Previous month:
April 2008
Next month:
June 2008

20 posts from May 2008

Are Your Financial Accounts Insured?

You've taken several steps to protect yourself and your sensitive personal data against identity theft and identity fraud. It's time to do the same for your money. While we all have money in deposit accounts insured by the FDIC, this Bankrate article highlights the point that just because your money is in an FDIC-insured account doesn't mean it is really insured:

"Well, you're safe if your account has $100,000 or less, or $250,000 in the case of retirement accounts. The Federal Deposit Insurance Corporation insures deposits up to $100,000, or $250,000 for retirement accounts, at most banks and savings associations. Credit Union deposits are covered by the National Credit Union Administration."

This is the analysis you should do to properly structure your bank accounts so all of your mony is insured:

"But you've got a problem if your deposits in non-retirement accounts add up to more than $100,000, and that happens more often than you might think. Remember that savings, checking and certificates of deposit, and the interest on those deposits, all count toward that $100,000. If your bank goes under and your accounts aren't properly structured, you could lose anything in excess of $100,000."

No matter what advice your bank gives you, it is the consumer's responsibility to properly structure your bank accounts. This includes accounts that may be in trust for a child or family member.

"Jim McLaughlin, director of regulatory affairs at the American Bankers Association, says bank personnel who open accounts should know how to structure them for insurance, but you shouldn't even think about asking a teller."

According to laughlin, bank tellers aren't trained to provide the financial advice you need. You've worked hard for your money. You don't want to lose any of it.


ID-Protection Ads Return To Bite Pitchman (Lifelock)

The Associated Press reported on May 23:

Todd Davis has dared criminals for two years to try stealing his identity: Ads for his fraud-prevention company, LifeLock, even offer his Social Security number next to his smiling mug. Now, Lifelock customers in Maryland, New Jersey and West Virginia are suing Davis, claiming his service didn't work as promised and he knew it wouldn't, because the service had failed even him.

Why are these consumers suing Lifelock? Simply:

Davis acknowledged in an interview with The Associated Press that his stunt has led to at least 87 instances in which people have tried to steal his identity, and one succeeded: a guy in Texas who duped an online payday loan operation last year into giving him $500 using Davis' Social Security number. Paris said the fact Davis' records were compromised at all supports the claim that Tempe, Ariz.-based LifeLock doesn't provide the comprehensive protection its advertisements say it does.

This is not just a case of the media bashing Lifelock. The trustworthy Consumer Reports publication reviewed Lifelock in April and came to the same conclusion, and casted severe doubts on the million-dollar guarantee Lifelock offers. Plus, Lifelock won't protect you against medical identity theft, identity fraud during the commission of a crime, or identity fraud outside of the USA. And I seriously doubt that Lifelock can protect consumers again income tax identity fraud.

In my opinion, Lifelock is no help. What the company offers, I've already done on my own -- for free. I placed Fraud Alerts on my credit reports, and later renewed them. I have already opted out of pre-approved credit offers and telemarketing lists -- again, for free. I've also placed a Security Freeze on my credit reports.

To be fair, some consumers who are novices at identity theft may find Lifelock beneficial. Then again, novices will find almost all credit monitoring services helpful.


Safe Credit Card Shopping Habits And Poor AirTran Credit Card Verification

This story highlights two important items:

  1. Consumers should use safe credit card shopping habits
  2. Retailers should correctly perform credit card verification

While drinking and dining one evening in April a coworker, Paula (her real has been withheld by request) lost her credit card. Like we all do, Paula gave her credit card to the waitress to pay for her restaurant bill. The waitress returned later with the card and receipt, which Paula signed. Paula placed the charge card back into her purse.

A few days passed and Paula used the credit card to purchase online an airline ticket on AirTran for travel between Boston and Florida. Some more time passed. Then, Paula noticed that the credit card in her purse that she had used wasn’t hers.

The credit card looked like her card. It had the same bank, same card design, and colors, but the name and number were different. Apparently, the waitress had accidentally swapped Paula’s credit card with somebody else’s card. That can easily happen in the dim lighting at a bar or restaurant.

Paula contacted her bank to check for any fraudulent charges and to close her old credit card account. Her bank was helpful: it closed the old credit card account, opened a new credit card account, and issued her a new credit card. Note: good customer service by the credit card issuer.

There was the issue of the outstanding airline ticket. Paula contacted AirTran customer service since she had accidentally used somebody else’s credit card to pay for her ticket. The customer service rep said that there wasn’t anything AirTran could do. Paula asked the airline to transfer the charge to her new credit card since she had paid accidentally with somebody else’s credit card. Note: poor customer service by AirTran.

Fortunately, Paula contacted her bank and it transferred the airline ticket charge from the other person’s credit card to her new credit card. However, AirTran didn’t perform adequate credit card verification when it processed Paula’s online ticket purchase. Why? AirTran didn’t follow its own online policy.

According to the AirTran Booking Overview:

“AirTran Airways accepts the following credit cards: American Express, Diners Club, Discover, MasterCard, UATP Card, and Visa. Enter and verify your credit card information, with the name appearing exactly as it appears on the credit card. Enter the security number that appears on your credit card. For MasterCard, Visa and Discover, the 3-digit security number appears on the signature strip on the back of the card. For American Express, the 4-digit security number appears on the front above the embossed account number. Enter and verify the billing address for the credit card you will be using. For your own security as well as ours, we perform address verification on all credit cards. Please ensure your billing address is entered correctly.”

