262 posts categorized "Retail" Feed

Mystery Package Scam Operating on Amazon Site. What It Is, The Implications, And Advice For Victims

Amazon logo Last fall, a couple living in a Boston suburb started receiving packages they didn't order from Amazon, the popular online retailer. The Boston Globe reported that the couple living in Acton, Massachusetts:

"... contacted Amazon, only to be told that the merchandise was paid for with a gift card. No sender’s name, no address. While they’ve never been charged for anything, they fear they are being used in a scam... The first package from Amazon landed on Mike and Kelly Gallivan’s front porch in October. And they have continued to arrive, packed with plastic fans, phone chargers, and other cheap stuff, at a rate of one or two a week."

The packages were delivered to the intended recipient. Nobody knows who sent the items: wireless chargers, a high-intensity flashlight, a Bluetooth speaker, a computer vacuum cleaner, LED tent lamps, USB cables, and more. After receiving 25 packages since October, the couple now wants it to stop. What seemed funny at first, is now a nuisance.

The Gallivans are not alone. CBC News reported that students at several universities in Canada have also received mystery packages containing a variety of items they didn't order:

"The items come in Amazon packaging, but there's no indication who's ordering the goods from the online retail giant. "We're definitely confused by it," said Shawn Wiskar, University of Regina Students' Union vice-president of student affairs. His student union has received about 15 anonymous packages from Amazon since late November, many of which contained multiple items. Products sent so far include iPad cases, a kitchen scale and a "fleshlight" — a male sex toy in the shape of a flashlight... Six other university student unions — Dalhousie in Halifax; St. Francis Xavier in Antigonish (Nova Scotia); Ryerson in Toronto; Wilfrid Laurier in Waterloo, Ontario; Royal Roads in Victoria; and the University of Manitoba in Winnipeg — have also confirmed that they've been receiving mysterious Amazon packages since the fall."

Experts speculate that the mystery packages were sent by fraudsters trying to game the retailer's review system. Consumers buy products on Amazon.com either directly from the retailer or from independent sellers listed on the site. The Boston Globe explained:

"Here’s how two experts who used to work for Amazon, James Thomson and Chris McCabe, say it probably works: A seller trying to prop up a product would set up a phony e-mail account that would be used to establish an Amazon account. Then the seller would purchase merchandise with a gift card — no identifying information there — and send it to a random person, in this case the Gallivans. Then, the phantom seller, who controls the “buyer’s” e-mail account, writes glowing reviews of the product, thus boosting the Amazon ranking of the product."

If true, then there probably are a significant number of bogus reviews on the Amazon site. The Boston Globe's news item also suggested that a data breach within a seller's firm might have provided scammers with valid mailing addresses:

"How did Mike, to whom the packages are addressed, get drawn into this? On occasion he’s ordered stuff on Amazon and received it directly from a manufacturer, once from China. That manufacturer or some affiliate may have scooped Mike’s name and address."

If true, then that highlights the downside of offshore outsourcing, where other countries don't mandate data breach disclosures. Earlier in 2017, a resident of Queens in New York City received packages with products she didn't order:

"... All she knows is that the sender is some guy named Kevin who uses Amazon gift cards... And she’s reported the packages to the NYPD, the FBI and the Better Business Bureau since Amazon hasn’t made the deliveries stop."

In that news report, a security expert speculated that criminals were testing stolen debit- and gift-card numbers. Did a seller have a data breach which went unreported? Lots of questions and few answers.

Security experts advise consumers to report packages they didn't order to various law enforcement and agencies, as the Queens resident did. Ultimately, her deliveries stopped, but not for the Gallivans.

Amazon has been unable to identify the perpetrators. At press time, a search of Amazon's Help and Customer Service site section failed to find content helping consumers victimized by this scam.

Perhaps, it is time for law enforcement and the U.S. Federal Trade Commission to step in. Regardless, we consumers will probably hear more news in the future about this scam.


Burger King's Whopper Neutrality Ad. Sincere 'Net Neutrality' Support Or Slick Corporate Advertising?

If you haven't seen it, there is a Whopper Neutrality ad online by Burger King, explains net neutrality in a very easy-to-understand way. Blog post continues after the video:

A November, 2017 poll found that 52 percent of registered voters supported the current rules, including 55 percent of Democrats and 53 percent of Republicans. After that poll, the Commissioners at the FCC voted to killed net neutrality protections for consumers.

Some have questions whether the ad is sincere support of an issue consumers care about, or slick corporate advertising which capitalize on a hot topic. I like the ad. Anything that helps more consumers understand the issue, and what we've lost, is a good thing.

Another view of the ad by The Young Turks. Share your opinions below after the video:

Related posts about net neutrality:


The United States Has A Problem: Declining Foreign Visitors

Visit-usa-coalition-figure1
The United States has a problem: the number of international visitors is declining. What are companies doing to counter this, lost revenues, and other negative impacts? Bloomberg reported (bold emphasis added):

"... 10 business associations, including the U.S. Chamber of Commerce and the National Restaurant Association, have created a travel industry group aimed at reversing the growing unpopularity of the U.S. as a vacation destination. So [last week], some of its biggest players unveiled the "Visit U.S. Coalition" to spur the Trump administration into enacting friendlier visa and border-security policies at a time when federal agencies are doing the opposite... Since 2015, the U.S. and Turkey have been the only places among the top dozen global travel destinations to experience a decline in inbound visitors, a time when other nations such as Australia, Canada, China and the United Kingdom have marked sizable gains..."

Visit-usa-coaltion-figure3Foreign visitors spend their travel money here, which helps businesses in the USA. The amount of the travel decline is measurable:

"... the Commerce Department reported a 3.3 percent drop in traveler spending for last year, through November, the equivalent of $4.6 billion in losses and 40,000 jobs. The U.S. share of international long-haul travel fell to 11.9 percent last year, from 13.6 percent in 2015, according to the U.S. Travel Association, a slippage the group said equates to 7.4 million visitors and $32.2 billion in spending."

According to its website, the Visit U.S. Coalition includes the following founding members: American Gaming Association, American Hotel & Lodging Association, American Society of Association Executives, Asian American Hotel Owners Association, International Association of Exhibitions and Events, National Restaurant Association, National Retail Federation, Society of Independent Show Organizers, the U.S. Chamber of Commerce, and the U.S. Travel Association.

What does this mean? What might the consequences be?

First, if the foreign tourism decline continues, experience tells us that after prolonged revenue losses, affected industries (e.g., hotels, transportation, restaurants, retail shopping, etc.) and companies will layoff or terminate workers. Not good for workers. Not good for the United States economy.

Second, it's great that several companies have organized together into groups... trade associations for several industries; and then several trade associations organized into a coalition... what you might call an uber-trade association... to highlight their concerns, remain competitive, and advocate for their interests. You'd expect any administration which promised to be pro-business would listen these concerns.

Third, the freedom to organize is an important part of a democracy, and a competitive marketplace. Workers want this freedom, too. Sadly, too many corporate executives and politicians deny workers the same freedoms they want their businesses to enjoy. You've probably heard the claim: "corporations are people, my friend." I guess they are a special class of people with more freedom than flesh-and-blood persons.

What do you think of the foreign visitor travel decline?


Royal Caribbean Cruise Line And CPP-The Myers-Briggs Offer Travel Personality Quiz

Inc. Magazine warned in 2016, "ready or not, companies will soon be tracking your emotions." Most Facebook users already knows this. Also in 2016, the social networking site expanded several reaction buttons beyond its (in)famous "Like" button to cover several emotions (e.g., "Love," "Haha," "Wow," "Sad," "Angry"):

Facebook-emotions-buttons

Maybe you have used these reaction buttons. Companies do this because effective marketing appeals to emotions instead of reason.

Now, a popular cruise line has taken things a step further. Cruise Critic, a popular travel site, announced:

"... Royal Caribbean has teamed up with CPP-The Myers-Briggs Company to launch a quiz that offers cruise recommendations based on your personality type. The assessment tool, found on MyAdventurePersonality.com, asks users 13 questions as they pertain to personal behavior and preferences... Once the results are calculated, users will be designated a travel personality type, such as Expert Adventure Planner, Laidback Wanderer and Spontaneous Sightseer. They also will receive an itinerary recommendation best suited for their type, with planning tips."

What is the Myers'Briggs assessment tool? The Myers-Briggs Foundation site explains:

"The purpose of the Myers-Briggs Type Indicator® (MBTI®) personality inventory is to make the theory of psychological types described by C. G. Jung understandable and useful in people's lives. The essence of the theory is that much seemingly random variation in the behavior is actually quite orderly and consistent, being due to basic differences in the ways individuals prefer to use their perception and judgment... In developing the Myers-Briggs Type Indicator [instrument], the aim of Isabel Briggs Myers, and her mother, Katharine Briggs, was to make the insights of type theory accessible to individuals and groups... The identification of basic preferences of each of the four dichotomies specified or implicit in Jung's theory. The identification and description of the 16 distinctive personality types that result from the interactions among the preferences."

