Consumer Reports Reviews Facebook And How To Use It Safely

If you haven't read it, there is a good review by Consumer Reports of the Facebook social networking website. The news media has focused on some of the controversial aspects of the report. For example, CNN reported, like many other news organizations, the survey finding that about 25 percent of Facebook users lie about information in their Facebook profile to protect their identity.

While lying about profile information may seem like an effective privacy strategy, the Consumer Report review of Facebook highlights the various ways Facebook tracks its members. Some Facebook members have made conscious choices to share personal data, and do so in status messages, sharing items, and commenting upon others' status messages. Yet other tracking methods exist.

The Consumer Reports review is a good reminder that its members are the products:

"... the company uses your data to help advertisers deliver ads that you may find useful. Suppose, for example, that you have “liked” the San Francisco 49ers page, or simply posted comments about football. You shouldn’t be surprised to see ads in the margins for football tickets, fan paraphernalia, and the like. Facebook does not share any of your information with advertisers that buy those ads unless you give permission. If you click the ad and purchase something, the advertiser obviously learns who you are. And even if you simply “like” a brand page, the company can automatically send posts to your account."

One tracking method is the facial-recognition software used to "tag" (e.g., identify) people (and places) in both photos and videos. Members who aren't careful to turn off the geo-tagging feature in their smart phones or tablets will provide even more personal data with photos and videos uploaded to Facebook.

Another method are the Facebook apps member use for music, news, and games -- which are loosely managed by Facebook:

"... according to Kevin Johnson, security consultant at Florida-based Secure Ideas, who has developed apps and tests their security. The sole credential needed to create an app is a verified Facebook account, including a cell phone number or credit card. And the company doesn’t have to review your source code (programming instructions) before it goes live..."

So, there seems to be little to no verification of apps for security or compliance when those apps have a privacy policy.

A method Facebook uses to track both members and non-members includes those "Like" buttons you have see on websites across the Internet:

"... Facebook keeps track of the other websites [its members] visit. That happens via the “Like,” “Recommendations,” and similar buttons that so many sites include. In addition to reporting your presence, the “Like” button sends along the date and time of your visit and your IP address, whether or not you click on it. The company has acknowledged that this happens even when Facebook users are logged out, a practice that had prompted class-action lawsuits in the U.S. If you’re logged in to Facebook, it can collect even more data. The company also said that it collects data from people who are not its users and have never visited its site..."

The review is also a good reminder of the scope of data Facebook collects:

"... thanks in large part to Max Schrems, a 24-year-old Austrian law student who managed to get a fuller copy of his personal information last year from Facebook's Dublin office, which oversees relations with users outside the U.S. and Canada. Schrems was surprised to discover, among the 1,222 pages of data covering three years of Facebook activity, not only deleted wall posts and messages, some with sensitive personal information, but e-mail addresses he’d deleted and names he’d removed from his friends list... Facebook collects the same type of detailed information on American users, as confirmed by documents it released to Boston police during their investigation of Philip Markoff..."

If you want to learn more about Schrems, visit Europe Versus Facebook. The review ends with a list of nine ways consumers can use Facebook (and similar social networking sites) safely:

"1. Think before you type. Even if you delete an account (which takes Facebook about a month), some info can remain in Facebook’s computers for up to 90 days.

3. Protect basic information. Set the audience for profile items, such as your town or employer. And remember: Sharing info with “friends of friends” could expose it to tens of thousands.

4. Know what you can’t protect. Your name and profile picture are public. To protect your identity, don’t use a photo, or use one that doesn’t show your face.

5. “UnPublic” your wall. Set the audience for all previous wall posts to just friends.

7. Block apps and sites that snoop. Unless you intercede, friends can share personal information about you with apps. To block that, use controls to limit the info apps can see."

Read the complete review of Facebook.com by Consumer Reports.

Security Report Describes Multiple Threats Targeting Apple And Android Mobile Devices

Your Apple brand mobile device may not be as secure as you think it is. Trend Micro released a report last week about mobile device security. Key findings from the report:

• During the first three months of 2012, Apple led all major technology vendors with 91 reported vulnerabilities (http://cve.mitre.org/); followed by Oracle (78), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27), and  Apache (24).
• During the same period, Android-based smartphone suffered from the most cyber criminal attacks. Trend Micro identified about 5,000 new malicious apps that target Android devices

The report described a variety of scams and threats targeting mobile device users worldwide. The “one-click billing fraud” scam is particularly nasty. In this scam, thieves target video sharing websites. When a person clicks on a link to view a video, the link redirects to a website that downloads a software virus to their device. The virus locks up the person’s device and demands payment to unlock the device. This scam now targets Android-based smartphones.

Some scams used email hoaxes about new products to spread malware:

“Free “iPad 3” giveaway promos stirred up interest in the product even before its launch and infected systems with malware. Twitter spam touting free McDonald’s gift cards redirected users to adult dating sites..."

Some scams used new social networking sites to spread computer viruses:

“New social networking site, Pinterest, gained not just popularity but also notoriety. Site users were drawn into “re-pinning” a Starbucks logo to get supposed gift cards but instead got Malware.”

The report describes another type of scams, often referred to as “ransomeware” which:

“Refers to a class of malware that holds systems and/or files “hostage” unless victims pay up...”

Ransomeware may also encrypt files on the hard drives of victims’ infected devices, and demand payment to release the encrypted files. Trend Micro reported that this scam previously operated in Russia, but has now spread to several countries in Europe. A variation of this scam includes the use of police department logos on a landing page which demands that victims with infected computers pay a bogus fine for accessing Internet port and materials with violent content.

Before installing apps on your smartphone, the report’s authors advice consumers to:

1. Be ready to give out some personal information.
2. Know that a third-party will gain access to your personal information.
3. Know the app developer’s reputation

Download the “Security In the Age of Mobility” report (Adobe PDF, 2.1 MBytes).

FTC Survey: The Good And Bad Experiences Of Identity-Theft Victims With Consumer Reporting Agencies

The U.S. Federal Trade Commission (FTC) released the results of its survey of consumers who had reported to the FTC that they were identity-theft victims. The survey assesses consumers experiences with recovering from identity theft and contacting the national consumer reporting agencies (CRAs). The survey also assesses how consumers exercise their rights under the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA - 2003).

Overall findings:

• 68% of survey respondents were somewhat or very satisfied with their overall experiences with the national consumer reporting agencies (e.g., Equifax, Experian, and TransUnion), but many consumers said it was difficult to reach a live person.
• Less than half of the respondents were aware of most of their rights under FACTA before they contacted the consumer reporting agencies.
• Few consumers exercise their right to block selected information in their credit reports from identity theft and fraud, since most consumers (78%) don't know about this right
• Some respondents complained about feeling pressured to buy additional identity theft monitoring products when they called the consumer reporting agencies.