Given this, AIrTran seems more interested in the revenue than accurate credit card verification. It makes any consumer wonder how secure AirTran’s web site is.

So, what should a consumer do? Here’s a brief list of what I’ve learned when shopping at brick-and-mortar stores with your credit card:

  • Don’t let your credit card out of your sight
  • If you do let your credit card out of your sight, when the waitress returns check it closely for your name on the front and for your signature on the back
  • If the cashier or waitress gives you somebody else’s credit card, don’t pay the bill until you get your credit card
  • It still safer to use a credit card and not a debit card

For safe online shopping advice for your credit card, read this fact sheet from the Identity theft Resource Center.

[Editor's note: this post originally ran on May21, 2008 but due to a technical glich with the new Typepad post composition software it was accidentally deleted.]


Bank of New York Mellon Data Breach Affects At Least 4.5 Million Consumers

Last week, several news media reported a data breach at Bank of New York Mellon Corporation. According to  a May 21, 2008 Reuters news report:

Bank of New York Mellon Corp lost the Social Security numbers and other information of about 4.5 million customers when a box of data storage tapes went missing in February... The computer storage tapes were unencrypted, containing sensitive information of 4.5 million consumers... Bank of New York Mellon, one of the world's largest asset managers, said an archiving vendor lost the tapes containing information from its Shareowner Services unit.

Gee, how dumb. Unencrypted data storage tapes. Also, this incident erily sounds just like the February 2007 data breach at IBM where a vendor lost the company's backup data tapes. IBM never disclosed how many employee, former employee, retiree, and contractor files were lost/stolen. At least BNY was honest enough to admit the number of files lost/stolen. However, the company still tries to deflect and avoid responsibility. First, BNY refuses to publish a data breach notice on its press releases page. Second:

"Shareowner Services has no evidence suggesting that any of the data has been inappropriately accessed or used. Communications with affected clients and shareowners include that assurance," BNY Mellon said in a statement.

What? I guess that the lost/stolen data tapes aren't enough evidence for BNY. How stubborn can company executives be about data security? Apparently, very stubborn. According to a May 23 Reuters news report:

"Connecticut authorities widened a probe on Friday into a security breach at Bank of New York Mellon Corp... Governor Jodi Rell said she had directed the state to issue two more subpoenas, one each to Webster Bank and Wachovia Corp. Bank of New York Mellon and People's United Bank of Bridgeport were issued subpoenas seeking evidence on Thursday."

Governor Rell was rightly concerned about the unacceptable delay between the data breach and the notification of affected consumers. Consumers should be concerned too because of the delay in notification, the data tapes were unencrypted, and account-holders at other Connecticut and New England banks were affected:

Connecticut Attorney General Richard Blumenthal said on Wednesday that customers of People's United Bank of Bridgeport and possibly other banks were affected, calling the loss of the storage tapes "highly dangerous" and "possibly devastating".

Dangerous and devastating indeed. The bank should provide the ID-theft victims with at least ten (10) years of free credit monitoring and credit resolutions services. Plus, bank executives should serve jail time since they treated data security in such a lax manner.


Securing Your Web Browser

You've done a lot of good work to protect your identity and sensitive data. You've updated the anti-virus software on your computer. When logging into web sites, you use well-constructed passwords. What about your web browser? How secure is it?

The ZDNet site has a couple tutorials you can use to make your web browser more secure:

The tutorials are fairly easy and take about 20 minutes each, and they are for intermediate-level computer users. I have used them and I am pretty happy with the results. After modifying my IE browser, I was surprised to see how many companies' web sites include requests by co-marketing partners to save information to the user's cookies.txt file. These co-marketing partner sites include both companies that  are advertising partners to the web site you are visiting, and vendors who help the site track your usage. This is a situation that can easily get abused by less than honorable companies.

Remember, the security settings for your browser(s) may vary from the tutorials, given your web surfing habits and work requirements.


Secure 'Thumb Drives' To Keep Your Personal Data Safe

I love the convenience of flash drives (or 'thumb drives' as many refer to them). I use a SanDisk flash drive to back-up and store data (e.g., photos, data files) in case my laptop is stolen or crashes. And for a remote back-up solution, a flash drive easily fits into a bank safety deposit box. However, my current flash drive has very few data security features.

To better protect users' sensitive personal data, InformationWeek magazine advises users to consider the latest flash drives which offer security options:

"What can be done to ensure that enterprise data remains safe even if a drive is lost? USB-drive vendors offer a wide range of "secure" devices, addressing the demand for a more secure sneakernet. Here are a few things to look for:

    • Authentication
    • Encryption
    • Road-worthiness"

The article lists twelve flash drives with storage capacity ranging from 1 to 8 GBytes:

  1. Kingston DataTraveler Elite Privacy
  2. Kanguru Bio AES
  3. Transcend JetFlash 220
  4. SanDisk Cruzer Enterprise
  5. Lexar SAFE PSD S1100
  6. Lexar JumpDrive Secure II Plus
  7. EDGE Tech DiskGO Secure Flash Drive Enhanced for ReadyBoost
  8. ACP-EP Memory USB 2.0 Privacy Flash Drive
  9. Imation Pivot Plus
  10. IronKey Enterprise Special Edition
  11. Corsair Flash Padlock
  12. Roll-Your-Own Encryption

See the article for specifications, features, and pricing for each product. When I buy my next flash drive, I'll look for one of these secure flash drive products.