Indeed, this assessment tool became very accessible. The Seattle Times reported in 2013:

"Chances are you’ve taken the Myers-Briggs Type Indicator (MBTI), or will. Roughly 2 million people a year do. It has become the gold standard of psychological assessments, used in businesses, government agencies and educational institutions... More than 10,000 companies, 2,500 colleges and universities and 200 government agencies in the United States use the test... It’s estimated that 50 million people have taken the Myers-Briggs personality test since the Educational Testing Service first added the research to its portfolio in 1962... Organizations administer the MBTI assessment to employees in one of two ways. They either pay for someone in their human-resources department to become certified, then pay the materials costs each time employees take the test. Or, they contract with certified, independent training consultants or leadership coaches."

Selected questions from the MyAdventurePersonality site. Click to view larger version The travel quiz uses different and fewer (13 versus ~ 88) forced-choice questions than the MBTI. Plus, the travel quiz categorizes consumers into four travel personality types (versus 16 types by the MBTI). And, the MBTI tool is administered by certified professionals in an ethical manner. So, consumers shouldn't assume that the travel quiz is as rigorous as the MBTI. Admittedly, MyAdventurePersonality may add more questions and/or types in the future.

If you are considering the travel quiz, wise consumers always read the fine print, first. The MyAdventurePersonality site uses the same legal and privacy policies as the core Royal Caribbean cruise line site. So, consumers should know that whatever they submit to the travel quiz will probably be freely shared with other entities, since the Royal Caribbean Privacy Policy does not state any limitations.

The MyAdventurePersonality site may be a marketing gimmick to attract new customers and/or better target e-mail marketing campaigns to current and prospective cruise travelers.

Me? After 28 cruise ship vacations (with many on Royal Caribbean ships) to many areas of the planet, I know my travel needs and preferences very well. So, I doubt the quiz will tell me something I don't already know.

What do you think? Should companies uses these types of quizzes?


Smart Lock Maker Suspends Operations

Otto, a smart lock maker, has suspended operations. Sam Jadallah, the firm's CEO, announced the suspension just before the Consumer Electronics Show (CES). TechCrunch reported:

"The company made the decision just ahead of the holidays, a fact that founder and CEO Sam Jadallah recently made public with a lengthy Medium post now pinned to the top of the startup’s site... Jadallah told TechCrunch that the company’s lock made it as far as the manufacturing process, and is currently sitting in a warehouse, unable to be sold by a hardware startup that is effectively no longer operating... The long and short of it is that the company was about to be acquired by someone with a lot more resources and experience in bringing a product to market, only to have the rug apparently pulled out at the last minute..."

The digital door lock market includes a variety of types and technologies, such as biometrics, face recognition, iris recognition, palm recognition, voice recognition, fingerprint recognition, keypad locks, and magnetic stripe locks. Consumer Reports rated bothh door locks and smart locks.

Several digital locks are available at online retail sites, including products by August, Brilong, Kwikset, Samsung, and several other makers.


Futurism: Your Life Without Net Neutrality Protections

Federal communications Commission logo You've probably heard that Ajit Pai, the Chairman of the U.S. Federal Communications Commission (FCC), is leading his agency towards a vote on December 14, 2017 to kill net neutrality. How will consumers' online lives change? Futurism described what your online life will be like without net neutrality:

"You’re at work and want to check Facebook on your lunch break to see how your sister is doing. This is not exactly a straightforward task, as your company uses Verizon. You’re not about to ask your boss if they’d consider putting up the extra cash every month so that you can access social media in the office, so you’ll have to wait until you get home.

That evening, you log in to pay your monthly internet bill — or rather, bills.

See, there’s the baseline internet cost, but without net neutrality, you also have to pay a separate monthly fee for social media, another for "leisure" pages like Reddit and Imgur, and another still for liberal-leaning news sites — because your provider’s CEO is politically conservative. Not only is your bill confusing, you’re not sure you can really afford to access all these websites that, at one point in time, you took for granted.

In addition to the sites you can access if you pay for them, there are also websites that have just become lost to you. Websites that you once frequented, but that now, you aren’t even sure how to access anymore. You can’t even pay to access them. You used to like reading strange Wikipedia articles late at night and cruising for odd documentaries — but now, all those interests that once entertained and educated you in your precious and minimal free time are either behind yet another separately provided paywall or blocked entirely. You’ve started to ask around, see if your friends or coworkers with other providers have better access... but the story is pretty much always the same."

Net neutrality meme highlighting blocked content. Click to view larger version In short, without net neutrality:

  1. You will lose the freedom to use the internet bandwidth you've purchased monthly as you desire;
  2. Corporate internet service providers (ISPs) increase their their revenues and profits by adding tolls to each package in a sliced-and-diced approach to internet content;
  3. Your internet bill will become just as confusing, frustrating, and expensive as your cable-TV bill, where ISPs force you to buy several expensive packages of sites in order to access your favorite sites;
  4. The new, expensive tolls allow ISPs to decide what internet content you see and don't see. Sites or content producers unwilling to pay fees to ISPs will find their content blocked or relegated to "slow" speed lanes; and
  5. Both middle-class and poor online users will bear the brunt of the price increases.

If you think this can't happen in the United States, consider:

"Some countries are already living this reality. In New Zealand, Vodafone offers mobile internet packages that are comprised of different types of services. You might have to pay a certain amount to access social apps like Snapchat and Instagram, and a separate fee to chat with friends via Facebook Messenger and iMessage. A similar framework is used by Portugal’s MEO, where messaging, social media, music streaming, video streaming, and email are also split into separate packages.

Long ago, FCC Chairman Pai made his position clear. Breitbart News reported on April 28, 2017:

"Federal Communications Commission (FCC) Chairman Ajit Pai told Breitbart News in an exclusive interview that an open and free internet is vital for America in the 21st century. During a speech at the Newseum on Wednesday, Pai said he plans to roll back the net-neutrality regulations and to restore the light-touch regulatory system established by President Bill Clinton and Congressional Republicans by the 1996 Telecommunications Act... Chairman Pai said during his speech that the internet prospered before net neutrality was enacted... Breitbart News asked the FCC chief why he thinks that net neutrality is a problem, and why we must eliminate the rule. He said: "Number one there was no problem to solve, the internet wasn’t broken in 2015. In that situation, it doesn’t seem me that preemptive market-wide regulation is necessary. Number two, even if there was a problem, this wasn’t the right solution to adopt. These Title II regulations were inspired during the Great Depression to regulate Ma Bell which was a telephone monopoly. And the broadband market we have is very different from the telephone market of 1934. So, it seems to me that if you have 4,462 internet service providers and if a few of them are behaving in a way that is anti-competitive or otherwise bad for consumer welfare then you take targeted action to deal with that. You don’t declare the entire market anti-competitive and treat everyone as if they are a monopolist. Going forward we are going to propose eliminating that Title II classification and figure out the right way forward. The bottom line is, everyone agrees on the principles of a free and open internet what we disagree with is how many regulations are needed to preserve the internet." "

Note the language. Pai uses "free and open internet" to refer to freedoms for ISPs to do what they want; a slick attempt to co-opt language net neutrality proponentsused for freedoms for consumers go online where they want without additional fees. Pai's "Light touch" means fewer regulations for ISPS regardless of the negative consequences upon consumers. Pai's comments in April attempted to spin existing net neutrality laws as antiquated ("the telephone market of 1934"), when, in fact, net neutrality was established recently... in 2010. Even the same Breitbart News article admitted this:

"Net neutrality passed under former Democrat Tom Wheeler’s FCC in 2010."

Pai's exaggerations and falsehoods are astounding. Plenty of bogus claims by Pai and net neutrality critics. In January of this year, President Donald Trump appointed Ajit Pai, a former lawyer with Verizon, as the FCC Chairman. Earlier this year, CNN reported:

"More than 1,000 startups and investors have now signed an open letter to Pai opposing the proposal. The Internet Association, a trade group representing bigger companies like Facebook, Google, and Amazon, has also condemned the plan. "The current FCC rules are working for consumers and the protections need to be kept in tact," Michael Beckerman, president and CEO of the Internet Association, said at a press conference Wednesday."

Regular readers of this blog are aware that more than "a few" ISPs committed abused consumers and content producers. (A prior blog post listed many historical problems and abuses of consumers by some ISPs.) Also, consider this: Pai made his net-neutrality position clear long before the public submitted comments to the FCC this past summer. Sounds like he never really intended to listen to comments from the public. Not very open minded.

As bad it all of this sounds, it's even worse. How? An FCC Commissioner, 28 U.S. senators, and the New York State Attorney General (AG) have lobbied FCC Chairman Pai to delay the net neutrality vote planned by the FCC on December 14, due to clear and convincing evidence of the massive fraud of comments submitted to the FCC's online commenting system.

In short, the FCC's online comments system is corrupted, hacked, and unreliable. The group (e.g., FCC commissioner, 28 Senators, and NY State AG) also objects to the elimination of net neutrality on the merits.

The fraud evidence is pretty damning, but Chairman Pai seems intent upon going ahead with a vote to kill net neutrality despite the comments fraud. Why? How? Ars Technica reported on December 4th:

"FCC Chairman Ajit Pai says that net neutrality rules aren't needed because the Federal Trade Commission can protect consumers from broadband providers... When contacted by Ars, Pai's office issued this statement in response to the [delay request] letter: "This is just evidence that supporters of heavy-handed Internet regulations are becoming more desperate by the day as their effort to defeat Chairman Pai's plan to restore Internet freedom has stalled. The vote will proceed as scheduled on December 14."

