5 Things You Should Know About Prepaid Cards

Right now, there probably are three different types of plastic in your wallet or purse. Each type has different rules, disclosures, government regulations, and fees. So, wise consumers use the best type of plastic instead of cash.

Most consumers are familiar with credit cards and debit cards -- the first two types of plastic. Credit cards include an interest rate applied to all purchases, plus a variety of fees (e.g., overdraft, annual usage). Debit cards are offered by banks to their account-holders to access money in their checking and savings accounts.

Prepaid cards often look like debit cards but have several important differences. Prepaid cards must have value stored or "loaded" onto them before they can be used. Usually, consumers use cash to add value to a prepaid card. Then, the consumer uses the prepaid card for purchases, which are deducted from the balance on the card until there is no value left on the prepaid card. Then, more value must be added to the card before it can be used again.

Retail stores, restaurants and malls offer prepaid cards, usually called gift cards. Chances are you may have already received a prepaid card as a gift. I've received and given several prepaid cards as gifts. Customers use the Dunkin' Donuts prepaid card are the chain's retail stores. Prepaid cards from The Old Spaghetti Factory, Starbucks, and Target all operate similarly. Some retailers use their prepaid cards to track customers' purchases for rewards for loyalty programs.

Besides retail stores, many other companies and entities offer prepaid cards. Some employers pay their employees via prepaid cards, often called payroll cards. These payroll cards are designed for employees who don't have checking and savings accounts. Behind every payroll card is a bank that handles the transactions.

Some employers offer their employees prepaid cards only for qualified healthcare spending purchases. Some golf clubs offer prepaid cards for their members to use at the club's golf store and restaurant.

Some banks offer prepaid cards, too, for consumers who lack checking and savings accounts. With all of these prepaid cards in use, it is important for consumers to to know the advantages and disadvantages. There is a pretty good CNN Money article that discusses what consumers should know about prepaid cards:

"Watch out for the fees: The average prepaid card charges nearly $300 in basic fees a year, such as monthly charges, ATM fees and reloading fees, a recent NerdWallet study found... many prepaid cards also charge activation fees, transaction fees, bill payment fees, declined transaction fees, inactivity fees, customer service fees and paper statement fees."

"They don't build credit: Using a prepaid card doesn't help you build credit with the three major credit bureaus... don't be fooled into thinking they are doing anything to boost your credit score."

To browse the entire list of five tips, read the CNN Money article. To learn more about the differences between the three types of plastic in your wallet/purse, read the FDIC alert about consumers' rights. You can also select Prepaid Cards in the tag cloud in the near right column.

What has been your experience? What prepaid cards have you used?

Two Years After Its Data Breach, Upromise Email Notice Leaves Customer Confused

William, an I've Been Mugged reader, received the below email message from Upromise.com:

"From: Upromise (member@your.upromise.com)
Subject: Important information regarding Personalized Offers
Date: March 10, 2012 12:14:23 AM EST
To: ***********@************

Dear William,
Our records show that you had the TurboSaver® toolbar installed with the optional Personalized Offers feature enabled at some point through January 21, 2010. Through that date, because of an issue with vendor-supplied software, the use of this feature resulted in the unintended collection and transmission of certain categories of your personal information to Upromise or our vendor. Depending on how a particular web page was configured, this could have included information you entered into forms such as usernames, passwords, search terms, credit card numbers or financial account numbers. Our members' privacy is extremely important to us, and we took immediate action when we learned of this issue in January 2010 by directing the software vendor to disable the Personalized Offers functionality. As a result of this change, the toolbar is not collecting or transmitting Personalized Offers data, even if your toolbar indicates that the feature is enabled.

As always, if you would like to uninstall the TurboSaver toolbar, simply access the toolbar menu by clicking the Upromise logo on the left hand side of the toolbar, select "Uninstall" and follow the prompts. If you have any questions, or need additional information, we welcome you to contact us at 1-800-877-6647 or email questions@upromise.com.

Sincerely,

The Upromise Customer Care Team
www.upromise.com"

William doesn't remember receiving a prior breach notice from Upromise, and says he is diligent about opening both email and postal mail from companies he does business with. William wants to know what is happening at Upromise, and why he received an email that looks like a breach notice two years after the data breach.

William does not appear to be the only concerned Upromise member. You can read posts by a couple customers in the Upromise community forum.

A review of the Upromise Facebook page and Upromise Insider blog did not find any posts during 2012 about a breach notice. I contacted Upromise and a representative, Deborah Hohler replied:

"When the matter came to our attention two years ago, we immediately addressed it and saw no evidence anyone’s data was misused. The protection of personal information is extremely important to us. This email communication was in connection with a proposed consent order from the FTC, and we worked with them on actual content and timing of the message."

At this point, a little history might help. In January 2010, PC Magazine reported about the Upromise breach involving the Upromise Toolbar:

"Privacy researcher and Harvard Business School Professor Ben Edelman has written a report on the practices of the Upromise Toolbar, called TurboSaver by the company. Upromise is a membership system through which you can earn money for college savings by buying items from certain vendors through Upromise. The toolbar facilitates this in your browser and tracks user behavior."

Another breach at a Sallie Mae company seems to have been the result of insider identity theft. In July 2011, WTHR Channel 13 in Indiana reported:

"The suspect is an employee at another Sallie Mae spin-off in Massachusetts - College Choice... In a letter sent to more than 300 parents, College Choice admitted an employee with its program manager, UPromise Investments, accessed names, social security numbers, birthdays and other contact information for seven months while on the job."

Also during July 2011, Upromise filed a breach notice (Adobe PDF) with the State of New Hampshire Department of Justice. The notice did not disclose how many customers were affected, but confirmed the WTHR news report and that letters were mailed to breach victims on June 23, 2011 -- about six months after the toolbar breach was discovered. I also checked Maryland, Vermont, and Wisconsin. None contained any Upromise breach notices, but Maryland hasn't yet uploaded breach notices received during 2011.

William lives in a state that does not post online the breach notices it receives.

The January 18, 2012 U.S. Federal Register (Adobe PDF) mentioned a proposed settlement agreement between the U.S. Federal Trade Commission (FTC) and Upromise, which alleged that:

"... Upromise engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for the personal information it collected and maintained. Among other things, Upromise: (1) Transmitted sensitive information from secure web pages, such as financial account numbers and security codes, in clear readable text; (2) did not use readily available, low-cost measures to assess and address the risks to consumer information; (3) failed to ensure that employees responsible for the information collection program received adequate guidance and training; (4) failed to take adequate measures to ensure that its service provider employed reasonable and appropriate measures to protect consumer information."