Verification Messages to Both New & Old E-Mail Addresses (Part Two)

One goal for this blog has been to highlight effective practices by companies to protect consumers' sensitive personal data. Recently, I changed several items in my Amazon.com profile. Amazon did an excellent job of alerting me at both my new and old e-mail addresses.

Amazon sent the following message to my old e-mail address:

"From: Amazon Account Update
Sent: Sunday, May 11, 2008 3:41 PM
To: George Jenkins
Subject: Revision to Your Amazon.com Account

Thanks for visiting Amazon.com! Per your request:
The e-mail address associated with your account has been changed. The old address was [email protected]. The new address is [email protected] .

You have successfully changed your password.

IMPORTANT: If you did not request this change, or if this request appears to have been made by an unauthorized person, please simply reply to this email. DO NOT include any personal or account information in your reply. Visit Your Account at Amazon.com to view your orders, make changes to any order that hasn't yet entered the shipping process, update your subscriptions, and much more.

Should you need to contact us for any reason, please know that we can give out order information only to the name and e-mail address associated with your account.

Thanks again for shopping with us.

IMPORTANT - Safe Shopping Tips

  • Amazon.com will never e-mail or call a customer and ask that they disclose or verify their Amazon.com password, credit card, or bank account number. Do not respond to e-mails that ask for personal information.
  • Always pay for Marketplace items through the Amazon.com Shopping Basket or 1-Click which are the only authorized and recognized form of payment on the Amazon.com website. Amazon Payments is safe, secure, guaranteed, and provides buyers with a convenient method of payment.
  • Never send money directly to Marketplace sellers through wire transfer, credit card, money order, check, cash, etc.
  • If you receive a suspected fake Amazon.com e-mail, or discover a spoof Amazon.com Web site, please report the incident to Amazon.com by sending the original spoofed e-mail as an attachment or forwarding the e-mail directly to [email protected]
  • Please report suspicious activity to [email protected] so that we may serve you better in the future."

Amazon sent the following message to my new e-mail address:

"From: Amazon Account Update
To: George Jenkins
Sent: Sunday, May 11, 2008 3:41 PM
Subject: Revision to Your Amazon.com Account

Thanks for visiting Amazon.com! Per your request:

The e-mail address associated with your account has been changed. The old address was [email protected]. The new address is [email protected].

You have successfully changed your password.

Visit Your Account at Amazon.com to view your orders, make changes to any order that hasn't yet entered the shipping process, update your subscriptions, and much more.

Should you need to contact us for any reason, please know that we can give out order information only to the name and e-mail address associated with your account.

Thanks again for shopping with us."

When evaluating any company you do business with, dual verification messages is a security feature consumers should expect. If the company doesn't provide it, look for another company to do business with.


Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 4)

Prior posts discussed offshore outsourcing about TransUnion and TrueCredit. Laurie has problems with TransUnion's credit monitoring service, TrueCredit, and support from its call center. Laurie is worried that if TransUnion (and TrueCredit) outsource their operations and her credit information, she won't have the same protections she would have otherwise -- since data security laws vary in other countries. I'd promised Laurie that I'd try to find some answers to her questions. So far, I've learned that both TransUnion and TrueCredit, its credit monitoring service, both offshore outsource.

To learn more about offshore outsourcing within the credit bureau industry, I reviewed the 10K document Equifax filed with the U.S. Securities and Exchange Commission. Equifax is publicly-traded while TransUnion is privately-held. The S.E.C. requires public companies to submit certain filing documents. Both collect consumers credit information, sell credit reports to potential lenders, and operate credit monitoring services. A publicly-traded company's 10K filing usually tells more about its operations than its Annual Report document.

A view of Equifax's operations would provide a perspective about TransUnion, since both companies perform similar activities. To stay competitive, TransUnion would attempt to maintain a similar cost structure to its competitors -- Experian and Equifax.

From the Equifax 10K document:

"Upon our acquisition of TALX Corporation, or TALX, on May 15, 2007, we became a leading provider of payroll-related and human resources business process outsourcing services in the United States of America, or U.S. We currently operate in three global regions: North America (U.S., Canada and Costa Rica), Europe (the United Kingdom, or U.K., the Republic of Ireland, Spain and Portugal) and Latin America (Brazil, Argentina, Chile, El Salvador, Honduras, Peru and Uruguay). Of the countries in which we operate, 73% of our revenue was generated in the U.S. during 2007."

Some interesting information about the business risks Equifax sees and how that risk relates to outsourcing activities:

"Our ability to provide reliable service largely depends on the efficient and uninterrupted operation of our computer network systems and data centers. Some of these systems have been outsourced to third-party providers. Any significant interruptions could severely harm our business and reputation and result in a loss of customers."

If you read further into the 10K document, Equifax lists its contractual obligations which include outsourcing expenses:

Payments Due By: Total Less Than 1 Year 1 To 3 Years 3 To 5 Years Thereafter
Data processing, outsourcing agreements and other purchase obligations* ($millions) $305.5 $88.5 $103.3 $90.2 $23.5
* These agreements primarily represent our minimum contractual obligations for services that we outsource associated with our computer data processing operations and related functions, and certain administrative functions. These agreements expire between 2008 and 2014.

The document also states:

"Data Processing, Outsourcing Services and Other Agreements. We have separate agreements with International Business Machines Corporation, or IBM, Acxiom, GenPact, TCS and others to outsource portions of our computer data processing operations, applications development, maintenance and related functions and to provide certain other administrative and operational services. The agreements expire between 2008 and 2013. The estimated aggregate minimum contractual obligation remaining under these agreements is approximately $305.0 million as of December 31, 2007, with no future year expected to exceed approximately $90.0 million... In certain circumstances (e.g., a change in control or for our convenience), we may terminate these data processing and outsourcing agreements, and, in doing so, certain of these agreements require us to pay a significant penalty."