FACTA gave consumers the right to:

• Pace Fraud Alerts on their credit file with the nationwide CRAs,
• Request a free credit report from each of the three national CRAs when placing a fraud alert,
• Block fraudulent information from appearing in their credit reports,
• Receive a notice of these and other rights from the CRAs

When placing a fraud alert, consumer only need to contact one of the three national CRAs. After successfully placing a Fraud Alert on their credit file with one CRA, most of the time the other two CRAs will automatically add Fraud Alerts to the consumer's file on their systems. When requesting a Fraud Alert, consumers can also request a free copy of their credit report. Survey results about Fraud Alert and free credit report requests:

• 44% of survey respondents were not aware before contacting a CRA of their right to place a Fraud Alert on their credit file. Despite this, 85% of respondents ultimately requested a Fraud Alert on their file.
• When requesting a Fraud Alert, 58% of survey respondents reported that all three national CRAs placed alerts when requested. 36% of respondents were unsure what happened, and 6% reported that at least one CRA didn't place a Fraud Alert.
• 44% of respondents who requested a Fraud Alert said they were very satisfied with the process, 32% said they were somewhat satisfied, and 17% said there were either somewhat or very dissatisfied with the process.
• Most survey respondents (56%) requested their free credit report (when placing a Fraud Alert) by telephone, compared to the website (33%), and postal mail form (14%).
• Most (51%) said that they received their free credit report from all CRAs they contacted, while 33% stated that they received it from only some of the CRAs they contacted. 11% said that they did not receive any credit reports.
• 43% of respondents said that they were very satisfied with the process of requesting free credit reports after placing a fraud alert. 32% said that they were somewhat satisfied. 22% said that they were either somewhat or very dissatisfied.

Errors occur in credit reports, either from identity fraud or from honest mistakes by the CRA or lender. Consumers can dispute this erroneous data and demand that it be removed or corrected. Survey results about credit report accuracy:

• Most survey respondents (60%) were aware before contacting a CRA that they had the right to challenge the accuracy of information on their credit report.
• 36% of respondents who contacted a CRA disputed the accuracy of information on their credit report in connection with the identity theft that led to the contact. Of those who disputed information, 72% filed disputes with a CRA and while 46% contacted the creditor that provided the information to the CRA.
• The types of credit report information disputed: 47% challenged identification and employment (47%), payments (48%) about a specific debt, and unauthorized lenders who obtained their credit report (40%).
• Of survey respondents who disputed information in their credit reports, 52% said that the information was corrected or removed, 22% said that the information was not corrected, and 18% said that they were not sure what happened.
• Of survey respondents who had information corrected by the CRA, 42% said that the error was corrected after a single contact. 27% said the error was corrected after two contacts. 24% said the correction required three to five contacts, and 4% said they contacted the CRA six or more times.
• Of survey respondents who disputed information in their credit reports, most (57%) said that they were either very or somewhat satisfied with the process. 17% said that they were somewhat dissatisfied, and 21% said that they were very dissatisfied.

Consumers can block certain information within their credit reports that resulted from identity theft and fraud. Blocks are different from disputes. CRAs must respond within four (4) days after receiving a valid request to block certain data in a credit report. Survey results about blocking fraudulent information:

• Of survey respondents who contacted a credit reporting agency, 78% were not aware of the right to block information in the credit file. Few survey respondents (21%) exercised this right to block the reporting of information resulting from identity theft.
• Of those who requested that information be blocked, 46% said that all CRAs blocked the information. 18% said that some of the CRAs blocked the information, and 9% said that none of the agencies blocked the information.

The FTC concluded in its report (bold emphasis added):

"Despite the 68% general satisfaction rate with the CRAs, the survey reveals three areas where respondents faced difficulties in exercising their FACTA rights. First, one prominent complaint was the difficulty in reaching a representative at a CRA with whom to speak about identity theft. Many respondents said that it was difficult or impossible to move past the automated response system... Second, the survey results suggest that a relatively small number of identity theft victims are aware of their FACTA rights. Less than half of the respondents were aware of most of their rights prior to contacting the CRAs. Even for the most well-understood right – disputing inaccurate information – only 60% of respondents who contacted a CRA were aware of this right prior to contacting the CRA... Third, both the survey respondents and the focus groups raised concerns about the CRAs using consumer contacts about identity theft as an opportunity to sell identity theft protection products. Several respondents and focus group participants complained that they felt pressured to buy one or more products and that, in some cases, they received services that they did not want or need."

The FTC sent survey invitations to about 3,000 consumers who had previously reported to the FTC hotline that they were identity-theft victims. The survey questions were based on six focus groups conducted in 2009. 634 consumers responded. The FTC maintains the anonymity of all survey respondents. Download the FTC, Using FACTA Remedies Report (Adobe PDF - 4.9 M Bytes), which is also available here.

Want to learn more? Suggested readings about credit and CRAs:

• Fraud Alert Renewal: Easy And Fast
• Placing a Freeze (Or Lock) On Your Credit Files
• Fraud Alert or Credit Freeze: What's The Difference?
• Are Fraud Alerts Useless?
• Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms (Part One)?
• Have You Heard About Credit Reports From Innovis?
• Directory Of Credit Reporting Agencies
• What It Means To Have An Unrequested Security Freeze On Your Credit Report
• A Primer On Credit Scores
• FTC Testifies Before Congress About Identity Theft And Fraud
• FTC Changes Disclosure Rules For Sites Offering "Free" Credit Reports
• FTC Releases Report Of Top Complaints Submitted By Consumers During 2011

CFPB Reports List Of Consumer Complaints About Financial Products

In its annual report, the new Consumer Financial Protection Bureau (CFPB), a federal agency designed to ensure that financial products and services for consumers are beneficial for consumers, listed the leading complaints submitted by consumers. The CFPB accepts complaints about credit cards and mortgages.

The CFPB began operation on July 21, 2011. In its annual report (Adobe PDF) to the U.S. Congress, the CFPB reported that by December 31, 2011, it had received 13,210 complaints from consumers, including 9,307 credit card complaints and 2,326 mortgage complaints. 44% of all complaints were submitted through the CFPB website, and about 15% via telephone calls. The leading types of credit-card complaints received:

Leading Credit Card Complaints Reported By Consumers to CFPB. July 21 - Dec. 31, 2011	Number	Percent
1. Billing Disputes	1,278	13.7%
2. Identity Theft / Fraud / Embezzlement	1,014	10.9%
3. APR or Interest rate	950	10.2%
4. Other	854	9.2%
5. Closing / Cancelling Account	478	5.1%
6. Credit reporting	437	4.7%
7. Credit Card Payment / Debt Protection	383	4.1%
8. Collection Practices	378	4.1%
9. Late Fee	364	3.9%
10. Other Fee	334	3.6%
Total for Top 10 complaint types	6,470	65.9%

The types of mortgage complaints received:

Mortgage Complaints Reported By Consumers to CFPB. July 21 - Dec. 31, 2011	Number	Percent
1. Problems when you are unable to pay (Loan modification, collection, foreclosure)	889	38.2%
2. Other	540	23.2%
3. Making payments (Loan servicing, payments, escrow accounts)	501	21.5%
4. Applying for the loan (Application, originator, mortgage broker)	235	10.1%
5. Signing the agreement (Settlement process and costs)	96	4.1%
6. Receiving a credit offer (Credit decision/Underwriting)	65	2.8%
Total Mortgage Complaints	2,326	100.0%

The FTC advises consumers who experience identity theft or fraud with financial products to both submit a complaint to the CFPB and submit a complaint to the FTC.

