access to her own money, set aside from her salary. The debit card agreement online says that she should call the bank operating the card, but that hasn’t proven productive either.

Had a second card been issued to someone else, we wondered? Not to her (or to the bank’s) knowledge. Did the drugstore have signatures on the other charges ostensibly hers? The other charges were mail order charges through Medco, so no receipts or signatures. She has no account with Medco. The pharmacy is not interested in pursuing this, they’ve been paid (perhaps twice!). Medco won’t address it, as she is not a client. The debit card provider only knows the money is spent. The FSA account holder is satisfied that it was spent for the right things. Only Caren is out of pocket and disadvantaged. Doubly so – this was so traumatic that she did not enroll in FSA this year. That makes her ineligible for the associated tax benefit in 2012.

Turns out our blog host is interested in the way financial systems are evolving, and found this issue particularly interesting. There are a lot more parties in the mix than you might at first think. Caren has an employer small enough that it purchases human resources expertise from a national firm. So there’s Caren, Small Firm, and Big HR Firm. Big HR Firm takes the money from her account and sends it somewhere based on their agreement with United Healthcare. Her debit card is managed by United Healthcare, and Optum Health Bank administers that card for them. Optum Health Bank has a subsidiary, Optum Financial, that handles the flow of money from the holding account to the point of sale. And what about the pharmacy: could their processes have been compromised as well?

I read a lot about fraud and scams, and wondered if this could be the tip of a software theft operation, selecting certain customers, and duplicating certain customers’ receipts, at just low enough rates that they are not perceived. (Good movie, eh? But Occam’s Razor says: not likely.) But who is the person with enough clout to investigate this, particularly if no one person or entity loses big bucks?

Today she tweeted that she had heard from Big HR Firm – there’s nothing they can do. So who’s responsible? Several corporations are in play; doesn’t each have a responsibility to Caren? Who can help her?

Data Breach At Motorola Mobility Affects Refurbished XOOM Tablets

Motorola Mobility admitted Friday in a press release that it failed to erase the sensitive personal information of original owners on refurbished tablets. The breach included about 100 Motorola XOOM WiFi tablets from a batch of 6,200. The tablets were resold by Woot.com during October through December 2011.

Motorola did not specify the types of sensitive personal information exposed, but it likely include any personal information the original tablet owners stored on their devices:

"It is possible that users might have stored photographs and documents. They may have also stored user names and passwords for email and social media accounts, as well as other password-protected sites and applications."

Ya think so? Duh! Obviously, affected consumers should change their passwords at any online bank, financial, and social networking websites; especially if you stored your passwords on your Motorola tablet. Purchasers of the affected refurbished tablets should return their devices to Motorla to ensure that the memory of each device is cleared. If you purchased a refurbished Motorola XOOM Wi-Fi tablets from Woot.com between October and December 2011, you should visit motorola.com/xoomreturn or call Motorola Mobility Customer Support (1-800-734-5870 and select Option 1) to determine if your tablet is affected.

For consumers who purchased and then returned a Motorola XOOM Wi-Fi tablet to Amazon.com, Best Buy, BJ’s Wholesale, eBay, Office Max, Radio Shack, Sam’s Club, or Staples and a few other independent retailers between March and October 2011, Motorola offers a free two-year membership with Experian’s ProtectMyID Alert credit monitoring service. The company also directed original tablet owners to contact Experian at 1-866-926-9803 to register for their complimentary credit monitoring service.

At press time, refurbished XOOM tablets were selling for about $349 on Amazon.com.

This breach is troublesome. While breaches often happen, the company should have adequately wiped all sensitive personal data from refurbished tablets. That the company failed to do so makes one wonder if any malware was transmitted to purchasers of refurbished tablets -- or of any other Motorola mobile devices.

If you were affected by this data breach, share your experience below.

CVS Caremark Agrees To Pay $20 Million To Settle With Three States For Pension Fraud Claims

CVS Caremark Corporation has agreed to pay about $20 million to settle lawsuits in three states about alleged pension system fraud. The lawsuits were filed by two whistleblowers, CVS pharmacists, and claimed that CVS resold returned drugs, changed presecription orders to increase prcies, and filed false reports about prescriptions fulfilment dates. The Los Angeles Times reported:

"... CVS Caremark will pay nearly $7 million to the California Public Employees’ Retirement System, $4 million to the state of Illinois and $3 million to the state of Florida. Other money from the settlement went to plaintiff attorneys’ fees and costs..."