The proposed settlement agreement includes six parts describing the actions Upromise must take to improve its data security and notices to its members (bold emphasis added):

"Part I of the proposed order requires Upromise to disclose to consumers—before the download or installation of software that records or transmits information about any activity occurring on a computer involving the computer’s interactions with Web sites, services, applications, or forms—the types of information collected and how the information will be used. The disclosure must be clear and prominent and separate from other notices. The company must also obtain consumers’ express affirmative consent before the consumer downloads, installs, or otherwise activates such software. In addition, the company must provide this clear and prominent notice, and obtain express affirmative consent, before enabling data collection through any previously installed TurboSaver Toolbar and before making any material change from stated practices about collection or sharing of personal information through the Toolbar.

Part II of the proposed order requires Upromise to provide notice to consumers who, prior to the issuance of the order, had the Personalized Offers feature enabled. The notice must inform consumers about the categories of personal information that were, or could have been, transmitted by the feature, and how to disable the Personalized Offers feature and uninstall the Toolbar. Part III of the proposed order requires the company to destroy data it collected during the years covered by the complaint unless otherwise directed by the Commission.

Part IV of the proposed order prohibits the company from making any misrepresentations about the extent to which it maintains and protects the security, privacy, confidentiality, or integrity of any information collected from or about consumers. Part V of the proposed complaint requires Upromise to maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of such information (whether in paper or electronic format) about consumers. The security program must contain administrative, technical, and physical safeguards appropriate to Upromise’s size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers and employees. Specifically, the proposed order requires Upromise to:
- Designate an employee or employees to coordinate and be accountable for the information security program;
- Identify material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks;
- Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures; - Develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Upromise or obtain on behalf of Upromise, and require service providers by contract to implement and maintain appropriate safeguards; and
- Evaluate and adjust its information security programs in light of the results of testing and monitoring, any material changes to operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.

Part VI of the proposed order requires Upromise to obtain within the first one hundred eighty (180) days after service of the order, and on a biennial basis thereafter for a period of twenty (20) years, an assessment and report from a qualified, objective, independent third party professional, certifying, among other things, that: (1) It has in place a security program that provides protections that meet or exceed the protections required by the proposed order; and (2) its security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of sensitive consumer, employee, and job applicant information has been protected."

Upromise is a rewards program where members save towards college by making everyday purchases with Upromise partners: brick-and-mortar and online stores, restaurants, grocery stores, drug stores, and similar retailers. Upromise members include parents, grandparents, and other family members saving for college for a child, grandchild, or family member. Upromise members can invest their savings in a high-yield savings account or tax-deferred 529 plan, and then use that to pay down student loan, or request a check to pay for college expenses.

What might all of this mean?

According to Hohler at Upromise, the email message William received was part of the above proposed settlement agreement with the FTC (probably Part 2). Given this, the email is in my opinion confusing and unnecessarily vague. It raises more questions than it answers.

A better email update would have reminded Upromise members that this email was follow-up to a prior breach notice, and that it was prompted in part by the settlement agreement with the FTC. The email update didn't mention the settlement agreement at all.

A better email update would also explain why Upromise left a toolbar installed in customers' web browsers that might display inaccurate messaging which might confuse users:

"As a result of this change, the toolbar is not collecting or transmitting Personalized Offers data, even if your toolbar indicates that the feature is enabled."

This seems to conflict with Upromise's reply that, "... we immediately addressed it..." about the toolbar data breach. A defective browser toolbar still operating two years after the breach would make anyone wonder.

A better email update would instruct users how to upgrade the defective toolbar. A better email update would have mentioned the proposed settlement agreement with the FTC, and then outlined everything Upromise is doing, or has already done, to comply.

The comprehensive and detailed scope of the proposed consent agreement suggests to me that there were more data security problems at Upromise than a toolbar breach. It seems to me that most of the six parts of the proposed settlement agreement are data security methods a company would implement anyway to protect sensitive assets and customer information.

Having received a breach notice via postal mail after IBM's 2007 breach, I can definitely tell you that a breach letter is not something you would easily forget nor misplace. So, I believe William 100% when he said that the above email is his first notice from Upromise about its 2010 data breach.

In the 4+ years I have written this blog, I have encountered situations where companies experiencing data breaches have created a website about its breach investigation. IBM created such a web site after its 2007 data breach. I searched for such a site at Urpomise and didn't find one. Perhaps its exists and is behind a secure log-in available only to customers. Then again, William would have mentioned it if it exists. A better email update would summarize its breach investigation(s) and explain the proposed consent agreement.

As it stands, users like William are unsure and left wondering exactly what is happening. Transparent communication promotes trust.

If you were affected by the Upromise breach, what has been your experience? What do you think of Upromise's post-breach response? What are your opinions of the proposed settlement agreement?

How Companies Analyze Your Spending And Habits

Two really good news article explain how companies analyze consumers spending and social networking activity. I highly recommend that you read both articles.

The Forbes magazine article, "How Target Figured Out a Teen Girl Was Pregnant Before Her Father Did," summarized very well the problematic behavior of many corporations and retailers. To get a jump on its competitors, Target extensively analyzed -- perhaps better than most retailers -- its customers' purchases and attached undisclosed demographic data to each customer's identification number to mathematically predict what customers might by.

The prediction formulas were so good, Target was able to mathematically deduce from past purchases that this teen girl was pregnant and send coupons to her home -- all before the teen told her parent of the pregnancy:

"What Target discovered fairly quickly is that it creeped people out that the company knew about their pregnancies in advance... So Target got sneakier about sending the coupons. The company can create personalized booklets..."

These personalized coupon books were an attempt to hide the fact that Target knew so much, and disguise that knowledge by presenting both coupons not related to pregnancy with coupons that were related:

"... we learned that some women react badly... Then we started mixing in all these ads for things we knew pregnant women would never buy, so the baby ads looked random... we found out that as long as a pregnant woman thinks she hasn’t been spied on, she’ll use the coupons. She just assumes that everyone else on her block got the same mailer..."

One of my friends called Target's behavior "untethered stupidity" to market pregancy products to a teenager. Yes, that was incredibly stupid, and was likely enabled by its rush to make money. Some of my friends were surprised at the content of the above Forbes article. I wasn't surprised because of the amount of personal information shared:

• Consumers share on social networking websites the items (e.g., products, services, television/cable shows, music) products we like or prefer,
• Banks regularly collect and resell both debit-card and credit-card purchases,
• Consumers share on social networking websites a wide variety of sensitive personal data (e.g., birth date, children's names and ages, list of relatives). The full birth date makes it easy for data brokers and advertisers to distinguish several people with the same name,
• Consumers share product preferences and travel vacation habits through loyalty program memberships,
• State motor vehicle registries regularly sell drivers' data to companies and data brokers. That includes the car, from which marketers can deduce your wealth, favorite color, and when to pitch extended auto warranty service plans,
• Data brokers like Spokeo and Acxiom compile consumers' demographic data from public records and social networking websites, which retailers can purchase,
• Leaky entertainment, quiz, and gaming apps on social networking websites regularly collect consumers sensitive personal data,
• Leaky smartphone apps regularly collect consumers' sensitive personal data, they often shouldn't. The lack of privacy policies with these apps mean the app developers are free to sell the personal data collected.