I like the CFPB's mission and its website. The agency's consumer response mechanisms are still new and in their infancy. They will become more beneficial as the agency identifies and resolves problems. What is your opinion of the CFPB?

PHI Project Releases Report About Health Care Data Security

On Monday, the PHI Project released a report about the state of data security within health care organizations titled, "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security." Key findings:

• Weak Data Security: health care organizations are entrusted with safeguarding patient privacy, but their security efforts are not keeping pace with the growing risks of lost/stolen protected health information (PHI),
• Data Breach Activity: the number and size of data breaches including PHI are increasing. The negative impacts are financial, legal, clinical, and reputational for the organizations experiencing data breaches,
• The PHI Project recommends that health care organizations implement a five-step method – PHI Value Estimator (PHIve) -- to evaluate the risks of a breach of PHI data, and implement preventative measures.

According to Rick Kam, president and co-founder of ID Experts and chair of the PHI Project:

“No organization can afford to ignore the potential consequences of a data breach... We assembled this working group to drive a meaningful dialogue on appropriate levels of investment to better protect healthcare organizations and PHI.”

The PHI Project is a partnership including the American National Standards Institute (ANSI) via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA) -- with assistance from ID Experts.

Report Warns Proposed MBTA Cuts Would Hamper Boston Metro Area's Economy, Jobs And Growth

A Better City (ABC), a nonprofit transportation advocacy organization, has released a position paper about the fare increases and services cuts proposed by the MBTA. ABC analyzed both proposals by the MBTA to close a $161 million budget deficit forecast for the fiscal year beginning July 1, 2012. In its paper, ABC concluded:

"... the T should seek to close part of its budget gap with a more reasonable fare hike and limited service cuts. The T should then work with MassDOT, Massport, the Patrick administration and the legislature to address the remaining budget shortfall for FY 2013, and to begin work on a long-term, comprehensive finance plan for the Commonwealth’s entire transportation system."

The MBTA had proposed service cuts including the termination of late night and weekend commuter rail service, weekend "E" Green Line service, Mattapan Line, many bus routes, and all ferry service. About these cuts, ABC stated:

"... The T should not cut Commuter Rail service after 10pm and on weekends, nor should it cut weekend service on the E Branch of the Green Line or the Mattapan Trolley. Commuter boat service should be preserved, with a lower public subsidy and operated under the auspices of Massport. Due to the severe impact on riders, bus route service eliminations or reductions should be limited to the ten least efficient routes in the system. Going forward, the T should adopt more stringent and rational service planning criteria across all modes and commit to adjusting service accordingly."

According to ABC, everyday the Boston's population doubles as people commute to work. 55% of those work trips, and 45% of all MBTA trips, include commuting to work. The service cuts proposed by the MBTA would make it difficult for employees to get to work, employers to staff positions, patients to visit doctors and hospitals, and customers to visit entertainment venues:

"Across all sectors, ABC member businesses told us they are concerned about the impact that fare hikes and service cuts would have on their employees’ ability to get to work. Some of our members in the hospitality industry noted that the T’s current service hours are not adequate for employees working odd shifts... The viability of T service, then, has a direct impact on the size of this industry’s job shed, and particularly on the job prospects of low-skilled workers... The health care industry operates 24 hours a day, 7 days a week, and the hospitals of the Longwood Medical Area would be particularly impacted by the proposed service cuts to the Green Line E Branch and the Commuter Rail. These cuts would impact the ability not only of doctors, nurses and support staff to get to their jobs, but also of patients to make their appointments... These businesses have also deployed flexible scheduling and staggered shifts to best utilize their real estate and cope with our already-congested transportation network."

The service cuts would force more autos onto already congested roads, resulting in:

"... 55,000 and 92,000 more cars on the road daily... if there were no public transportation in the Boston area, the additional traffic congestion would cost the regional economy $663 million annually. Based on this estimate, if one-tenth of the T’s current ridership elect to abandon the T and drive their commutes... the additional congestion could cost Massachusetts $66 million a year."

Parking around the city, already a problem, would become worse as more people drive and many parking lots are replaced by office buildings:

"ABC members located in the South Boston Waterfront were particularly concerned that changes at the T would increase demand for parking at a time when large lots currently used by commuters to the Waterfront and to the Financial District are slated to be developed over the next decade. South Boston, East Boston and Downtown are all subject to Parking Freezes. The City of Cambridge also enforces a Parking and Transportation Demand Management ordinance. These policies, implemented to curb air pollution, have made both cities heavily reliant on transit to support future economic growth..."

The higher education industry would be similarly affected:

"... increased demand for parking is at odds with their plans to expand. UMass Boston is a commuter school with a 45% transit share. It’s attempting to increase that number to 60% so that it can utilize its surface parking lots for staging construction of new campus buildings. Boston University, which purchases $2.1 million in T passes for faculty, staff and students, and spends $1.6 million operating its shuttle service, is also planning to reduce its parking spaces in order to make room for new construction. T fare hikes and service cuts will make it harder for both these institutions to grow..."

The entertainment and tourism industries would be similarly affected:

"The proposed cuts to evening and weekend Commuter Rail service would have a significant impact on fans’ and patrons’ ability to get into and out of the city for games, concerts and other cultural events."

ABC suggests that the MBTA:

• Limit its fare increase to 25% and pursue smaller, more frequent increases,
• Maintain commuter rail, trolley, and ferry services,
• Cut only the "10 worst" bus lines,
• Better match resources (e.g., buses and trains) to demand

ounded in 1989 as the Artery Business Committee, A Better City is a nonprofit association representing Greater Boston’s business and institutional community on transportation, land development and environmental sustainability. Download the ABC position paper (Adobe PDF, 1.9M Bytes), which is also available here (Adobe PDF, 1.9M Bytes).

FTC Releases Report Of Top Complaints Submitted By Consumers During 2011

Earlier this week, the U.S. Federal Trade Commission (FTC) released its annual report of the leading complaints filed by consumers. During 2011, identity theft (again) led the list of complaints. This is the 12th consecutive year that identity theft has led the list:

Type of Complaint or Scam	Number	% Of Total
1. Identity Theft	279,156	15%
2. Debt Collection	180,928	10%
3. Prizes, Sweepstakes and Lotteries	100,208	6%
4. Shop-at-Home and Catalog Sales	98,306	5%
5. Banks and Lenders	89,341	5%
6. Internet Services	81,805	5%
7. Auto Related	77,435	4%
8. Imposter Scams	73,281	4%
9. Telephone and Mobile Services	70,024	4%
10. Advance-Fee Loans and Credit Protection/Repair	47,414	3%

Other notable findings:

• Fraud: 990k of the 1.8 million complaints were fraud-related. 68% of consumers reported a fraud complaint where they paid an amount. The total amount paid was $1.5 billion, and the median amount paid was $537. 43% of consumers were contacted via email. The five states with the highest per-capita fraud reported were Colorado, Delaware, Maryland, Nevada, and Virginia.
• Identity Theft: Government documents/benefits fraud (27%) was the most common form reported, followed by credit card fraud (14%), phone or utilities fraud (13%), bank fraud (9%), and employment fraud (8%). 45% of consumers reported they contacted local law enforcement. The five states with the highest per-capita identity theft were Florida, Georgia, California, Arizona, and Texas.
• Countries: the top five countries were the USA (80%), Canada (4%), the United Kingdom (4%), Nigeria (2%), and Jamaica (2%).
• Age: consumers that filed complaints during 2011 were ages 50-59 (23%), followed by ages 40-49 (20%), ages 30-39 (17%), ages 60-69 (15%), and ages 20-29 (15%).
• Military: members from all four branches plus the Coast Guard reported complaints. For this group, identity theft ranked as the number one complaint, followed by Debt Collection. Mortgage Foreclosure Relief and Debt Management ranked as fourth for this group, compared to 13 for all consumers.