In 2007, CVS Corporation merged with Caremark Rx Inc.. The combined company operates about 7,000 retail stores, and provides prescription drug management services for employers.

Crain's Chicago Business reported Michael Leonard, a partner with Chicago-based law firm Meckler Bulger Tilson Marick & Pearson LLP, which along with Los Angeles-based law firm Engstrom Lipscomb & Lack LLP represented the whistleblowers, as describing the lawsuit:

“They fought the thing tooth and nail, and denied, denied, denied, despite what the evidence was...”

Move Your Money To... Walmart? A Good Deal?

This blog has covered extensively the ways banks have "mugged" consumers via higher fees, higher interest rates, traps, and tricks. I was surprised to read in the Tuesday the New York Times a report about some consumers moving their money to Walmart Money Centers, instead of to banks or credit unions. Move your money to Walmart? Really?

After reading the newspaper article, I visited the Walmart Money Centers website to learn more:

By offering several a la carte banking services (e.g., debit card, money transfers, bill pay, money orders, credit cards, check cashing, and checks), Walmart has wormed its way into banking. If it walks like a duck, sounds like a duck, and smells like a duck -- then it must be a duck. How was this allowed to happen?

Apparently, many consumers who don't have a checking account (e.g., referred to as the "unbanked") are using Walmart Money Centers to cash they paychecks, since the fees are lower than at many banks. I have mixed feelings about this. Here's why:

Advantages:

• It benefits consumers to have a competitive choice since Walmart Money Centers offer lower check-cashing fees than banks and payday lenders. That could create a downward pressure on banks to lower their fees to remain competitive
• I see the benefit to Walmart of paying its associates via Walmart debit cards. This removes or lowers the middle-man processor costs

Now, the disadvantages.

First, "banking" with Walmart is still very expensive for consumers. A $3.00 fee to cash a $800.00 weekly paycheck is really an effective annual interest rate of 19.5% ($3/$800 x 52 pay periods per year). That same $3.00 fee on a $400 weekly paycheck equals a 39% effective annual interest rate.

The Walmart MoneyCard (e.g., debit card) is expensive, too. The $3.00 fee to load money onto a card, plus the $3.00 monthly maintenance fee is really an effective annual interest rate of 18% (assuming a $300 paycheck and 26 pay periods per year). So, a consumer is paying 18% to access their own money. What? That 18% is a rate similar to many credit cards, where a consumer can avoid the interest charges by paying their balance in full at the end of the month.

While Walmart Money Centers may seem like an attractive option, it's really expensive "banking." Better to find a credit union with free checking and save both the $78 in annual check-cashing fees and $108 in annual debit card fees.

Second, I can understand the benefits for Walmart of paying its associates via Walmart debit cards. The benefits for Walmart Associates are questionable at best, given the above debit-card fees. The lack of banking choice is troublesome:

"Walmart associates may receive their pay either by direct deposit or through the First Data Money Network program and may access their wages through the Money Network MasterCard Paycard(R) or Money Network(TM) Checks."

This reminds me of the old "company store" practice from the 1800's where companies forced their employees to shop only at the company store, and kept them in debt bondage -- only it's worse today. How? Keep reading.

Third, the lack of disclosure and transparency is extremely troubling. If a consumer left Bank of America for a Walmart Money Center, then you are still banking with some of the same companies that perform outsourced, back-office financial transactions. According to a 2009 Reuters press release:

"Walmart, MasterCard Worldwide and First Data today announced a new, more sustainable payroll program designed to reduce the number of paper paychecks and pay stubs distributed each year to Walmart and Sam's Club associates... "

Alert readers will remember that First Data is a joint venture partner with Banc of America Merchant Services to process BofA debit card transactions. When I asked Bank of America to explain this joint venture, they declined to comment. And, there's more.

