
21 posts from June 2008

The Latest Data Breach At Facebook

According to the MediaPost Daily Online Examiner blog:

"Chalk up another privacy fiasco for Facebook. Turns out that Top Friends had a glitch that allowed any users who downloaded the application to see information like the birthdays and gender of any other Top Friends users."

Facebook suspended the application after CNet journalists reported the problem. Whose fault is it: Facebook's or the application developer's? As expected, Facebook blames the application developer. A quality, customer-focused service would screen or test developers' applications before making them "live." The more important point:

"Facebook was specifically warned that this type of data breach could occur. Last month, Canadian advocates filed a privacy complaint that specifically highlighted the privacy risks posed by third-party applications. The complaint criticized Facebook for setting up an installation system that requires users to give developers permission to access their personal data by default. A pre-checked box says that users will allow the application to “Know who I am and access my information.” Users who uncheck that box can’t install the application... While there is a way to opt out of sharing information with developers, users can only do so from a separate privacy page on the site, according to the Canadian complaint."

Several I've Been Mugged posts have covered issues about Facebook's privacy and data security lapses. Hence, I don't have a Facebook account. However, everyone at my new job has a Facebook account, so there is considerable pressure on me to sign up. I'm giving it some thought... perhaps a Facebook page about the service's data security issues with a link to I've been Mugged.

The Consequences When Another Person Uses Your Social Security Number

I began studying the identity theft problem in 2007, when I started this blog. From time to time, I've wondered what would happen if two people use the same Social Security Number. The second user could be an identity thief or an illegal undocumented immigrant trying to secure a job. In his Red Tape Chronicles blog, Bob Sullivan described what happens:

"... Holli knew something was wrong when she pulled up the statement from her new 401(k) account and saw a stranger's name there. Under her name and account information, she found a second name: Paulino Rodriguez. But was it an accident, random vandalism or a serious crime?"

Holli lived in Fountain Valley, California. Rodriguez, an undocumented immigrant, lived with his family in Escondido, California, where he worked at a Burger King restaurant. Married with four children, Rodriguez had used Holli's Social Security number for about three years.

Sullivan clearly stated a situation few people realize:

"Across America, perhaps millions of U.S. citizens are sharing their identities with undocumented workers who are virtually hiding behind Social Security numbers like Rodriguez. The data on the subject are incomplete, but each year nearly 10 million workers pay their taxes using the wrong Social Security number. While this can happen for a variety of reasons, most often it involves restaurant and farm workers, suggesting many of those 10 million workers are employees who are using someone else's SSN to satisfy federal employment requirements."

Upon learning that another person was using her Social Security number, Holli did what any of us would do. First, she panicked. With her Social Security number, an identity thief could easily wreck her credit and finances. Then, she took action:

"She called his employer, Reddy Restaurants Inc., which supplies workers to Burger King. Holli says she was told that nothing could be done because Rodriguez fulfilled the requirements for employment when he started work -- namely, he supplied what appeared to be a valid Social Security card. Mike Holly, owner of Reddy, confirmed that Rodriguez was an employee but refused to otherwise discuss the situation. Holli then called the local police, who took a report but said nothing could be done. She contacted the Social Security Administration, the Federal Trade Commission, even her 401(k) administrator. The message she heard from each was the same: We can’t help you."

The response by Reddy Restaurants sounded like bulls---: an attempt to avoid responsibility, since the company probably doesn't perform adequate background checks of new employees. The company should have taken action and fired Rodriguez once it learned that he had used a valid Social Security number fraudulently. Holli also contacted an attorney, who said that since her credit hadn't been affected, there wasn't anything he could do for her.

How frustrating!

The issue is not how Rodriguez obtained Holli's Social Security number. There are two key issues:

  • A company tried to avoid responsibility for poor background checks, and
  • Government agencies and law enforcement seemed unable or unwilling to correct a situation that clearly needed correction

The unspoken secret: our government just may be happy with the current situation, because more people are paying taxes to local governments and into the Social Security system.

Holli persisted. She got her local police department to finally take a report, which was forwarded to the Escondido police department, where she eventually got the attention of a detective. A taxpayer should not have to work this long and this hard to get help from law enforcement. In May, the Escondido police staked out Rodriguez's home and arrested him when he arrived, since he had (allegedly) falsified his Social Security card and work visa.

Holli's story has implications for all of us:

"Since new employment rules took effect in 1983, U.S. workers must supply documentation to prove they are eligible to work; nearly always, a Social Security number is used. While employers can call the Social Security Administration to perform limited verification of the information, that's seldom done. So it's possible -- in fact common -- that employees’ names and numbers don't match."

What happens when Social Security numbers and names don't match?

"... no one gets credit for the taxes paid by the worker. The money simply ends up in the U.S. Treasury. Since 1983, more than $500 billion in uncredited Social Security wages have been earned by so-called "no match" employees like Rodriguez."

This unspoken financial benefit seems to explain why government agencies are slow to act on ID-theft reports. While Rodriguez was probably trying to find work and feed his family, the bottom line is that he used a valid Social Security number fraudulently to obtain work, and he was working in the USA illegally.

The more important and truly frightening implications:

"When another person is using a consumer's Social Security Number for employment purposes only, there is almost no way to discover the identity theft. The misuse will not show up on a credit report; it won't be detected by credit monitoring. Because the wages earned are not credited to the victim, they won't show up on annual Social Security statements either. In fact, there is no way for anyone to inspect the history of their Social Security Number, or to find out where and when it's been used. Only an anomaly or coincidence – such as having an imposter show up on a 401(k) Web site -- betrays the theft."

This is alarming. I always thought that reviewing my Social Security Statement every year was sufficient protection. Apparently, not.

I believe that there is a way to discover people who fraudulently use valid Social Security numbers. It means forcing companies to consistently perform thorough background checks on new employees. That's the price for identity security.

Meanwhile, the current situation means that most (or all) of the advertised identity and credit monitoring services are somewhat of a sham. These services cannot detect a critical form of identity theft: another person fraudulently using your valid Social Security number for employment. Yes, you read that correctly. Today, there is no way for consumers to discover another person using their Social Security number for employment, which means there is no way of knowing whether your identity is secure.