During 2011, consumers submitted about 1.8 million complaints, an increase of 24% over 2010. All complaints submitted by consumers are collected in the FTC Consumer Sentinel Network database, which contains 30 different categories of complaints. Download the 2011 FTC Consumer Sentinel Network Data Book (Adobe PDF).

Consumers Adapt Their Social Media Use Given Privacy Concerns

Pew Internet recently released the results of a second quarter 2011 survey about consumers' usage of social networking web sites and privacy. The survey found that consumers are adapting their usage of social networking web sites given privacy concerns:

• 63% of survey respondents have deleted people from their “friends” lists, up from 56% in 2009,
• 58% of users restrict access to their profiles on social networking websites. More women (67%) do this than men (48%),
• 48% of users have had some difficulty managing their profile privacy settings on social networking web sites,
• 44% have deleted comments made by others on their profile,
• 37% have removed their names from photos that were tagged to identify them, and
• 11% have posted content they regret.

It will be interesting to see how much further adaptation occurs in next year's survey results, since users will have had more time to use features, like the Timeline feature from Facebook. I have talked with consumers who use the Timeline feature to delete harmful archived status messages, since employers now use social networking web sites to screen job applicants, to determine credit worthiness, and to evaluate insurance worthiness.

Some consumers use the new Facebook Profile Preview feature to screen and reject their friends' attempts to tag them in status messages and photographs. That seems very wise since too many users (42% total) don't restrict access to their profiles.

Should companies use social networking websites for financial, insurance, and employment screening uses? That's debatable, but the reality is that companies use the data anyway for screening, and the social networking sites are happy to make more money. My advice: prune your profile of harmful archived posts, and don't post anything at a social networking web sites that you don't want read/shown in court.

Big Banks vs. Credit Unions

If you are unsure about whether or not to move your money from a big banks to a small, community bank and credit union, consider the statistics below from Consumer Reports:

Item / Fee	Big Banks	Credit Unions
Non-interest Checking (per month)	$10.27	$6.00
Minimum Balance to Waive Fees	$1,115.97	$500.00
Online Bill Payment (per month)	$6.95	$0.00
Use Another Bank's ATM (per transaction)	$2.21	$1.07
ATM Surcharge (per transaction)	$2.96	$2.79
Overdraft (per transaction)	$34.48	$27.82
Insufficient Funds (per transaction)	$34.48	$27.82
Stop Payment (per transaction)	$31.09	$19.43

To learn more:

• Javelin Research Reports Results About Bank Transfer Day
• Learn About Credit Unions. Free Workshops At A Nearby City
• Keeping Its Commitment To Its Customers: A Bank Does The Right Thing
• Bank of America Merchant Services And Money Network Announce New Payroll Solution
• How To File A Complaint About A Bank
• Move Your Money To... Walmart? A Good Deal?
• Some Banks Reverse Decisions To Add New Debit Card Fees

Javelin Research Reports Results About Bank Transfer Day

Finally, some firm statistics are being released about the results of Bank Transfer Day, when consumers moved their money from big banks to credit unions and local community banks. Based on extensive research, Javelin Strategy & Research estimated that 5.6 million U.S. adults moved their money during a 90 day period. Some details:

• 11% (610,000 of the 5.6 million) mentioned Bank Transfer Day as the reason they moved their money
• 26% said that high banking fees were the reason they moved their money

Javelin concluded that both Bank Transfer Day and the Occupy Movement had a measurable impact when compared to research results from prior years. So, a true grassroots movement can have an impact.

Previously, CUNA revised downward its estimates of Bank Transfer Day results due to a flawed methodology. CUNA did not change its estimate of more than 40,000 new credit union accounts opened by consumers on November 5, Bank Transfer Day.

Javelin designed the online research questionnaire and surveyed 5,878 consumers during December 2011. The survey process included:

"... targeted respondents based on representative proportions of gender, age, income, and ethnicity, and data was weighted to U.S. census proportions. The survey is based on a set of questions that were first fielded in 2003, and are now deployed on a twice-annual basis."

Javelin has research identity theft and fraud, with reports covering 2008 and 2010, plus trends in corporate data breaches. I have found Javelin's work reliable, but still await more results about Bank Transfer Day. It would be great to know the average bank account balance transferred, since the big banks seem to have focused on getting consumers to consolidate their accounts (e.g., checking, savings, and investments). The big banks are probably willing to lose consumers with smaller balances.

In a recent conversation with banking industry analysts, the Bank of America CEO reported a 20 percent increase in account closures during the fourth quarter of 2011.

Slowly, More Consumers Consider Website Privacy Policies Before Buying

PC Pro recently reported the results of a recent Forrester Research study. Forrester surveyed 37,000 consumers in North America, and found that a growing percentage of consumers consider companies' website privacy policies in their decisions about whether to do business with a company:

"Websites need to rethink their privacy policies as consumers ditch those that hide data rules or leak information, according to research from Forrester. The analyst found that a growing number of consumers were reading how companies dealt with their privacy and voting with their feet if they didn’t like what they saw."

More than half of survey respondents over 55 years of age said that they refused to complete an online transaction because of the company’s terms of use or privacy policy. In 2008, 40% answered this question the same way.

The PC Pro article would have been more helpful if it linked directly to the Forrester Research report and included more facts. The Forrester research study found:

"Individuals see different types of data differently -- they're most worried about what we consider individual identity data, and far less concerned about the capture and use of their behavioral data... Most consumers are willing to share their data in exchange for value. But, what they consider "valuable" is very age-dependent..."

If the article had included examples of well-crafted privacy policies, this would help consumers learn about what to look for in privacy policies -- at websites, social networking websites, and with mobile-device apps. In 2011, the European Union Justice Commissioner described four pillars of online data privacy, which is a good start for any corporate privacy policy.

In 2008, a brief review of the privacy policy at Mint.com prompted a huge discussion on this blog -- that still continues today.