Wal-mart operates its Money Centers by outsourcing functions to Moneygram. According to Hoovers, Moneygram:

"... sells MoneyGram-branded cash transfers and money orders at some 227,000 locations around the globe. It is the leading provider of money orders in the US, issuing some 175 million annually. Wal-Mart is MoneyGram's largest money-transfer and money order agent, accounting for more than a quarter of the company's revenues. MoneyGram also offers in-person and electronic bill payment services, letting users pay everything from mortgages to utilities, and processes official checks for financial institutions."

In September, Fitch Ratings announced in a press release:

"MoneyGram has been informed that it is being investigated by a federal grand jury in connection with its consumer anti-fraud and anti-money laundering program matters for the period 2004 to early 2009. A prior similar investigation led to MoneyGram paying an $18 million fine..."

Thomas H. Lee Partners and Goldman Sachs own about 85% of MoneyGram.

Fourth, I thought that Walmart was prohibited from banking. The New York Times reported:

"Four years ago, Wal-Mart abandoned its plans to obtain a long-sought federal bank charter amid opposition from the banking industry and lawmakers, who feared the huge retailer would drive small bankers out of business and potentially conflate its banking and retail operations. Ever since, Wal-Mart has been quietly building up à la carte financial services, becoming a force among the unbanked and “unhappily banked,” as one Wal-Mart executive put it."

Fifth, the fine print about the Walmart MoneyCard states the following about its debit card:

"The Card is issued by GE Money Bank, member FDIC, pursuant to a license from Visa, U.S.A. Additional services provided by Green Dot Corporation. Not available in all states. Issuance fee, monthly fee, and other fees apply..."

This means that Walmart outsources its debit card operations to GE Money Bank, where cardholders' money and accounts are insured by the Federal Deposit Insurance Corporation (FDIC) which insures banks. So, the FDIC is effectively insuring Walmart! I'll bet you didn't know that. Neither did I until I read the fine print. How did this happen?

I hope the New York Times reports more about all of this.

My main point: if consumers choose to "bank" at Walmart Money Centers, you should know who you really are doing business with. The Walmart brand name appears the retail stores, but several outsourced companies actually process its financial transactions -- just like the big banks.

Me? Walmart Money Centers do not appeal to me for both the reasons above, and plus several Walmart business practices. Hence, I have boycotted Walmart since 2000.

What do you think? Are Walmart Money Centers a good option? If you have moved your money to Walmart, share your experiences.

How To Protect Your Sensitive Personal Data When Using Public WiFi Networks

Last week, I met a friend for lunch to discuss her new business venture. After lunch, we moved our discussion to a nearby coffee shop. While there, my friend surfed the Internet using her mobile device and the coffee shop's public WiFi network.

When we finished our discussion, I suggested that she change her passwords for the websites she visited, since she had signed into with HTTP connections instead of HTTPS connections. (My friend had not heard about PrivateWiFi.) During the subway ride home, I began to wonder what a comprehensive list for consumers would be of tips about how to securely use public WiFi networks, at places like airport lounges and coffee shops.

If you aren't familiar with the identity-theft threat, about a year ago there were many articles about the Firesheep Web browser plugin, which allows hackers at public WiFi hotspots to monitor nearby consumers' online sessions and steal account log-in passwords. A recent tweak of Firesheep allows it to steal your Google web history. Not to be outdone, the newer Droidsheep app allows hackers to monitor and steal from mobile devices running the Android operating system.

With tools like these, the identity-theft and fraud damages can be extensive. Thieves can send spam from your email and/or social networking website accounts, or steal money from your bank accounts.

So what can a consumer do to protect their data? This Hot Spot Hacker article offers several good tips for using your mobile device securely at public WiFi networks:

"1. Set your laptop or smart phone so you have to manually select the Wi-Fi network. You may need to change the default setting

2. Make sure you know the exact name of the establishment's Wi-Fi network and connect only to it. Don't be fooled by look-alikes."

These two tips are good reminders because it is easy to set your mobile device to automatically connect at coffee shops you visit repeatedly, and forget about WiFi network security.

"3. Avoid any hot spot that your device lists as "unsecured." Keep in mind that even if a password is required, a hot spot can still be unsecured."