If you find Holli's story and its implications troublesome (and I sincerely hope you find it troublesome), I encourage you to write to your elected officials and demand action.

[Editor's note: years later, it appears that MSNBC has removed the Red Tape Chronicles blog from its site. You can find the full text of the article here or here.]

Equifax "3-in-1" Credit Monitoring Service (Product Review)

After Discover changed its credit monitoring vendor, I started looking for a replacement service. Since the three national credit bureaus all offer credit monitoring services, I thought that I'd look at Equifax's offering. This blog contains posts with reviews of the Experian Triple Alert service and a comparison of several services from Experian.

I performed a simple Google search since I didn't know the name of Equifax's service. The first search result included a link to the Equifax home page, and that's where I went:

Equifax home page

First impressions are everything. In the center column, several bullet points summarized the company's credit monitoring service features. This was easy and quick to read. Next, the page presented a huge "Get Started" button. The problem: the page lacks links to important service details. To properly evaluate a service, consumers need:

  • Examples of their credit report formats from all 3 national credit bureaus
  • Examples of the e-mail notices
  • Details about the ID-theft insurance
  • Explanations of why Equifax's offering is superior to other credit monitoring services

The page didn't present links to any of this information. If the site has it, the presentation forces users to hunt for it.

My first impression: the company produced a consumer-unfriendly home page that lacks links to the service details consumers need to properly evaluate the service. The "Get Started" button links directly to a service registration form page. The home page seems arrogant in its expectation that four bullet points are enough for consumers to make an informed purchase decision. No, that's not enough. Either Equifax doesn't understand this, or doesn't care.

This poor presentation is a strong indication to me that Equifax would likely be a difficult brand to interact with, if I registered for their credit monitoring service.

Normally, at this point I would move on to a competitor's web site, but I decided to give Equifax another chance. I clicked on the "View All Products" button which linked to:

This page was a little better. It provides links to the service detail page for each service. The presentation makes it difficult to compare offerings. Does the "3-in-1 Monitoring" service contain everything that the "Credit Watch Gold" service contains? The copy doesn't say so explicitly, so the consumer is left to guess or to read lots of copy. If a consumer doesn't know much about credit monitoring, this page is difficult to use. (I would later discover the site has a service comparison page, but the link to that comparison is buried on the service detail pages and not on this page where it should be.) I selected the "3-in-1 Monitoring" service link.

If I've learned one thing when evaluating credit monitoring services, it's this: closely read the page content. There's a lot of explanatory copy on the 3-in-1 Monitoring service detail page, but the page lacks links to examples of the various service features. The service contains some basic features (e.g., monitoring of the consumer's credit reports at all 3 national credit bureaus, automated alerts, insurance, 24/7 access to customer service) and some nifty value-added features (e.g., customizable alerts, lock/unlock Security Freeze on your Equifax credit report). The $20,000 of insurance is more than what's available in the Experian Triple Alert service, but the Equifax site doesn't provide any links for users to read the details, terms, and conditions of its insurance offering. As a wise person once said, "the devil is in the details."

This is important: the 3-in-1 Monitoring service summary on the All Products page says, "... unlimited access to your Equifax Credit Report." In other words, the service only provides the full text of the consumer's Equifax credit report. If there's a problem with the consumer's Experian or TransUnion credit reports, this service provides minimal help. It only alerts you to changes in those credit reports, and does not provide access to the full text of the other bureaus' credit reports.

This means the consumer is left on their own to retrieve their TransUnion and Experian credit reports from those bureaus or from another credit monitoring service provider. This could be time consuming; a potential inconvenience if the consumer is trying to find and fix errors in a credit report, or damage done by an identity thief. Also, additional fees will probably apply to retrieve the other bureaus' credit reports.

Consumers need access to the full text of all three credit reports, not just one. Any service that describes itself as comprehensive really isn't if it doesn't provide the full text of a consumer's credit reports from all three national credit bureaus.

Note: the "3-in-1 Monitoring" service page does not mention outsourcing or whether Equifax outsources any of its operations offshore. I know from prior research that all three national credit bureaus announced offshore outsourcing in 2003. (I haven't seen any evidence since to the contrary.) To stay competitive and to manage costs, credit bureaus currently outsource portions of their credit reporting operations offshore, and likely do the same for their credit monitoring services. I would expect a credit bureau like Equifax to disclose its offshore outsourcing arrangements so consumers can make a truly informed purchase.

Is $20,000 in insurance enough? You have to decide that for your situation. It's hard to tell because the site doesn't provide a link to the contract or legal terms and conditions. I've Been Mugged readers should read my review of the Experian Triple Alert service to understand the insurance issues.

The bottom line: the Equifax 3-in-1 Monitoring service didn't look like a good deal to me. It claimed to be comprehensive, but isn't. It was a frustrating site to use, and my guess is the actual service isn't any better. Site pages lacked links to important service details and examples. While the service detail pages include a "Take a Tour" link to examples, this content was incomplete and didn't answer most of my concerns. Plus, the "Take a Tour" link was in a tiny font size and easy to miss.

Like the Experian site, the Equifax site was skimpy on explaining important details and benefits. The site didn't show me how its customized alert feature works. The site did a poor job of proving the benefits it claimed. The site didn't contain any copy explaining why its service is better than competing services. I got the impression that the site pitched weak claims that would be easily believable by uninformed consumers.

Frankly, if the site pitching Equifax's services to potential customers is this bad, then the actual service for customers is probably worse.

All of this left me with the impression that Equifax is: a) a difficult brand to do business with, and b) not very consumer focused. If I signed up for Equifax's 3-in-1 Monitoring service, it would probably be a frustrating experience. No thanks. I'll continue looking elsewhere for a credit monitoring service.

If you use the Equifax 3-in-1 Monitoring service, please share your experiences. Why did you sign up? What works well? What works poorly? How well do the alerts, credit resolution, and insurance reimbursement services work?