The Personal Data Elements Consumers Want To Keep Private Online

At the All Things D blog, Liz Gannes has posted a very interesting inforgraphic about the data elements consumers care about and want to keep private online. The inforgraphic was created from a research report by Forrester Research. Some of the data elements and the percent of consumers that care about each item:

• 72% - Social Security number
• 71% - credit card number
• 62% - driver's license number
• 57% - credit score
• 52% - Internet browsing history

This was a good infographic. It would have been even better if it included consumers' GPS location history, since so many mobile phone companies, telecommunications companies, and social networking websites collect this data. When and where you go in the physical world is very valuable and equally sensitive data. It is a way of uniquely defining you.

CUNA Revises Downward Its Estimate Of New Accounts

An I've Been Mugged reader at the American Bankers Association provided a link to this December 6 American Banker article: Credit Unions Eat Crow On Customer Numbers. The article reported that the Credit Union National Association (CUNA) revised downward its initial estimate of the number of new accounts opened at credit unions by consumers who moved their money from large banks during the weeks leading up to Bank Transfer Day.

The CUNA is a trade association of 90 percent of 7,400 state and federally chartered credit unions serving about 93 million Americans. The CUNA originally estimated on November 3 that consumers opened 650,00 new accounts at credit unions from September 29 to November 2. The revised estimate is a third of the initial estimate: 214,000 new accounts at credit unions during this period. The American Banker article concluded:

"The [CUNA] association's scaling back of its numbers on Monday gave credence to banking industry officials and others who criticized the association's methodology last month."

The CUNA has admitted that its initial estimate was "rushed and flawed." The CUNA has not changed its estimate of more than 40,000 new credit union accounts opened by consumers on November 5, Bank Transfer Day.

I found the title of the American Banker article unnecessarily excessive: "Credit Unions Eat Crow On Customer Numbers." First, final new account numbers are not yet available, only estimates. Second, I hope that ABA members stay focused on the needs of consumers rather than this one-upmanship about a single flawed CUNA survey. If big banks truly were meeting consumers' needs, then this move-your-money situation would not exist. Banks have a lot of consumer trust to regain after huge credit card interest rate increases and alleged foreclosure abuses during the past two years. A recent consumer satisfaction survey found:

"Consumer satisfaction with credit unions has soared this year, posting scores well above their large-bank competitors, according to the 2011 American Customer Satisfaction Index... The satisfaction score for credit unions rose 8.7 percentage points to 87 points on a scale of 0 to 100. The index said it is the highest satisfaction score ever for any of the 47 industries."

Third, if you read about the genesis of Bank Transfer Day, it was a voluntary call by a person for consumers to move their money by November 5. Consumers can continue to move their money after November 5, and it may simply take consumers longer to move their money. Fourth, consumers value stability. This analysis suggested that credit unions survived recent economic crises better than commercial banks.

On December 1, the National Credit Union Administration (NCUA) agency reported performance results about credit unions during the third quarter of 2011:

"Membership and Total Assets Growth Continues: Despite a slight decline in number, federally insured credit unions added more than 450,000 members during the third quarter, growing to 91.4 million individuals. In all, membership has increased by almost 1 million during the first 9 months of 2011. Credit union total assets also continued to expand, standing at $951.1 billion on Sept. 30, an increase of almost $8.7 billion for the quarter... For the second quarter in a row, credit union lending increased to end the period at $567.1 billion, an increase of $3.1 billion over the prior quarter. New auto loans and other real estate loans continued to decline, while used vehicle loans, unsecured loans—including credit cards—and first mortgage real estate loans again all rose during the quarter. Notably, demand for non-federally guaranteed student loans jumped 20.5 percent during the third quarter to end at $1.3 billion on Sept. 30."

The NCUA report included only the 7,179 federally insured credit unions, and excluded results for October 2011 and Bank Transfer Day. I look forward to reading in January comprehensive actual results, not estimates, from all sources for all of 2011.

Wanting, Waiting -- For Facebook To Justify My Love

[Editor's Note: Today's blog post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. She has studied what makes some individuals embrace or avoid information technology. (She’s definitely one of the former.) Michelle helps others improve their use of technology in their personal or professional life. Today, Michelle tackles the practice by Facebook to selectively display your friends' status messages.]

By R. Michelle Green

On Facebook (FB), I have 150 friends (like Dunbar, I think more than that is just not manageable, maybe even absurd). That’s above FB’s quoted avg of 130 friends, (likely higher now since I quoted that same stat last December, and anecdotally but obviously, that number differs by age). I embraced some of the early FB tools, like Groups, to manage multiple and disparate friend networks. But Facebook’s tools aren’t cutting it for me. I’m not happy.

FB is a creature by, of and for digital natives – like some huge shark, it’s always moving, changing. As a result, FB can be disorienting, even alienating, for those of us who don’t “live” there, and only occasionally visit. (Who knew one day my tech geek disdain for AOL’s simplicity would become an elder n00b nostalgia for consistency and predictability?...) I feel frustrated at not seeing more from some of my friends, particularly those who, like me, are busy enough that the quick and easy broadcast of an interest or whim is attractive. I believe such friends also tend to visit, rather than inhabit, Facebook. FB (understandably so) caters to its residents far more than its tourists, so I hear a lot from a few, and nothing from many.

With more and more social network choices* available to me, I decided to run an experiment or two. I knew a little about Edge Rank, FB’s way of privileging photos and links over text updates to maximize time on site, so I used a photo for my first test. I asked people to like the post if they saw it. Over three weeks, just 23 of my 150 friends liked, messaged or commented on a beautiful picture of bananas foster. Maybe it’s just the 80/20 rule, where 80% of the outcomes are provided by 20% of the users; 20% of 150 is 30, not too far from my unscientifically identified 23.

I might have stopped there were it not for the unfortunate death of a friend. Within an hour of his death, I posted a status update saying goodbye, sharing it only with the 14 people sub-group on FB who knew him. No one commented, messaged or in any way acknowledged the post. I saw these same people IRL three days later – no one mentioned having seen it. What happened? Was it just a glitch, and somehow the post was never seen? I might once have thought so, but I no longer trusted Facebook. The silence after my friend’s death struck me viscerally, not just intellectually.

I’m enough of a scientist to ask a lot of questions. Was it age? Bananas Foster responders ranged from 15 to 64. Could it be access? If only 15% of my friends responded, maybe 85% aren’t logging on? Not likely, based on Pew Internet Life studies. Two thirds of adult Americans use some social network site; and 96% of them use FB. Of those who are FB users, 83% log on at least once a week; 52% log on daily (FB agrees), and 31% several times a day. And while we’re not Australia or Israel, Americans spend about 6 hours per month logged in. Parse that another way: the average online FB session in the US is 23 minutes and 20 seconds. Surely that’s enough time for a friend to see my post and respond…

Almost exactly a year ago, I warned my FB friends that if they wanted to stay in touch with someone, they shouldn’t rely on FB to do it for them. Satisfaction is the difference between expectations and outcomes; maybe I just want too much from Facebook Nation. I am conducting one more test, posing a question to a specific sub-group of 35 FB friends. My question – can you hear me? And if not, should I follow 6 million other Americans, and leave FB behind?