What might that undisclosed demographic data be? It's pretty easy to deduce or infer:

• Name, address, age from the store loyalty program registration
• Income from any store credit cards, loyalty program registrations, surveys, or average purchase history over time (e.g., wealthy people spend more, less wealthy purchase more with coupons)
• Favorite colors from the colors of clothes purchased
• Left-handed preference from types of products purchased
• Personal preferences from any product comments at the retailer's web site or products "liked" at social networking websites (purchased from data brokers)
• Type of vision from purchases (e.g., non-prescription sunglasses indicate good vision)
• Health issues (e.g., eczema, dry skin, dandruff) from the types of lotions and shampoos purchased
• Health issues (e.g., over-weight) by the size of clothes purchased or from retailers offering pharmacies and in-store clinics
• Durable goods (e.g., dishwasher, washing machine, gas or electric oven) used at home from purchases
• Auto and electronics owned from purchases, either the item or related accessories purchased
• Approximate ages of children by types of toys purchased or from photographs at social networking websites
• Where else you shop, based on GPS coordinates collected from any apps installed on your smartphone, or data purchased from mobile service providers
• Retail stores that use facial recognition cameras can track your shopping patterns (e.g., when where, duration), even when you pay with cash and left your GPS-enabled cell phone at home, and supplement this with demographic data from photos you are tagged in at social networking websites
• Any gaps in the above demographic data can easily be filled by data purchased from data brokers like Acxiom and/or ads run on social networking websites

The New York Times article, "How Companies Learn Your Secrets," includes a more detailed analysis, with how marketers look for "chunks" in consumers' behaviors to predict future purchases:

"This process, in which the brain converts a sequence of actions into an automatic routine, is called “chunking.” There are dozens, if not hundreds, of behavioral chunks we rely on every day. Some are simple: you automatically put toothpaste on your toothbrush before sticking it in your mouth..."

Some chunks are more complex; consider the series of behaviors women will perform to prepare for a pregnancy: purchase different clothes, lotions, and/or personal hygiene items. Now, think more broadly, because everyone's behaviors can be chunked. Not just women. The researchers found:

"... when some customers were going through a major life event, like graduating from college or getting a new job or moving to a new town, their shopping habits became flexible in ways that were both predictable and potential gold mines for retailers. The study found that when someone marries, he or she is more likely to start buying a new type of coffee. When a couple move into a new house, they’re more apt to purchase a different kind of cereal. When they divorce, there’s an increased chance they’ll start buying different brands of beer. Consumers going through major life events often don’t notice, or care, that their shopping habits have shifted, but retailers notice..."

And a baby definitely qualifies as a major life event.

Now, consider your past purchases. Advertisers value that so they can serve up different products at these major life events. Coombine this with your GPS location in the physical world, and it is a marketers dream: to know you shop every Saturday morning and then serve up ads on your smartphone before you arrive at the supermarket; or to serve up childrens toy and food ads before you shop for their birthday parties.

Maybe all of this doesn't bother you, or maybe it does. The bottom line: where you go in the world, what you purchase, and how much you consume are all pretty personal facts. Consumers should have control over when and with whom this personal data gets shared. If you choose to share everything, fine. Some of us feel and act differently.

A Debit Card Cautionary Tale

[Editor's Note: today's post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. Michelle helps others improve their use of technology in their personal or professional life. Today, she tackles what I believe will become a huge identity-theft problem. As employers lower their administrative costs by outsourcing payment systems that include debit-card transactions, the result is a more complicated, patchwork mix of companies where it is not easily clear who is responsible when bad things happen.]

By R. Michelle Green

At a business conference I attended, the topic turned to health care insurance administration. Some of the attendees now have new debit cards they didn’t ask for. Their employers gave them debit cards for their health care expenses (to access their Flexible Spending Accounts). Instead of having to submit receipts, employees offer the card at the point of sale. If s/he tries to charge more than allowed, or tries to charge things that are not acceptable, the card is rejected. Easily fits into the distributor’s payment systems (cash credit debit), no paperwork for the employee, less evaluative work for the FSA provider. Everyone wins, right?

Not everyone.

Meet Caren (not her real name, of course). She offered her new debit card -- her's is called a United Healthcare Consumer Accounts Card -- for prescription meds in January last year. However, the purchase was rejected by the pharmacy. She assumed it was a glitch, and paid for it herself. While this eventually happened every time, she doesn’t have medical charges every day, so it took a while to recognize that the card never worked. For reasons not relevant here, she did not pursue this with the provider until the fall, only to discover that all her money had been used up on health care charges she didn’t make.

She spoke with United Healthcare using the phone number on her Consumer Accounts Card. She submitted all her information in writing as they requested. They produced a sheet showing that her charges mostly matched (about 70%) identical charges paid 1-2 business days after hers. Though they did not accuse her of fraud, they did say the case was closed and did not merit an appeal. When she approached her human resources provider, he said, well at least she got the tax break. (!) She didn’t get a tax break, she got a salary reduction! She was deprived of access to her own money, set aside from her salary. The debit card agreement online says that she should call the bank operating the card, but that hasn’t proven productive either.

Had a second card been issued to someone else, we wondered? Not to her (or to the bank’s) knowledge. Did the drugstore have signatures on the other charges ostensibly hers? The other charges were mail order charges through Medco, so no receipts or signatures. She has no account with Medco. The pharmacy is not interested in pursuing this, they’ve been paid (perhaps twice!). Medco won’t address it, as she is not a client. The debit card provider only knows the money is spent. The FSA account holder is satisfied that it was spent for the right things. Only Caren is out of pocket and disadvantaged. Doubly so – this was so traumatic that she did not enroll in FSA this year. That makes her ineligible for the associated tax benefit in 2012.

Turns out our blog host is interested in the way financial systems are evolving, and found this issue particularly interesting. There are a lot more parties in the mix than you might at first think. Caren has an employer small enough that it purchases human resources expertise from a national firm. So there’s Caren, Small Firm, and Big HR Firm. Big HR Firm takes the money from her account and sends it somewhere based on their agreement with United Healthcare. Her debit card is managed by United Healthcare, and Optum Health Bank administers that card for them. Optum Health Bank has a subsidiary, Optum Financial, that handles the flow of money from the holding account to the point of sale. And what about the pharmacy: could their processes have been compromised as well?

I read a lot about fraud and scams, and wondered if this could be the tip of a software theft operation, selecting certain customers, and duplicating certain customers’ receipts, at just low enough rates that they are not perceived. (Good movie, eh? But Occam’s Razor says: not likely.) But who is the person with enough clout to investigate this, particularly if no one person or entity loses big bucks?