Another Data Breach At Bank Of America

When will this bank's senior executives take data security seriously? In the ZDNet Between The Lines blog, Larry Dignan reported that he had received a breach notice from Bank of America:

We have learned that information from certain Bank of America Check Cards may have been compromised. Your Check Card number may have been part of this compromise.

The bank didn't disclose the number of check cards exposed or stolen. Sadly, this data breach is another in a long series of data breaches:

  • February 25, 2005: lost data tape: Charlotte, North Carolina: 1.2 million records exposed
  • June 29, 2005: stolen laptop computer: 18,000 records exposed
  • September 23, 2005: stolen laptop with undisclosed number of Visa debit card records
  • December 14, 2006: a former contractor accessed, without authorization, the personal data of an undisclosed number of customers
  • April 12, 2007: stolen laptop exposed the personal data of an undisclosed number of current, former and retired employees

Data source: Privacy Rights Clearinghouse

Actions speak louder than words. And the bank's string of data breaches speaks loudly. Bank of America isn't protecting consumers' and employees' data as it should. Stronger systems and more effective employee training are required.

My guess: some Bank of America consumers and employees will soon receive a Privacy Assist credit monitoring offer from the bank. If you receive such an offer letter, I suggest that you demand that Bank of America provide credit monitoring services for life, since the bank has such a poor historical record of data security. More breaches are likely until something changes at the bank.

How Many Experian Credit Monitoring Services Are Enough? (Product Review)

Since Discover changed its credit monitoring vendor, I have searched for a replacement credit monitoring service. While surfing the Internet I learned that Experian offers at least four different credit monitoring services:

  4. Triple Advantage (a partnership with McAfee)

Why several credit monitoring services? What's up with that?

At least one is a partnership with another company. Partnerships are good, as long as the service provides significant value. Maybe Experian wants to be the General Motors (GM) of credit monitoring services. GM offers several auto brands: Buick, Pontiac, Chevrolet, GMC Trucks, Hummer, and so forth. But credit reports are not cars. I wonder if a single credit monitoring service from Experian would be better.

I reviewed the Experian Triple Alert service in a prior post. After comparing all four services (the Experian site is so consumer unfriendly that it doesn't provide a comparison), I noticed that while the monthly fee varies greatly between services, the features and benefits are often only marginally beneficial for the average consumer. Consider:

Item | FreeCredit… | … | … | Triple Advantage
Report Coverage | | | |
Credit Score Included | Yes | No | Free only during 30-day trial | No
Advantages | Access to full text of three national credit reports; free if consumers are careful | Daily monitoring of 3 national credit reports; e-mail alerts of changes to credit reports; fraud resolution staff | Daily monitoring of 3 national credit reports; e-mail alerts of changes to credit reports; fraud resolution staff | Daily monitoring of 3 national credit reports; e-mail alerts of changes to credit reports; credit content; includes CreditCheck Monitoring service
Disadvantages | Misleading site with automatic opt-in to credit monitoring service; not the official site for free credit reports; doesn't show sample reports | Somewhat helpful for consumers unfamiliar with credit monitoring; lacks features offered by comprehensive services | Unlimited access to full text only of Experian credit report | Full text of only the Experian credit report; no fraud resolution services; the claim "Unlimited FREE credit reports with paid membership" is not a free service; sample report at non-Experian URL may discourage users
Guarantee / Insurance | None | $10,000 | The site claims that insurance is available but doesn't state an amount |
Cost / Fee | Free credit reports within the 7-day trial. Otherwise $14.95 monthly | $4.95 monthly | Free Experian credit report within 30-day trial. Otherwise, $12.95 monthly | Free credit reports within the 30-day trial. Otherwise, $11.95 monthly
Offshore Outsourcing of certain service portions | Yes | Yes | Yes | Yes

Additional observations:

  • All of the sites are skimpy on details
  • When available, details are either difficult to find or include hard-to-read legal contract language
  • All sites include the "free credit report" pitch, which makes the consumer wonder what the difference is between services
  • All Web sites make it difficult to understand what the service offers
  • All reinforce my impression that Experian is a difficult brand to work with

If your personal data was exposed in a corporate data breach, then you need a credit monitoring service that provides the full text of your credit reports at all three national credit bureaus, not just one. You'll also need insurance or a guarantee, which most don't provide. You'll definitely need credit resolution services, which several don't offer. And, you'll probably want access to all three of your credit scores, not just one credit bureau's score.

Maybe if Experian cobbled together all four services, they'd have a single useful service. As the services are currently configured, I would not recommend any of them.

Medical Fraud A Growing Problem

We all want effective government, not just small government. When fraud occurs, all taxpayers end up paying. According to a recent news item in the Washington Post:

"All it took to bilk the federal government out of $105 million was a laptop computer. From her Mediterranean-style townhouse, a high school dropout named Rita Campos Ramirez orchestrated what prosecutors call the largest health-care fraud by one person. Over nearly four years, she electronically submitted more than 140,000 Medicare claims for unnecessary equipment and services... the simplicity of Campos Ramirez's scheme underscores the scope of the growing fraud problem and the need to devote more resources to theft prevention. Law enforcement authorities estimate that health-care fraud costs taxpayers more than $60 billion each year."

To combat the problem, authorities have formed a Washington-based strike force, which works with a small group of U.S. attorney's offices. In the past year, this strike force has opened about 900 criminal investigations and convicted 560 defendants of health-care fraud offenses across the country. But there's lots more to do.

Will Ramirez serve jail time? Yes, but:

Sentenced to 10 years, Campos Ramirez, 60, may yet reduce her prison term by helping authorities unwind "the large web of medical clinics, doctors, nurses, money laundering companies and HIV clinic financiers who participated in this massive fraud," prosecutors wrote earlier this year in court papers.

The FTC Urges Consumers To Use Caution When Selecting A Locksmith

Part of protecting your sensitive personal information is the physical security of your home. And physical security includes the locksmith you call when you need duplicate keys made or the locks on your doors changed. The U.S. Federal Trade Commission (FTC) advises consumers to use caution when selecting a locksmith:

What’s the best way to pick a reputable – and local – locksmith? Do the research before you need one – the same way you would a plumber, electrician, or other professional – and then program his or her number into your phone.