I find the whole process deeply disturbing. First, only 28 U.S. Senators seem concerned about the massive comments fraud. Why aren't all 100 concerned? Second, why aren't any House members concerned? Third, President Trump hasn't said anything about it. (This makes one wonder if POTUS45 either doesn't care consumers are hurt, or is asleep at the wheel.) Elected officials in positions of responsibility seem willing to ignore valid concerns.

Logo-verizon-protestsMany consumers are concerned, and protests to keep net neutrality are scheduled for later today outside Verizon stores nationwide. What do you think?


Security Researchers Announce Another Method To Defeat Apple Face ID

Bkav-artificial-mask
You may remember, earlier this year Apple launched its iPhone X with Face ID feature for users to unlock their phones:

"Your face is now your password. Face ID is a secure and private new way to unlock, authenticate, and pay... Face ID is enabled by the TrueDepth camera and is simple to set up. It projects and analyzes more than 30,000 invisible dots to create a precise depth map of your face."

Like it or not, there is no security system for your smartphone that can't be defeated. Mashable reported yesterday that security researchers have found another method to defeat Face ID:

"The same Vietnamese team that managed to trick Face ID with an elaborately constructed mask now says it has found a way to create a replicated face capable of unlocking Apple's latest and greatest biometric using a series of surreptitiously snagged photographs. Apple has copped to the fact that Face ID, for all its technical prowess, isn't perfect. It can be tricked by twins. For

The Bkav researchers explained in a blog post how their crude mask defeated Face ID:

"Bkav used a 3D mask (which costs ~200 USD), made of stone powder, with glued 2D images of the eyes. Bkav experts found out that stone powder can replace paper tape (used in previous mask) to trick Face ID' AI at higher scores. The eyes are printed infrared images – the same technology that Face ID itself uses to detect facial image. These materials and tools are casual for anyone. An iPhone X has its highest security options enabled, then has the owner's face enrolled to set up Face ID, then is immediately put in front of the mask, iPhone X is unlocked immediately. There is absolutely no learning of Face ID with the new mask in this experiment."

The same blog post also explained how a three-dimensional model can defeat Face ID:

"Bkav researchers said that making 3D model is very simple. A person can be secretly taken photos in just a few seconds when entering a room containing a pre-setup system of cameras located at different angles. Then, the photos will be processed by algorithms to make a 3D object.

It can be said that, until now, Fingerprint is still the most secure biometric technology. Collecting a fingerprint is much harder than taking photos from a distance. Meanwhile, just by taking photos from a distance to create 3D objects as mentioned above, both Apple's Face ID and Samsung's Iris Scanner can be bypassed easily."

Experts advise consumers to continue using passcodes, especially for online banking apps. And high-value targets (e.g., senior corporate executives, government officials, politicians, attorneys, etc.) probably shouldn't use facial recognition features to unlock their mobile devices.

I guess that 3-D models will provide law enforcement (and spy agencies) with new ways to use their archived collections of facial images. The Guardian reported earlier this year:

"Approximately half of adult Americans’ photographs are stored in facial recognition databases that can be accessed by the FBI, without their knowledge or consent, in the hunt for suspected criminals. About 80% of photos in the FBI’s network are non-criminal entries, including pictures from driver’s licenses and passports. The algorithms used to identify matches are inaccurate about 15% of the time, and are more likely to misidentify black people than white people."

What do you think?


German Regulator Bans Smartwatches For Children

VTech Kidizoom DX smartwatch for children. Select for larger version Parents: considering a smartwatch for your children or grandchildren? Consider the privacy implications first. Bleeping Computer reported on Friday:

"Germany's Federal Network Agency (Bundesnetzagentur), the country's telecommunications agency, has banned the sale of children's smartwatches after it classified such devices as "prohibited listening devices." The ban was announced earlier today... parents are using their children's smartwatches to listen to teachers in the classroom. Recording or listening to private conversations is against the law in Germany without the permission of all recorded persons."

Some smartwatches are designed for children as young as four years of age. Several brands are available at online retailers, such as Amazon and Best Buy.

Why the ban? Gizmodo explained:

"Saying the technology more closely resembles a “spying device” than a toy... Last month, the European Consumer Organization (BEUC) warned that smartwatches marketed to kids were a serious threat to children’s privacy. A report published by the Norwegian Consumer Council in mid-October revealed serious flaws in several of the devices that could easily allow hackers to seize control. "

Clearly, this is another opportunity for parents to carefully research and consider smart device purchases for their family, to teach their children about privacy, and to not record persons without their permission.


Whole Foods Says Data Breach 'Resolved'

Whole Foods Market logo During the weekend, Whole Foods Markets announced in a customer notification update that it had "resolved" a recent data breach involving the unauthorized access of customers' payment information in certain stores. The customer notification update stated:

"Whole Foods Market has resolved the incident previously announced on September 28, 2017, involving unauthorized access of payment card information used at certain venues such as tap rooms and full table-service restaurants located within some stores. These venues use a different point of sale system than the company’s primary store checkout systems, and payment cards used at the primary store checkout systems were not affected. Whole Foods Market learned of the unauthorized access on September 23, 2017. The company conducted an investigation, obtained the help of a leading cyber security forensics firm, and contacted law enforcement. Whole Foods Market replaced these point of sale systems for payment card transactions and stopped the unauthorized activity..."

Reportedly, the breach included about 100 locations. The company operates about 473 stores nationwide.

The breach method used by criminals and the types of payment information accessed:

"The investigation determined that unauthorized software was present on the point of sale system at certain venues. The software copied payment card information—which could have included payment card account number, card expiration date, internal verification code, and cardholder name—of customers who used a payment card at these venues at dates that vary by venue but are no earlier than March 10, 2017 and no later than September 28, 2017."

Earlier this year, Amazon acquired Whole Foods for about $13.7 billion. Whole Foods said that Amazon.com systems do not connect to the payment systems at Whole Foods stores, and that transactions on the Amazon.com site were not affected. An October 20, 2017 press release repeated most of the same information as the customer notification.

Besides the replacement of affected point-of-sale terminals, the customer notification did not elaborate about exactly how the breach was "resolved," how the malware was installed in the terminals, nor how the resolution will keep this type of breach from happening again. Often, a resolution includes the hardening of certain computer systems, improved malware detection software, improved managerial oversight, and/or the training of employees. This seems especially important for retail stores with multiple, exposed payment terminals.

Within the Whole Foods website, its September 28, 2017 press release headline links to the same October 20th customer information update. It seems the company deleted the September press release. Why do this? It makes it difficult for readers to determine what's new or changed since the September 28 disclosure.

Plus, hacking details matter. As readers of this blog know, unattended, free-standing payment terminals in retail stores have long been high-value targets for criminals armed with skimming devices. Was the malware introduced locally (e.g., manually by a person) at each terminal or centrally through the company's computer network? Sadly, the update did not explain. Hopefully, future updates will.

Until then, it's hard for customers to trust that the breach was fully "resolved." Replacing the affected terminals is no guarantee that the malware won't be re-introduced into the replacement terminals. If I continue to shop there, I'll use cash. What do you think?


Hacked Butt Plug Highlights Poor Security Of Many Mobile Devices

Image of butt plug, Hush by Lovense. Click to view larger version

In a blog post on Tuesday, security researcher Giovanni Mellini  discussed how easy it was to hack a Bluetooth-enabled butt plug. Why this Internet-connected sex toy? Mellini explained that after what started as a joke he'd bought a few weeks ago:

"... a Bluetooth Low Energy (BLE) butt plug to test the (in)security of BLE protocol. This caught my attention after researchers told us that a lot of sex toys use this protocol to allow remote control that is insecure by design."

Another security researcher, Simone Margaritelli had previously discussed a BLE scanner he wrote called BLEAH and how to use it to hack BLE-connected devices. Mellini sought to replicate Margaritelli's hack, and was successful:

"The butt plug can be remotely controlled with a mobile application called Lovense Remote (download here). With jadx you can disassemble the java application and find the Bluetooth class used to control the device. Inside you can find the strings to be sent to the toy to start vibration... So we have all the elements to hack the sex toy with BLEAH... At the end is very easy to hack BLE protocol due to poor design choices. Welcome to 2017."

Welcome, indeed, to 2017. The seems to be the year of hacked mobile devices. Too many news reports about devices with poor (or no) security: the encryption security flaw in many home wireless routers and devices, patched Macs still vulnerable to firmware hacks, a robovac maker's plans to resell interior home maps its devices created, a smart vibrator maker paid hefty fines to settle allegations it tracked users without their knowledge nor consent, security researchers hacked a popular smart speaker, and a bungled software update bricked many customers' smart door locks.

In 2016, security researchers hacked an internet-connected vibrator.

And, that's some of the reports. All of this runs counter to consumers' needs. In August, a survey of consumers in six countries found that 90 percent believe it is important for smart devices to have security built in. Are device makers listening?

Newsweek reported:

"Lovense did not immediately respond to a request for comment from Newsweek but the sex toy company has spoken previously about the security of its products. "There are three layers of security," Lovense said in a statement last year. "The server side, the way we transfer information from the user’s phone to our server and on the client side. We take our customer’s private data very seriously, which is why we don’t serve any on our servers." "

I have nothing against sex toys. Use one or not. I don't care. My concern: supposedly smart devices should have robust security to protect consumers' privacy.

