6 Threats That Target Consumers' Mobile Devices

If you think that identity thieves and scam aartists have not already targeted your favorite mobile devices, then think again. Dark Reading reported about siz specific threats that target popular mobile devices:

"1. Zitmo - One of the most successful banking Trojans of all time, Zeus, made the jump from PCs to mobile devices through the Zeus-in-the-mobile (Zitmo) spyware application. Prevalent on Android, Zitmo masquerades as a banking activation application and eavesdrops on SMS messages in search of the mobile transaction authentication numbers..."

"2. Mobile Botnets - Since 2009, Perimeter E-Security Research Analyst Grace Zeng has been exploring the possibilities of botnets consisting entirely of mobile devices. Naysayers told her it wasn't feasible, but last month she showed how realistic the possibility is with a presentation at WiSec 2012...:

"5. JiFake - Mobile marketers are loving the convenience of easy-to-scan QR codes to deliver mobile users to their websites and apps through their phones' barcode scanners. Attackers love these codes, too. Researchers are finding that the bad guys are increasingly using the obfuscation of QR codes to trick users into downloading malware..."

To protect yourself and the sensitive data on your smart phone or tablet, experts advise consumers to:

• Download apps only from trusted websites,
• Donwload only apps with privacy policies and terms of conditions that you understand and agree with,
• Keep the anti-virus software on your mobile device updated, just like you do on your laptop or desktop computer, and
• Password protect your mobile device in case it is lost or stolen.

FTC Seeks Information From The Public About How Identity Theft Impacts Elders

The U.S. Federal Trade Commission (FTC) seeks information from the public about how identity theft and fraud impact senior citizens. According to the Bureau of Justice statistics, 11.7 million people, about 5 percent of the population ages 16 or older, were victims of identity theft between 2006 and 2008. The FTC is concerned that:

"... seniors may be particularly susceptible to identity theft. They are often targeted for phishing scams; some seniors have granted powers of attorney giving wide access to their personal information; and most seniors' Medicare cards list their Social Security numbers. In addition, the personal information of senior citizens may be vulnerable in hospitals, nursing homes, and other care facilities."

To learn about the problem, the FTC seeks:

• Original research about the scope of identity theft and elders,
• The types of scams (e.g., phishing, tax, power of attorney, door-to-door) targeting elders,
• Obstacles to fighting or preventing this identity theft,
• Solutions by both the public and private sectors, and
• Any related issues

The FTC focuses upon enforcing laws, sharing its identity-theft complaint data with local law enforcement, and educates both consumers and businesses about data security. The FTC has brought actions against 35 companies for failing to adequately safeguard the sensitvie consumer data stored. In the summer of 2011, the FTC held a forum on the impacts upon children of identity theft. In September 2011, the FTC testified before Congress (Adobe PDF) about the problem and the actions it was taking.

Comments and submissions must be received by July 15, 2012. Information can be submitted in electronic or paper formats. Submissions should be mailed or delivered to:

Federal Trade Commission
Office of the Secretary
Room H-112 (Annex L)
600 Pennsylvania Avenue, N.W.
Washington, DC 20580

Submissions received will be made public on the FTC website.

The FTC helps consumers to prevent fraudulent, deceptive, and unfair business practices. It also provides information to help consumers spot, stop, and avoid them. If you have been a victim of identity theft and fraud, you can file a complaint in English or Spanish at the FTC Complaint Assistant website, or call 1-877-FTC-HELP (1-877-382-4357). The FTC compiles complaints it receives into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad.

Security Report Describes Multiple Threats Targeting Apple And Android Mobile Devices

Your Apple brand mobile device may not be as secure as you think it is. Trend Micro released a report last week about mobile device security. Key findings from the report:

• During the first three months of 2012, Apple led all major technology vendors with 91 reported vulnerabilities (http://cve.mitre.org/); followed by Oracle (78), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27), and  Apache (24).
• During the same period, Android-based smartphone suffered from the most cyber criminal attacks. Trend Micro identified about 5,000 new malicious apps that target Android devices

The report described a variety of scams and threats targeting mobile device users worldwide. The “one-click billing fraud” scam is particularly nasty. In this scam, thieves target video sharing websites. When a person clicks on a link to view a video, the link redirects to a website that downloads a software virus to their device. The virus locks up the person’s device and demands payment to unlock the device. This scam now targets Android-based smartphones.