Today she tweeted that she had heard from Big HR Firm – there’s nothing they can do. So who’s responsible? Several corporations are in play; doesn’t each have a responsibility to Caren? Who can help her?

Data Breach At Motorola Mobility Affects Refurbished XOOM Tablets

Motorola Mobility admitted Friday in a press release that it failed to erase the sensitive personal information of original owners on refurbished tablets. The breach included about 100 Motorola XOOM WiFi tablets from a batch of 6,200. The tablets were resold by Woot.com during October through December 2011.

Motorola did not specify the types of sensitive personal information exposed, but it likely include any personal information the original tablet owners stored on their devices:

"It is possible that users might have stored photographs and documents. They may have also stored user names and passwords for email and social media accounts, as well as other password-protected sites and applications."

Ya think so? Duh! Obviously, affected consumers should change their passwords at any online bank, financial, and social networking websites; especially if you stored your passwords on your Motorola tablet. Purchasers of the affected refurbished tablets should return their devices to Motorla to ensure that the memory of each device is cleared. If you purchased a refurbished Motorola XOOM Wi-Fi tablets from Woot.com between October and December 2011, you should visit motorola.com/xoomreturn or call Motorola Mobility Customer Support (1-800-734-5870 and select Option 1) to determine if your tablet is affected.

For consumers who purchased and then returned a Motorola XOOM Wi-Fi tablet to Amazon.com, Best Buy, BJ’s Wholesale, eBay, Office Max, Radio Shack, Sam’s Club, or Staples and a few other independent retailers between March and October 2011, Motorola offers a free two-year membership with Experian’s ProtectMyID Alert credit monitoring service. The company also directed original tablet owners to contact Experian at 1-866-926-9803 to register for their complimentary credit monitoring service.

At press time, refurbished XOOM tablets were selling for about $349 on Amazon.com.

This breach is troublesome. While breaches often happen, the company should have adequately wiped all sensitive personal data from refurbished tablets. That the company failed to do so makes one wonder if any malware was transmitted to purchasers of refurbished tablets -- or of any other Motorola mobile devices.

If you were affected by this data breach, share your experience below.

CVS Caremark Agrees To Pay $20 Million To Settle With Three States For Pension Fraud Claims

CVS Caremark Corporation has agreed to pay about $20 million to settle lawsuits in three states about alleged pension system fraud. The lawsuits were filed by two whistleblowers, CVS pharmacists, and claimed that CVS resold returned drugs, changed presecription orders to increase prcies, and filed false reports about prescriptions fulfilment dates. The Los Angeles Times reported:

"... CVS Caremark will pay nearly $7 million to the California Public Employees’ Retirement System, $4 million to the state of Illinois and $3 million to the state of Florida. Other money from the settlement went to plaintiff attorneys’ fees and costs..."

In 2007, CVS Corporation merged with Caremark Rx Inc.. The combined company operates about 7,000 retail stores, and provides prescription drug management services for employers.

Crain's Chicago Business reported Michael Leonard, a partner with Chicago-based law firm Meckler Bulger Tilson Marick & Pearson LLP, which along with Los Angeles-based law firm Engstrom Lipscomb & Lack LLP represented the whistleblowers, as describing the lawsuit:

“They fought the thing tooth and nail, and denied, denied, denied, despite what the evidence was...”

Move Your Money To... Walmart? A Good Deal?

This blog has covered extensively the ways banks have "mugged" consumers via higher fees, higher interest rates, traps, and tricks. I was surprised to read in the Tuesday the New York Times a report about some consumers moving their money to Walmart Money Centers, instead of to banks or credit unions. Move your money to Walmart? Really?

After reading the newspaper article, I visited the Walmart Money Centers website to learn more:

By offering several a la carte banking services (e.g., debit card, money transfers, bill pay, money orders, credit cards, check cashing, and checks), Walmart has wormed its way into banking. If it walks like a duck, sounds like a duck, and smells like a duck -- then it must be a duck. How was this allowed to happen?

Apparently, many consumers who don't have a checking account (e.g., referred to as the "unbanked") are using Walmart Money Centers to cash they paychecks, since the fees are lower than at many banks. I have mixed feelings about this. Here's why:

Advantages:

• It benefits consumers to have a competitive choice since Walmart Money Centers offer lower check-cashing fees than banks and payday lenders. That could create a downward pressure on banks to lower their fees to remain competitive
• I see the benefit to Walmart of paying its associates via Walmart debit cards. This removes or lowers the middle-man processor costs

Now, the disadvantages.

First, "banking" with Walmart is still very expensive for consumers. A $3.00 fee to cash a $800.00 weekly paycheck is really an effective annual interest rate of 19.5% ($3/$800 x 52 pay periods per year). That same $3.00 fee on a $400 weekly paycheck equals a 39% effective annual interest rate.

The Walmart MoneyCard (e.g., debit card) is expensive, too. The $3.00 fee to load money onto a card, plus the $3.00 monthly maintenance fee is really an effective annual interest rate of 18% (assuming a $300 paycheck and 26 pay periods per year). So, a consumer is paying 18% to access their own money. What? That 18% is a rate similar to many credit cards, where a consumer can avoid the interest charges by paying their balance in full at the end of the month.

While Walmart Money Centers may seem like an attractive option, it's really expensive "banking." Better to find a credit union with free checking and save both the $78 in annual check-cashing fees and $108 in annual debit card fees.

Second, I can understand the benefits for Walmart of paying its associates via Walmart debit cards. The benefits for Walmart Associates are questionable at best, given the above debit-card fees. The lack of banking choice is troublesome:

"Walmart associates may receive their pay either by direct deposit or through the First Data Money Network program and may access their wages through the Money Network MasterCard Paycard(R) or Money Network(TM) Checks."

This reminds me of the old "company store" practice from the 1800's where companies forced their employees to shop only at the company store, and kept them in debt bondage -- only it's worse today. How? Keep reading.

Third, the lack of disclosure and transparency is extremely troubling. If a consumer left Bank of America for a Walmart Money Center, then you are still banking with some of the same companies that perform outsourced, back-office financial transactions. According to a 2009 Reuters press release:

"Walmart, MasterCard Worldwide and First Data today announced a new, more sustainable payroll program designed to reduce the number of paper paychecks and pay stubs distributed each year to Walmart and Sam's Club associates... "

Alert readers will remember that First Data is a joint venture partner with Banc of America Merchant Services to process BofA debit card transactions. When I asked Bank of America to explain this joint venture, they declined to comment. And, there's more.

Wal-mart operates its Money Centers by outsourcing functions to Moneygram. According to Hoovers, Moneygram:

"... sells MoneyGram-branded cash transfers and money orders at some 227,000 locations around the globe. It is the leading provider of money orders in the US, issuing some 175 million annually. Wal-Mart is MoneyGram's largest money-transfer and money order agent, accounting for more than a quarter of the company's revenues. MoneyGram also offers in-person and electronic bill payment services, letting users pay everything from mortgages to utilities, and processes official checks for financial institutions."