The problem is that many locksmiths in your local yellow pages aren't local at all. There are more useful tips in the FTC publication "The Keys to Hiring a Reputable Locksmith":

  1. If you are locked out of your car and have a roadside assistance service, call them first
  2. Call family or friends for recommendations (or for spare keys)
  3. If you find a locksmith in the phone book, on the Internet, or through directory assistance, and a business address is given, confirm that the address belongs to that locksmith
  4. If you call a locksmith who doesn’t list an address, ask why. Get an answer to your satisfaction, or look elsewhere
  5. If a company answers the phone with a generic phrase like “locksmith services,” rather than a company-specific name, be wary
  6. Get an estimate for all work and replacement parts from the locksmith before work begins
  7. Ask about additional fees before you agree to have the locksmith perform the work
  8. Ask if there is a charge for mileage, or a minimum fee for a service call
  9. If the price the locksmith provides when he arrives doesn’t jibe with the estimate you got on the telephone, do not allow the work to be done
  10. Never sign a blank form authorizing work
  11. Find out if the locksmith is insured. If your property is damaged during a repair, or if faulty work leads to loss or damage, it’s important for the locksmith to have insurance to cover your losses
  12. When the locksmith arrives, ask for identification, including a business card and, where applicable, a locksmith license. Nine states require locksmiths to be licensed: Alabama, California, Illinois, Louisiana, New Jersey, North Carolina, Oklahoma, Tennessee and Texas
  13. Make sure that the company name on the estimate matches the name on the truck, and both match any business cards you receive
  14. Expect the locksmith to ask you for identification... a legitimate locksmith will confirm your identity to ensure you're the property owner before doing any work
  15. In case you are locked out, be wary if the locksmith says up-front that the lock has to be drilled and replaced
  16. After the work is completed, get an itemized invoice that covers parts, labor, mileage, and the price of the service call
  17. Verify the locksmith with your state Attorney General, local consumer protection agency, and the Better Business Bureau to make sure there are no unresolved complaints on file

Basically, you don't want to hire a crook and give them the keys to your home.

Study Concludes That Corporate Data Breaches Are Due To Incompetence And Carelessness

The InformationWeek Security blog reported the results of a study by Verizon:

"Eighty-seven percent of data breaches could have been prevented with reasonable security precautions, according to a study of over 500 forensic investigations conducted by Verizon Business Security Solutions. Verizon's study of actual data breach investigations from 2004 through 2007 suggests that incompetence and carelessness represents the greatest threat to business information."

This is no surprise to I've Been Mugged readers. The study categorized the corporate data breaches:

"... breaches were attributable to a combination of events more frequently than a single action, including: a significant error (62%), hacking and intrusions (59%), malicious code (31%), an exploited vulnerability (22%), and physical threats (15%)."

The study also categorized the type of information exposed or stolen:

"... the type of data compromised falls into the following categories: payment card data (84%), personally identifiable information (32%), non-sensitive data (16%), authentication credentials (15%), other sensitive data (10%), intellectual property (8%), corporate financial data (5%), and medical/patient data (3%)."

The study also listed who (e.g., executives, employees, staff, contractors, etc.) was responsible for the corporate data breach:

"... those responsible for data breaches were: external sources (73%), insiders (18%), business partners (39%), and multiple parties (30%). While insiders accounted for the smallest percentage of breaches, the breaches traced to them involved more than ten times as many records (375,000) as breaches traced to outsiders (30,000) and about twice as many records as breaches traced to partners (187,500)."

An alarming statistic from the study: in 63% of cases, months or years passed between the data breach and its discovery.

It's important to understand the relationship between the data breaches in the Verizon study and the total number of publicly disclosed data breaches:

"According to the Identity Theft Resource Center, there were 446 data breaches publicly reported in 2007, 312 in 2006 and 158 in 2005. Verizon's report says that the more than 500 cases its investigators looked at include about one-third of the publicly disclosed data breaches in 2005 and a quarter of the publicly disclosed data breaches in 2006 and in 2007."

So, one must cautiously interpret the conclusions from the Verizon study, which covered a limited subset of the total number of corporate data breaches. The study did not mention offshore outsourcing. What's crystal clear from the study: there's plenty of room for data security improvement by companies, their management, and their employees.

A Threat To Our Democracy: The Lack Of Free And Independent News Media

Recently, Bill Moyers spoke at The 2008 National Conference For Media Reform about the failure of mainstream media and our individual need “to fight for the freedom that makes all other freedoms possible” – responsible journalism. We cannot have a fully functional democracy without a free and independent press. Why? In order to cast informed votes, we all need reliable trustworthy information from the press.

Without a free and independent press, we citizens cannot expect to read and hear about what we need to know: corporate data breaches, executive incompetence regarding data security, corporate failures to protect your sensitive personal information, upcoming deadlines about FCC, FTC, and other government agency hearings seeking consumers' input, threats to the blogosphere, threats to the open and independent Internet we all use, or whatever.

Moyers' speech is long, but crucial. You will feel outraged, but more importantly, also inspired. I urge you to find the time to watch Moyers' speech [39:58 minutes]. And yes... we citizens all have an individual responsibility to fight for a free and independent press.

Water-fuel Car Announced In Japan

[Editor's note: this has nothing to do with identity theft, but it has everything to do with the environment, global warming, and our country's economy.]

This is amazing! FYI:

Water-fuel car unveiled in Japan

I want one now!!

Meanwhile... despite the objections of U.S. citizens, once again the Bush Administration proposes drilling in the Arctic National Wildlife Refuge. More drilling does not decrease our country's dependence on fossil fuels. Nor does it promote renewable energy sources.

Where is the focus on American innovation and ingenuity?

When A Free Credit Report Offer Isn't Free

The AARP Bulletin published an important article about free credit report offers:

"Any service that asks for a credit card is NOT free."