(*What are those choices, you ask? Google+ or another competitor? And what of FB? Take down everything? Abandon the site, leaving a profile pic with forwarding information? Use HootSuite or TweetDeck to mechanically update my status every other week with “I’m not really here?” Another post, for another day, Gentle Reader. What would you suggest?)

---

© 2011. R. Michelle Green. Reprinted with permission.

FTC Testifies Before Congress About Identity Theft And Fraud Affecting Children

On September 1,the U.S. Federal Trade Commission (FTC) testified before the House Committee on Ways and Means Committee Subcommittee about identity theft and children. At the hearing in in Plano, Texas, Deanya Kueckelhan, Director of the FTC’s Southwest Regional Office, delivered the FTC testimony.

The theft and fraud involving children's Social Security numbers is a growing problem. Identity thieves can access and steal Social Security numbers from children’s records in schools, doctors offices, social services agencies, and other sources. Sometimes, family members who have fallen on hard economic times use the identities of their children to obtain credit they couldn't obtain otherwise. Experts explore the problem recently in the Stolen Futures forum, hosted jointly by the FTC and the Department of Justice’s Office for Victims of Crime.

For adult identity theft, the Bureau of Justice Statistics reported in its National Crime Victimization Survey Supplement that about 11.7 million persons, about 5% of all Americans ages 16 or older, were identity-theft victims during a two-year period ending December 2008. The financial of that theft was $17.3 billion.

For child identity theft, a study by ID Analytics found 142,000 instances of identity fraud each year in the United States where children are the victims. Another study by the Carnegie Mellon CyLab of 40,000 children who had been enrolled in an identity protection service found that 4,311 of those children -- about 10.2 percent -- had loans, property, utility, and other accounts associated with their Social Security numbers.

In her testimony, the FTC's Kuechelhan describe another aspect of the child identity theft:

"... a child’s unused SSN is uniquely valuable to a thief because it typically lacks a previous credit history and can be paired with any name and birth date. In effect, a child’s identity is a blank slate that can be used to obtain goods and services over a long time period because parents typically do not monitor their children’s credit..."

Kuechelhan also described the identity protection problem:

"... fraud alerts, a key tool used by adult victims of identity theft to warn potential creditors of possible identity theft, are premised on the existence of a credit file. Parents ordinarily cannot place a fraud alert on their child’s credit file if the child has no such file. Further, remedies available under federal law such as extended fraud alerts, access to documents underlying the theft, and blocking of erroneous debts typically require a victim to obtain a police report to document the crime... children victimized by parents or guardians are often reluctant to file a police report naming a loved one or a source of financial support as the perpetrator."

Read the FTC testimony (PDF).

What is a parent to do? First, concerned parents should understand the available credit file protection tools: fraud alert, credit-file freeze, and the differences between the two tools. Second, investigate a credit monitoring and identity protection service to cover both parents and children in your family. Several services exist, which I will explore in future blog posts. Shop around because monthly prices and features vary.

Third, teach your children, tweens, and teens about money, credit, the sensitive personal information they must protect, and their responsibility when they become adults to monitor their credit files produced by the major credit-reporting agencies: Equifax, Experian, and TransUnion. You can find plenty of information in this blog.

In my opinion, a broader solution to the problem would be for credit reporting agencies to automatically place a free Security Freeze on the credit reports of all children. This freeze would automatically be lifted (for free) when the child turns 18. Parents could temporarily lift the freeze for children younger than 18 for instances to apply for education loans for that child.

What do you think of child identity theft?

KPMG Survey: A Typical Corporate Fraudster Is...

KPMG recently released its 2011 Who Is A Typical Fraudster? report, describing the profile of a typical corporate fraudster, the impacts and amounts stolen, industries where fraud tends to concentrate, and the conditions which enabled the fraud. The report included 348 events in 69 countries. The fraud events included "white collar" crimes such as:

"... misstatement of financial results, theft of cash and/or other assets, abuses of expenses, and a range of other fraudulent acts."

The report excludes acts of no material value and misconduct.The report does not mention names. The average duration of the fraud was almost three and a half years from the start until its detection. In 74% of the incidents, fraudsters exploited weak internal controls. Companies fail to read and act quickly on the warning signs:

"The number of fraud cases preceded by a red flag rose to 56 percent of cases in 2011, from 45 percent in 2007... Just 6 percent of initial red flags were acted on in the 2011 analysis... Rarely is an act of fraud a one-off... In 2007, 91 percent of fraudsters were repeatedly fraudulent, compared with 96 percent in the 2011 analysis."

The average loss was $1.4 million in Asia Pacific, $1.1 million in the Americas, and $900k in Europe. The report described the following as one of the most interesting cases in the United States:

"At a U.S. financial institution, a larger-than-life chief executive surrounded himself with an inner circle of "yes men." The fraud, which involved subterfuge and complex bundling and unbundling of loans and transactions to make bad loans appear good... The investigation quickly uncovered conflicting stories told by the CEO's inner circle and the people working with the loans and customers. This case illustrates, in particular, how dominant and bullying behavior can coerce others to participate in fraudulent activity."

The corporate fraud includes identity theft. A case from Switzerland:

"Fraudsters attempt to extract money from dormant accounts or they assume the identity of a customer to trick advisers into making payments or transfers. Often this involves the collusion of an external party with an internal ally..."

I also found the consequences interesting:

• Disciplinary action: 40% of cases (54% in the Americas; 23% in Asia Pacific)
• Regulatory, legal enforcement: in 45% of cases
• Civil recovery: 23% of cases
• Resignation/voluntary retirement: 17% of cases (25% in Asia Pacific)
• Out-of-court settlement: 6% of cases
• No action taken: 3% of cases

The profile of a typical corporate fraudster:

• Male (87% were men)
• 36 to 45 years of age (41% were ages 36 to 45; 33% were ages 45 to 55)
• Committed the fraud against his own employer (90% committed the fraud against their employer)
• Works in the finance function or in a finance-related role (32% worked in finance; 26% were CEOs; 25% were in operations/sales)
• Holds a senior management position (29% were in management; 53% were in senior management)
• Employed by the company for more than 10 years (33% employed more than 10 years; 29% employed 3 to 5 years; 26% employed 6 to 10 years)
• Committed the fraud in collusion with another employee (61% acted with others)

The report mentioned this about collusion:

"... male perpetrators (64%) are almost twice as likely to collude than women (33%). After taking account of male dominance in the perpetrator group, collusive females account for just 4 percent of activity. Perpetrator groups are most typically all-male or mixed gender."

KPMG is a tax, auditing, and advisory firm operating in 144 countries. A KPMG auditor caused a data breach in May 2010 when the auditor lost a flash drive containing 4,500 unencrypted patients records.

How Secure Are Today's Smart Phones?

Smart phones are popular. An estimated 55 percent of consumers buy them, up from 34 percent in 2010. For the latest three months ending May 2011, the share of the smart phone market is dominated by Google/Android (38.1%), Apple/iOS (26.6%), RIM (24.7%), Microsoft (5.8%), and others (4.8%). Companies are racing to replace consumers' credit cards and cash with mobile wallets (a/k/a mobile payments) on smart phones.