Some scams used email hoaxes about new products to spread malware:

“Free “iPad 3” giveaway promos stirred up interest in the product even before its launch and infected systems with malware. Twitter spam touting free McDonald’s gift cards redirected users to adult dating sites..."

Some scams used new social networking sites to spread computer viruses:

“New social networking site, Pinterest, gained not just popularity but also notoriety. Site users were drawn into “re-pinning” a Starbucks logo to get supposed gift cards but instead got Malware.”

The report describes another type of scams, often referred to as “ransomeware” which:

“Refers to a class of malware that holds systems and/or files “hostage” unless victims pay up...”

Ransomeware may also encrypt files on the hard drives of victims’ infected devices, and demand payment to release the encrypted files. Trend Micro reported that this scam previously operated in Russia, but has now spread to several countries in Europe. A variation of this scam includes the use of police department logos on a landing page which demands that victims with infected computers pay a bogus fine for accessing Internet port and materials with violent content.

Before installing apps on your smartphone, the report’s authors advice consumers to:

1. Be ready to give out some personal information.
2. Know that a third-party will gain access to your personal information.
3. Know the app developer’s reputation

Download the “Security In the Age of Mobility” report (Adobe PDF, 2.1 MBytes).

Hackers Target Facebook Users With New Malware Tool To Steal Credit Card Information

In case you haven't heard, scammers and identity thieves have targeted social networking users. Trusteer reported a new scam by identity theives using a new version of the "Ice IX" malware.

After a Facebook member (within an infected computer) has logged into their Facebook account, the "Ice IX" malware spawns a new browser with a fake Facebook page which prompts users to enter credit card information for supposed additional data security protection. Of course, no security protection is provided, and the malware steals both the consumer's credit card information and other sensitive personal data stored on your computer.

This is another fine example of the creativity and persistence of scammers and identity thieves. Visit the Trusteer website to view screen images of the fake Facebook page. To learn more about how to protect yourself when using Facebook.com and its mobile apps, see the links in the "Using Facebook Safely" module in the near-right column.

CFPB Reports List Of Consumer Complaints About Financial Products

In its annual report, the new Consumer Financial Protection Bureau (CFPB), a federal agency designed to ensure that financial products and services for consumers are beneficial for consumers, listed the leading complaints submitted by consumers. The CFPB accepts complaints about credit cards and mortgages.

The CFPB began operation on July 21, 2011. In its annual report (Adobe PDF) to the U.S. Congress, the CFPB reported that by December 31, 2011, it had received 13,210 complaints from consumers, including 9,307 credit card complaints and 2,326 mortgage complaints. 44% of all complaints were submitted through the CFPB website, and about 15% via telephone calls. The leading types of credit-card complaints received:

Leading Credit Card Complaints Reported By Consumers to CFPB. July 21 - Dec. 31, 2011	Number	Percent
1. Billing Disputes	1,278	13.7%
2. Identity Theft / Fraud / Embezzlement	1,014	10.9%
3. APR or Interest rate	950	10.2%
4. Other	854	9.2%
5. Closing / Cancelling Account	478	5.1%
6. Credit reporting	437	4.7%
7. Credit Card Payment / Debt Protection	383	4.1%
8. Collection Practices	378	4.1%
9. Late Fee	364	3.9%
10. Other Fee	334	3.6%
Total for Top 10 complaint types	6,470	65.9%

The types of mortgage complaints received:

Mortgage Complaints Reported By Consumers to CFPB. July 21 - Dec. 31, 2011	Number	Percent
1. Problems when you are unable to pay (Loan modification, collection, foreclosure)	889	38.2%
2. Other	540	23.2%
3. Making payments (Loan servicing, payments, escrow accounts)	501	21.5%
4. Applying for the loan (Application, originator, mortgage broker)	235	10.1%
5. Signing the agreement (Settlement process and costs)	96	4.1%
6. Receiving a credit offer (Credit decision/Underwriting)	65	2.8%
Total Mortgage Complaints	2,326	100.0%

The FTC advises consumers who experience identity theft or fraud with financial products to both submit a complaint to the CFPB and submit a complaint to the FTC.

I like the CFPB's mission and its website. The agency's consumer response mechanisms are still new and in their infancy. They will become more beneficial as the agency identifies and resolves problems. What is your opinion of the CFPB?