Many credit monitoring services claim to offer free credit reports. The smart consumer reads the fine print to discover the real deal. Too often, the real deal is that the "free" credit report isn't really free. A membership or ongoing service is usually attached. Look for the "Important Notice," which usually includes fine print like this:

"When you order your free report here, you will begin your free trial membership in [insert brand name] Credit Monitoring. If you don't cancel your membership within the XX-day trial period, you will be billed $XX.95 for each month that you continue your membership."

How do you get a truly free credit report? According to the AARP Bulletin:

"By going to only one place: Type that URL carefully into your browser... In 2005, the World Privacy Forum reported 233 copycat sites with similar addresses."

Another important tip: know your FICO credit score:

"... the number between 300 and 850 that’s a snapshot of your credit worthiness: It reflects your credit history, including late or missed payments, employment, number of credit cards you have and how much credit you have used. A high score of 700 or more means you may get lower interest rates on mortgages and car loans while a score of 450 could have the opposite effect or cause a lender to reject your loan outright."

The AARP Bulletin article suggests that consumers visit or to get their FICO score, which costs about $15. I've noticed that several credit bureaus and some credit monitoring services sell FICO credit scores. I prefer a comprehensive credit monitoring service that includes my FICO credit score as part of the monthly fee. Your FICO credit score changes over time, especially if you apply for loans or are late with payments on your existing loans or credit cards.

A word to the wise: shop around, compare services, and read the fine print. Be an informed consumer.

How To Find A Job While Safeguarding Your Personal Data

Recently, when I changed jobs, I had a chance to practice identity protection habits during the application and interview process. Given the current identity theft problem, it is important for job seekers to disclose enough information to get the interview (and job), but not to disclose too much information.

Yes, it is possible to disclose too much information.

The Identity Theft Resource Center advises consumers not to disclose the following on a resume or an application form:

  • "Your Social Security Number (SSN)
  • Date of birth (DOB)
  • Marital status
  • The year you graduated from various schools and the school name. The school name is a personal choice issue. By knowing what school you attended and graduation date, a thief could discover more about you via alumni lists. An option is to just list your degree and subject or area of specialty.
  • Professional license number
  • Sex – it is against the law for them to ask you for this information
  • Age- it is unlawful for an employer to ask for this information
  • Disabilities – unless the job specifies a request to describe any physical limitations, you should not offer this information up front
  • The reason why you left a past employer
  • Hobbies
  • EIN (taxpayer id number if you use that as an alternate to the SSN)
  • Driver’s license number
  • Any of the above information can be provided to an interested employer in person upon request. Keep in mind, a resume only opens the door to an interview. Jobs are not offered based on resume or application information."

The reality is that not all companies, human resource departments, and employment agencies adequately protect the sensitive data on your resume. You don't know who might see your resume and for how long the company will archive your resume. If you get the interview (or the job offer), you can always disclose the additional information as needed later.

I chose to include on my resume the school names and graduation years, since I sent my resume directly to the hiring manager. I did not use a job search web site. If I had, then I would have included less information on my resume. Since I have a freeze on my credit reports, I will temporarily lift that freeze when (and if) my new employer needs to complete a background check.

Bank Of New York Mellon's Offer To Its Data Breach And ID-Theft Victims

A prior post discussed the data breach at Bank of New York Mellon Corporation (BNY). On Monday, June 2, 2008, my wife received the following letter from BNY:

"May 21, 2008

Dear Sir or Madam:
BNY Mellon Shareowner Services provides stock transfer agency, employee plan administration and related services for issuers of securities such as publicly traded corporations. This includes records for accounts that are currently active, as well as those that have been closed for some years. While we have no reason to believe your information has been or will be accessed or misused, we are writing to inform you of an incident involving personal information that we maintain in connection with these services. On February 27, 2008, our archive services vendor notified us that they could not account for one of several boxes of data backup tapes that they were transporting to an off-site storage facility. The missing tapes contained personal account information that we are required to maintain for the provision of these services."

Wow! The data breach happened on February 27 and BNY notifies consumers in June! That's a three-month delay! Unacceptable. That's too long and it gives plenty of time for identity thieves to do damage. The letter didn't explain the three-month delay in notification. Nor did the letter explain why the BNY data tapes were not encrypted, a serious lapse in data security.

Moreover, the BNY letter includes this absolutely pathetic and insulting line: "we have no reason to believe your information has been or will be accessed or misused..." Is BNY serious? The missing data tapes are not enough evidence of theft? Do BNY executives not realize how smart identity criminals are today? And how can BNY make a claim about the future ("... or will be accessed...")? What arrogance! If BNY has a crystal ball to see into the future, maybe they should have put it to better use to monitor their archive services vendor before "losing" any more data tapes. Geez!

What makes this letter even worse is that BNY never comes clean and informs its data breach and ID-theft victims exactly what sensitive personal data was exposed. So consumers have to assume the worst that name, birth date, Social Security Number, and bank account number were all exposed. The letter continues:

"As stated above, we have no indication of any improper access to this data. As a precaution, however, to help you detect any possible misuse of your data, we are offering to you free credit monitoring for a 12-month period. We have engaged, an Experian® Company, to provide you with their Triple Alert Credit Monitoring product, which includes daily monitoring of your credit reports from three national credit reporting companies (Experian, Equifax and TransUnion), e-mail monitoring alerts of key changes to your credit reports, and additional services."

"For more information, please visit our Web site at You have 90 days from the date of this notice to activate this credit monitoring by using the activation code [code omitted]. This code is unique for your use and should not be shared. To learn more about Triple Alert and to enroll, go to and follow the instructions. To enroll by phone, or if you have any questions, please call us toll-free at 1-877-278-3460. Our customer service representatives are available Monday through Friday, between the hours of 8 am and 8 pm ET; and Saturday between 9 am and 4 pm ET."

Well, BNY seems to be doing the absolute minimum to help its ID-theft victims. One year of free credit monitoring is pitiful, since identity criminals can attempt identity fraud for a period far longer than one year. The letter does not explain how BNY arrived at this one-year period. The letter continues:

"Even if you do not feel the need to register for the credit monitoring, we recommend that you regularly review statements from your accounts and obtain your credit report from one or more of the national credit reporting companies. You may obtain a free copy of your credit report once every 12 months by visiting or by calling one of the three national credit reporting companies, toll-free..."