In September, Fitch Ratings announced in a press release:

"MoneyGram has been informed that it is being investigated by a federal grand jury in connection with its consumer anti-fraud and anti-money laundering program matters for the period 2004 to early 2009. A prior similar investigation led to MoneyGram paying an $18 million fine..."

Thomas H. Lee Partners and Goldman Sachs own about 85% of MoneyGram.

Fourth, I thought that Walmart was prohibited from banking. The New York Times reported:

"Four years ago, Wal-Mart abandoned its plans to obtain a long-sought federal bank charter amid opposition from the banking industry and lawmakers, who feared the huge retailer would drive small bankers out of business and potentially conflate its banking and retail operations. Ever since, Wal-Mart has been quietly building up à la carte financial services, becoming a force among the unbanked and “unhappily banked,” as one Wal-Mart executive put it."

Fifth, the fine print about the Walmart MoneyCard states the following about its debit card:

"The Card is issued by GE Money Bank, member FDIC, pursuant to a license from Visa, U.S.A. Additional services provided by Green Dot Corporation. Not available in all states. Issuance fee, monthly fee, and other fees apply..."

This means that Walmart outsources its debit card operations to GE Money Bank, where cardholders' money and accounts are insured by the Federal Deposit Insurance Corporation (FDIC) which insures banks. So, the FDIC is effectively insuring Walmart! I'll bet you didn't know that. Neither did I until I read the fine print. How did this happen?

I hope the New York Times reports more about all of this.

My main point: if consumers choose to "bank" at Walmart Money Centers, you should know who you really are doing business with. The Walmart brand name appears the retail stores, but several outsourced companies actually process its financial transactions -- just like the big banks.

Me? Walmart Money Centers do not appeal to me for both the reasons above, and plus several Walmart business practices. Hence, I have boycotted Walmart since 2000.

What do you think? Are Walmart Money Centers a good option? If you have moved your money to Walmart, share your experiences.

How To Protect Your Sensitive Personal Data When Using Public WiFi Networks

Last week, I met a friend for lunch to discuss her new business venture. After lunch, we moved our discussion to a nearby coffee shop. While there, my friend surfed the Internet using her mobile device and the coffee shop's public WiFi network.

When we finished our discussion, I suggested that she change her passwords for the websites she visited, since she had signed into with HTTP connections instead of HTTPS connections. (My friend had not heard about PrivateWiFi.) During the subway ride home, I began to wonder what a comprehensive list for consumers would be of tips about how to securely use public WiFi networks, at places like airport lounges and coffee shops.

If you aren't familiar with the identity-theft threat, about a year ago there were many articles about the Firesheep Web browser plugin, which allows hackers at public WiFi hotspots to monitor nearby consumers' online sessions and steal account log-in passwords. A recent tweak of Firesheep allows it to steal your Google web history. Not to be outdone, the newer Droidsheep app allows hackers to monitor and steal from mobile devices running the Android operating system.

With tools like these, the identity-theft and fraud damages can be extensive. Thieves can send spam from your email and/or social networking website accounts, or steal money from your bank accounts.

So what can a consumer do to protect their data? This Hot Spot Hacker article offers several good tips for using your mobile device securely at public WiFi networks:

"1. Set your laptop or smart phone so you have to manually select the Wi-Fi network. You may need to change the default setting

2. Make sure you know the exact name of the establishment's Wi-Fi network and connect only to it. Don't be fooled by look-alikes."

These two tips are good reminders because it is easy to set your mobile device to automatically connect at coffee shops you visit repeatedly, and forget about WiFi network security.

"3. Avoid any hot spot that your device lists as "unsecured." Keep in mind that even if a password is required, a hot spot can still be unsecured."

This tip cannot be over emphasized. Of course, it is preferable to use WiFi networks that require a password log-in, but that is just a start. A password log-in is not complete security. For full security, the entire session must be encrypted, because browser cookie and other files transmitted during the session contain personal data hackers can abuse:

"4. If your device shows the site as secured, pay attention to what kind of encryption it lists. WEP (Wired Equivalent Privacy) is an early system, dating from over a decade ago. If it's WEP, treat the network as not secure. WPA (Wi-Fi Protected Access) is better, and WPA2 is best of all."

Most people I know have no idea what brand of wireless encryption to look for and to use. Now you know. Here's what else you need to know about WiFi network security:

"5. If you send personal data over a Wi-Fi link, do so only to an encrypted website. You can tell a site is encrypted if you see the letters "https" (the "s" stands for "secure") at the beginning of its Web address. Also, look for a lock icon on the top or bottom of pages throughout the site."

So, what can a consumer do to use WiFi networks safely and securely? One suggestion:

"6. Before using a public Wi-Fi network, install such software as Force-TLS and HTTPS-Everywhere, which are free add-ons to the Firefox browser. They make sure you use encryption features available on websites you visit. Virtual private network software — some of it free, some not — can also add security."

You could also use PrivateWiFi. And, there are more WiFi network security tips. To learn more, visit the Hot Spot Hacker article. If your mobile device uses the Android operating system, watch this Droidsheep video.

Received Poor Customer Service? How To Complain Effectively

Recently, Consumer Reports published the results of its survey about customer service by several retailers. Many companies' customer service operations rated poorly. Consumers often left the store (or website or hung up the phone) in frustration without getting heard or their issue heard or resolved.

Consumers should not have to sue a retailer to get a response or the services they paid for. The CR report offered several suggestions for consumers to complain effectively to get heard and ideally get your issue resolved:

1. Give praise: explain what the retailer did well. Whether on the phone or in-person, give the good news first and the bad news second. The customer service representative is human, is more likely to hear and act.
2. Stuck in voice-mail hell? Consult websites such as such as dialAHuman.com and getHuman.com for the customer-service numbers to exit voice-mail to access a live representative.
3. Keep a written record of the situation or problem. Keep any receipts. Make notes of the customer service representative's name, phone number and extension, date and time of your call -- or attempted call. If the representative provided a confirmation or service-request number, keep a record of that, and use that number later when following up online, via snail mail, or via phone.
4. Escalate appropriately: if you have tried the above tactics without success, escalate the issue to the representative's supervisor. If you can't get resolution, politely ask the customer service representative to get his/her boss on the phone line.
5. Don't give up. Speak firmly. Post your story on social-networking sites. Contact a consumer-advocate blogger. There are many around the country. If you use Twitter, use hashtags (examples: #custserv #fail; #sears #fail) to make your tweets searchable. 

Consumer Paid For Service Contract And Sears Fails To Provide Home Repair Service

This blog has always advocated for consumers. Today's blog post is about the experiences a friend has had with extremely poor home appliance repair service.