Technical Support Phone Scam Poses As Microsoft Windows Affiliate Company

Yesterday, i received a telephone call from "Dean Thomas" (probably not his real name) who said he was from the "Technical & Maintenance Department of Windows." The phone number he gave was (209) 813-0133, which I assume was bogus, too.

Immediately, I recognized this phone scam as I had read about it previously in Consumer Reports:

"The scam has become so widespread that Microsoft has studied the problem in four countries, including the U.S. The study found that scammers stole an average of $875 from victims and caused $1,730 in damage to their computers."

Plus, I follow the Better Business Bureau on Twitter, which issued this alert months ago. I decided to listen to the scammer's pitch so I could report about it on this blog.

Basically, the scam artists pretend to be from a reputable company that is seriously interested in protecting you from virus software that can damage your computer. The first part of the pitch is an attempt to gain your confidence -- that they have received error messages already from my computer. After gaining your trust, they will ask you to visit a website, not with your web browser, but the "Run Software" dialog box. Doing so would give them access and control over your computer -- and the freedom to steal any files with passwords and bank accoount sign-in credentials.

With his heavy Southern Asia accent, "Dean" asked me to browse various system registry files (e.g., the Event Viewer, the Command level interface) on my computer, in a bogus attempt to convince me that my computer is already infected with malware. At one point during the call, "Dean" asked me to verify the CLSID number of my computer. Of course, I refused -- all the while acting like a dumb computer user so I had enough time to perform several Yahoo.com searches to confirm the scam.

One way to recognize these phone scams is that they never ask you if you alraedy have anti-virus software installed on your computer. "Dean" never asked and I never volunteered an answer.

"Dean" soon became frustrated and transferred me to his supervisor, who said he was from a company called, "Software Network Communications For Windows." Another sign that this was a scam: the company name kept changing. This new jerk wanted me to open the Run Software dialog box on my computer and enter the "www.support.me" website address. I asked him why the website address was different if he was from Windows. He answered that he was with an affiliate company.

Of course, I wasn't believing any of this nonsense -- nor should you. Of course, I didn't enter anything into the Run Software dialog box - nor should you. I told the jerk that I needed to know more about his company before visiting any website. Then, he hung up.

Later, I reported this phone fraud to the U.S. Federal Trade Commission (FTC) -- which you should too, if you receive such a phone call.

To learn more and avoid these technical support phone scams, read this Consumer Reports article, and this Microsoft alert. Other consumers have received technical support scam phone calls. Here is one that is both entertaining and serious:

Paid And Fake Product Reviews: More Deceptive Advertising

This blog has covered plenty of instances of deceptive marketing tactics by companies. The New York Times reported about a new tactic where companies pay their customers to write glowing reviews of its products. The higher the customer review rating, the more the company paid each customer.

In this case, Amazon.com did the right thing, which all online retailers must do in these instances:

"Amazon, sent a copy of the VIP letter by The New York Times, said its guidelines prohibited compensation for customer reviews. A few days later, it deleted all the reviews for the case, which itself was listed as unavailable. Then it took down the product page itself."

Of course, the companies involved do not advertise the fact that they pay their customers to write fake or glowing customer reviews or products/services. Some customers have admitted in their reviews receiving payments, but many don't.

The related issues are numerous:

1. Paid reviews threaten the credibility of the Internet
2. Is this marketing tactic honest? Of course not. It undermines the reliability and credibility of customer-submitted product reviews. I expect the U.S. Federal Trade Commission (FTC) to investigate and take punitive actions.
3. Are these paid consumer-written product reviews honest? No.
4. Should reviewers disclose these payment arrangements? Yes. If you are paid to write a review, definitely disclose both the payment arrangement and your relationship with the company, so readers can evaluate the reliability and honest of your reviews.
5. Online retailers need clear policies about reviews, which should be clearly and prominently explained in their website terms and conditions. Actions taken against violators should be swift, as Amazon.com did.
6. Yes, it is difficult to uncover paid reviews. Online retailers should explore methods to verify product/service reviews. If not, consumers can and should take their business elsewhere

And yes, that old saying still apples: caveat emptor (buyer beware).