I wonder exactly what's in "related functions and to provide certain other administrative and operational services." That sounds like call centers. Equifax's outsource agreement with IBM:

"Our data processing outsourcing agreement with IBM was renegotiated in 2003 for a ten-year term. Under this agreement (which covers our operations in North America, Europe, Brazil and Chile), we have outsourced our mainframe and midrange operations, help desk service and desktop support functions, and the operation of our voice and data networks. The scope of such services varies by location. During 2007, 2006 and 2005, we paid $115.0 million, $112.1 million and $120.8 million, respectively, for these services. The estimated future minimum contractual obligation at December 31, 2007 under this agreement is approximately $255.0 million, with no year expected to exceed approximately $55.0 million. We may terminate certain portions of this agreement without penalty in the event that IBM is in material breach of the terms of the agreement."

If my friend, Laurie, decides to switch credit monitoring services... drop TrueCredit and sign up for another credit monitoring service by Experian or Equifax, she can reasonably expect that they outsource also. Like TransUnion, Equifax also operates several credit monitoring services, with varying features.

The economic reasons for companies to outsource work are understandable: to manage costs and stay profitable in a competitive business environment. My point is this: should they? Is it wise to offshore outsource work involving sensitive financial data? Is it wise to do so if the company can't provide a high-quality call center operation?

I had to dig deep to find some information about the company's offshore outsourcing activities, since this data isn't readily available in the company's web site. Is it wise to do so without informing consumers? Is it wise to do so if consumers prefer otherwise?

The three national credit bureaus assume that the lowest-cost for credit information is best for consumers. Laurie's concerns suggest otherwise, that consumers want both protection and a reasonable price; not the absolute lowest price. A service with a low price and no data security isn't worth much. Consumers now realize that bad things happen: data breaches. There is always risk. And, one can reasonably expect bad things to happen with offshore outsourced credit information just like data breaches within the USA.

There has to be a balance between a company's need to manage costs, and consumers' need to trust the companies they do business with. Consumers now know today that companies suffer data breaches. Some consumers know first-hand the expense, hassle, and grief involved with restoring their information and credit after a criminal has hacked their financial accounts.

I'll bet that when given a choice, consumers prefer that their credit and financial data is kept within their country's borders, rather than being transmitted around the globe. Laurie's concerns reflect this. It all goes to the level of risk people are willing to accept. Experts have identified the data security risks of offshore outsourcing. The fewer places credit and financial data are transmitted, the less chances for bad things to happen. More importantly, it is unclear about exactly which country laws govern the protection of consumer credit and financial data. It is unclear which country laws govern the notification when the company (e.g., TransUnion, True Credit) suffers a data breach by an outsource call center vendor in another country.

That data breach in another country may never happen, but if and when it does, consumers have a right to know - promptly.

What do you think? Take our poll today or submit a comment below.


How To Properly Erase A Hard Drive

A prior post covered a humor story about how to destroy a hard drive in 5 seconds. At that time I was discarding an old computer. In its year-in-review, ZDNet lists the "How to Really Destroy a hard Drive" post by Robin Harris as one of its most popular posts. I found it highly informative:

"You may already know that “deleting” a file does nothing of the sort. But did you know that your disk drive has a built-in system for the secure erasure of data? No? Then read on... if you keep business, medical, or personal financial information on disks, simple deletion isn’t enough to protect the data when disposing of the equipment.... Something called Secure Erase, a set of commands embedded in most ATA drives built since 2001."

Robin's post explains how you can download and use the Secure Erase utility to fully wipe your old hard drive clean. The instructions are for intermediate to experienced computer users.


Should You Switch To Online Statements For Your Credit Card?

A coworker, Lisa, recently sent an e-mail asking me:

"Should I have all my credit card bills (I don’t even use them, only pay them) sent via email ONLY and stop receiving the mailed paper versions?"

What Lisa meant: should she pay her credit card statements online or not? The credit card issuers never send statements via e-mail because e-mail is not secure. (Consumers should assume that everything you send via e-mail is open to the public.) Credit card issuers will send an e-mail notice that the card-holder's monthly statement is ready for viewing and payment.

Experts advise consumers to switch to online statements. Online statements eliminate the risk of an identity thieves stealing paper credit card statements from your snail-mail mailbox. An unlocked snail-mail mailbox makes it easy for criminals to steal your sensitive snail mail. Similarly, consumers should mail credit card payments by dropping the letter in a secure U.S.P.S. mailbox. Don't attach the payment letter to your snail-mail mailbox with a clothes pin.

Experts say that online statements are somewhat more secure than paper statements. This relies upon the consumer to keep the anti-virus software updated on their home computer. Of course, the company wants you to switch to online statements since it is cheaper for them to administer your account.

And, consumers that do online shopping should use additional safety measures beyond online statements.

Of course, you should opt-out of pre-approved credit offers sent via snail mail. These are tempting letters for identity thieves to steal from unlocked snail-mail mailboxes. (See this prior post for resources to opt-out of telemarketing and junk mail.)

Several months ago, I switched to monthly online statements for my bank. I’m happy with that. Some credit card issuers still print the entire credit card number on consumers’ paper statements. Another reason to switch to online statements is that you'll have fewer documents to shred.