This tip cannot be over emphasized. Of course, it is preferable to use WiFi networks that require a password log-in, but that is just a start. A password log-in is not complete security. For full security, the entire session must be encrypted, because browser cookie and other files transmitted during the session contain personal data hackers can abuse:

"4. If your device shows the site as secured, pay attention to what kind of encryption it lists. WEP (Wired Equivalent Privacy) is an early system, dating from over a decade ago. If it's WEP, treat the network as not secure. WPA (Wi-Fi Protected Access) is better, and WPA2 is best of all."

Most people I know have no idea what brand of wireless encryption to look for and to use. Now you know. Here's what else you need to know about WiFi network security:

"5. If you send personal data over a Wi-Fi link, do so only to an encrypted website. You can tell a site is encrypted if you see the letters "https" (the "s" stands for "secure") at the beginning of its Web address. Also, look for a lock icon on the top or bottom of pages throughout the site."

So, what can a consumer do to use WiFi networks safely and securely? One suggestion:

"6. Before using a public Wi-Fi network, install such software as Force-TLS and HTTPS-Everywhere, which are free add-ons to the Firefox browser. They make sure you use encryption features available on websites you visit. Virtual private network software — some of it free, some not — can also add security."

You could also use PrivateWiFi. And, there are more WiFi network security tips. To learn more, visit the Hot Spot Hacker article. If your mobile device uses the Android operating system, watch this Droidsheep video.

Received Poor Customer Service? How To Complain Effectively

Recently, Consumer Reports published the results of its survey about customer service by several retailers. Many companies' customer service operations rated poorly. Consumers often left the store (or website or hung up the phone) in frustration without getting heard or their issue heard or resolved.

Consumers should not have to sue a retailer to get a response or the services they paid for. The CR report offered several suggestions for consumers to complain effectively to get heard and ideally get your issue resolved:

1. Give praise: explain what the retailer did well. Whether on the phone or in-person, give the good news first and the bad news second. The customer service representative is human, is more likely to hear and act.
2. Stuck in voice-mail hell? Consult websites such as such as dialAHuman.com and getHuman.com for the customer-service numbers to exit voice-mail to access a live representative.
3. Keep a written record of the situation or problem. Keep any receipts. Make notes of the customer service representative's name, phone number and extension, date and time of your call -- or attempted call. If the representative provided a confirmation or service-request number, keep a record of that, and use that number later when following up online, via snail mail, or via phone.
4. Escalate appropriately: if you have tried the above tactics without success, escalate the issue to the representative's supervisor. If you can't get resolution, politely ask the customer service representative to get his/her boss on the phone line.
5. Don't give up. Speak firmly. Post your story on social-networking sites. Contact a consumer-advocate blogger. There are many around the country. If you use Twitter, use hashtags (examples: #custserv #fail; #sears #fail) to make your tweets searchable. 

Consumer Paid For Service Contract And Sears Fails To Provide Home Repair Service

This blog has always advocated for consumers. Today's blog post is about the experiences a friend has had with extremely poor home appliance repair service.

In July 2009, Ilene purchased a boiler from Sears Home Improvement with a Master Service contract (including repairs through 2015), for steam heat for her home. When Ilene tried to use the boiler for steam heat in the fall of 2009, it failed to start. Ilene's experience:

"In July of 2009, I bought a boiler from Sears Home Improvement along with a service contract. The first time I fired up the boiler to heat the house [in the Fall of 2009], it failed to work. I called the appropriate number to get service and was told that there were no contractors in my area and they would have to locate someone. I called several more times in the next few days and after 4 days of living in the cold, I called my plumber who not only fixed the problems, but also told me the installers had failed to skim the system and do several other things that were according to code."

Ilene added:

"Sears did send someone to inspect the boiler installation. He admitted to me there were flaws in the installation and said Sears was no longer using that contractor. Nevertheless, when I asked Sears to pay the plumber's bill, they refused, saying they had not authorized me to call my plumber. This caused me to sue in Small Claims Court."