In July 2009, Ilene purchased a boiler from Sears Home Improvement with a Master Service contract (including repairs through 2015), for steam heat for her home. When Ilene tried to use the boiler for steam heat in the fall of 2009, it failed to start. Ilene's experience:

"In July of 2009, I bought a boiler from Sears Home Improvement along with a service contract. The first time I fired up the boiler to heat the house [in the Fall of 2009], it failed to work. I called the appropriate number to get service and was told that there were no contractors in my area and they would have to locate someone. I called several more times in the next few days and after 4 days of living in the cold, I called my plumber who not only fixed the problems, but also told me the installers had failed to skim the system and do several other things that were according to code."

Ilene added:

"Sears did send someone to inspect the boiler installation. He admitted to me there were flaws in the installation and said Sears was no longer using that contractor. Nevertheless, when I asked Sears to pay the plumber's bill, they refused, saying they had not authorized me to call my plumber. This caused me to sue in Small Claims Court."

Ilene sued Sears in Small Claims Court in March 2010, and won a settlement of $500. (Don't mess with seniors!) However, the court process cost her a filing fee and a day's lost pay. You'd think that after this experience, Sears would correct any gaps in its residential repair service. Apparently not by March 2011:

"On March 17, the boiler stopped working and after making sure it was not a fuse or thermostat problem, I called Sears Home Improvement for service. I was put on hold for over ten minutes (twice) and hung up convinced this was a deliberate evasion tactic. I was not called back until 5 days after I had lost heat, one day after my plumber had restored it. I was so angry, I told [Sears] it was fixed and I was going to sue them again."

Ilene lives in Cambridge, Massachusetts -- near Boston, a major metropolitan area. She wants to know why Sears sold her a service contract if they don't have any reliable contractors where she lives. And, Ilene also wants Sears to honor the Master Service contract she paid for.

In New England, it is often cold during March, with daytime temperatures in the 30's and low 40's -- colder nights with temperatures below freezing. As a senior citizen who has family living with her, and who recently had hip surgery, a working boiler for heat is critical.

Understandably, Ilene feels like she has been mugged by Sears:

"They certainly are not the same reputable Sears I grew up with!!"

Obviously, a consumer should not have to sue a retailer to get resolution. It seems unbelieveable that Sears cannot arrange reliable repair service for consumers living in a major metropolitan area in the Northeast.

According to The Consumerist blog, at least one other New England resident also went without heat during March after Sears failed to send a repair technician. Seven days without heat is too long. Repair service failures like this are unacceptable in cold weather regions.

It would seem that Ilene's experience of failing to get home boiler repair service from Sears is not an isolated event.

After some online searching, I noticed that while the Sears Home Services Twitter page is active, the Sears Home Appliances Twitter page appears to have been abandoned (with its last tweet dated May 2010). The Consumerist blog advised consumers to:

"... contact the Sears Cares executive customer service line, which can be reached at searscares@searshc.com."

Ilene asked for my help. First, I suggested to Ilene that she write to her U.S. Congress House representative and to her Massachusetts House representative about the repair service failures. Second, on Ilene's behalf to get Sears' response to this repair service failure, I sent an email inquiry to Sears on Sunday, March 27. While I did not receive a reply, a Sears representative called Ilene on Tuesday, March 29. According to Ilene:

"I was contacted by a representative from Sears as a result of your inquiry. She had reviewed the record and said Sears, "had definitely dropped the ball". She is doing further investigation, but acknowledged that I had a Masters Contract to cover repairs. I have an expectation that Sears will pay the bill to repair the boiler and hopefully to replace the pipe clogged up with sludge. Thank you so much for your assistance!"

You can contact the Sears representative, Stephanie, at 1(800) 573-8431, extension 11032.

Has anyone else experienced home repair service problems like this from Sears? If so, what did you do to correct the problem?

Briar Group Restaurants Settles 2009 Data Breach For $110K

In a press release yesterday, the Massachusetts Attorney General's office anounced a settlement with the Briar Group LLC restaurants for a 2009 data breach where the company failed to take reasonable steps to protect customers debit and credit card information:

"According to the lawsuit, filed in Suffolk Superior Court, the Briar Group experienced a data breach in April 2009, when malcode that was installed on Briar’s computer systems allowed hackers access to customers’ credit and debit card information, including names and account numbers. The malcode was not removed from the Briar Group’s computers until December 2009. Further, the complaint alleges that the Briar Group failed to change default usernames and passwords on its point-of-sale computer system; allowed multiple employees to share commons usernames and passwords; failed to properly secure its remote access utilities and wireless network; and continued to accept credit and debit cards from consumers after Briar knew of the data breach."

The Briar Group LLC ownes and operates several popular restaurants including Ned Devine's, the Green Briar, and The Harp, and Solas. The judgment, signed on March 28, 2011, requires the company to pay $110k in civiil penalties to the Commonwealth, and to comply with both Massachusetts data security regulations and Payment Card Industry Data Security Standards (PCIDSS). All restaurants in the company must also develop a security password management system and implement data security measures to comply with PCIDSS standards, including a Written Information Security Program (PDF document). 

Consumers need to know that retailers adequately protect their banking information as required by law. Congratulations to the Massachusetts Attorney General's Office.

Gas Station Pumps And the 'Clear' Button Email: A Real Solution?

Recently, a friend forwarded to me the email message below and asked if the solution suggested was valid. Perhaps you have seen this email too:

Subject: USE THE "CLEAR" BUTTON Using credit/debit card?

Read this note very carefully. I did not know about the clear button, but I will be pushing the clear button before I swipe my gas or debit card.

People are getting really desperate due to the constantly rising gas prices. A friend just told me about something that happened to one of his coworkers.. She used her credit/debit card to purchase gas at the pump (like most of us do). She received her receipt like normal.

However, when she checked her statement, there were 2 $50.00 charges added in addition to her purchase. Upon investigation, she found out that because she did not press the 'clear' button on the pump, the employee inside the store was able to use her card to purchase his/her own gas!

To keep this from happening, after you get your receipt, you must press the 'CLEAR' button or your information will be stored until the next customer inserts their card. Be sure to tell all your friends/family so that this doesn't happen to them. I had never noticed the clear button but I got gas the other day and sure enough it is there. I shall be using it from now on.

My response to my friend was that while the CLEAR button might prevent the next customer from using your debit card information, the CLEAR button is not a rreliable identity-theft prevention solution when using your debit/credit card at gas station pumps. Why? Because the identity criminals insert skimming devices inside gas station pumps. The skimming device reads and steals your card account information and personal identification number (PIN), and then transmits the data wirelessly to thieves nearby with a laptop. Gas station pumps are easy targets because the pumps are unattended for long periods of time when the gas station is closed.