And there are more reasons to switch to online statements. One, you can set up alerts via e-mail or text message to monitor activity on your credit card account. Experts have found that the sooner a consumers notice fraudulent items on their bill, the less money lost or stolen. Some credit card issuers also provide high-yield interest savings accounts. So, that may be another reason to switch to online statements.

What did Lisa think of these suggestions?

"Many thanks. You have answered ALL of the questions that I had about this and it makes total sense. I monitor my accounts online and pay online, so what would I possibly be missing (except having someone steal my statements, hence my number) from losing the paper? Sounds like a win-win. Thank you George!!!"

A word of caution: if your credit card issuer performs outsourcing, they are going to do that regardless of whether you receive paper or online statements. In my opinion, offshore outsourcing presents some data security issues which online statements can't solve.

Want to learn more about how to safeguard your sensitive personal data? See the List Of Lists page, or the Advice / Tips / Solutions section of this blog.


'Whaling' Is The Latest Phishing Threat

From Yahoo News:

"US federal court officials have warned that hackers are emailing phony subpoenas embedded with malicious software to high-ranking executives to steal valuable corporate information. Thousands of powerful US executives have received the bogus emails that contain links which, if clicked on, install software letting hackers take control of computers and swipe passwords or other sensitive data. Internet security insiders refer to the attacks as "whaling" because they use social-engineering trickery involved in "phishing" but target individual "big phish" instead of casting nets in a sea of Internet users."

Apparently, these whaling attacks have had a high success rate with getting executives to open those bogus e-mails and either click on attachments or click on links. Consumers should be aware that within the USA, subpoenas are usually served in person by process servers, to assure judges that the orders from courts have been properly received by those named.

This news article also appears at AFP. If you are unsure how to recognize a phishing scam, read:

Whether or not you are caught by a phishing scam, you should always report it.


Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 3)

TrueCredit - online personal credit reports and credit scores Prior posts discussed offshore outsourcing and TransUnion. Laurie has problems with TransUnion's credit monitoring service, TrueCredit, and support from its call center. Laurie is worried that if TransUnion and TrueCredit outsource portions of their operations, she won't have the same protections she would have otherwise -- since data security laws vary in other countries. I'd promised Laurie that I'd try to find some answers to her questions.

A wider search found information about TransUnion's participation in industry events for outsourcing professionals. The International Association of Outsourcing Professionals published information about a June 2007 event:

"Performance Monitoring Goals and Requirements for BPO Operations (Call Centers)
Brad Rubin, Director of Operations for TransUnion Interactive (formerly TrueCredit)

  • Overview of the business requirements for using tools to monitor the overall performance of BPO Call Center Operations
  • Discussion of the functionality needed and the types of tools that were examined to achieve TransUnion’s goals.
Brad Rubin is responsible for managing all BPO operations where he has transformed the service operations into a global multi-site operation. Prior to TransUnion, Brad was with Accenture in San Francisco.

So, it appears that TransUnion, parent company, and TrueCredit both perform offshore outsourcing. This is the first time I have ever heard of a credit monitoring service that performs offshore outsourcing. According to a 2006 Janeeva, Inc. press release:

"Janeeva, Inc., the industry leader in ORM (Outsourcing Relationship Management) software, today announced that TrueCredit, a division of TransUnion and a provider of credit management services, has implemented Janeeva Assurance™ software to manage multiple outsourced vendor relationships. True Credit is experiencing rapid growth, and customer care via their call centers is critical to their success. With multiple offshore call center locations comes increased complexity that Janeeva helps manage."

So, TrueCredit has contracts with several outsourcing firms. According to a November 2006 entry at Outsourcing Magazine (OM):

"About Blogger Brad Rubin: Brad Rubin is currently the Director of Operations for TrueCredit, a wholly-owned subsidiary of TransUnion, LLC. While at TrueCredit, Mr. Rubin has been responsible for managing all business process outsourcing (BPO) operations. He has successfully transitioned the TrueCredit service delivery platform into a global, multi-site operation. In addition to his work at TrueCredit, Mr. Rubin is an active speaker within the outsourcing community. In 2006, he participated in the Outsourcing Relationship Management Forum at the University of Michigan and the Telecommunications Risk Management Association (TRMA), Summer Conference. In 2007, he will be presenting a case study entitled Managing Multi-Vendor Environments with Relationship Management Software at the International Association of Outsourcing Professionals (IAOP), World Summit."

The OM site provides Mr. Rubin's e-mail address and his blog address: www.sourcingprofessional.com. I scanned several posts in Mr. Rubin's blog. He mentioned TransUnion's offshore outsourcing activities with vendors in Manila (Philippines), Central America, and New Delhi (India). According to Mr. Rubin's blog, TransUnion is considering new offshore outsourcing arrangements in Cebu (Philippines) and Guatemala. While I haven't read all of the posts in Mr. Rubin's blog, so far I haven't seen any posts about data security or data breach notification.

Now, my friend Laurie knows that both TransUnion and TrueCredit perform offshore outsourcing. We now have idea of some of the country locations. We don't know yet which outsourcing firms. Maybe Mr. Rubin can help Laurie resolve her problems with TrueCredit's customer service department. Maybe Mr. Rubin can explain the scope of TrueCredit's offshore outsourcing activities. Maybe Mr. Rubin can explain the data security processes TransUnion takes to ensure the protection of Laurie's and others' credit information. Maybe Mr. Rubin can provide a list of the specific offshore outsourcing locations and firms.