Ilene sued Sears in Small Claims Court in March 2010, and won a settlement of $500. (Don't mess with seniors!) However, the court process cost her a filing fee and a day's lost pay. You'd think that after this experience, Sears would correct any gaps in its residential repair service. Apparently not by March 2011:

"On March 17, the boiler stopped working and after making sure it was not a fuse or thermostat problem, I called Sears Home Improvement for service. I was put on hold for over ten minutes (twice) and hung up convinced this was a deliberate evasion tactic. I was not called back until 5 days after I had lost heat, one day after my plumber had restored it. I was so angry, I told [Sears] it was fixed and I was going to sue them again."

Ilene lives in Cambridge, Massachusetts -- near Boston, a major metropolitan area. She wants to know why Sears sold her a service contract if they don't have any reliable contractors where she lives. And, Ilene also wants Sears to honor the Master Service contract she paid for.

In New England, it is often cold during March, with daytime temperatures in the 30's and low 40's -- colder nights with temperatures below freezing. As a senior citizen who has family living with her, and who recently had hip surgery, a working boiler for heat is critical.

Understandably, Ilene feels like she has been mugged by Sears:

"They certainly are not the same reputable Sears I grew up with!!"

Obviously, a consumer should not have to sue a retailer to get resolution. It seems unbelieveable that Sears cannot arrange reliable repair service for consumers living in a major metropolitan area in the Northeast.

According to The Consumerist blog, at least one other New England resident also went without heat during March after Sears failed to send a repair technician. Seven days without heat is too long. Repair service failures like this are unacceptable in cold weather regions.

It would seem that Ilene's experience of failing to get home boiler repair service from Sears is not an isolated event.

After some online searching, I noticed that while the Sears Home Services Twitter page is active, the Sears Home Appliances Twitter page appears to have been abandoned (with its last tweet dated May 2010). The Consumerist blog advised consumers to:

"... contact the Sears Cares executive customer service line, which can be reached at searscares@searshc.com."

Ilene asked for my help. First, I suggested to Ilene that she write to her U.S. Congress House representative and to her Massachusetts House representative about the repair service failures. Second, on Ilene's behalf to get Sears' response to this repair service failure, I sent an email inquiry to Sears on Sunday, March 27. While I did not receive a reply, a Sears representative called Ilene on Tuesday, March 29. According to Ilene:

"I was contacted by a representative from Sears as a result of your inquiry. She had reviewed the record and said Sears, "had definitely dropped the ball". She is doing further investigation, but acknowledged that I had a Masters Contract to cover repairs. I have an expectation that Sears will pay the bill to repair the boiler and hopefully to replace the pipe clogged up with sludge. Thank you so much for your assistance!"

You can contact the Sears representative, Stephanie, at 1(800) 573-8431, extension 11032.

Has anyone else experienced home repair service problems like this from Sears? If so, what did you do to correct the problem?

Briar Group Restaurants Settles 2009 Data Breach For $110K

In a press release yesterday, the Massachusetts Attorney General's office anounced a settlement with the Briar Group LLC restaurants for a 2009 data breach where the company failed to take reasonable steps to protect customers debit and credit card information:

"According to the lawsuit, filed in Suffolk Superior Court, the Briar Group experienced a data breach in April 2009, when malcode that was installed on Briar’s computer systems allowed hackers access to customers’ credit and debit card information, including names and account numbers. The malcode was not removed from the Briar Group’s computers until December 2009. Further, the complaint alleges that the Briar Group failed to change default usernames and passwords on its point-of-sale computer system; allowed multiple employees to share commons usernames and passwords; failed to properly secure its remote access utilities and wireless network; and continued to accept credit and debit cards from consumers after Briar knew of the data breach."

The Briar Group LLC ownes and operates several popular restaurants including Ned Devine's, the Green Briar, and The Harp, and Solas. The judgment, signed on March 28, 2011, requires the company to pay $110k in civiil penalties to the Commonwealth, and to comply with both Massachusetts data security regulations and Payment Card Industry Data Security Standards (PCIDSS). All restaurants in the company must also develop a security password management system and implement data security measures to comply with PCIDSS standards, including a Written Information Security Program (PDF document). 

Consumers need to know that retailers adequately protect their banking information as required by law. Congratulations to the Massachusetts Attorney General's Office.