Smart shoppers want persons they authorize -- and not unknown hackers -- to remotely control their vibrators. Thoughts? Comments?


'Map Your Orgasm' - A New Smart Device For Women

Recently, Mashable reported about a new smart device for women:

"The Lioness looks like a pretty standard vibrator on the outside, but inside it has four sensors that measure temperature, the force of muscle contractions, and track the movement of the device. When you’re done with your session, you can sync the Lioness with its app (available for iOS and Android). It then provides you with easy-to-read visualization of what was happening to your body while you were busy getting off. So, yes, essentially it gives you a map of your orgasm. You can also tag each session with different terms so you can track how your health, sleep, alcohol consumption, mood, etc. affect your experiences."

Gives you a map of your orgasm? That's a surprising description. Perhaps, I shouldn't have been surprised. First, there were online tools such as "map my ride" and map my run." Good stuff to help consumers stay healthy. I guess a tool resembling 'map your orgasm' was bound to happen.

Lioness sounds like a much better product name. To learn more, I visited the Lioness site. The home page featured this statement: "Don't worry, we will never share your email or spam you." That's a good start.

Privacy is important; especially with smart devices which collect intimate data about consumers. Earlier this year, news reports described a plan by a smart-device maker to resell the interior home maps its robovacs created. And, another smart vibrator maker paid hefty fines to settle allegations that it tracked users without their knowledge nor consent.

A wise person once said, "the devil is in the details." The privacy policy in a company's website is a good place to hunt for details. While blogging about privacy and identity theft during the last 10 years, I've read plenty of privacy policies. Plenty. I read the Lioness Privacy Policy (dated May 1) and found some notable sections:

"This Privacy Policy applies to our vibrators and other devices (“Devices”), our websites, including but not limited to lioness.io (individually a “Site” and collectively “Sites”), the Lioness software (“Software”) and Lioness mobile applications (the “Apps”). The Devices, Sites, Software and Apps are collectively referred to in this Policy as the “Lioness Service,” and by proceeding to use the Lioness Service you consent that we may handle the data that we collect from you in accordance with this Privacy Policy."

Pretty standard stuff so far. Warning: I'm not an attorney. If you want legal advice, hire an attorney. Like you, I'm just a regular consumer trying to understand smart devices while maintaining as much privacy as possible. Additional sections in the policy I found interesting:

"Sync Your Device
When you sync your Device through an App or the Software, data recorded on your Device is transferred from your Device to our servers. This data is stored and used to provide the Lioness Service and is associated with your account. Each time a sync occurs, we log data about the transmission. Some examples of the log data are the sync time and date, device battery level, and the IP address used when syncing."

Let's unpack that. The vibrator and its mobile app, record the date, time, and battery usage. Combine this with data collected from the four sensors and Lioness will know plenty about your usage: when (date and time), location, duration, preferred movement patterns, and more. It indeed could create a map. More sections in the policy:

"WHY WE COLLECT DATA
Lioness uses your data to provide you with the best experience possible, to help you learn about your body, and to improve and protect the Lioness Service. Here are some examples: i) Contact information is used to send you notifications and to inform you about new features or products... ii) Data and logs are used in research to understand and improve the Lioness Device and Lioness Service; to troubleshoot the Lioness Service; to detect and protect against error, fraud or other criminal activity; and to enforce the Lioness Terms of Service; iii) Aggregate data that does not identify you may be used to inform the health community about trends; for marketing and promotional use..."

Data That Could Identify You
Personally Identifiable Information (PII) is data that includes a personal identifier like your name, email or address, or data that could reasonably be linked back to you."

Hmmm. The policy does not list all data elements that personally identify you. For me, that's important to know. And, anything recorded on a smartphone can easily be linked to a person using her 10-digit phone number or the mobile device's serial number.

Informed shoppers probably want to know before purchase which other companies (e.g., business partners, affiliates, advertisers, etc.) Lioness shares data with. Its May 1, 2017 privacy policy also states:

"... companies that are contractually engaged in providing Lioness with services, such as order fulfillment, email management and credit card processing. These companies are obligated by contract to safeguard any PII they receive from us..."

"THIRD PARTIES
Lioness will not be responsible for the practices of third parties that Lioness does not own or control or individuals that Lioness does not employ or manage. The information provided by you to other third parties may be subject to their own privacy policies, which may differ from Lioness’s privacy policy. The Lioness Service may contain links to other sites, and we make every effort to only link to sites that share our high standards and respect for privacy. However, we are not responsible for the privacy practices employed by other sites..."

"DATA RETENTION
Lioness reserves the right to retain your PII for as long as your account remains active..."

So, the policy doesn't mention other companies by name. Not good. That makes it tough for consumers to make informed decisions.

Fitness tracking with the MapMyRide app On Facebook, many of my friends regularly share visual maps of their workouts. (See example on right.) That's their freedom of choice. So, some consumers are probably wondering if Lioness offers a similar share function. Again from the privacy policy:

"Community Posts
The Lioness Service may offer discussion forums, message boards, social networking opportunities, chat pages and other public forums or features in which you may provide personal information, materials and related content. If you submit personal information when using these public features, please note that such personal information may be publicly posted and otherwise disclosed and used without limitation or restriction."

So, the policy doesn't mention literal maps, per se. They might or might not provide the feature to users. The key takeaway: the responsibility rests upon the user. Don't share it if you don't want it made public.

It's probably helpful to also know that the product uses Bluetooth technology to perform data syncing. From the Lioness FAQ page:

"Wait...will there be bluetooth in my vagina?
Nope. We know that there are a lot of people who don’t like the idea of bluetooth being on while in use, so we made it so bluetooth automatically turns off when you use it."

Also, the FAQ page mentioned:

"Is my data stored securely and kept confidential?
Absolutely. We thought about privacy and security from the beginning for this product. You are the only one who can access your individual data. Everything is encrypted and we fully anonymize the data..."

That's good, but the privacy policy didn't mention data encryption. I expected it would. Not sure what to make of that.

Is the Lioness a good deal? Only you can decide for yourself -- and you should after reading both the privacy and terms-of-service policies.

Me? In my opinion, there seems to be too much wiggle-room for data sharing. The policy contains a lot of words and nothing special compared to other policies I've read. What are your opinions?


Russian Malware Targets Hotels In Europe And Middle East

FireEye, a security firm, has issued a warning about malware targeting the hotel industry within both Europe and the Middle East. The warning:

"... a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East. The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic... Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks... in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network..."

The key takeaway: criminals use malware to infiltrate the WiFi networks at hotels in order to steal the login credentials (IDs, passwords) of traveling business and government executives. The criminals know that executives conduct business while traveling -- log into their employers' computer networks. Stealing those login credentials provides criminals with access to the computer networks operated by corporations and governments. Once inside those networks, the criminals can steal whatever of value they can access: proprietary information, trade secrets, customer lists, executives' and organization payment information, money, or more.

A variety of organizations in both the public and private sectors use software by FireEye to detect intrusions into their computer networks by unauthorized persons. FireEye software detected the breach at Target (which Target employees later ignored). Security researchers at FireEye discovered vulnerabilities in HTC smartphones which failed to adequately protect users' fingerprint data for unlocking phones.

Security warnings earlier this year mentioned malware by the APT28 group targeting Apple Mac users. The latest warning by FireEye also described the 2016 hack in more detail:

"... the victim was compromised after connecting to a hotel Wi-Fi network. Twelve hours after the victim initially connected to the publicly available Wi-Fi network, APT28 logged into the machine with stolen credentials. These 12 hours could have been used to crack a hashed password offline. After successfully accessing the machine, the attacker deployed tools on the machine, spread laterally through the victim's network, and accessed the victim's OWA account. The login originated from a computer on the same subnet, indicating that the attacker machine was physically close to the victim and on the same Wi-Fi network..."

So, travelers aren't safe even when they use strong passwords. How should travelers protect themselves and their sensitive information? FireEye warned:

"Travelers must be aware of the threats posed when traveling – especially to foreign countries – and take extra precautions to secure their systems and data. Publicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible."


The Bogus Claims By Broadband Providers And Their Allies About Net Neutrality

The Techdirt blog has called out -- in plain language -- the bogus claims and distortions by broadband providers about net neutrality rules. Techdirt reported:

"... one of AT&T, Comcast and Verizon's favorite bogus claims about net neutrality rules is that such consumer protections will somehow prevent the sick or disabled from getting the essential internet connectivity they need. For example, Verizon once tried to claim that the deaf and disabled would be harmed if large ISPs weren't allowed to create fast or slow lanes.. this claim that net neutrality rules somehow prevent ISPs from prioritizing essential medical technologies or other priority traffic has always been bullshit. The FCC's 2015 open internet rules (pdf) are embedded with numerous, significant caveats when it comes to creating fast and slow lanes... In fact, the existing rules go to great lengths to differentiate "Broadband Internet Access Service (BIAS),” (your e-mail, Netflix streams and other more ordinary traffic) from “Non-BIAS data services,” which can include everything from priority VoIP traffic to your heart monitor and other Telemedicine systems."