Last weekend, I wrote to Mr. Rubin asking for answers to the questions above. In my e-mail message to Mr. Rubin, I shared Laurie's message and concerns. So far, I haven't received a response from him, or from anyone at TransUnion. If he responds, I will post his reply in the I've Been Mugged blog.

The economic reasons for companies to outsource work are understandable: to manage costs and stay profitable in a competitive business environment. That's one reason why I titled these posts, "Is It Wise...?" and didn't title it "Is It Profitable...?" Of course, outsourcing and offshore outsourcing are profitable. That's why companies do it.

My point is this: should they? Is it wise to offshore outsource work involving sensitive financial data? Is it wise to do so without informing consumers? Is it wise to do so if consumers prefer otherwise? Is it wise to do so if the company can't provide a high-quality call center operation?

There has to be a balance between a company's need to manage costs, and consumers' need to trust the companies they do business with. Consumers intuitively sense that there's less risk to their sensitive data if companies keep it within their country borders. Some experts have identified the data security risks of offshore outsourcing.

I'll bet that when given a choice, consumers prefer that their credit and financial data is kept within their country's borders, rather than being transmitted around the globe. It all goes to risk. The fewer places credit and financial data are transmitted, the less chances for lost or stolen data. More importantly, it is unclear about exactly which country laws govern the protection of consumer credit and financial data. It is unclear which country laws govern the notification when the company (e.g., TransUnion, True Credit) suffers a data breach by an outsource call center vendor in another country.

That data breach in another country may never happen, but if and when it does, consumers have a right to know - promptly.

More about this next week.


Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 2)

TransUnion Yesterday's post discussed the problems Laurie is having with her TransUnion credit monitoring service, and the related questions about legal protections when credit companies perform offshore outsourcing. I'd promised Laurie that I'd try to find some answers to her questions.

Meanwhile, Laurie contacted me again:

"I continue to call TransUnion (TrueCredit) and I leave messages for somebody in a managerial position to contact me but I never get a domestic employee. When I ask the phone associates where they are located they tell me they are prohibited from telling me. It's a vicious cycle because there's no mailing address and the potential for online help abuse is the same as telephone support. This is sensitive information I'm disclosing and all my alarms are going off like bells and buzzers."

Yesterday's post covered news reports from 2003 and 2004 about the credit bureaus' offshore outsourcing activities. In 2003, the bureaus promised more openness about their outsourcing plans, but the call center representatives' answer above does not show any openness.

So, I decided to look more closely at TransUnion, since that company was the source of Laurie's difficulties. Like most companies, TransUnion publishes its Corporate Privacy Policy on its main Web site. This seemed like a good starting point, since this document usually discloses what the company does with any sensitive consumer data collected within the site:

"Please carefully read our privacy policy to understand how we will treat the information you provide while visiting this web site or the web sites of most of our domestic subsidiaries and affiliates ("Web Site")... This privacy policy applies to TransUnion and its domestic subsidiaries and affiliates, except for TransUnion Consumer Solutions and TrueLink, Inc., who maintain their own privacy policies."

Note the emphasis on domestic subsidiaries. That refers to TransUnion divisions, companies, or business units within the USA. It implies that divisions, companies, or business units elsewhere are not subject to this Privacy Policy, a different Privacy Policy, or none at all. That should be unsettling to consumers. Why? TransUnion's approach to privacy policies forces users to wade through several documents that aren't that easy to read nor find. TransUnion has operations in 25 countries on 5 continents. So far, no explicit mentions about outsourcing in this TransUnion Privacy Policy.

Next, I checked the Privacy Policy at TrueCredit, TransUnion's credit monitoring service, since Laurie is a subscriber. The TrueCredit Privacy Policy is more detailed and more comprehensive. It contains details about several subjects: what data the company archives, what happens when users opt-in to e-mail updates, how its web site works with the user's Web browser, the company's approach to online advertising, what situations TransUnion shares data with contractors, and so forth.

I'd like to give TransUnion and TrueCredit at least one "attaboy" for sharing this amount of detail in the TrueCredit Privacy Policy. However, this document didn't mention outsourcing either.

I also checked the Public Policies pages within the TransUnion site. No mentions of outsourcing there, either. Sadly, this site section was very thin regarding content. The little bit of copy on three pages could have easily been presented on a single page. Whatever promises TransUnion made in 2003 about more openness about its outsourcing activities, weren't being fulfilled in 2008.

Next, I looked for TransUnion's Annual Report and 10K filings; documents by publicly owned companies within the USA. TransUnion is privately held, so it is not required to provide these filings which the U.S. Securities & Exchange Commission requires of publicly-traded companies. Hence, it is more difficult to obtain detailed information about a privately-owned company... and any offshore outsourcing activities it might be engaged in.

Difficult, but not impossible. More about this tomorrow.


Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1)

A friend, Laurie, wrote to me recent about difficulty she is having with her credit monitoring service:

"In my effort to reduce the likelihood of identity theft, I've ordered a credit check from TransUnion this year as I have for the past 3. This year I had a hard time logging on so I called the help line. It was answered instantly by somebody who asked for my Social Security number. Of course it seems like a natural question from a credit bureau but I had the feeling the operator was an outsourced worker from India. I gave her my data but I still couldn't log in. After further attempts to reach TransUnion in the USA I've discovered it is nearly impossible. I feel like I got sucked into a trap door set for the financially paranoid! Have you heard of this being a problem? Do institutions outsourcing labor in other countries have to comply with the same laws? Do you have any way around credit reporting when it's done overseas?"