Why You Shouldn't Install Those Entertaining Apps On Facebook

There is an excellent Facecrooks blog post that explains the risks of installing most "fun and entertaining" apps on Facebook. First, you have to understand the extreme limitations of Facebook:

"... there is no formal review process for applications or developers on the Facebook platform. Anyone and everyone (scammers included) can create apps. This is far different from the “Walled Garden” approach taken by Apple. Many unsuspecting users might be under the impression that if it’s on Facebook then it must be legitimate. That is totally not the case."

Second, think long and hard before installing any app that requires you to give it permission to:

• Access all of the data in your Facebook profile
• Access all of your Facebook friends list
• Post as you
• Just because the app address starts with HTTPS doesn't mean it is safe
• Doesn't have a privacy policy
• Has a privacy policy you don't like

Third, it is wise for Facebook members to "like" Facecrooks and follow its posts, so you are aware of emerging threats and scams.

Scammers Target American Airlines Customers With Phishing Emails

Earlier this week, a reader wrote about an email message he had received. The email message included a confirmation for tickets purchased through the American Airlines website. The reader was concerned that his bank information had been hacked, because he had not purchased any airline tickets.

The email message:

Subject: Your Order#647842534
Date: 15 Jan 2012 07:14:55 -0000
From: American Airlines (news-nr221@aa.com)
Reply-To: American Airlines (news-nr221@aa.com)
To: XXXXXXXX@XXXXX.com

Hello
FLIGHT NUMBER AA683
ELECTRONIC 885741402
DATE & TIME / JANUARY 30, 2012, 10:22 PM
ARRIVING / Raleigh
TOTAL PRICE / 395.22 USD

Please find your ticket attached. You can print your ticket. Thank you for your attention.
American Airlines.

The email included a ZIP file attachment. Clearly, this was a phishing email scam since it included an incomplete itinerary and the ZIP file attachment. A real airline wouldn't do either. Like most phishing emails, this one tries to trick consumers to open the ZIP file attachment which installs a computer virus on the victim's computer to collect password data, directs the victim's web browser to a fake American Airlines website to collect personal data, or both.

If you receive a phishing message like this, or from any other airline, experts advise consumers to:

• Don't click on any links within the email message,
• Don't open any files attached to the email message,
• Don't send a reply email message to the sender,
• Manually enter the website address into your web browser to visit the airline's official website to verify the email message, and
• Check your credit card or bank statement for any fraudulent charges

The official American Airlines website has a page devoted to phishing email scams. It provides examples of various email scam messages, and advises consumers:

"American Airlines will never ask you to perform security-related changes to your account in this fashion or send emails to collect user names, passwords, email addresses or other personal information. If you receive an email claiming to be from American Airlines, that asks for account information, it should be considered fraudulent... do not click on any links, open any attachments, call any phone numbers listed or follow any instructions in the email. Instead, forward a copy of the email, including the header to webmaster@aa.com so that we can investigate further."

The Snopes.com website also contains information verifying email phishing scams, including the above scam.

Plenty Of Collateral Damage From a Credit Card Theft

There is a good article in PC Magazine that describes the scope of damages from identity theft when credit cards, smart phones, and spammers intersect. Jacqueline, a sales manager, had her credit card stolen and cloned, which resulted in over $2,000 in fraudulent charges. (Damages #1.) Her bank cancelled the exisitng credit card account and issued her a new credit card account. You would assume that was the end of the story, but sadly it wasn't.

Then, the credit card theft and card cloning happened with the replacement credit card -- which suggests an insider identity-theft problem at the bank Jacqueline uses.  Her bank cancelled the replacement credit card account, and issued her a second replacement credit card. End of the story, right?

Wrong. Next, Jacqueline and her contacts began to receive a flood of text message and phone call spam from unknown phone numbers. Apparently, the identity criminals had also stolen Jacqueline's mobile phone number (Damages #2.) along with her credit card information. Jacqueline's company-issued Blackberry-brand smart phone had been spamming people and phishing for consumers' Sovereign Bank sign-in credentials.

Jacqueline doesn't work at Sovereign Bank. After more investigations by the IT department at Jacqueline's employer, her mobile carrier, Verizon, informed them that the text message spam wasn't coming from its network, but from a computer pretending to be Jacqueline. Apparently, the credit card thieves re-sold Jacqueline's personal data and mobile phone number to other identity criminals, which included a spammer (Damages #3.):

"Someone had gotten a hold of her mobile number and was spoofing other phones using her digits. It turns out there's software designed specifically for businesses to send bulk SMS to lists of phone numbers from a computer."