My wife bought me a smart phone in December as a Christmas present. My Windows Phone is very convenient. The camera, handling of multiple e-mail accounts, ESPN ScoreCenter, Twitter, Ars Technica, and BBC News apps are my favorites. However, I have a love-hate relationship with my smart phone.

The interface is inconsistent across apps. Different apps use different buttons and controls. Some apps automatically collect updates using my data plan, and others let me control the refresh/update. The voice-activated Bing search on my phone is great, but I don't have yet Google/Bing searches integrated with McAfee SiteAdvisor on my smart phone as I do on my laptop.

While browsing various websites with my smart phone, I often see a warning message that my phone uses an obsolete web browser. While browsing Marketplace Hub for new apps to download and install on my smart phone, I have noticed that some apps have privacy policies and many don't. Not good.

When I start to think about poor smart phone data security, apps lacking privacy policies is one example. Apps that lack privacy policies make no promise or commitment to consumers about how that app (and its developer) will protect, use, sell, and/or share consumers' data collected by that app. Nor does the app make any promises about what data it will, or won't, collect and transmit back to the app developer.

I don't install apps that lack a privacy policy.

I have also noticed that several privacy policies apply. There are separate privacy policies from the phone manufacturer (HTC), the operating system developer (Microsoft), the telecommunications provider (AT&T), and each app developer. Simplicity and integration would be a huge benefit. A single, comprehensive privacy policy would be better. The current multitude of policies makes it difficult for consumers to assess how private (and secure) the information on their smart phone really is.

After discussing this with friends, my phone experience doesn't seem much different from other brands: Apple/iOS, and Google/Android.

All of this leads me to wonder how secure smart phones really are. So, I've started to compile a list of smart phone data security statistics. According to Infosec:

"Existing mobile operating systems are under attack... Current research is primarily geared towards securing mobile payments, but there is a lack of coordination between mobile payment developers, device manufacturers, and mobile operating system platform developers. Hackers are taking advantage of the loophole created by this lack of coordination."

The New York Times reported on another measure of smart phone (in)security:

"Phishing is also a growing problem on all smartphone platforms... Mobile users are three times more likely to fall for these scams than PC users, according to statistics on phishing recently gathered by one security company, Trusteer. The company believes that is because mobile devices are activated all the time, and small-screen formatting makes the fraud more difficult to spot. It cautions people not to click on Web links in messages."

In prior blog posts, I have reported about class-action lawsuits against OpenFeint and Apple which included allegations of unauthorized tracking and data collection by apps of consumers' sensitive personal information. That is another measure of smart phone data security (or lack thereof).

Since there are reportedly 200,000+ apps in Apple's App Store, 70,000+ in Android's Market, and 25,000+ apps for Windows phones, I spent some time reading app-related studies.

In October 2010, researchers at Intel Labs, Penn State, and Duke University released results of their study of Google/Android apps. The researchers randomly selected 30 apps from the 358 most popular free apps in Android market, and developed a method called TaintDroid to track what private information was shared. The researchers found:

"In a study of 30 popular applications, TaintDroid revealed that 15 send users' geographic location to remote advertisement servers. The study also found that seven of the 30 applications send a unique phone (hardware) identifier, and, in some cases, the phone number and SIM card serial number to developers."

The researchers also studied notification of consumers, because privacy violations can occur when data is used in unexpected or unauthorized ways. The researchers also found:

"... the install-time permission checks do not indicate to the user how these services and data will be used. There is no way to determine simply from the set of permissions how data will be used, and in some cases misused. Users can also be notified of an application's behavior via a license agreement that is displayed on first use. With one exception, we found the user license agreements in the studied applications, if present at all, do not provide any additional information on how data is used."

In June 2010, SMobile Systems (now Juniper Neworks) released the results of its study about Google/Android apps (PDF):

"... one in every five applications request permissions to access private or sensitive information that an attacker could use for malicious purposes. One out of every twenty applications has the ability to place a call to any number without interaction or authority from the user. More frighteningly, 29 applications were found to request the exact same permissions as applications that are known to be spyware and have been categorized and detected as such by SMobile’s solution. A full eight applications explicitly request a specific permission that would allow the device to brick itself, or render it absolutely unusable. 383 applications were found to have the ability to read or use the authentication credentials from another service or application. Finally, 3% of all of the Market submissions that have been analyzed could allow an application to send unknown premium SMS messages without the user's interaction or authorization."

SMobile concluded (bold emphasis added):

"... the fact remains that there is no means available for a user to know for sure that the app they just downloaded is doing only what the user sees it doing. One must look at the permissions it has requested to determine what the application's true capabilities might be."

These permissions are the actions an app could perform: make a phone call, send an SMS/text, send an e-mail, transmit data, save/edit/delete a file in the smart phone's memory, modify a phone setting, access a smart phone feature (e.g., camera), and so forth.

Another measure of data security has been document by the News Of The World and News Corporation phone-hacking scandal. The Boston Globe explained well the vulnerability from "caller ID spoofing" combined with the lack of voice-mail password access by most mobile carriers:

"... caller ID spoofing, which can make a call appear to be coming from any phone number. Hackers can use it to access someone else’s voice mail messages by fooling the system into thinking the call is coming from the owner’s cellphone... Three of the four major US cellphone carriers - AT&T, T- Mobile, and Sprint - do not require customers who call voice mail on their own phones to use a password to listen to messages, making them vulnerable to malicious spoofers. That is a serious shortcoming..."

Smart phones don't seem nearly as secure as I though before compiling the above list of statistics. There seems to be several ways to assess smart phone data security:

• Consistency of privacy policies across the manufacturers, service providers, and app developers
• Presence of privacy policies across apps
• Compliance rates by app developers with an app store's security policies and guidelines
• Whether app privacy policies disclose both data collected and how that data will be used
• Whether apps collect and transmit data beyond the privacy policy disclosure
• Whether apps perform permissions beyond what the user sees or is stated in the privacy policy
• Whether apps perform actions (e.g., transmit e-mail, SMS/text, or data) without first notifying users and gaining authorization. Some of these actions can produce charges on consumers' monthly mobile bills
• Whether apps collect and transmit data to third parties (e.g., advertisers, manufacturers, affiliates)
• Whether apps that mimick known spyware's features and behaviors are indeed acting as spyware
• Malware installed secretly on consumers' smart phones by phishing attacks via websites, email, text/SMS
• Whether the telecommunications carrier provides a secure access to voice-mail with a password, and builds this into the app on the smart phone

Besides this list of discrete data security measurements, there is an overarching consideration. Today's mobile devices (e.g., smart phone and tablets) are pre-programmed and designed by manufacturers to be always tethered to some telecommunications service, unlike traditional desktop and laptop computers which can be configurred to operate with any of several telecommunications networks chosen by the user. The Observer concluded:

"... we are on the slippery slope towards a much more controlled, less open, internet. If these trends continue, then it won't be all that long before a significant proportion of the world's internet users will access the network, not via freely programmable PCs connected via landline networks, but through tethered, non-programmable information appliances (smartphones) hooked up to tightly controlled and regulated mobile networks... The danger, in other words, is that we move from an internet designed for people to a networked tailored only to the needs of corporations."