The U.S. Federal Communications Commission (FCC), led by Ajit Pai a former lawyer at Verizon, moved closer to eliminating net neutrality with a preliminary vote in May. For those who don't know or have forgotten, net neutrality is when consumers are in control -- consumers choose where to go online with the broadband they've purchased, and ISPs must treat all content equally. That means no blocking, no throttling, and no paid prioritization. Net neutrality means consumers stay in control of where they go online.

Without net neutrality, consumers lose the freedom of choice. ISPs will decide where consumers can go online, which sites you can visit, and which sites you can visit only if you pay more. ISPs will likely group web sites into tiers (e.g., slow vs. fast "lanes"), similar to premium cable-TV channels. Do you want your monthly internet bill as confusing, complicated, and expensive as your cable-TV bill? I don't, and I doubt you do either.

TechDirt highlighted other bogus claims:

... how net neutrality kills network investment) doesn't stop it from being circulated repeatedly by the army of politicians, think tankers, consultants, fauxcademics, and lobbyists paid to pee in the net neutrality discourse pool.

One of the core perpetrators of this myth is AT&T, which just scored a massive, lucrative $6.5 billion contract to build the nation's first, unified emergency first responder network: aka FirstNet... AT&T isn't worried about net neutrality rules harming medical services, since they've long-been exempted. AT&T's worried about one thing: any rules stopping it from abusing a lack of broadband competition to drive up prices and engage in anti-competitive behavior."

Back in May, the U.S. Federal Communications Commission (FCC) tmoved closer to eliminating net neutrality with a preliminary vote in May.

What can you do? Plenty. Now is the time for more concerned citizens to rise, speak up, and fight back. Write to your elected officials. Tell your friends, classmates, coworkers, and family members. Use this action form to contact your elected officials. Participate in local marches and protests. Join the Fight For The Future. Support the EFF.


Hacked Amazon Echo Converted Into Always-On Surveillance Device

Image of amazon Echo Wired reported how a white-hat hacker provided proof-of-concept that a popular voice-activated, smart home speaker could easily be hacked:

"... British security researcher Mark Barnes detailed a technique anyone can use to install malware on an Amazon Echo, along with his proof-of-concept code that would silently stream audio from the hacked device to his own faraway server. The technique requires gaining physical access to the target Echo, and it works only on devices sold before 2017. But there's no software fix for older units, Barnes warns, and the attack can be performed without leaving any sign of hardware intrusion."

Amazon sells both new and refurbished speakers. Newer models also include cameras. All are probably high-value targets of hackers and spy agencies.

Reportedly, Amazon has fixed the security vulnerability in newer (2017) models. The company advises customers to keep the software on their speakers current, and purchase speakers from trusted retailers. However (bold emphasis added):

"... Barnes agrees that his work should serve as a warning that Echo devices bought from someone other than Amazon—like a secondhand seller—could be compromised. But he also points out that, contrary to the implication of the company's statement, no software update will protect earlier versions of the Echo, since the problem is in the physical connection its hardware exposes.

Instead, he says that people should think twice about the security risks of using an Echo in public or semipublic places, like plans for the Wynn Hotel in Las Vegas to put an Echo in every room."

Voice-activated smart speakers in hotel lobbies and rooms. Nothing could go wrong with that. All it takes is a prior guest, or criminal posing as a hotel staff or cleaning person, to hack and compromise one or more older devices. Will hotels install the newer devices? Will they inform guests?

For guaranteed privacy, it seems hotel guests may soon have to simply turn off (or mute) smart speakers, smart televisions, and personal assistants. Convenience definitely has its price (e.g., security and privacy). What do you think?


Robotic Vacuum Cleaner Maker To Resell Data Collected Of Customers' Home Interiors

iRobot Roomba autonomous vacuum. Click to view larger image Do you use a robovac -- an autonomous WiFi-connected robotic vacuum cleaner -- in your home? Do you use the mobile app to control your robovac?

Gizmodo reports that iRobot, the maker of the Roomba robotic vacuum cleaner, plans to resell maps generated by robovacs to other smart-home device manufacturers:

"While it may seem like the information that a Roomba could gather is minimal, there’s a lot to be gleaned from the maps it’s constantly updating. It knows the floor plan of your home, the basic shape of everything on your floor, what areas require the most maintenance, and how often you require cleaning cycles, along with many other data points... If a company like Amazon, for example, wanted to improve its Echo smart speaker, the Roomba’s mapping info could certainly help out. Spatial mapping could improve audio performance by taking advantage of the room’s acoustics. Do you have a large room that’s practically empty? Targeted furniture ads might be quite effective. The laser and camera sensors would paint a nice portrait for lighting needs..."

Think about it. The maps identify whether you have one, none, or several sofas -- or other large furniture items. The maps also identify the size, square footage, of your home and the number of rooms. Got a hairy pet? If your robovac needs more frequently cleaning, that data is collected, too.

One can easily confirm this by reading the iRobot Privacy Policy:

"... Some of our Robots are equipped with smart technology which allows the Robots to transmit data wirelessly to the Service. For example, the Robot could collect and transmit information about the Robot’s function and use statistics, such as battery life and health, number of missions, the device identifier, and location mapping. When you register your Robot with the online App, the App will collect and maintain information about the Robot and/or App usage, feature usage, in-App transactions, technical specifications, crashes, and other information about how you use your Robot and the product App. We also collect information provided during set-up.

We use this information to collect and analyze statistics and usage data, diagnose and fix technology problems, enhance device performance, and improve user experience. We may use this information to provide you personalized communications, including marketing and promotional messages... Our Robots do not transmit this information unless you register your device online and connect to WiFi, Bluetooth, or connect to the internet via another method."

Everything seems focused upon making your robovac perform optimally. Seems. Read on:

"When you access the Service by or through a mobile device, we may receive or collect and store a unique identification numbers associated with your device or our mobile application (including, for example, a UDID, Unique ID for Advertisers (“IDFA”), Google Ad ID, or Windows Advertising ID), mobile carrier, device type, model and manufacturer, mobile device operating system brand and model, phone number, and, depending on your mobile device settings, your geographical location data, including GPS coordinates (e.g. latitude and/or longitude) or similar information regarding the location of your mobile device..."

Use the mobile app and your robovac's unique ID number can easily be associated with other data describing you, where you live, and your lifestyle. Valuable stuff.

Another important section of the privacy policy:

"We may share your personal information in the instances described... i) Other companies owned by or under common ownership as iRobot, which also includes our subsidiaries or our ultimate holding company and any subsidiaries it owns. These companies will use your personal information in the same way as we can under this Policy; ii) Third party vendors, affiliates, and other service providers that perform services on our behalf, solely in order to carry out their work for us, which may include identifying and serving targeted advertisements, providing e-commerce services, content or service fulfillment, billing, web site operation, payment processing and authorization, customer service, or providing analytics services.

Well, there seems to be plenty of wiggle room for iRobot to resell your data. And, that assumes it doesn't change its privacy policy to make resales easier. Note: this is not legal advice. If you want legal advice, hire an attorney. I am not an attorney.

The policy goes on to describe customers' choices with stopping or opting out of data collection programs for some data elements. If you've read that, then you know how to opt out of as much as possible of the data collection.

The whole affairs highlights the fact that the data collected from different brands of smart devices in consumers' homes can be combined, massaged, and analyzed in new ways -- ways in which probably are not apparent to consumers, and which reveal more about you than often desired. And, the whole affair is a reminder to read privacy policies before purchases. Know what valuable personal data you will give away for convenience.

Eyes wide open.

Got an autonomous robotic lawn mower? You might re-read the privacy policy for that, too.


National Parks: Buy Your Senior Pass Before the Price Hike

The U.S. National Park Service (NPS) is responsible for the care of the nation's parks. With 417 sites, its park system includes 129 historical parks or sites, 87 national monuments, 59 national parks, 25 battlefields or military parks, 19 preserves, 18 recreation areas, 10 seashores, four parkways, four lake shores, and two reserves. Last year, the NPS celebrated its 100th anniversary.

Visiting and camping within national parks are popular activities, especially during the summertime. More than 307 million persons visited the national park system during 2015. The NPS operates 879 visitor centers and contact stations. It employs more than 22,000 permanent, temporary, and seasonal workers. 440,000 volunteers assist those workers. Browse more NPS statistics (Adobe PDF), and the proposed 2018 budget to fix much deferred maintenance.

The NPS offers a variety of passes for frequent users and groups. Lifetime passes for seniors (age 62 or older) are a bargain since the pass holder can use it plus accompanying passengers is a single, private, non-commercial vehicle. The price of a senior pass will rise from $10.00 to $80.00 on August 28. For those counting, that is a 700 percent price increase!

U.S. citizens or permanent residents can buy passes. There are three ways to buy senior passes:

A $10.00 processing fee is charged for online and postal orders. Applicants must provide documentation proving citizenship and age. See the Frequently Asked Questions: Recreational Passes page (USGS site) for additional information, including forms of acceptable documentation. Within the parks and recreational sites, there may be additional fees for special services (e.g., camping, swimming, boat launch, specialized interpretive services). The senior pass may provide a 50 percent discount on these fees, but does not cover fees charged by concession stands.

Six agencies participate in the Interagency Pass Program: National Park Service, U.S. Forest Service, U.S. Fish and Wildlife Service, Bureau of Land Management, Bureau of Reclamation, and the U.S. Army Corps of Engineers. So, senior passes also provide access to other agencies' sites -- more than 2,000 sites in total.