Wow! What a mess. This saga highlights several issues, including the:

• Creativity and persistence of identity thieves,
• Efficiency of online forums where consumers' stolen personal data is resold and traded,
• Value of consumers' (digital) personal information, and
• Duration of damages from identity theft and fraud.

The average consumer doesn't think about how valuable the various bits of their personal information are. But, identity criminals think about it deeply.

The good news in this story was that the IT department at Jacqueline's employer was able to rule out any leaky smart phone apps that could have compromised her data security.

Today, there's not much more Jacqueline or her employer's IT department can do. Her personal identity information is out there in the thieves' domain. As I see it, all she can do is file police reports to document the trail of theft, and lock down her credit reports to keep the damage from spreading to her financial accounts. If the thieves also have her Social Security number, then they can obain fraudulent identification cards and drivers licenses. And, there's nothing to restrict the thieves' action with the USA borders.

BBB: Top 10 Scams Of 2011

Earlier today, the Better Business Bureau (BBB) announced the top ten scams of 2011. With these scams, consumers can lose their money, personal identity and bank information, or both. The leading scams were:

1. Job Scams: included secret shopper schemes, work-from-home scams, and phony job offers. Typically, the scammers seek to trick victims to reveal bank account information.
2. Sweepstakes and lottery scams: supposedly you've won a lot of money. The pitch often includes a bogus celebrity participation.
3. Social networking and online dating scams: scammers may pretend to be on of your "friends" or have hacked the online accoount of one of your "friends." Typically, the pitch is to get you to click on a link -- sometimes a racey video-- which downloads a computer virus that invades your computer and steal sign-in credentials for several social networking accounts.
4. Home Improvement scams: contractors visiting your neighborhood offer a low price for the work, accept your deposit, and then never complete the job -- leaving your home in worse condition than before. Sometimes, the pitches come after a natural disaster.
5. Check cashing scams: scammers use legitimate companies (e.g., Craig’s List, Western Union) offering to buy something you are selling online. The scammer's check is larger than the price of the item you are selling. The victim sends the scammer a valid check for the difference, and the victim deposits the scammer's bogus check in their bank account. Of course, the scammer flees with money from cashing the valid check, the bogus check bounces, the victim still hasn't sold their item, and the victim's bank charges bounced check fees.
6. Phishing scams: these can be offers via phone, email, or a fake website. The typical pitch is to trick victims into revealing sensitive personal and bank account information. When you visit the bogus website to "verify" your account information, the website installs a software virus on your computer to steal more information.
7. Financial scams: these target consumers in tough situations, and include bogus offers about debt reduction and home mortgage modifications. The promised services are never delivered.
8. Sales scams: these include "penny auctions" or ways to supposedly pay far less than standard retail prices. Usually, there is a fee to bid. The BBB states clearly that not all penny auctions are scams, so consumers should treat these as a gamble and inspect closely the website policy and terms before entering.
9. BBB scams: a bogus email that looks like it's from the BBB, claims that a complaint has been filed against your business. To reply to the complaint, the email includes a link which instead downloads a document that spawns a software virus that can steal banking information, passwords and other sensitive personal information.

Last month, I received one of these fake-BBB phishing emails, with the telltale bad grammar and other clues. So you are aware, here is the text of the phishing message:

Subject: Your customer complained to BBB
From: "Better Business Bureau"
Date: Tue, 20 Dec 2011 08:47:19 +0000

Good afternoon,
Here with the Better Business Bureau notifies you that we have been filed a complaint (ID 37975886) from a customer of yours in regard to their dealership with you. Please open the COMPLAINT REPORT below to find the details on this issue and inform us about your opinion as soon as possible. We are looking forward to your prompt reply.

Faithfully,
Fernando Grodhaus
Dispute Counselor
Better Business Bureau Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277

Timeline Security Hoax Circulates On Facebook

If you use Facebook.com, perhaps you have seen the following status message:

"With the new 'FB timeline' on its way for EVERYONE, please do both of us a favor: Hover over my name above. In a few seconds you'll see a box that says "Subscribed." Hover over that, then go to "Comments and Likes" and uncheck it. That will stop my posts -- and yours to me -- from showing up on the side bar (ticker) for everyone to see, but MOST IMPORTANTLY it LIMITS HACKERS from invading our profiles. If you re-post this I will do the same for you. Thanks! (Click like on this post so I will know you unchecked.)"