TransUnion Laurie's situation caught my attention first because a friend was having difficulty getting the help she needed. Her situation also caught my attention because of the increasing popularity of credit monitoring services. All consumers demand effective and high-quality customer service... perhaps more so when it involves sensitive personal data, like credit reports.

So, I promised Laurie that I'd try to find answers to her questions. Maybe Laurie had encountered a new or poorly trained call center representative; or a representative with a thick accent. This could happen with any business. Regardless, consumers have an expectation for efficient, quality customer service. And according to Laurie's message, TransUnion's customer service isn't helping and is difficult to contact.

Some background: TransUnion is one of three national credit bureaus (also called credit reporting agencies) in the USA. The national credit bureaus play three roles in the credit services industry:

  1. Collect and archive credit reports with consumers' sensitive personal and financial data
  2. Sell credit reports to potential lenders
  3. Sell credit monitoring services to consumers

The data collected in role #1 includes: Social Security Number, birth date, full legal name, current and past residential addresses, credit cards, loan accounts and information, credit score, employer information, e-mail address, and payment histories. But this data isn't always accurate. Even though credit bureaus make money by selling consumers' credit reports, it is the consumers' responsibility to check their credit files for accuracy at each of the three national credit bureaus.

Regarding role #3, TransUnion operates the TrueCredit credit monitoring service.

One could debate whether roles #2 and #3 present a conflict of interests, perhaps similar to the role a computer software company has when it sells operating system software and application software. But, that debate must wait until after I answer Laurie's questions.

Laurie's message raised the subject of outsourcing, but more specifically off-shore outsourcing. Like many Americans, Laurie probably has an impression that the three national credit bureaus support their credit monitoring service subscribers with systems entirely within the subscriber's home country. In other words, consumers intuitively sense that there's less risk to their sensitive data if companies keep it within their country borders. Some experts have identified the data security risks of offshore outsourcing.

If this local-same-country processing and archiving isn't the case, then consumers intuitively assume that their personal data is at greater risk. How much more risk? Consumers don't know and the companies rarely say. Laurie has gone the extra step and asked: if her credit service offshore outsources, does she have the same data protections? Does the outsource firm have the same rigorous data security processes and policies? Which country's laws apply, if any, regarding data security standards? If there's a data breach by the outsource vendor in another country, will she be notified? Will that notification be accurate and timely?

Consumers' impressions that the three national credit bureaus don't outsource work are inaccurate. A news literature search found this San Francisco Chronicle article from November 2003:

"Two of the three major credit-reporting agencies, each holding detailed files on about 220 million U.S. consumers, are in the process of outsourcing sensitive operations abroad, and a third may follow suit shortly, industry officials acknowledge for the first time. Privacy advocates say the outsourcing of files that include Social Security numbers and complete credit histories could lead to a surge in identity theft because U.S. laws cannot be enforced overseas... The top credit agencies -- Equifax, Experian and Trans Union -- have refused in the past to comment on their outsourcing plans. No longer."

The article also reported this about TransUnion:

"A hundred percent of our mail regarding customer disputes is going to go to India at some point," said David Emery, executive vice president and chief financial officer of TransUnion in Chicago. "We are now testing the system and negotiating a contract with an outside vendor. We expect to sign that contract by the end of the year." Emery said in an interview that the decision to have an Indian firm handle thousands of written requests for changes to credit files each year was necessitated in part by the amended Fair Credit Reporting Act, which was approved by the U.S. Senate on Wednesday.

So, it would appear that (for a variety of reasons) at the end of 2003, TransUnion was planning to outsource work to firms in other countries. Since I am not a lawyer, I cannot provide a legal opinion on the laws which govern outsourcing and the credit industry. Nor can I provide an interpretation of the Fair Credit Reporting Act referenced by Emery above. For legal assistance regarding credit information, the Privacy Rights Clearinghouse recommends that consumers contact the National Association of Consumer Advocates, or the list of attorneys at My Fair Credit.

A Wired story from 2004 titled "Outsourcing: Danger to Privacy" reported:

"Democratic Sen. Dianne Feinstein warned the chief executives of banks and credit companies this week that she would crack down on them if they didn't take steps to protect their customers' private data, such as medical and financial information, which is increasingly being handled by clerks working abroad. In a letter to the CEOs of Citigroup, Bank of America, Equifax and TransUnion, Feinstein (D-California) said she might introduce federal legislation to protect the personal data of Americans if the companies don't establish safeguards... All of the recipients of Feinstein's letter already have outsourced clerical services, or have stated their intent to do so."

To my knowledge, that crack-down never happened. It would seem that the US Congress has basically said to credit bureaus: go ahead and outsource, but you'd better not have any consumers' credit or financial data lost or stolen. And, we consumers have elected those members of Congress.

The article didn't explain exactly how Congress would oversee the companies' outsourcing activities in other countries. The article didn't say how Congress would monitor or audit the companies' compliance with the safeguards, or collect timely and accurate data breach notices about any lost, stolen, or mishandled consumer data by firms operating outside the USA.

A lot has happened since that 2003 article. Maybe, the companies' outsourcing plans, activities, or scope have changed. The fact is identity theft and fraud have blossomed as a problem since 2003. Plus, the 2003 San Fran Chronicle article made it clear that the credit bureaus were no longer going to hide their off-shore outsourcing plans and activities.

More about all of this tomorrow.