It seems to me no accident that mobile the device manufacturers use the term "jail-break" to describe consumers' desire to use mobile devices on the telecommunications network of their choice (and not the manufacturer's choice). My view: the Internet was designed to be flexible for users to explore and to innovate. Otherwise, why bother?

What's your opinion about smart phone data security? What studies have you read?

Smart Phones Still Don't Deliver The Privacy, Data Security, And Trust Consumers Want

Consumers love their smart phones. Over at Column Five Media, there is a really good infographic that displays the problem with today's smart phones. Some of the key statistics highlight the problem:

• When using their smart phones, 99% of consumers consider their privacy as Extremely Important, Very Important, or Important
• 99% of consumers rate knowing what data their smart phone apps collect as Extremely Important, Very Important, or Important
• 99% of consumers rate access to controls about what information is shared as Extremely Important, Very Important, or Important

Yet, trust isn't there yet. Not for any of the brands. The portion of consumers who feel safe with each brand smart phones:

• Apple/iPhone: 28%
• Blackberry: 28%
• Google/Android: 22%
• Windows Mobile: 18%
• All Other brands: 12%

From what I have read, the above statistics include adults as teens give little to no thought, consideration, or priority to privacy. Google/Android users may find the My Data Manager app helpful at tracking what data your apps collect and share. Read the entire Lookout Mobile Security inforgraphic.

FTC Testifies before Congress About Mobile Privacy

With several mobile device tracking, data collection, and app abuse issues emerging recently, it is important to know the position of one of the chief regulatory agencies in the United States. On May 10, Jessica Rich, Deputy Director of the Bureau of Consumer Protection at the U.S. Federal Trade Commission (FTC), testified before the Senate Judiciary Committee Subcommittee for Privacy, Technology and the Law about mobile device privacy.

Rich first cited some CTIA statistics: wireless penetration of 96% in the United States with 27% having smart phones. During 2010, about 62% of marketers used some form of mobile marketing for their brands.

Rich emphasized that the FTC has explored mobile and wireless issues since 2000, and hosted mobile wireless and consumer privacy workshops that explored some of the issues. As additional proof of the FTC's commitment to mobile privacy for consumers, Rich cited FTC actions against:

• Google for allegedly deceiving consumers by using information collected from Gmail users to generate and populate a new social network, Google Buzz, without users’ consent,
• Twitter for serious lapses in the company’s data security that allegedly allowed hackers to hijack accounts and to obtain access to private “tweets” and non- public data,
• Reverb Communications for alleged deceptive mobile gaming endorsements in the iTunes store,
• Philip Flora for using 32 pre-paid cell phones to over 5 million unsolicited text messages to the mobile phones of U.S. consumers.

Based upon several privacy roundtable discussions, the FTC drafted a preliminary report with privacy recommendations:

"First, staff recommends that companies should adopt a "privacy by design" approach by building privacy protections into their everyday business practices... Second, staff recommends that companies should provide simpler and more streamlined privacy choices to consumers. This means that all companies involved in data collection and sharing through mobile devices -- carriers, handset manufacturers, operating system providers, app developers, and advertisers -- should work together to provide these choices and to ensure that they are understandable and accessible on the small screen... Third, the staff proposed a number of measures that companies should take to make their data practices more transparent to consumers, including improving disclosures to consumers..."

All of this was nice a start, but the FTC's position is still weak and is heavily tilted for corporations at consumers' expense. More balance is needed.

As I read the FTC' Richs testimony (PDF), the recommendations are not mandatory but voluntary. And she skipped an important issue: that most or all tracking programs are opt-out based (e.g., where consumers are automatically included), instead of opt-in based (e.g., where consumers are in control and must opt-in or register first before companies can track them).

What do you think?

Ponemon Report: Costs of a Data Breach

Given the massive Sony Playstation Network data breach in April, and the claim by a Marketplace expert that Sony delayed customer notification to lower its post-breach costs, I thought that I would take another look again at the report about breach costs.

Back in March 2011, the Ponemon Institute released findings for breach costs for 2010. There are separate reports for the U.S. and the U.K.. Findings from the U.S. report:

• More organizations respond faster to data breaches. In 2010, 43% notified breach victims within a month, up 7% from 2009.
• Faster response costs more. Organizations that notified breach victims within a month incurred an average cost per-record cost of $268 in 2010, up $49 (22%) from $219 during 2009. Companies that took longer to respond incurred an average cost per record of $174, down $22 (11%) from 2009.
• Malicious or criminal attacks were about a third (31%) of all data breaches.
• Malicious or criminal attacks are more expensive, too, averaging $318 per record during 2010, up $103 (48%) from 2009.
• The average cost per record comprised $74 of direct costs (34%), up 22% from 2009, and $144 of indirect costs (66%). Ponemon found that direct costs have been increasing since 2008 while indirect costs have declined. Direct costs include expenses for organizations to comply with data security regulations (Federal, state, and local), breach detection, and the notification of breach victims and government officials.
• Data breach costs have risen for a fifth consecutive year. The average organizational cost of a data breach was $7.2 million during 2010, up 7% from $6.8 million in 2009.
• The customer churn after a data breach contributed to breach costs, and varied by industry. While the average churn rate across all companies studied was 4%, the highest churn rates were in pharmaceuticals and healthcare (7% each). The industries with the lowest churn rates were the  public sector (less than 1%) and retail (1%).
• Similarly, the average cbreach ost per record varied by industry. In 2010, the industries the highest average per-record costs were communications ($380), financial ($353) and pharmaceutical ($345). The industries with the lowest per-record costs were media ($131), education ($112), and the public sector ($81).

The causes of data breaches and their associated costs:

Breach Type	Frequency 2010	Avg. Cost/Record
First Timer YES	20%	$326
Malicious or criminal attack YES	31%	$318
Third-Party Mistake YES	39%	$302
Quick Response YES	43%	$268
Lost or Stolen Device YES	35%	$258
System Failure YES	27%	$210
Negligence YES	41%	$198
CISO Leadership YES	45%	$193
External Consulting Support YES	37%	$191

The analysis of costs:

Cost Type	2010	2009
Lost Customer Business Due To Churn	39%	40%
Legals Services: Defense	14%	14%
Investigations & Forensics	11%	8%
Audit and Consulting Services	10%	12%
Customer Acquisition Costs	9%	9%
Contact Costs: Inbound	6%	5%
Contact Costs: Outbound	5%	6%
Legal Services: Compliance	2%	2%
Identity Protection Services	2%	2%
Free or Discounted Services	1%	1%
Public Relations / Communications	1%	1%
TOTAL	10%	102%

Based on the above cost analysis, the free or discounted credit monitoring services organizations often provide breach victims (e.g., consumers, employees) is not a major cost component. It suggests that companies could provide longer periods of free credit monitoring and credit restoration services. For example, the State of Texas is offering its breach victims a single year of complimentary credit monitoring.

Ponemon studied breaches for 51 companies. Download the 2010 Ponemon U.S. Cost Of A Data Breach report (PDF format).