So, you can press the CLEAR button a hundred times and that is not going to protect you against a tampered gas station pump with a skimming device inside.

 

Same thing if the skimming device is on the outside of a bank ATM machine: usually covering the card slot. The skimming device collects debit card account information and transmits the stolen data wirelessly to the criminals nearby with a laptop. If the skimming device can’t record your PIN number, then the thieves also install a tiny video camera above the bank ATM machine (or gas staton pump) to record your PIN via video. The thieves later match the PINs to accounts, make clones of the victims' debit cards with the stolen information, and then use the cloned debit cards to drain victims' checking accounts.

 

Recently, some criminals installed the skimming device inside the door jam when you use your debit card to open the bank ATM booth.

 

As I have written before, to avoid getting "mugged" at gas station pumps, consumer must protect their PIN. Experts advise that consumers should:

1. Pay at the pump using the "credit" option and not the "debit" option. This provides you with greater protections, liability limited to $50, and you don't use your PIN. Plus, you receive loyalty points if your credit card has a loyalty program.
2. If you want to pay using the "debit" option, don't pay at the pump. Go inside the gas station and pay at the cashier's window with your debit card. If a "signature debit" is available, use that there instead of your PIN.
3. If things look sketchy, pay with cash since that never discloses your bank account information.

What do I do? I pay with cash, especially if I am at a gas station I don't shop at regularly. It is impossible to tell if a gas station pump has been tampered with or not. I use my debit card only at my bank's ATM machines.

About email: if you receive an email with a suggested solution, it is always wise to check the authenticity at a website like Snopes.com. Not everything you receive in a nicely typed e-mail message is true. Snopes.com explains and debunks email hoaxes about various topics including gas station pumps.

Should You Pay With Credit, Debit, Cash Or a Charge Card?

There are important differences when shopping with a debit card versus a credit card. The new credit card rules highlight the need for consumers to make an informed choices about the payment method used when shopping. Identity thieves have increased their use of skimming devices at both gas station pumps and bank ATM machines.

So, which payment method is best: cash, credit cards, debit cards, or charge cards? This video below from ABC News offers some practical tips to help you make an informed choice.

If you need to build up your credit history and credit score, paying with cash and/or a debit card won't help. If you have the discipline, charge cards offer several advantages over credit cards including the opportunity to build your credit history/score.

For many years, I had an American Express charge card. I used it to pay for business travel, since my employer promptly reimbursed me for business travel. Later in my career, I simplified both my life and my finances by reducing my use of credit/plastic. Ultimately, I paid off all of my credit card debt and cut back to two credit cards from a high of five credit/charge cards (and a high balance of $18,000). Today, I pay my credit card bills in full every month.

Police Find Skimming Devices Inside Pumps at 180 Gas Stations in Utah

This is news regardless of where you live. Why? The use of skimming devices by identity criminals is not limited to Utah. ABC 4 television news reported:

"Utah police investigators said crooks have installed electronic "skimming" devices at 180 gas stations from Salt Lake to Provo in an attempt to steal bank card and pin numbers... The skimming device is actually located inside the gas pump... The “Skimmer” copied card and pin numbers giving the criminals free access to the victim’s bank accounts... Crooks used the stolen card information captured by the device to steal more than $11,000 using ATM machines in Los Angeles... Investigators don't know how many card numbers the crooks stole... The only way that you're going to know if you've fallen victim to this is if your credit card starts being used or if your debit card number starts being used..."

If thieves drain your checking account balance to zero, you'll know that way too. By then the damage has been done, and your bank may not reimburse you for the stolen money.

Because it is impossible to spot a gas station pump that has been tampered with, I never pay at the pump. Instead, I go inside to the cashier and pay with credit or cash. And I keep my credit card within eyesight. I use my debit card only at my bank's ATM machines.

TJX Hacker Gets 4 Years In Prison

It's important to note when identity thieves get what they deserve in court. The Wired Threat Level blog reported last week:

"Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy... Zaman, a 33-year-old former network security manager at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts. Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers."

The group used money mules to withdraw money from ATM machines with stolen bank account information and to wire money to overseas accounts in Latvia. In December 2009, former Morgan Stanley programmer and co-conspirator, Stephen Watt, received two years in prison. Watt wrote the code for a sniffer computer program used to steal card account data from the TJX network. For his role in the conspiracy and thefts, experts say Gonzalez may receive at least 17 years in prison.

Don't Get "Mugged" At A Gas Pump. Protect Your Debit Card Number and PIN

Prior posts have warned consumers about skimming scams at ATM machines and how to recognize and avoid ATM machines that has been tampered with. As consumers have use their debit cards more often at a wider range of retail stores, identity thieves have moved their skimming scams accordingly.

I wasn't surprised to read that criminals operate card-skimming scams at gas stations, and not just at ATM machines. I was surprised to learn the following: at ATM machines criminals attach a portable card-skimming device on the outside of the ATM card slot (where it can be seen if you are alert), but at gas stations criminals insert a portable card-skimming device inside the gas pump where it can't be seen by consumers.

Inside the gas pump? Read the scam alert from the AARP Webletter:

"Soon after filling up at the gas pump, a motorist learns that his bank account has been emptied. What happened? Another case of “skimming,” in which crooks place a portable card-reading device—readily available over the Internet—inside the pump. When the customer inserts his debit card and enters the required personal identification number, the device captures both the data from the card’s magnetic stripe and the PIN. Later, the devices are retrieved, and the stolen data is used to create a duplicate card to raid the victim’s bank account."

Gas stations are becoming a more popular target by identity thieves since the gas pumps are frequently unattended and not monitored by security cameras. This makes it easier for criminals to insert a portable card-reader device inside the gas pump to steal consumers' bank account information:

"That was the case with one member of the Russian mob, which is often behind organized skimming rings. He took a job at an Arco station and placed a skimming device inside a gas pump. After he disappeared, authorities learned that his hidden skimmer stole $300,000 from customers’ debit cards."

The skimming scams are made easier by older gas station pumps that don't encrypt the PIN numbers.

What should a consumer do to avoid getting "mugged" at a gas station? The first priority is to protect your personal identification number (PIN). Experts advise that consumers should:

1. Pay at the pump using the "credit" option and not the "debit" option. This provides you with greater protections, liability limited to $50, and you don't use your PIN. Plus, you receive loyalty points if your credit card has a loyalty program.
2. If you want to pay using the "debit" option, don't pay at the pump. Go inside the gas station and pay at the cashier's window. If a "signature debit" is available, use that there instead of your PIN.
3. Pay with cash if possible, since that never discloses your bank account information.

What do I do? I pay with cash, especially if I am at a gas station I don't shop at regularly.