Beware. This status message is a hoax -- an effective one too, since it trades on consumers' security fears. To learn more about why it is a hoax, visit Snopes and Facecrooks.

I can share this from personal experience. A couple Facebook friends sent this status message to me, and this hoax tricked me, too. The whole experience is reminder:

• Don't believe everything you read on social networking sites, and
• Verify claims before forwarding them as status messages to your friends.

A Wide Variety of Scams Target Senior Citizens

The Detroit Free Press reported about a local workshop to help seniors stay alert about a variety of fraud schemes run by scam artists:

"Michigan AARP says, based on a recent survey, that 79% of its members are concerned about fraud... Seniors are losing $2.9 billion a year nationwide to financial abuse..."

Seniors are vulnerable, since many live on a fixed income and seek ways to to increase their income due to financial pressures and fears. Scam artists use these fears.

FBI agents spoke to seniors at the Fraud Fighter College workshop at Marygrove College. Linda Cena, a securities manager at the Michigan Office of Financial and Insurance Regulation also spoke. Cena advises seniors to call her office to verify brokers and investments before investing large sums of money. Residents in other states can often find identity theft and scam resources in the division of insurance, secretary of state, or attorney general offices in their state government.

Typical scams targeting seniors include:

"... con artists promising a shopping spree in return for a small processing charge on a debit card to crooked financial advisers talking someone into shifting retirement money from a 401(k) plan into a self-directed IRA, and then putting that money into some fraudulent movie scheme. And, yes, a grandson or granddaughter on drugs can become a predator, too."

Experts warn seniors, and their caregivers, that the best defense against identity theft and fraud is to not disclose personal and financial information -- especially over the phone. Another tip: don't leave papers with sensitive information lying on tables around the home where visitors can steal valuable data like Social Security numbers.

Houston Identity Theft Theft Ring Arrested After Ordering Smart Phones

The Houston Examiner reported the arrest of members of an identity theft ring that used the stolen identities of Sprint customers to order fraudulent replacement smart phones, which they resold:

"Customers are routinely asked for their secret PIN numbers when they walk into Sprint stores, and federal agents say employees of the store were giving that information to thieves who were using it to get replacement phones that could be sold online."

What I found interesting about this case were the three points where data security failed. Better security at any one of these points could have stopped this theft ring before it started.

First, insider identity theft by employee facilitated the thefts. Using the stolen identities, the thieves ordered replacement smart phones from the insurance company, Asurion, used by Sprint mobile customers. A data breach like this highlights the need for a mobile service provider to implement a Red Flags program to identify and address problem data-security areas.

Second, the insurance company didn't seem to notice the rise in replacement phones within a specific geographic area:

"After filing the insurance claims, Secret Service agents say brand new phones were mailed out to hotels throughout the Houston area."

Most banks regularly flag purchases outside a consumer's normal credit card purchase patterns. Mobile service providers and mobile device insurers could and should do the same; especially where insurance claims include a different delivery address than the customers' home address. The new overage alert features by mobile service providers is a good first step in this direction, but it shouldn't require prodding by the FCC.

Third, several Houston area hotels seem to routinely accept and deliver packages to people who routinely made reservations but never checked in. This is like airlines accepting luggage for passengers who make reservations but never buy a ticket. Airlines have identified this security risk, and so too should hotels. Accept packages if you want, but deliver them only to customers have they have registered and checked in; or make it a perk only for loyalty program members.

Congressional Representatives Ask FTC To Investigate Companies Online Tracking Practice With "Supercookies"

On September 27, Congressional representatives Joe Barton (R-Texas) and Edward J. Markey (D-Mass.), Co-Chairmen of the House Bi-Partisan Privacy Caucus, sent a letter to the U.S. Federal Trade Commission (FTC) asking the agency to investigate “supercookies,” files that can be installed on consumers' computers without their knowledge or consent. Websites use supercookies to collect detailed personal information about consumers and to track consumers' online usage across the Internet.