This is some good advice. It is always wise to remind consumers to check their credit reports periodically for accuracy and fraudulent entries. And, the letter mentioned the official Web site for consumers to get free credit reports. Now that BNY has exposed consumers' sensitive personal data, consumers must check their credit reports more frequently for fraudulent entries. The letter continues:

"We recommend you remain vigilant and that you report any incidents of suspected identity theft to us and to proper law enforcement authorities, including the Federal Trade Commission (FTC). You have the right to obtain a police report if you are the victim of identity theft. Please visit the FTC's Web site,, to learn more about protecting yourself from identity theft, such as requesting a fraud alert."

I've Been Mugged readers know all about this since my blog has covered fraud alerts, the FTC, and consumers' rights to free credit reports annually. It would have been better if the letter provided the specific Web site address for consumers to report incidents to the FTC. The ID-Theft Resources page contains the FTC link and many other resources.

I also spent some time reading the BNY data breach web site. Consumers have to dig deep to find that it took BNY a while to determine which consumers were affected. The bank didn't know what was on the lost/stolen data tapes. How disorganized! According to the BNY data breach site, BNY:

  • "Engaged Kroll Inc., along with independent legal counsel, to assist in conducting a forensic investigation into the circumstances of the loss and assessment of the data on the tapes.
  • Terminated the courier services of the third-party vendor responsible for transporting these back-up tapes.
The forensic investigation initially identified approximately 270,000 individuals and 409 institutions with data on the tapes. The Company worked closely with its institutional clients to notify these individuals, which was completed by early April. The continuing forensic investigation also identified approximately four million additional individuals and 293 additional institutions with data on the tapes. This data took longer to identify and extract because of the manner in which it was stored on the tapes..."

Do the math: that's data lost/stolen affecting 4.5 million consumers and 702 companies. How lax can a bank be about its data security? I agree with Michael Krigsman's conclusion in his IT Project Failures blog: "BNY Mellon should fire Todd Gibbons immediately for this serious breach of public trust and fiduciary responsibility." Jail time is the only way to get company executives to pay appropriate attention to data security.

[Editor's note: in September 2008, Bank of New York Mellon revised its estimate of consumers affected by the bank's data breach from 4.5 million to 12 million, covering several states. At the same time, the bank also changed its offer to its data breach victims.]

Experian Triple Alert Credit Monitoring Service (Product Review)

After Discover changed its credit monitoring vendor, I started looking for a replacement credit monitoring service. Since the three national credit bureaus all offer credit monitoring services, I thought that I'd start there. First up: Experian.

I'd heard that Experian’s service is called "Triple Alert," but I wasn't certain. So I did a Google search to find the site. For me, one way to judge a product or service is to determine how easy it is to find that service on the Internet. A well organized service (or company) makes it easy for consumers to find it via search engines like Google. The site should appear high up on the first results page and its Web site address (e.g., URL) should include the product or service name. I entered "Experian Triple Alert” in and received the following results page:

Google results page for my Experian Triple Alert search

The results page included several Experian links in the left column:


None of the links mentioned "triple alert," but several competitors' links mentioned "triple alert." In the right column, one "Experian Triple Alert" link seemed to go to a site (e.g., that wasn't an Experian site. So, I didn't click on that link. The second "Experian Triple Alert" link in the right column had a question mark next to it, which my anti-virus software indicated was a risky or untested site to visit. So, I definitely wasn't going to click on that link.

The "Experian VA Data Breach" link didn't seem relevant. I was hoping that the results page would include something easily identifiable like "" or " alert." My first impression was that Experian wasn't going to make my experience with their brand easy. I clicked on the "" link to see if it would take me where I wanted to go. It brought me to:

Experian Triple Alert site home page

The page mentioned Triple Alert, so I felt better that I had arrived at the right site. I thought that the page would present only the Triple Alert service from Experian. Instead, the page was cluttered with several Experian service options. The page presented the Triple Alert service for $4.95 per month, a single credit report plus credit score option for $15, a three credit report plus my credit score option for $24.95, and an online credit report option for $10. Are all of these options Triple Alert services, or only the first option?

The options hyping “online credit report in seconds” and “get your credit report and credit score instantly” seemed silly. Most services on the internet are fast and instant. That's why consumers use the Internet. The copy didn't explain if or why Experian's options are faster than others. Plus, I can see the page thoroughly confusing users who are unfamiliar with credit bureaus and the credit report/score process. The site lacks adviser mechanisms to guide unfamiliar consumers to the appropriate option.

For my needs, I seek a comprehensive credit monitoring service... far more than just a one-time peek at my credit score or my Experian credit report. I need access to the full text of my credit reports from all three national credit bureaus. I also need e-mail or text messaging alerts about the status of or changes to my credit reports, credit resolution support and insurance, criminal fraud monitoring, identity fraud assistance when traveling outside the USA, my credit score, credit assistance tools, access to phone support, and easy options to add a Fraud Alert or Security Freeze. The copy on this page did not address all or most of these needs. The closest option seemed to be the Triple Alert option. For my needs, I want both monthly e-mail alerts and customizable e-mail and text messaging alerts, options many banks and credit card issuers already provide. Why? The sooner you learn about fraudulent charges, the less money you'll lose.

I needed to understand exactly what Triple Alert will and won’t do with its credit resolution services. (Thanks to IBM’s data breach, my personal data has already been exposed.) I selected the “View sample alert” link to learn more about the basic credit reporting features. The sample alert page looked very similar to what I currently receive via my Discover credit monitoring service.

The feature mentioned on the home page: "e-mail alerts to key changes in any of my 3 credit reports” is nice, but the page copy didn't explain how the alerts work: how often, any customization options, and e-mail or text messaging options. Regarding credit monitoring services, I do not look for the cheapest service. I look for the service with the most value and effectiveness. Value is what I get for the monthly fee. Effectiveness includes addressing my needs: protection, alerts/warnings features, customization features, resolution services, adequate insurance and guarantee coverages, support, and reliability.