Advice For Consumers About Holiday Shopping With Layaway Plans

Since banks and credit card companies have made it difficult to get and to keep credit, many consumers have turned to layway plans as a method to do their holiday shopping. If this situation describes you, then you should know that the U.S. Federal Trade Commission (FTC) issued an alert to consumers about layaway plans so you don't get "mugged" by a shady store or online retailer:

"... it’s important to ask questions about the layaway plan and the refund policy when considering the layaway option. The alert, “Layaway: Another Way to Buy,” also tells consumers to: check out the business offering the plan; get the merchant’s layaway policy in writing; and keep good records of payments."

To check out a business or retailer, visit the Attorney General’s Web site for your state (www.naag.org), the local consumer protection agency in your state, or the Better Business Bureau in your state. These resources can tell you if other consumers have already filed complaints about the retailer you are considering shopping at -- online or their physical store.

If you shop using layaway plans and encounter a problem, we'd love to hear about it. You can describe your situation below in a comment.

Weak Data Security Facilitates Data Breaches By Retailers

Yesterday, the Associated Press released its finding of an investigation into data breaches since 2006 and Payment Card Industry (PCI) compliance by retailers. The key findings:

"The government leaves it to card companies to design security rules that protect the nation's 50 billion annual transactions. Yet an examination of those industry requirements explains why so many breaches occur: The rules are cursory at best and all but meaningless at worst...More than 70 retailers and payment processors have disclosed breaches since 2006, involving tens of millions of credit and debit card numbers... many others likely have been breached and didn't detect it."

I've written previously about data breaches at debit/credit card payment processors that were audited and supposed to be PCI compliant. Too many retail companies are still not compliant with PCI standards:

"... one in 10 of the medium-sized and large retailers in the United States — face fines but are left free to process credit and debit card payments. Most retailers don't have to endure security audits, but can evaluate themselves."

Combine this with the fact that 20% of information technology professionals lie on data security audits, and you have a culture focused on making money and not protecting consumers sensitive personal data. Perhaps the damning part:

"Credit card providers don't appear to be in a rush to tighten the rules. They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system, which is built on speed, convenience and low cost."

The consequences tor consumers:

"It means every time you pay with plastic, companies are gambling with your personal data. If hackers intercept your numbers, you'll spend weeks straightening your mangled credit, though you can't be held liable for unauthorized charges. Even if your transaction isn't hacked, you still lose: Merchants pass to all their customers the costs they incur from fraud."

many of us have already experienced large increases in our credit card interest rates to cover higher expenses by banks and credit card issuers. I'm sure part of these higher expenses are the costs to re-issue credit cards after huge data breaches and to pay for the fraud.

The Associated Press article mentioned one example where it took a consumer four months to fix two credit cards that were hacked as part of the Hannaford grocery chain breach. And that didn't include the time spent to adjust online bill payment arrangements with those credit cards -- the work consumers must do and credit card companies don't help with after a data breach.

This means that retailers are more interested in making money and profits than a sincere effort to protect your sensitive personal data. Is this acceptable? Of course not. Can the retail and credit card industries do a better job? They should and must.

If this infuriates you (and I truly hope that this does make you mad), I encourage you to write to your credit card company and demand better data security, and not just fines of payment processors and retailers who are not PCI compliant. The address is on the back of your monthly credit card paper statement.

Then, write to your elected officials in Congress and demand both strong legislation to send to jail company executives who continue to ignore data security, stronger PCI standards, and an FTC policy that is stronger and more effective than the current self-monitoring policy.

Sears Settles With The FTC About Consumer Privacy Abuses With Undisclosed Tracking Software

I've Been Mugged discussed consumer privacy abuses by Sears in 2008. On June 4, 2009, ComputerWorld reported Sears Holdings Management settled with the U.S. Federal Trade Commission about a complaint where Sears failed to inform "My SHC Community" customers about the large amount of sensitive personal data it collected with a downloadable software application:

"Sears Holdings, owner of the Sears and Kmart retail chains, invited some visitors of Sears.com and Kmart.com to become members of the "My SHC Community," paying them $10 if they agreed to download "research" software that would confidentially track their online browsing... the software not only tracked browsing, but also monitored customers' online secure sessions, including sessions on third-party Web sites... The Sears software collected the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size of Web-based e-mail messages... The software would also track some computer activities that were unrelated to the Internet..."

From now through July 6, interested consumers can submit comments to the FTC about this Sears settlement. Before submitting a comment, consumers should read:

• How To File Public Comments by the FTC
• FTC press release about the Sears settlement
• The FTC Complaint and proposed settlement agreement

Based on comments received, the FTC will decide whether or not to proceed with the proposed settlement agreement. I encourage readers to review the proposed settlement. You may feel it is not strong enough, especialy about the sensitive consumer data Sears already collected.

Exposing The Online Tracking Of Consumers By Retailers

This MediaPost article really caught my attention. It seems that Cathy Dwyer, a professor at Pace University's Seidenberg School of Computer Science and Information Systems, sat students in front a computer and showed them all of the ways companies track their online usage. After witnessing this tracking the students' complacency turned to outrage:

"I do this with 18-, 19- and 20-year-olds, and once they find out this is going on they go ballistic. A few of them in one of my classes canceled their Facebook accounts..."

This online tracking includes a multitude of browser cookies and Web beacons which companies rarely or never disclose in their Web site Terms of Conditions and Privacy policies. To better understand this, Dwyer studied the Levis.com site:

"... Dwyer discovered, for instance, that a JavaScript downloaded to the browser came from Atlas and contained seven one by one image files from a range of behavioral networks. In all, Dwyer detected nine Web beacons dropped on the client machine, and one Omniture cookie that passed back a list of installed software on the machine."

This is important because, a) of the secrecy -- consumers are not informed of both the tracking activity and the wide range of companies involved, and b) it happens without the consumer's consent:

"None of the companies linked to these nine Web beacons are mentioned in Levi's privacy policy... The only third party mentioned is the digital advertising provider Avenue A, but none of these Web beacons link to Avenue A... this study shows the amount of data collected and shared with third parties is much higher than what is described in the Levi's privacy policy. Levi's customers are not asked to consent to these practices, and the partners that Levi's shares information with are not identified."

This secret targeted advertising without consent is also important because:

"...anonymity does not equal privacy. Privacy is not just a matter of controlling what information about oneself is disclosed to or by a third party. Dwyer and others contend that undisclosed behavioral tracking compromises our autonomy in the market."

In other words, consumers can't make informed choices about the products and services we buy, when our online experience is shaped and affected without our knowledge. Reportedly, Dwyer will present her research findings at the 15th Americas Conference on Information Systems in a paper titled, "Behavioral Targeting: a Case Study of Consumer Tracking on Levis.com."

If this bothers you (and I hope that it does), learn more about targeted advertising (a/k/a behavioral targeting). Then, write to your favorite retailers and demand more disclosure in their Web site Terms of Service and Privacy policies. If that doesn't work, write to your elected officials in Congress and demand legislation for more disclosure.