
32 posts from November 2007

Debix, LifeLock, and TrustedID

A recent issue of the New York Times discussed three new companies which offer consumers identity protection solutions:

"This week, a young company called Debix, which places automated calls to its customers every time someone opens credit in their name, will announce that it has raised a round of financing from private investors..."

Investors in Debix include Gideon Yu, the former chief financial officer of YouTube and the current chief financial officer of Facebook, and Launny Steffens, a former vice chairman of Merrill Lynch.

"A raft of new companies like Debix, LifeLock, and TrustedID say they can make it easier for consumers to protect themselves — for a monthly fee of about $10."

Time will tell if these companies can deliver the promised value to consumers. In my opinion, the value for consumers is based on a complete solution covering several services:


The McAfee and FBI Webinar About Safe Online Shopping Tips

Are you a safe online shopper? On Wednesday, I attended an online seminar by McAfee (the security company) and the F.B.I. (the U.S. Federal Bureau of Investigation). The online seminar titled, "Shopping Online: How to Minimize Your Risk" included some useful tips for a safe online shopping experience for the holidays.

The F.B.I. representative explained some of their online resources used to hunt and capture identity thieves worldwide. The representative also explained the key identity theft scams and threats:

  1. Unsafe web surfing: includes, "download program from an untrusted Web site; visit a dangerous Web site with an unprotected computer; your computer lacks firewall software; visit a legitimate site taken over by hackers"
  2. Botnets: a "network of computers that have been infected by Trojans or other threats. This allows a hacker to control these 'zombie machines' remotely."
  3. Spam
  4. Phishing... especially "charity phishing"
  5. Holiday greeting cards infected with mal-ware and computer viruses

The McAfee representative explained the 10 best things consumers can do to protect themselves and ensure safe online shopping:

  1. Install comprehensive security software on your home computer
  2. Keep your security software up-to-date
  3. Ensure that the Web sites you shop at are secure (there are several ways to tell)
  4. Install patches for Microsoft and other software on your home computer
  5. Don't go phishing
  6. Don't use the links in an e-mail solicitation. (Instead, enter the company's web site address in your web browser)
  7. If an e-mail solicitation says it's free, then you'll probably pay (by downloading a virus or mal-ware)
  8. Use strong passwords
  9. Avoid spam
  10. Avoid high-risk Web sites

To see if you are a safe online shopper (or not), take this short online quiz. I scored 9 out of 10 correct. For more security tips and information, see the McAfee Security Advice Center. A prior I've Been Mugged post discussed online identity theft quizzes. Or, you can download the McAfee presentation (Adobe PDF; 634 KB).


Doctors May Be Fined For Not Protecting Patients' Data

From the ZDNet U.K. site:

"Doctors who lose confidential patient information should be held accountable for the loss, according to the Information Commissioner's Office. Information commissioner Richard Thomas, giving evidence at a House of Lords Constitution Committee inquiry into data collection and surveillance on Wednesday, proposed that a doctor who is found to be "flouting data-protection principles" should be fined £5,000 by magistrates, or alternatively face an unlimited fine in a Crown Court."

I agree 1,000 percent. Given the problems with identity theft in the healthcare industry, this should be the law here in the USA, too.


Facebook: Beacon Of Light Or Darkness?

Over at the Just an Online Minute blog, Wendy Davis has highlighted some very valid and disturbing web site usability practices at the Facebook.com site. From a November 26 post:

"It’s glaringly obvious that the new program — which alerts people’s friends of their online purchases — violates users’ privacy. And, while Facebook argues that the program poses no threat because users can always opt out of it, it’s now come to light that the opt-out mechanism itself is seriously flawed... That’s because the opt-out mechanism consisted of a small pop-up that vanishes 20 seconds after it appeared. After the window disappears, so does the user’s chance to opt out."

A quickly vanishing opt-out mechanism? That sounds neither right nor acceptable. Reportedly, about 44 companies participate in Facebook's Beacon program. Notables include Fandango, Travelocity, and Zappos. What business wants their name associated with Facebook's foolishness?

If you have followed I've Been Mugged posts, then you know that opt-out mechanisms are a critical tool for consumers. Consumers want and demand control over who has access to their personal information.

Since I don't use Facebook, I have not experienced the problems Davis reported with Facebook. I use LinkedIn, since the professional people I need to stay in contact with use LinkedIn. It's always been clear to me that a sound business rule is to give your customers what they want. Facebook seems to insist on giving users an unwanted feature.

In a November 27 post, Davis responds to Facebook's claim that Facebook has fixed the problem. Perhaps not. The bottom line according to Davis:

"If Facebook wants to implement a real fix here, it will listen to the 25,000-plus users who have joined the MoveOn protest group, “Petition: Facebook, stop invading my privacy!” and stop telling members’ friends about their purchases when there’s any doubt about whether the members want to share that information."


Data Security Gaps At Retail Stores Where You Shop

This past Sunday evening, the 60 Minutes television show presented an excellent segment on identity theft, titled "Hi-Tech Heist." The segment explained the poor data security practices at many of the retail stores and chains we shop at. More importantly, the segment showed how identity thieves steal consumers' credit card (and debit card) data via the retail stores' wireless data connections:

"When you swipe your credit card, your data is often transmitted through a wireless router either to a bank for approval or to the store's main computer. But the signal carrying your information bleeds easily through the walls."

The segment did a good job explaining how identity thieves steal data:

"[60 Minutes Correspondent] Stahl got her first lesson in something called "war driving" from Kris Harms, a computer forensic investigator for Mandiant, a computer security company, who showed her how hackers, outside in a van, can grab the stores' wireless data."

When retail stores use unsecure or poorly protected wireless connections, stealing data is easier than you think:

"We can just pluck it, is what you're saying, right through the wall," Stahl remarked. "Absolutely," Harms replied. All you need, he says, is a regular computer; the software he got for free. Within moments, Stahl and Harms started getting results. "Right now, we're right in front of Best Buy," Stahl remarked. "Right so, Best Buy has a wireless network," Harms explained. The computer identified which stores have wireless signals. Some stores hide their identities, others don't. Besides Best Buy, Staples popped up, and Home Depot -- with its signature color -- wasn't hard to identify either.

What I found most irritating was that the segment reported many retail stores still refuse to invest in effective and current data security methods, while being fully aware of the TJX/TJ Maxx data breach debacle. In an attempt to cut costs and save money, retail companies still install and use obsolete encryption methods for the wireless transmission of your (and my) credit card information:

"WEP was encryption code developed in 1999, just as big chains started going wireless. But within a couple of years, hackers had cracked WEP, rendering it obsolete. If you go on YouTube today, you can learn how to disable it in minutes. Now, there's much better encryption code called WPA. In fact, credit card companies urge retailers to upgrade to WPA. But that's expensive, so many stores resist it even though hackers can tell who hasn't upgraded."

More about TJX / TJ Maxx:

"At the time of its break-in in 2005, TJX did have a security system. The problem was it was the outdated encryption code WEP. "Was TJX aware that they were using a system that was pretty much useless? Did they know that?" Stahl asks Jennifer Stoddart...  TJX did know, but in a letter told 60 Minutes - in their defense, that they believe 'our security was comparable to many major retailers.' "

So, the retail chain with the largest data breach in USA history admits that its wireless security was no better (or worse) than other retailers'! That's pretty damning evidence about the retail industry, which seems more interested in making money than in providing secure transactions for consumers.

To me, this is a clear reminder that you should never use a debit card at a retail store. It's best to shop with cash until retailers improve their data security. If you haven't seen this 60 Minutes show, you can watch the 60 Minutes video online.


What Data Is Apple Collecting About Its iPhone Users?

At the ZDNet Apple Core blog, Jason O'Grady reported the following:

"Uneasy Silence is reporting that Apple is collecting data on iPhone customers as they use their popular weather and stock applications on the device. According to the report Apple is sending data about the information requested to a special tracking server..."

Jason's post describes details about the data collection. The question is: is Apple tracking general application data (e.g., which applications you use on your iPhone), or is Apple tracking personally identifiable information (e.g., the specific data you submit or retrieve)? One of the readers summed up the situation well in this comment:

"It's really a dual-edged sword, isn't it??? I mean, like most everyone else, I don't really like the idea that Microsoft, or Apple, or my cable company, or my credit card company, or whoever else is collecting and compiling data about every single thing I do in my life they can possibly track... It IS, invasive, intrusive, and quite possibly abusive, or prone to abuse -- particularly if people with criminal intent get hold of the WRONG data..."

Yes. Nobody wants irrelevant ads or content forced upon them, online or on television. So, many of us provide some personally identifiable information at Web sites so that we see (in theory) only the content and ads that are relevant to our needs and interests.

Criminal intent is key. One example is a corporate data breach. This is why I started writing the I've Been Mugged blog about identity theft, data breaches, and corporate responsibility. There is an explicit agreement between the consumer and the company: when the user shares, submits, or retrieves personally identifiable data, the company will protect this sensitive data with effective and current data security measures.

Companies shouldn't get a free pass on this responsibility. And when a company violates this agreement, it needs to be held accountable and suffer the consequences.


Nothing But Silence From Choicepoint

During the past few months, the three national credit bureaus announced new options for consumers to lock down or "freeze" their credit reports. This new option provides far stronger protections for consumers against identity theft, compared to the older Fraud Alert option.

Anyway, I was wondering when Choicepoint, the dominant provider of C.L.U.E. insurance reports through its Choicetrust site, would offer a similar nationwide Security Freeze option for its insurance reports. According to the Choicetrust site, the Security Freeze option for insurance reports is available in 12 states: Colorado, Delaware, Illinois, Maine, Massachusetts, Montana, Nevada, New Hampshire, New Jersey, North Carolina, Tennessee, and the District of Columbia.

I sent my first letter in September 2007. No answer. I sent a second letter last week. Still no answer.

My letter to Choicepoint:

"Hello. I am an independent journalist and I am also a customer of your C.L.U.E. reports. As you probably know, TransUnion and Equifax have announced a nationwide credit report freeze service available in October. They are not waiting for legislation in additional states. When will Choice Trust offer a similar, nationwide freeze service? As the dominant provider of C.L.U.E. reports, this is an opportunity for you to take a leadership position. I look forward to your reply."

I spent good money ordering my two insurance reports (e.g., auto and homeowners property) from Choicetrust. It does not seem to be good customer relations to ignore a customer.

While the Choicetrust site does provide the Security Freeze option for my state (Massachusetts), the site does not explain why for my state I can freeze my Employment and Tenant reports but not my C.L.U.E. insurance reports.

Moreover, identity thieves are not stupid. They will take the path of least resistance to steal consumers' sensitive data. If consumers' credit reports are locked down, of course they will try to access insurance and medical reports. So, it seems wise (for both Choicepoint and consumers) for the Choicetrust site to offer a nationwide Security Freeze option.

What do you think? If you have written to Choicepoint, share your letter and the response you've received from Choicepoint. I've Been Mugged readers want to know.


Wildfire Victims Targeted By Identity Thieves

As if the wildfire victims didn't have enough bad news. The Redlands Daily Facts reported:

"Redlands fraud investigators are warning of an increased risk of identity theft targeting victims of the recent wildfires. Following the Old Fire in 2003, Redlands police saw an increase in identity theft among those who had homes damaged or destroyed in the fires and those who were evacuated from their homes... looters often sift through damaged property or homes under evacuation orders, making off with bank and credit card statements, tax documents, and other financial information. The information is then used or sold to others to access victims' accounts or rack up thousands of dollars in debt charged to the victim."

According to the Earth Times on November 13, 2007:

"TrustedID, a leading provider of proactive identity theft protection solutions, today announced it will offer free identity theft protection services to families affected by the California wildfires to prevent identity theft while they recover and rebuild. During the month of November, residents can call TrustedID's special hotline to receive three months of free coverage under TrustedID's IDFreeze service, which offers the strongest proactive identity theft protection available today for families."

According to a news release at PR-USA:

"... AxcessPoints is offering a free year of service for its secure, online repository through Nov. 30, 2007. AxcessPoints is $9.95 per month. AxcessPoints, a highly secure online planning resource for organizing and retrieving critical personal, medical and financial information, said disaster victims often suffer a second tragedy following a catastrophe by failing to have key financial records and other critical data readily available to work with insurance companies, banks, utilities and other service providers."

Note: the I've Been Mugged blog does not endorse the above services. I do not have a business relationship with either company. Like any other services, consumers should research the company, its services, and shop around to compare services before making a purchase decision.


When Heads Must Roll (UK Data Breach)

Last week, BBC News reported:

"Two computer discs holding the personal details of all families in the UK with a child under 16 have gone missing. The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people."

Yes, you read that correctly. Not some families, but all families with children under 16. The missing (probably stolen) data covers sensitive details about 7.25 million families. The disks were lost during transport from HM Revenue and Customs (HMRC) to the National Audit Office (NAO). According to the New York Times:

"... the disks lost in Britain contained detailed personal information on 40 percent of the population: in addition to the bank account numbers, there were names, addresses and national insurance numbers, the British equivalent of Social Security numbers. They also held data on almost every child under 16."

While this data breach was not as big as the TJX/TJ Maxx breach, it was still a catastrophic data security lapse. The delivery package was not recorded nor registered. The data was password protected but not encrypted. The timeline reported by the BBC:

"The data was sent on 18 October and senior management at HMRC were told it was missing on 8 November and the chancellor on 10 November. Mr Darling said banks were adamant that they wanted as much time to prepare for his announcement as possible."

It would seem that both companies and government agencies in the United Kingdom are slow to inform their identity theft victims, just like in the United States. Gil Sever, the CEO of Safend, described clearly the HMRC data breach:

"This is a glaring and unfortunate example of what happens when organizational policy is not followed and enforced and adequate technological safeguards are not utilized...HMRC's data security issue was twofold: first the information was stored on a vulnerable medium with inadequate protection. Secondly, there was no monitoring procedure to track or record where the data was going or how it was being accessed."

Gee, that sounds a lot like IBM's data breach. Appropriately enough, heads began to roll at the HMRC:

"HMRC chairman Paul Gray resigned earlier after the latest incident came to light."

To my knowledge, nobody at IBM lost their job after IBM's data breach. Not even the delivery vendor that lost IBM's data tapes was fired. Where's the accountability? The consequences?


Going Paperless With My Bank

Like most people, I have had a bank account for years... decades. The monthly arrival of my paper bank statement was a familiar and reassuring record of how much money I'd saved. Last week, I switched to paperless bank statements.

Nothing bad has happened with my bank accounts, even though IBM's data breach in February of 2007 exposed my personal data. My switch to paperless statements was about heeding the advice from a prior post. What changed was my attitude about snail-mail. The benefits of going paperless:

The switch to paperless statements was relatively easy. The hardest part: I first had to call my bank to update my password since I had forgotten it. The easy part: I logged into my online account and checked the necessary option to switch to online-only statements, and then set up several e-mail alerts.

Alerts are a valuable tool to protect yourself against fraud and identity theft. If a fraudulent charge appears on my bank account, I want to know about it as soon as possible; not wait 30 days for a paper statement to arrive. My bank provides several alert options. I set up alerts to notify me about specific types of account transactions and deductions greater than a certain dollar amount, which I specified.

When I was done, I felt really good. I could check off another positive step on my list to protect myself and my identity. If your bank (and credit card issuer) doesn't provide you with options for paperless statements and a variety of alerts (e.g., e-mail, cellphone), then I suggest you consider switching to another bank.

Last, I'd like to wish you a happy and safe Thanksgiving Holiday and weekend. I will resume posts on Monday after the long holiday weekend.


Attempts To Stop Medical Identity Theft

From the North Carolina News & Observer:

"About six months ago, Family Medical Associates of Raleigh started taking photos of its patients to add to its permanent electronic file. That way, when someone comes in for an appointment, the administrator can quickly pull up the medical records and confirm that the person seeking treatment is indeed the correct patient, said Janet Spangler, administrator for the practice."

Medical identity theft is a problem needing more discussion:

Medical identity theft occurs when someone uses another person's personal information to get medical services or prescriptions or collect money from medical claims.

Most of the attention on identity theft so far has focused on financial fraud: opening credit or getting loans in another person's name; using another person's credit card number; and stealing from another person's financial accounts.

From an MSNBC news article, why consumers should check the accuracy of their medical files:

"...if an identity thief presents himself at the hospital in your name and is identified as having a different blood type, that blood type ends up registered in your medical history, with potentially disastrous consequences if you end up in a serious accident. Or suppose you apply for a new job. Even if you’re fit as a fiddle, you could still fail a pre-employment medical screening or be rejected for company-provided health insurance because of the inaccurate presence of an ailment in your medical history that you don’t have."

The same MSNBC article reports medical identity theft as a growing problem:

"In a report last year, the World Privacy Forum found that the number of Americans identifying themselves in government documents as victims of medical identity theft had nearly tripled in just four years, to more than a quarter-million in 2005. Motives for medical identity theft can vary. Some thieves, as in these cases, are seeking controlled medications. Others are seeking federal money."


Chase Harasses A Credit Card Fraud Victim

This post at the Consumerist blog is a worthwhile read. Brandon's story highlights how a company can harass an identity theft victim instead of working with the victim to resolve the fraud. Brandon's story:

"In January 2007, I was traveling in Mexico and was mugged, having my wallet and passport stolen. By the time I got back to the hotel and began calling my credit card companies to cancel, the criminal had charged close to $3,000 on my CHASE Circuit City Visa card. I explained to CHASE that the charges were fraud, and they sent me a fraudulent charge affidavit to complete and have notarized. As I couldn't take care of this until I returned from my trip, and had more important things like a passport to worry about, I waited a few weeks before completing the paperwork and during those weeks received about 2 calls a day from CHASE urging me to send the documents."

According to the post, Brandon did a lot of things correctly. He completed the necessary documents and communicated with Chase in writing. The post includes a copy of Brandon's correspondence. But Chase continued to harass him for payment.

The best advice (from the Consumerist) is at the end of the post:

"You called and reported the fraud the day of, and yet they're still trying to collect. Under federal law, you have no responsibility for unauthorized charges after reporting loss or theft of a credit card. That you waited a few weeks to send in the papers doesn't matter. Worst case scenario, your maximum liability is $50. Have you sent them a "drop-dead" letter? Or a letter of dispute? Include the information in the preceding paragraph in your letter. You could also try kicking it up to Chase executive customer service: 1-888-622-7547 - extension 4350 or 847-488-6833, or 888-622-7547 x 6833."


Dilbert Promoted To The Boss

For years, Scott Adams has made fun of bosses in his Dilbert comic strip. Now, the tables have turned and Mr. Adams is the boss. What company was Adams promoted at? The details are available in a New York Times article. Or you can read the My Pointed Haired Ways post at the Dilbert blog.

To celebrate Adams' promotion, I thought it appropriate to share some of Dilbert's advice about corporate data security -- which probably applies also to many companies' data breach notification plans:

Dilbert on Data Security


The Tangled Web of Data Breach Notification Laws

I recently read this in a post by Mark Tordoff at the Compliance and Security Connection blog:

"The issue is the variation between the different state consumer notification laws. Of the 38 states who currently have a law on the books, 18 require notification of any breach, while 20 require notification only when risk of harm is present. All 38 provide exemptions if the compromised data was encrypted. Finally, 24 states require that, in addition to the affected consumers, certain government officers or agencies must be included in their notification."

"Another variable is when the consumer must be notified. “Some states require that consumers be notified when their information is lost. Other states will allow the breached entity to perform some analysis to determine the degree of risk to consumers,” says Jorge Rey, information security and audit manager at independent accounting firm Kaufman Rossin Co. in Miami."

A good statement of the situation, but a narrow definition of the problem.

The problem is more extensive. As a nation we seem to be in our infancy regarding data breach notification and identity theft. A year ago, far fewer states had any type of identity theft laws. Before California in 2003, there were none. We still don't have a good profile of the typical identity thief. We still don't have a good profile of the number of companies that employ effective data security processes. (See the TJX debacle.)

Even with the above laws, some states have exceptions where the company is not required to notify identity-theft victims of its data breach. In Massachusetts' new identity theft law, there is one notification exception called "Substitute notification." If notification is too expensive for a company, they can opt for a more general notification approach (e.g., print or online ads) instead of notifying each identity theft victim individually via postal mail.

While a federal breach notification law seems tempting, I don't see it as an effective solution. Too many companies have business units in other countries or employ offshore outsourcing subcontractors -- methods to avoid the laws. Some companies (like IBM) archive employee and former employee data forever -- increasing the risks to the company and to its former employees. And the existing notification laws don't seem to cover the full scope of companies that trade consumers' sensitive personal data, like C.L.U.E. insurance reports from Choicepoint.


How Secure Is Your Bank?

Last week, Javelin Strategy & Research announced the results of their 2007 Banking Identity Safety Scorecard. The report studied identity fraud prevention, detection and resolution for the top 25 banks in the USA. According to the report:

"This year, financial institutions showed strength in resolution practices, but vulnerability in prevention and detection. Javelin analysts recommend that banks provide more account monitoring tools to its customers and empower them to “watch and catch” identity fraud earlier."

Selected ratings for some banks (100 points total possible score):

  • Bank of America -- 78 points
  • (Tie) JP Morgan Chase, Washington Mutual and Wells Fargo -- 70 points
  • Citibank -- 69 points

According to the report:

"... the average financial institution met 77% of the recommended resolution criteria, but showed slower progress in detection and prevention measures. In the 2007 Scorecard, the average bank achieved only 44% of Javelin’s recommended prevention standards and 51% of the detection criteria."

The report included 5 recommendations for consumers:

  1. "Enroll in mobile and email account alerts."
  2. "Turn off paper statements."
  3. "Stay alert for phishing scams."
  4. "Frequently monitor accounts."
  5. "Don't use your full social security number."

That's definitely good advice.


Fines For "Do Not Call" Violators

At his Red Tape Chronicles blog, Bob Sullivan has written an excellent post about recent corporate fines for telemarketers who have violated the Do Not Call phone rules:

"Craftmatic and three of its subsidiaries agreed to pay $4.4 million -- the second largest Do Not Call penalty ever -- to settle various FTC telemarketing-related charges. The agency alleged that Craftmatic obtained consumers’ phone numbers through sweepstakes entries, then placed tens of thousands of calls to entrants who were on the Do Not Call list. Because the sweepstakes form did not expressly seek their assent to receive telemarketing calls, the calls violated federal regulations..."

"ADT agreed to pay slightly more than $2 million to settle charges that two of its authorized dealers -- Alarm King and Direct Security Services -- placed telemarketing calls to consumers on the list. While ADT did not place the calls, the FTC held it responsible for the marketing tactics of its affiliates."

"Ameriquest was fined $1 million after the FTC found the firm had purchased consumers' phone numbers from "lead generation" companies. Consumers had been enticed to provide their phone numbers and other personal information to Web sites offering various financial products. Because the consumers had not expressly given Ameriquest permission to call them, the calls were a Do Not Call violation, the FTC said."

I am sure that some of you are wondering how this relates to identity theft. I say plenty.

How companies comply (or don't) with federal regulations regarding telemarketing is related to how these companies respect (or don't) consumers' private information and requests not to receive telemarketing calls. It is related to whether (or not) these companies employ effective data security processes to protect consumers' sensitive information. This is the first step in holding companies responsible. It's also an important step to restoring balance to the tilted playing field where companies make money selling consumers' personal information while consumers bear the post-breach burden.

Want to learn more? Click on any of the above links and definitely read opt-out resources for consumers.


Unfortunately, Your Average Joe's Data Breach (Part 2)

Over at his Mostly Harmless blog, Dave Owczarwk provides a good summary of the restaurant chain's data breach, plus a solution for consumers who want to continue eating at the restaurant:

"Anyway, this is a tough break for Joe's, but what is the consumer to do? My recommendation, if you like the place, is to continue to patronize it and just use cash."

That's good advice I recommend for any other retail store where consumers want to shop but are worried about the security of their credit card information. Definitely don't use your debit card! Read this post on why credit is better than debit.


Thought Crime Bill Video

[Editorial note:] While this post does not discuss identity theft, I consider its subject critical to a functioning and healthy democracy. The topic is worthy of at least one off-topic post.

In her Time Goes By blog, Ronnie Bennett wrote an excellent post about the Violent Radicalization and Homegrown Terrorism and Prevention Act of 2007. You haven't heard about this bill working its way through the U.S. Congress? Most people haven't, as the traditional news media have done a lousy job. Ronnie wrote:

"Designated H.R.1955 and titled the Violent Radicalization and Homegrown Terrorism and Prevention Act of 2007, it is an amendment to the Homeland Security Act of 2002. The bill was sponsored by Rep. Jane Harman [Dem-CA] and overwhelmingly approved by the House on 23 October by a 404 to 6 vote. Some people have called this the “thought crime bill”... This is the first terrorism-related legislation that specifically targets U.S. citizens and the vagueness of the wording is a dangerous threat to the First Amendment and to each of us in ways that have not been attempted before in the United States."

Watch the video:

Whatever your opinion on the subject, I hope that you will write or call your U.S. Senator.


Pass The (Password) Salt, Please

The Working Assets data breach reminded me of one frustration computer users experience: how to securely manage the sign-in information (e.g., ID and password pairs) for all of the Web sites and databases we access. The company's breach notification included this about its stolen sign-in information:

There is potential for misuse of this information however, should you use the same email address and password on other personal accounts, whether Working Assets products, banking, PayPal, Amazon, etc. Convio would like to advise you of important steps that you can and should take to prevent misuse of your personal information:

- If this email address and password are used together on any other accounts, it is recommended that you change your password on those accounts and sites immediately. We recognize that this is an enormous inconvenience, but this step will minimize your security risk.

Managing sign-in information for several web sites is a chore. Experts advise us not to use the same sign-in information at multiple web sites. The obvious reason: an identity thief can use your sign-in information for one site to easily access and steal at the other sites you use... and quickly drain your financial accounts. So, varying your sign-in information for each site makes sense.

Experts also advise us not to write down our sign-in information on paper. The obvious reason: once a thief gets your printed information, they have access to all of your accounts. Plus, the thief can copy your printed list and you may never know it was stolen.

So, what's a computer user to do? Writing it down is risky and memorizing it is impossible.

If I had the answer to this dilemma I'd patent it, sell the answer, get wealthy, and retire to my own private island in the Caribbean. But, there doesn't seem to be a silver bullet for this dilemma. Some people suggest password salting, but that solution is not 100% secure either. To learn more, try DailyKos or Digg.

Some suggest password manager software. To me that seems even less secure and foolhardy. If somebody steals your computer (and laptops are very vulnerable), they have all of your passwords. Plus, you won't even know the passwords to your accounts since the password manager stored that information. That's like storing telephone numbers in your cellphone. After a while, you don't remember the phone numbers of the people you call frequently. For these reasons, I do not use the password manager features in my web browsers.

Others suggest a combination of password salting and password manager software. To me, that still doesn't solve the problem if your laptop gets stolen. The dilemma is worse if you consider password rotation... how often Web sites require you to change their sign-in information. Since different Web sites require users to change their passwords at different intervals (e.g., some every 30 days, others every 90 days, and others never), whatever solution you choose must be flexible enough to accommodate password rotation.
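The "salting" the notification above hints at is something a Web site does when it stores your password, not something the user does. This added Python example (not code from the post, from Working Assets or from Convio) shows the difference: two constructed accounts at two sites share the same password, an unsalted store reveals that fact immediately, while a per-account random salt with PBKDF2 does not. It also shows why salting alone does not rescue a user who reuses a password: the plaintext the thief obtains from one site still opens the other.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; tune for your hardware).
ITERATIONS = 200_000


@dataclass(frozen=True)
class StoredCredential:
    """What a site keeps on disk instead of the plaintext password."""
    salt: bytes
    digest: bytes
    iterations: int


def unsalted_hash(password: str) -> str:
    """The weak 'before': identical passwords produce identical records,
    so a thief holding two dumps can spot reuse without cracking anything."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> StoredCredential:
    """Salted, slow hash: a fresh 16-byte random salt per account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return StoredCredential(salt, digest, iterations)


def verify_password(password: str, stored: StoredCredential) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    stored.salt, stored.iterations)
    return hmac.compare_digest(candidate, stored.digest)


def demo() -> dict:
    """Constructed scenario: the same user reuses one password at two sites."""
    reused_password = "correct-horse-battery"  # constructed sample value

    # Site A (unsalted) and site B (unsalted): records are identical.
    unsalted_a = unsalted_hash(reused_password)
    unsalted_b = unsalted_hash(reused_password)

    # Site A and site B done properly: different salts, different records.
    salted_a = hash_password(reused_password)
    salted_b = hash_password(reused_password)

    # A thief who learns the plaintext from site A (say, by cracking or from a
    # phishing page) still logs in at site B; salting cannot prevent reuse.
    thief_logs_in_at_b = verify_password(reused_password, salted_b)

    # After the user follows the notification's advice and changes site B's
    # password, the stolen plaintext no longer works there.
    salted_b_rotated = hash_password("a-new-unique-passphrase")  # constructed
    thief_after_rotation = verify_password(reused_password, salted_b_rotated)

    return {
        "unsalted_records_match": unsalted_a == unsalted_b,
        "salted_records_match": salted_a.digest == salted_b.digest,
        "salts_differ": salted_a.salt != salted_b.salt,
        "thief_reuses_plaintext": thief_logs_in_at_b,
        "thief_after_rotation": thief_after_rotation,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```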

If you have any solutions to this sign-in information security dilemma, I've Been Mugged readers want to hear your suggestions.