Next, I clicked on the “10,000 Triple Alert Guarantee” link to learn more about that feature. I expected the guarantee page to explain simply the guarantee and its benefits. Instead, the page presented a word-dense legal agreement in hard-to-read lawyer-speak. I was getting the distinct impression that Experian is a difficult brand to do business with. The guarantee page stated:

“If you (hereinafter "you") become a victim of Identity Theft (as defined below) while enrolled in and using the Triple Alert product,, Inc. (hereinafter "we", "our" or "us") will reimburse you for certain Identity Theft Expenses (as described in Section 3, below) up to $10,000, subject to the terms and conditions of this Guarantee. "Identity Theft" means that your name, address, Social Security number, bank, or credit card account number, or other personally identifying information was used without your knowledge or approval to commit fraud or other crimes. The maximum amount that we will pay you is $10,000 for Identity Theft Expenses as a direct result of an Identity Theft.”

Why does the copy mention I didn't ask for that site. Did I arrive at the wrong site? What is Is it a better credit monitoring service? This was confusing and it caused more questions than it answered. Further down the page, it included a description of the types of expenses that are covered:

“(a) Stolen Funds: Funds directly stolen from you that are related to any account that is included on your Experian credit report…”
“(b) Legal Expenses: Reasonable and necessary attorney fees or court costs associated with defending any suit brought against you by merchants, financial institutions or other credit grantors or their collection agencies, or the removal of any criminal or civil judgment wrongly entered against you.”
"(c) Lost Wages: Actual United States wages or salary you lose as a direct result of time off work taken by you to report an Identity Theft;”
“(d) Miscellaneous: Loan applications fees, long distance telephone costs, mailing and postage costs, costs of having affidavits or other documents notarized; and”
"(e) Private Investigators: Any fees or costs associated with the use of any investigative agencies or private investigators. You must receive our advanced written consent to your choice of private investigators, and we reserve the right to select such private investigators.”

Note: the Triple Alert site pages do not mention outsourcing and whether Experian offshore outsources any of its operations. I know from prior research that all three national credit bureaus announced offshore outsourcing in 2003. To stay competitive and to manage costs, credit bureaus currently offshore outsource portions of their credit reporting operations, and likely do the same for their credit monitoring services. I would expect a credit bureau like Experian to mention its offshore outsourcing arrangements so consumers can make an informed purchase.

To summarize in plain English: if a bank account is on my Experian credit report and that account has money stolen from it, I would get reimbursed up to $10,000 less reimbursements for other valid expenses. If that bank account wasn't on my Experian credit report, then it isn't covered. That doesn't seem right.

The $10,000 of insurance didn't seem like much. It's pretty easy to have a $5,000 to $7,000 limit on one credit card, and much more in a savings account and mortgage. Attorney fees could easily eat up a large portion of the $10,000 guarantee.

Let’s assume for the moment that the $10,000 guarantee amount is enough coverage. There’s more to consider. The reimbursements are subject to more conditions. To get reimbursed, a consumer must also meet all of the following items:

  1. Review your credit reports in a timely manner and report fraudulent items
  2. File a police report within 10 days after first learning of identity theft or fraud (or after Experian notification)
  3. Contact Experian’s Fraud Resolution Department within 10 days after first learning of identity theft or fraud (or after Experian notification)
  4. Place a Fraud Alert with all 3 credit bureaus within 10 days after first learning of identity theft or fraud (or after Experian notification)
  5. Work with Experian’s Fraud Resolution Department to pursue any and all sources of reimbursement and submit any receipts and documentation. I must assign Experian rights (Power of Attorney?) to work on my behalf for reimbursements. And I must give back to Experian any reimbursements if I receive funds from another source (e.g., bank, credit card issuers, other insurance, etc.)
  6. Honestly inform Experian or pay back any reimbursements to them if they find that I misrepresented something

Obviously, any consumer uncomfortable with these 6 conditions should not sign an agreement with Experian Triple Alert. More importantly, a $10,000 guarantee doesn’t provide much coverage. It seems easy to exceed that amount. Think of it this way: when you insure your home, you insure all of it, not part of it. The same applies to credit monitoring insurance or guarantees. If an identity thief steals all of my bank and financial accounts, I want insurance that covers everything. Not part of it. Moreover, residents of New York can't get coverage with Experian Triple Alert.

Note: I checked the Triple Alert Privacy Policy page. Experian Triple Alert participates in behavioral advertising programs:

"The National Advertising Initiative (NAI) has developed an opt-out tool with the express purpose of allowing consumers to "opt-out" of the targeted advertising delivered by its member networks. You can visit the NAI opt-out page and opt-out of this cookie tracking. Please visit: for more information."
"Partner sharing Opt-out Options: If a business partner refers you to our Site, you may choose not to have your information shared with that partner by opting-out directly on your order form."

Consumers should be aware of this, since the site (and any Triple Alert partners) monitor customers' Internet use and serve up (supposedly) targeted, relevant ads.

So, the Experian Triple Alert service didn't look like a good deal to me. It looked like a poor value. It wasn't particularly easy to find. It doesn’t meet all or even most of my needs. The web site was skimpy on explaining important details and benefits. When the site provided explanations, it was often difficult to read, hard to find, and confusing. And, the service doesn't offer customizable e-mail/text messaging alerts to warn me as soon as possible of possible fraud. That's a state-of-the-art feature many banks and credit card issuers already provide their customers. Frankly, if the site pitching Experian Triple Alert to potential customers is this bad, then the actual service for customers probably is worse.

The Experian Triple Alert site did not prove to me any of the benefits it claimed, nor that Experian Triple Alert is a quality service worth signing up for. The site didn't convince me that it is better than other credit monitoring services available. The site seemed to pitch weak claims while trying to lure uninformed consumers.