Where's The Value: Credit Monitoring Or Credit Restoration? (Poll Results)

Last year, American Banker interviewed me and representatives from Kroll and IBM for an article about the obligation companies have to assist ID-theft victims after a corporate data breach. IBM and Kroll representatives argued that ID-theft victims benefit more with credit restoration services: the processes and work to fix or clear the fraudulent records and accounts created by identity thieves. I argued that ID-theft victims would benefit more from credit monitoring services.

To explore this subject further, I ran a poll on this blog to see what I've Been Mugged readers value more: credit monitoring services or credit restoration services. The approach by companies should focus on the greatest need consumers have (and not what some corporate executive believes is best to minimize their company's post-breach costs). Since I began this blog, I've talked with dozens of consumers, both in-person and via e-mail. Most people seem to need the basic services first: monitoring their credit information, an understanding of the basic threats/scams, and ways to protect their data.

I know my poll does not contain a rigorous scientific design. Participants weren't chosen at random, but included readers of the I've Been Mugged blog who decided to take the poll.

The poll question: What is the most important feature of a credit monitoring service?

The results:

Question%Votes
Continuous monitoring of your data 45% 22
Credit restoration services 39% 19
Non-financial crime monitoring 2% 1
Credit score and credit analysis tools 6% 3
I don't know 8% 4
I don't care 0% 0
Total 100% 49

I'm impressed that 4 people were honest enough to admit that they didn't know what feature in a credit monitoring service was most important to them. I think that this statistic highlights an important need in the marketplace. It suggests that roughly 8% of consumers don't know or aren't sure what to look for in a credit monitoring service.

Knowing what to look for is important since after a data breach ID-theft victims must decide whether or not to accept their employer's (or former employer's) credit monitoring service offer. Even if the offer includes free services, it may not of value. Knowing what to look for is important for any consumer trying to decide which credit monitoring service to register with.

If you missed this poll, don't worry. There's another poll running on our ID-theft Polls page.

During the next few weeks I will share my reviews of the various credit monitoring services. You should judge for yourself, as your personal data and identity protection needs may be very different than mine. Like the ads say, your mileage may vary. So, shop around and shop wisely.


BBC Exposes Facebook Flaw

This May 1, 2008 BBC News video is short, clear, and informative for both current Facebook members and consumers considering Facebook. I strongly recommend that you view the BBC video. Be an informed user of social networking sites.

You may also find these prior I've Been Mugged posts helpful:

You may also want to browse this MoveOn petition.

If all of the above has scared the daylights out of you, then you might want to view this YouTube video:


Wachovia To Pay Huge Fine For Conspiring With Fraudulent Telemarketers

President George W. Bush on board the aircraft carrier USS Abraham Lincoln on May 1, 2003 [Editor's Note: today is the anniversary of an important event in U.S. history. May 1, 2008 is the fifth anniversary of "Mission Accomplished" - the day George W. Bush stood proudly on the aircraft carrier USS Abraham Lincoln and declared major combat operations over in Iraq. 140 U.S. military personnel died before May 1, 2003. During March 2008, the number of U.S. military deaths passed 4,000. Today, Osama Bin Laden has not been brought to justice and still remains at large. I think that it is important to judge a President, his administration, and his policies by the results achieved, and not on good intentions. Now, on to today's post.]

You could have labeled today's post, "When A Bank Goes Bad." The New York Times reported on April 26:

"The Wachovia Corporation agreed on Friday to pay as much as $144 million to end an investigation that accuses the bank of allowing telemarketers to use its accounts to steal millions of dollars. The settlement, one of the largest penalties ever demanded by the federal Office of the Comptroller of the Currency, concludes an 18-month inquiry into Wachovia’s relationships with schemes that investigators say stole from thousands of victims, many of them elderly."

The New York Times also reported:

"Though Wachovia did not admit or deny wrongdoing, the investigation found that Wachovia, one of the country’s largest banks, engaged in unsafe practices — failing to conduct suitable due diligence, failing to monitor accounts used by telemarketers and failing to follow normal procedures that would probably have uncovered the thefts. The bank’s actions were “part of a pattern of misconduct” that resulted in Wachovia’s collecting millions of dollars in fees, regulators wrote. Wachovia has agreed to pay a $10 million fine, contribute $8.9 million to consumer education programs and make restitution to victims that could top $125 million."

For consumers, it's tough enough to protect yourself against identity theft and identity fraud. Your bank should not facilitate identity fraud. For background, also read this February 2008 post about Wachovia. The huge fine is great, but jail time should also apply:

"Internal Wachovia e-mail messages and documents collected as part of that lawsuit showed that high-ranking employees long knew about accusations of fraud, but that some bank workers continued to solicit business from the telemarketing companies accused of crimes. “YIKES!!!!” wrote one Wachovia executive in 2005, warning colleagues that an account used by telemarketers had drawn 4,500 complaints. “DOUBLE YIKES!!!!” But Wachovia continued processing fraudulent transactions for that account and others."

That's 4,500 complaints! Not 45, but 4,500! For perspective, the Hannaford data breach included 1,800 cases of fraud. Thankfully:

"The settlement also does not preclude the United States attorney in Philadelphia, Patrick L. Meehan, from prosecuting Wachovia or bank employees. Mr. Meehan’s office is considering a criminal investigation, according to two people close to the matter who spoke on the condition of anonymity because they are not authorized to speak to the media."

Go Meehan! This type of crap will stop when senior executives serve significant jail time. Otherwise, banks will pass along the cost of the fine to consumers and account-holders through more and higher fees or other mechanisms.