Supercookies represent the latest effort in the Internet technology race for companies to track consumers' online behaviors versus consumers' need for privacy. First there were browser cookies, which were fairly simple text files websites used to recognize whether or user had visited that website before -- without requiring the user to identify their self.

As consumer awareness increased about the tracking and privacy issues with web browser cookies, some companies began to use the Flash cookies, with the Flash technology, to track and store consumer information data, since most consumers have the Flash plugin installed with their web browsers. As consumers supported "do not track" legislation and began using "do not track" options with their web browsers to delete standard browser cookies, some companies began using "zombie cookies"-- a tracking method to both save tracking information within other folders on consumers' computers and to continually regenerate standard web browser cookies deleted by consumers.

Most recently, some companies began using "zombie e-tags." The term "supercookies" seems to be a catch-all term for both covert tracking approaches: "zombie cookies" and "zombie e-tags." According to PrivateWiFi:

"... supercookie files can store more information than a normal cookie and can sometimes be stored in different places than regular cookies, such as a file used by a plugin (such as Flash), which makes them harder to identify and remove. In addition, some supercookies have the capability of regenerating regular cookies to prevent their removal. Supercookies track things differently from ordinary cookies. A normal cookie can be written, read and ultimately removed by the website that created it. However, the supercookie operates much more stealthily by tracking and recording user behavior across multiple sites. It’s ethically questionable that a website should be able to record a user’s actions beyond its borders. Websites that have been found to use supercookies include MSN.com, Hulu.com, and Flixster.com."

The ethics is definitely an issue. Is it ethical for a website, like Hulu.com or Facebook.com, to track consumers' usage beyond their websites and across the entire Internet? Perhaps, it is okay if the website policies are transparent, provide legible notice, and gain consumers' opt-in consent first. So, the letter by Barton and Markey is very timely and appropriate. Their September 26 letter read in part:

"As C-Chairs of the Congressional Bi-Partisan Privacy Caucus, we believe this new business practice raises serious privacy concerns and is unacceptable. We are also very concerned about the extent of this practice by websites as well as the impact supercookies have on consumers. Furthermore, we believe the usage of supercookies takes away consumer control over their own personal information, presents a greater opportunity for the misuse of personal information, and provides another way for consumers to be tracked online. In an effort to protect consumers, we are interested in any actions the Federal Trade Commission (FTC) has taken or plans to take to investigate the usage and impact of supercookies on the Internet and consumers. We believe that an investigation of the usage of supercookies would fall within the FTC’s mandate as stipulated in Section 5 of the Federal Trade Commission Act with respect to protecting Americans from ‘unfair and deceptive acts or practices.’”

Read the full text of the letter by Barton and Markey (PDF).

What I'd really like to see is legislation that requires companies to fully disclose their tracking methods and the precise data collected, much like labels on food attempt to descibe what is in the packaging. Why? It's all about consumer trust.

Similar to food, ingredients will change. For the Internet, tracking technologies will change. And change quickly, too. Yesterday's browser cookies morphed into "zombie cookies" and "super cookies," which has morphed again into "zombie e-tags." So, the companies' website terms-of-use and privacy policy should explain in simple English:

1. The tracking technologies (e.g., hardware and software) currently used,
2. The names of all affiliate companies and business partners they do business with for #1,
3. The services, products, software, and consumer dinformation exchanged in #2,
4. The length of time the data collected in #3 is archived,
5. The anonymization process used, and verified by an independent third-party, and
6. A large, easy-to-find and easy-to-understand opt-in button, because the program only includes consumers who choose to opt-in or register.

iPrank = iPad Scam

Do you think that two guys selling a couple Apple iPads in a McDonald's fast-food restaurant is legitimate? Say, they offered each iPad for $300. Would you buy one?

A South Carolina woman did, and sadly found out that when she arrived home that she had bought "a brick in a box." More precisely, the 22-year-old woman, Ashley McDowell, bought a fake Apple iPad made of wood and painted with an Apple logo on it. You can view a photo of this fake iPad at the Smoking Gun website.

Ashley offered and paid the scam artists $180 for the iPad, which was sealed inside a FedEx shipping box:

"But when McDowell drove home and opened the FedEx box containing the iPad, she instead discovered the wood with the Apple logo. The “screen”--which was framed with black tape--included replicas of iPad icons for Safari, mail, photos, and an iPod."

Police are searching for the two scam artists.