Not a senior? Besides standard annual passes ($80.00 each), the NPS offers a variety of annual passes: free passes for military members and their dependents, passes for 4th grade students, free passes for persons with disabilities, and free passes for volunteers. To learn more, visit the NPS site and use its park search finder.

Want to buy your pass in person? Not all sites sell passes, so check this list of federal recreation sites that issue passes (Adobe PDF) for the site nearest to you.

I bought my senior pass as the Adams National Historic Park in Quincy, Massachusetts. The park includes the birthplaces of two presidents, the "summer White House," Stone Library, the Adams Carriage House, and 13 acres of a historic landscapes. Guided tours (April 19 - November 10) start at the visitor center (1250 Hancock Street, Quincy, MA), where senior, military, and 4th grade recreational passes can also be purchased in person.

National parks offer much to see and do. I've visited several national parks covering a wide variety of natural environments, scenery, and wildlife: Denali National Park, Glacier National Park, Grand Canyon National Park, Haleakala National Park, and Volcanoes National Park. Words and photos cannot express the beauty!

I want my grandchildren and great-grandchildren to be able to visit and see the natural wonders in our national parks. Have you visited a national park? Which is your favorite?


How Two Common Medications Became One $455 Million Specialty Pill

[Editor's Note: today's guest post, by the reporters at ProPublica, explores reasons for the high cost of prescription drugs for patients in the United States. Today's post is reprinted with permission.]

by Marshall Allen, ProPublica

Everything happened so fast as I walked out of the doctor's exam room. I was tucking in my shirt and wondering if I'd asked all my questions about my injured shoulder when one of the doctor's assistants handed me two small boxes of pills.

"These will hold you over until your prescription arrives in the mail," she said, pointing to the drug samples.

Strange, I thought to myself, the doctor didn't mention giving me any drugs.

I must have looked puzzled because she tried to reassure me.

"Don't worry," she said. "It won't cost you any more than $10."

I was glad whatever was coming wouldn't break my budget, but I didn't understand why I needed the drugs in the first place. And why wasn't I picking them up at my local CVS?

At first I shrugged it off. This had been my first visit with an orthopedic specialist and he, Dr. Mohnish Ramani, hadn't been the chatty type. He'd barely said a word as he examined me, tugging my arm this way and bending it that way before rotating it behind my back. The pain made me squirm and yelp, but he knew what he was doing. He promptly diagnosed me with frozen shoulder, a debilitating inflammation of the shoulder capsule.

But back to the drugs. As an investigative reporter who has covered health care for more than a decade, the interaction was just the sort of thing to pique my interest. One thing I've learned is that almost nothing in medicine 2014 especially brand-name drugs 2014 is ever really a deal. When I got home, I looked up the drug: Vimovo.

The drug has been controversial, to say the least. Vimovo was created using two readily and cheaply available generic, or over-the-counter, medicines: naproxen, also known by the brand Aleve, and esomeprazole magnesium, also known as Nexium. The Aleve handles your pain and the Nexium helps with the upset stomach that's sometimes caused by the pain reliever. The key selling point of this new "convenience drug"? It's easier to take one pill than two.

But only a minority of patients get an upset stomach, and there was no indication I'd be one of them. Did I even need the Nexium component?

Of course I also did the math. You can walk into your local drugstore and buy a month's supply of Aleve and Nexium for about $40. For Vimovo, the pharmacy billed my insurance company $3,252. This doesn't mean the drug company ultimately gets paid that much. The pharmaceutical world is rife with rebates and side deals 2014 all designed to elbow ahead of the competition. But apparently the price of convenience comes at a steep mark-up.

Think about it another way. Let's say you want to eat a peanut butter and jelly sandwich every day for a month. You could buy a big jar of peanut butter and a jar of grape jelly for less than 10 bucks. Or you could buy some of that stuff where they combine the peanut butter and grape jelly into the same jar. Smucker's makes it. It's called Goober. Except in this scenario, instead of its usual $3.50 price tag, Smucker's is charging $565 for the jar of Goober.

So if Vimovo is the Goober of drugs, then why have Americans been spending so much on it? My insurance company, smartly, rejected the pharmacy's claim. But I knew Vimovo's makers weren't wooing doctors like mine for nothing. So I looked up the annual reports for the Ireland-based company, Horizon Pharma, which makes Vimovo. Since 2014, Vimovo's net sales have been more than $455 million. That means a lot of insurers are paying way more than they should for their Goober.

And Vimovo wasn't Horizon's only such drug. It has brought in an additional $465 million in net sales from Duexis, a similar convenience drug that combines ibuprofen and famotidine, AKA Advil and Pepsid.

This year I have been documenting the kind of waste in the health care system that's not typically tracked. Americans pay more for health care than anyone else in the world, and experts estimate that the U.S. system wastes hundreds of billions of dollars a year. In recent months I've looked at what hospitals throw away and how nursing homes flush or toss out hundreds of millions of dollars' worth of usable medicine every year. We all pay for this waste, through lower wages and higher premiums, deductibles and out-of-pocket costs. There doesn't seem to be an end in sight 2014 I just got a notice that my premiums may be increasing by another 12 percent next year.

With Vimovo, it seemed I stumbled on another waste stream: overpriced drugs whose actual costs are hidden from doctors and patients. In the case of Horizon, the brazenness of its approach was even more astounding because it had previously been called out in media reports and in a 2016 congressional hearing on out-of-control drug prices.

Health care economists also were wise to it.

"It's a scam," said Devon Herrick, a health care economist with the National Center for Policy Analysis. "It is just a way to gouge insurance companies or employer health care plans."

Unsurprisingly, Horizon says the high price is justified. In fact, the drug maker wrote in an email, "The price of Vimovo is based on the value it brings to patients."

Thousands of patients die and suffer injuries every year, the company said, because of gastric complications from naproxen and other non-steroid anti-inflammatory drugs (NSAIDs). Providing pain relief and stomach protection in a single pill makes it more likely patients will be protected from complications, it said.

And Horizon stressed Vimovo is a "special formulation" of Aleve and Nexium, so it's not the same as taking the two separately. But several experts said that's a scientific distinction that doesn't make a therapeutic difference. "I would take the two medications from the drugstore in a heartbeat 2014 therapeutically it makes sense," said Michael Fossler, a pharmacist and clinical pharmacologist who is chair of the public-policy committee for the American College of Clinical Pharmacology. "What you're paying for with [Vimovo] is the convenience. But it does seem awful pricey for that."

Public outrage is boiling over when it comes to high drug prices, leading the media and lawmakers to scold pharmaceutical companies. You'd think a regulator would monitor this, but the Food and Drug Administration told me they are only authorized to review new drugs for safety and effectiveness, not prices. "Prices are set by manufacturers and distributors," the FDA said in a statement.

Horizon acquired Vimovo in November 2013 from the global pharmaceutical giant AstraZeneca. Horizon knew it faced challenges trying to get top dollar for inexpensive ingredients. "Use of these therapies separately in generic form may be cheaper," it said in its 2013 report to investors. But the company executed a shrewd strategy to give everyone -- insurers, patients, doctors and pharmacies -- the incentive to use Vimovo. It's instructive to review its playbook.

To get Vimovo covered, Horizon made deals with insurance payers and pharmacy benefit managers -- the intermediaries who help determine which drugs get reimbursed. The contracts generally included special rebates and even administrative fees for these intermediaries, the Horizon reports said, so the drug maker got paid much less than the sticker price, though it wouldn't say how much. But the company's net sales show the deals worked.

Horizon put boots on the ground to get the prescriptions rolling, expanding its sales force by the hundreds and focusing its marketing and sales efforts on doctors who already liked to prescribe brand-name drugs. The company's message to doctors emphasized the convenience of prescribing the two ingredients in a single pill and that the single pill protected patients by making it more likely they would take their medication as directed.

Horizon also primed the medical community by giving donations totaling $101,000 to the American Gastroenterology Association, a specialty nonprofit for physicians. Some doctors refuse drug-industry money, if only to at least avoid the appearance of a conflict of interest. ProPublica has done loads of stories showing why doctors taking money is indeed problematic, including one about drug makers' influence on physician specialty groups. When I went on the American Gastroenterology Association's website, the first thing I saw was a pop-up ad from a drug company. Several of the association's board members have received drug-company money, too. Horizon has made clear in its annual reports that donations to the group "help physicians and patients better understand and manage" the risks of pain relievers causing gastric problems.

Horizon also zeroed in on patients' worries about drug costs. To encourage them to fill their prescriptions, Horizon covered all or most of their out-of-pocket costs. That's why my doctor's office could promise me I wouldn't spend too much for my Vimovo. The program, Horizon told investors in reports, addressed the impact of pharmacies switching to less expensive alternatives and could "mitigate" the effect of payers searching for cheaper alternatives.

The strategy worked on me. I didn't even know why I was getting the prescription, but when they told me it wouldn't cost more than I would spend on lunch with a friend, I gave it the OK. A pharmacy I'd never heard of sent me a bottle of Vimovo for $10, even though my insurance company rejected the claim.