A word to the wise: if an offer sounds too good to be true, it usually is. Or, at least inspect the device before you hand over the cash.

How To Recognize Disaster Related Scams

You have just survived a natural disaster event. Perhaps you have some damaage to your home. Nobody wants to be victimized twice: once by the natural disaster and then by scam artists and identity thieves.

To help consumers and businesses deal with disasters and the scam artists that often follow, the U.S. Federal Trade Commission (FTC) operates the Disaster Recovery website. The website contains a variety of content including emergency preparation tips and advice about scams.

Unfortunately, several types of disaster-related scams target consumers:

• Debris Removal Scams: The FTC advises consumers to get a written work estimate from any company promising to remove debris from your property. Don’t make the final payment until you have inspected the job and are happy with it. Shop around and compare prices to make sure you are not overcharged.
• Fake Disaster Officials: Some scam artists claim to be government officials offering assistance to qualify for disaster relief payments. A “processing” fee is often included. Others masquerade as safety inspectors or utility repair workers who claim that immediate repair work is required. Some claim they can get you FEMA funds, for a fee. FEMA does not charge application fees. In fact, no government agency charges application fees. Always ask for identification from any officials who visit your home or your temporary shelter. Call the local agency office to confirm the person's identity.
• Home Repair Scams: often the scam artists claims that the work must be done "now or never." Collect phone numbers to verify identities. Demand the time to consider the offer overnight. Before selecting a contractor, get at least two bids, get references, get the contractor's business license, check the Better Business Bureau website, deal with established vendors, don't give out personal financial information (e.g., credit card numbers), and structure payments in installments (e.g., upfront, 50% of work completed, 100% of work completed). The U.S. Federal Emergency Management Agency (FEMA) operates a Disaster Housing Program to help homeowners who have been forced out of their homes by disasters. This includes Disaster Home Repair Assistance, which provides grants to homeowners for minor but necessary disaster-related repairs. Call the FEMA Disaster Helpline at 1-800-621-FEMA. The U.S. Small Business Administration makes low interest loans of up to $200,000 to homeowners to repair or replace damaged or destroyed real estate.

To learn about more types of scams, visit the FTC Disaster Recovery website. Often, many of these scams lead to identity theft and fraud. The website recommends when you should and should not disclose your sensitive personal information (e.g., bank account numbers, credit card numbers, Social Security number, birth date, mother's maiden name).

Identity Thieves Target Phishing Attack On Users Interested In Cloud Computing

Interested in cloud computing? Want to store your files and documents in the "cloud?" Considering the Apple iCloud service? Identity thieves have adapted a phishing email for cloud computing services.

The good folks over at Sophos Naked Security blog reported a new email phishing attack which targeted at prospective Apple iCloud users:

"The email claims to come from Apple, and appears to have targeted our correspondent because he is a user of Apple's MobileMe service. Apple is planning to shut down its MobileMe service in mid-2012, as it is readying its new iCloud service (which will store music, photos, calendars, documents etc in 'the cloud' and wirelessly push them to all of your devices)."

Many consumers consider Apple products relatively immune to malware and phishing attacks. You have been warned. Be alert for phishing emails about cloud computing.

The Dangers of Public WiFi Hotspots

[Editor's note: this is not an endorsement. This video is presented for informational purposes. Always shop around and compare before purchasing a product or service.]

If you are unfamiliar with wireless or WiFi technology, then you will likely find this video informative. If you seek a solution for a secure connection at public WiFi hotspots, this is one of several solutions available.

10 Dangerous Habits Consumers Still Do Online

Based on a recent Symantec survey, the ZDNet Security blog posted a list of ten dangerous habits consumers still do online. The list can be summarized into two broad behaviors:

• Consumers trade convenience for security
• Consumers ignore online risks they are aware of

The list of detailed dangerous habits:

1. Sharing too much information in social networking websites
2. Trusting company websites to protect their information
3. Assuming the links in email, text messages, and social networking posts are safe to click on
4. Not educating themselves enough about the threats and ways to protect themselves
5. Not updating the anti-virus and malware software on their computers and mobile devices

My pet peeve is number four. Regarding number three, every Facebook user should follow the alerts from websites like Facecrooks, which greatly helps you learn about which links to avoid.To view the complete list of dangerous habits, visit the ZDNet Security blog.