Turns out paying the patient's costs motivated my doctor, too. I waited until the end of my next visit to bring up Vimovo, and then we had a follow-up conversation on the phone. Ramani didn't know the price of the drug and found it "disturbing" when I told him. That was a surprise to me, but not to him. He said he leaves billing to his staff and doesn't even know how much he gets paid for a lot of the procedures he performs, let alone how much insurers are being charged for drugs. The marketing arms of companies like Horizon must count on this sort of blindness.

Ramani doesn't receive money or gifts from Horizon. (I confirmed this on ProPublica's Dollars for Docs website, which lists drug-company payments.) He said he likes Vimovo because Horizon covers the patient's out-of-pocket costs, entirely in many cases. Prescribing the generics or over-the-counter medications separately would actually cost more, he said. Which of course is exactly the company's plan. But Ramani agreed that the high cost of the drug to insurers ultimately raises overall health care costs for all Americans.

Knowing Vimovo's price, I asked him if he would continue to prescribe it. "It changes my thought process," he said. "But at the end of the day, I have to think about the patient and whether the patient will be able to pay out of pocket or not."

Ramani said the Horizon drug rep told him Vimovo prescriptions had to go through a particular pharmacy for the patient to receive financial assistance. In its 2016 annual report, Horizon wrote that prescriptions for its drugs might not be filled by certain pharmacies because of insurance-company exclusions, co-payment requirements, or incentives to use lower-priced alternatives. So that's why they didn't give me the option of picking up my pills at my neighborhood drugstore.

Instead, my Vimovo was mailed to me from White Oak Pharmacy in Nutley, New Jersey, which is about 45 minutes from my house. I drove there to find out why. The neighborhood pharmacy is on the bottom floor of a two-story brick building on a street corner, next to a hair salon.

Vishal Chhabria, the pharmacist who owns White Oak, told me the drug company sets the price of Vimovo. He insisted his pharmacy has no special relationship or contract with Horizon. Maybe the drug company steers prescriptions his way, he said, because his pharmacy will process the coupons that reduce or eliminate the patient costs, which some pharmacies don't.

Chhabria said there is no approved generic alternative to Vimovo, so he can't suggest one to patients. And while other drugs, like over-the-counter medications, would be cheaper for the health system overall, they are more expensive for the individual patient, he said.

In poring through Horizon's financial filings, it appears the drug's run may be ending. Horizon said in its report for the first quarter of 2017 that fewer insurance companies have been willing to cover Vimovo and many that do have demanded larger rebates. As a result, Horizon has been eating more of the costs of providing the drug to patients, as they must have in my case. The prescriptions have still been coming in, but net sales were just under $5 million in the first quarter of this year, down 81 percent from the first quarter of 2016.

Critics of Vimovo say that's still more than patients should be spending on the drug. "That number should be zero," said Linda Cahn, an attorney who advises corporations, unions and other payers to help reduce their costs. "If you want to talk about waste, that's waste."

Herrick, the health care economist, said Horizon cashed in by eliminating many of the barriers in the system that are meant to control costs. The company got patients on board by covering their out-of-pocket costs. It appealed to doctors by promoting the benefits to patients. And it did an end-run around chain pharmacies, which typically might suggest a lower-priced alternative, by steering prescriptions to pharmacists who would participate in their patient-assistance program.

"Somebody brainstormed: 'How can we nullify any consumer check and balance in this supply chain? What can we do to keep the customer from asking questions?'" Herrick said.

The scheme that played out with Vimovo is bound to happen again, Herrick said. Maybe it already is. Drug companies are always on the lookout to deploy similar strategies.

I dutifully took my Vimovo for several days, until I noticed it kept me awake until 3 in the morning 2014 a rare side effect. (Perhaps they need to add a third drug to the combo.) I probably have more than 50 pills left in the bottle on my bedside table. Maybe I could sell it back to Horizon for $1,500.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Verizon To Exit Its Copper Wire Telephone Business In Several States In 2018

Verizon logo If your home uses a copper wire telephone service, often called a "landline" or POTS (e.g., Plain Old Telephone Service), you may soon have to make a change. In Boston, Verizon will abandon its landline business in June 2018.

On Saturday, my wife received a letter via postal mail from Verizon. We live in Boston. The "Notice of Copper Retirement" stated:

"Currently, Verizon brings voice and/or data services to your home over copper cables. However, the company is updating to fiber-optic technology in your area, and will be retiring its copper facilities that currently serve you and your neighbors.

To continue to provide you service, Verizon will have to move your service to these fiber-optic facilities. If fiber is available to your home now, we will be contacting you individually soon to schedule an appointment to transition your services to fiber. Otherwise, we will be contacting you once fiber is available. In either case, we will need to move your service well before we retire the copper in your area which is scheduled for on or after June 1, 2018

We will transfer your voice services from copper to fiber at no cost to you. This transfer will not result in any change to the voice service that you currently receive from Verizon. You may continue to subscribe to the same voice service at the same price, terms, and conditions. In addition, any devices that rely upon your voice service, such as fax machines, medical devices, or security alarms connected to a central station, will continue to work in the same way as they currently do over copper. We will also provide you with a battery backup device at no charge. For almost all residential customers, that device uses standard D-cell batteries that can support up to 24 hours of standby voice service during a commercial power outage. In case of a prolonged power outage, you can simply replace the batteries and extend the backup power.

If you subscribe to our High Speed Internet service, the migration to fiber will require a change since that service is not available on our fiber facilities. The Internet access service that we offer on fiber is FiOS Internet. FiOS Internet is available at significantly faster speeds than High Speed Internet. We will offer the service at a special rate for customers who migrate from copper to fiber facilities as a result of the retirement of our copper facilities. In some cases, this price may be lower or higher than what you currently pay for internet access.

Please review the Frequently Asked Questions for additional information about the fiber update or visit us at verizon.com/fiberupgrade. If you still have questions, please call us Monday through Friday, 8 a.m. - 8 p.m., or Saturday 9 a.m. - 5 p.n. at 1-877-439-7442.

You may also contact the Federal Communications Commission or your State Commission if you have any questions. Thank you for continuing to be a loyal customer. We greatly appreciate your business.

Sincerely

Janet Gazlay Martin
Director, Network Transformation

I visited the website mentioned in the notice. That site pitches the FiOS Internet service, and doesn't explain the company's copper landline retirement activities. You have to do a little digging online to find the locations where Verizon announced its retirement of copper-wire telephone services. The locations include several states in the Northeast and Middle Atlantic regions. Earlier this month, Verizon announced the retirement of copper landlines next year in the following states, cities, and towns:

  • Delaware: Newark, Ocean View
  • Maryland: Bethesda, Columbia, Glen Burnie, Rockville, Towson
  • Massachusetts: Danvers, Dorchester, Framingham, Hanover, Lawrence, Leominster, Marblehead, Newton, North Chelmsford, Roxbury, Stoughton, West Roxbury
  • New Jersey: Bergen, Berlin, Cape May, Cranford, East Dover, East Orange, Ewing, Freehold, Hackensack, Haddonfield, Journal Square, Marlton, Medford, Merchantville, Morristown, New Brunswick, Red Bank, Somerville, Toms River, Union City, Wall Township, Woodbury
  • New York: Cayuga Williamsville, Cornwall, Mineola, Mount Vernon, Plainview Central, Skaneateles, White Plains, and multiple areas within all of the five boroughs of New York City
  • Pennsylvania: Allentown, Dormont, Glenolden, Jefferson, Jenkintown, Mayfair, Mechanicsburg, portions of Philadelphia, Pilgrim, Turtle Creek, Wilkinsburg
  • Rhode Island: portions of Providence
  • Virginia: Arlington, Falls Church, Reston, Springfield, Virginia Beach, and portions of Richmond

The telecommunications company made similar announcements during February, 2017 about other areas within the same states. Verizon is not alone. Telephone companies have planned for years to abandon their their copper landline services. In August 2015, the Institute of Electrical and Electronics Engineers (IEEE) reported that the U.S. Federal Communications Commission (FCC):

"... set new ground rules for carriers seeking to replace their old copper telephone networks. Approved by a 3-2 vote at an open meeting yesterday, the rules require carriers to notify customers in advance and to seek FCC approval before reducing services... FCC chairman Tom Wheeler and others have been pushing to shift telephone traffic to fiber optics and the Internet. Critics have charged that phone companies are allowing their old copper networks to decay to force customers to shift to fiber service. But some 37 million households —- many of them headed by elderly people —- remain on legacy copper, commissioner Mignon Clyburn noted at the hearing. Other holdouts live in rural areas that lack cellular and broadband service. Some prefer copper connections because they are independent of local power lines, and offer better 911 emergency service.

The FCC ruling requires that carriers notify retail customers at least three months before shutting down a copper network, and provide six-months notice to interconnecting carriers using the old lines. (Clyburn complained that that's much less time than the FCC gave before shutting down analog broadcast television, but voted for the measure anyway.) Carriers also must seek FCC approval if the telephone changeover would "discontinue, reduce or impair" service... In a separate vote, all five FCC commissioners agreed to require carriers to offer customers backup power supplies that maintain their phone service during prolonged power outages..."

You can read announcements by AT&T about copper landline retirements. CenturyLink notified the FCC last year about copper landline retirements in eight states: in Alabama, Florida, Michigan, Minnesota, Pennsylvania, Virginia, Washington, and Wisconsin.

Since the FCC set copper-retirement rules in 2015, technology adoption has climbed slightly. In January of this year, Pew Research reported that 77 percent of adults in the USA own a smartphone and 73 percent have broadband internet at home. However, while:

"... broadband adoption has increased to its highest level since the Center began tracking this topic in early 2000, not all Americans have shared in these gains. For instance, those who have not graduated from high school are nearly three times less likely than college graduates to have home broadband service (34 percent vs. 91 percent)... 12 percent of Americans say they are “smartphone dependent” when it comes to their online access – meaning they own a smartphone but lack traditional broadband service at home. The share of Americans who are smartphone dependent has increased 4 percentage points since 2013, and smartphone reliance is especially pronounced among young adults, nonwhites and those with relatively low household incomes."

While more people have smartphones and internet access at home, a sizeable number still have copper landlines. Phys.org reported in November 2016 the results of a recent survey:

"... 20 percent of the nation's households still view having a landline or fixed telephone as the most important of their telecommunications choices, according to a survey that queried consumers about their telephone and internet preferences... The study also found that for the average consumer, having mobile telephone service is about 3.5 times more important than a landline or fixed telephone service... Study findings suggest about 90 percent of American households have at least one mobile phone, 75 percent have fixed internet service, 58 percent have mobile internet service and 49 percent have fixed telephone service. Mobile telephone service was the most important service for the typical respondent, followed by fixed internet service, mobile internet service and fixed telephone service, although a portion rank fixed telephone first."

According to the 2012 United States Census, there are about 117 million households in the United States, and 2.59 persons on average per household. So, a substantial portion of the population will probably view negatively the termination of copper wire telephone services in their homes.

Verizon's copper termination notice was unnecessarily complicated, which could confuse many consumers. The portion of its notice which said "If fiber is available to your home..." was laughable. FiOS is already available in our neighborhood. Verizon notified me months ago, and I already migrated my antiquated DSL (Digital Subscriber Line) internet service on my phone line to FiOS. Verizon's landline business unit should know what its FiOS division is doing.The left hand should know what the right hand is doing.

So, Verizon's notice wasn't as customized nor as relevant as it could have been. It makes one wonder if, in its zeal to terminate its copper wire phone business, Verizon rushed the customer letters.

Readers of this blog remember the Boston City Council's hearings in 2015 about residents' requests for FiOS. In 2015, Verizon hadn't deployed FiOS even though it had been available in several suburban towns for many years. Example: a friend in Lexington has had FiOS since at least 2009. So, Verizon could have deployed FiOS far sooner, providing consumers more time to migrate their phone service without rushing.

What should consumers do? It depends upon your lifestyle. If you already have a smartphone, you may want to simply terminate your landline phone service and use your smartphone instead. If you don't have a smartphone, you can migrate your copper landline phone service to Verizon's FiOS fiber connection, to a smartphone, or to another telephone service provider. For example, many cable-TV providers, such as Comcast, provide phone service in residences.

Some consumers value security and privacy. If you perform phone-based banking or online banking with your desktop/laptop computer, then security is a concern. Since smartphones or wireless phones using home WiFi networks transmit using radio waves, you'll probably want to encrypt you wireless online banking transmissions to protect against theft by criminals or hackers. Several brands of Virtual Private Network (VPN) software and apps are available to encrypt your wireless transmissions. If you are unfamiliar with VPN software, this prior blog post contains links to online primers and tutorials.

If you received a copper termination letter from your phone company, what were your opinions of it? Did you switch to fiber landlines or to wireless?


Coming Soon: A New HD Video Standard For TV. Will Over-The-Air Broadcasts Remain Free?

Federal communications Commission logo Soon, consumers will hear about improvements in over-the-air broadcast television. Free, broadcast television has been around since forever, and High Definition (HD) broadcast signals have been around since 2009. Many consumers have chosen free, over-the-air broadcast television to avoid expensive monthly cable-TV bills.

Consumer Reports explained:

"Technically called ATSC 3.0, the new broadcast standard is—thankfully—being more generally billed as "Next-Gen Broadcast TV." There are a few big differences between our current ATSC 1.0 broadcasts and the new ones we'll receive as part of ATSC 3.0. A key one is that the new standard is IP (internet protocol)-based, which means it can carry internet content alongside traditional TV broadcasts. The broadcasts can also include 4K video and high dynamic range (HDR) content—the two biggest selling points in TVs right now."

And, consumers will be able to receive the new HD broadcast signals on their smart phones. Reportedly, the coming ATSC 3.0 standard will use a more efficient video format, called HEVC or H.265, which streaming services already use.

Last year, WRAL-TV in Raleigh, North Carolina began to broadcast using the new standard with a documentary, "Take Me Out To the Bulls' Game." The U.S. Federal Communications Commission (FCC) announced in February a Notice of Proposed Rulemaking (NPRM) which sought comments from the public about the new HD broadcast standard. That FCC announcement stated, in part:

"ATSC 3.0 has the potential to greatly improve broadcast signal reception on mobile devices and television receivers without outdoor antennas.  It is also intended to enable broadcasters to offer enhanced and innovative new features to consumers, including Ultra High Definition picture and immersive audio, more localized programming content, an advanced emergency alert system capable of waking up sleeping devices to warn consumers of imminent emergencies, improved accessibility options, and interactive services.

A coalition of broadcast and consumer electronics industry representatives petitioned the Commission to allow the use of the new standard. The upgraded technology is intended to merge the capabilities of over-the-air broadcasting with the broadband viewing and information delivery methods of the Internet using the same 6 MHz channels presently allocated for digital television (DTV)."

Like most things in life, details matter. Consumer Reports warned:

"... Jonathan Schwantes, senior policy counsel at Consumers Union, the policy and mobilization arm of Consumer Reports, says that some consumers could lose the ability to get some ATSC 1.0 signals if the host station is located farther away than their current broadcaster.

"Our position is that next-gen TV can and will be beneficial to consumers if implemented by the FCC in a measured and conscientious manner," he says. That could include making sure the current coverage areas are preserved as much as possible, not allowing broadcasters to downgrade the quality of ATSC 1.0 broadcasts from high to standard definition, and providing consumers with education on issues such as the timing of the transition and what new equipment they may need."

So, some broadcasters might choose to cut corners while migrating to the new standard: reduce their existing HD over-the-air signal strength, degrade their existing HD signal quality, or both. Not good.

And, there's more bad news for consumers. The new HD broadcast standard may cost more. You're probably wondering how, since over-the-air broadcasts have been free since television was introduced. Consumer Reports explained:

"... broadcasters could encrypt at least part of their programming, and require users to create an account and pay for access to certain features. No details are available on how this would work from the consumer's point of view. Consumers Union and other groups say they will insist that consumers continue to have access to free over-the air high-definition TV reception."

The new HD broadcast standard should not include hidden costs or new fees for consumers. For many consumers, new televisions are expensive and out of reach. Many consumers have chosen to "cut the cord" to save money. For these consumers, free over-the-air broadcast television is vital.

Nor should broadcasters be able to cut corners and force consumers to the new HD standard by degrading their existing HD signal strength and/or quality. The new HD broadcast standard should be voluntary for consumers. Nor should consumers be forced to submit to broadcasters their personal, contact, and payment information. One of the benefits of over-the-air broadcasts is privacy.

The next-gen TV standard offers benefits to both consumers and broadcasters. The FCC must balance the needs of both, and not serve only one group. The industry uses the term "Multi-channel Video Programming Distributors" (MVPD) to describe companies that provide video content. These MVPD companies include video producers and distributors: legacy cable-TV providers, TV networks, and others that provide programming via cable, the Internet, and over-the-air broadcasts.

Some MVPDs do both: produce and distribute video content. These MVPDs have a financial bias to force consumers from free over-the-air broadcasts to their proprietary, higher cost distribution networks (e.g., cable, internet). Consumers must have the freedom to choose how they consumer video content, and not have a distribution network forced upon them via bundling, "retransmission consent system," or other MVPD tactics.

What are retransmission consent systems? This 16-142 filing by Consumer's Union, Public Knowledge, and New America's Open Technology Institute explained (Adobe PDF):

"It is increasingly axiomatic that, when MVPDs and broadcast groups engage in retransmission consent negotiations, consumers end up suffering, or footing the bill, or both. Increased broadcast retransmission consent fees are passed on to consumers by MVPDs who have little choice but to accept most broadcaster demands or face crippling blackouts.... Large MVPDs, and those which also own broadcast interests, also use the retransmission consent process to extract favorable terms, potentially limiting the growth or viability of competitive video services. Comcast, for example, is rumored to have fleshed out its fledgling over-the-top (OTT) service by exercising most-favored-nation clauses in many of its carriage contracts. Comcast can only demand such favorable contract terms due to its dominant position in the video delivery marketplace, and once again, consumers are left holding the bag..."

So, the FCC must not make things worse for consumers by allowing the new HD broadcast standard to reduce competition and raise prices. Higher prices may be good for MVPDs (and their stockholders) but not for consumers.

If you want to submit a comment or read comments already submitted about the new HD broadcast standard, search for the 16-142 Filing within the FCC's Electronic Filing & Comment System (ECFS). At press time, only 167 persons, companies, and entities had submitted filings and comments (compared to 2,869,632 comments via ECFS about Net Neutrality). Not good.

What are your opinions about the new HD video broadcast standard?