All of this left me with the impression that Experian is a difficult brand to do business with. If I signed up for Experian Triple Alert, it would probably be a frustrating experience. No thanks. I prefer to look elsewhere for a credit monitoring service.

If you use the Experian Triple Alert service, please share your experiences. Why did you sign up? What works well? What works poorly? How well do the alerts, resolution, and reimbursement services help?

Privacy Advocates Target U.K. ISP Working With Phorm

In Europe, consumer privacy advocates are starting to increase the public's awareness of the consequences of behavioral advertising. According to the MediaPost Daily Online Examiner blog, several consumer privacy advocates are calling for the public to picket the annual meeting of BT shareholders due to the Internet Service Provider's (ISP) arrangement with a behavioral targeting vendor:

"The purpose of the protest is to make BT shareholders aware of the past and planned use of allegedly illegal interception technologies to sell behavioral profiles to an ex-spyware company... according to a report today in the U.K. paper The Register... an anti-Phorm petition in the U.K. has drawn more than 13,000 signatories to date. The petition, stating that Phorm’s plan 'would result in the browsing habits of the majority of the UK population being sold to a third party for advertising purposes,' warns that the opt out system for this technology is vague and unproven."

I've Been Mugged readers are aware of the consequences of behavioral advertising, which includes plans by ISPs to install tracking software on their servers to monitor every Web site and page their subscribers use and all search terms they enter. ISPs and advertisers claim two reasons for behavioral advertising: a) convenience for consumers with relevant ads, and b) the continuation of free services by ISPs. The reality is that consumers forfeit privacy for benefits they may never see, and ISPs gain a larger, more valuable advertising revenue stream.

If behavioral advertising troubles you (and it should!), I encourage you to read more about it and then tell your elected government officials about your concerns.

Congratulations To Senator Obama; Coal To The TV Networks

Congratulations to Senator Clinton for her South Dakota victory. Congratulations to Senator Obama for becoming the presumptive nominee for the Democratic party. Now is the time to bring the party together and conquer "Bush McSame." Enjoy your day Senator Obama. Bask in your victory. You deserve it and you have earned it. Please give careful and deliberate thought to your choice for a VP running mate.

Now, a word about last night's coverage of this event by the television networks.

Here in Boston, I subscribe to basic cable. Only NECN broadcast Obama's speech in its entirety. Three of four TV networks (CBS, NBC, and Fox) and their local affiliates all presented standard programming which included reruns. ABC broadcast only half of Senator Obama's speech, and then the network anchor talked over the Senator before ABC cut to other programming.

Yes, there is the minor issue that the super delegates could change their votes. My point: as of June 3, 2008, Senator Obama had achieved the number of delegates required for the Democratic nomination. Senator Clinton had not. Regardless, where was the TV network coverage last night?

What's up with this? Why such poor TV network coverage of this event? Is this the best that corporate owned media can do? Never before has this country had a woman and an African-American as candidates with a real chance of winning the presidential nomination of a major political party. Never before. And with Senator Obama's speech last night, never has an African American (of either sex) been the nominee with enough delegates to secure the nomination. That's history in the making by any measure.

Yet, no live coverage of the presumptive nominee's speech by the big four networks. Nothing. Zilch.

Disappointing. This poor coverage was not worthy of the broadcast licenses the 4 networks enjoy.

If they continue with this crappy coverage, I say pull their broadcast licenses.

FTC Seeks Consumers' Comments On Proposed System To Develop Credit-Based Homeowner Insurance Rates

I often write about the U.S. Federal Trade Commission (FTC), since its activities directly affect us (and our wallets or purses). Prior posts covered the FTC's annual analysis of identity theft and its proposed rules for behavioral advertising, which could affect your Internet usage and privacy. Currently, Congress has required the FTC to study ways to base homeowners insurance rates on credit-based insurance scores.

Yes, you read that correctly. The FTC is studying ways to base your homeowner insurance rates on your financial and credit information. This study was mandated by Section 6(b) of the FTC Act and Section 215 of the Fair and Accurate Credit Transactions Act (FACTA). I've Been Mugged readers know that insurance companies already base property insurance rates on C.L.U.E. reports, which compile consumers' auto and homeowners insurance claim histories.

In 2007, the FTC studied the use of credit-based scores for auto insurance rates. Some key findings from that July 2007 auto insurance study:

1. Scores effectively predict the number of claims consumers file and the total cost of those claims. Their use is likely to make the price of insurance better match the risk of loss that consumers pose. Thus, on average, as a result of the use of scores, higher-risk consumers pay higher premiums and lower-risk consumers pay lower premiums.

2. Use of scores may result in benefits for consumers. For example, scores permit insurers to evaluate risk with greater accuracy, which may make them more willing to offer insurance to higher-risk consumers for whom they otherwise would not be able to determine an appropriate premium. Scores also may allow insurers to grant and price coverage more efficiently, producing cost savings that could result in lower premiums. Little empirical data was submitted or available to the FTC that would allow the agency to quantify the magnitude of these benefits.

3. Scores are distributed differently among racial and ethnic groups, and these differences are likely to have an effect on the premiums that these groups pay, on average.

4. As a proxy for race and ethnicity in statistical models of insurance, scores have a 1.1 percent and 0.7 percent effect for African-Americans and Hispanics, respectively. This means that most of their predictive power is not as a substitute for membership in racial or ethnic groups. In addition, scores effectively predict risk of claims within racial and ethnic groups.

5. The Commission could not develop an alternative scoring model that would continue to predict risk effectively, yet decrease the differences in scores among racial and ethnic groups.

From the auto insurance study, finding #1 above seems more focused on "risk" rather than "actual claims," which suggests that insurance companies can base auto rates on what they think your risk is, not your actual risk based on claims. Plus, there are a lot of "maybes" in #2 above. This seems to be a big win for industry and not much of a benefit for consumers.

If this insurance study seems odd to you, it should. One would expect insurance rates to be based on your claim history and not your finances. Companies seem intent on changing this traditional approach. If you are concerned, I strongly encourage you to submit a comment to the FTC. The deadline for submissions is June 18, 2008 -- 2 weeks from today. You can submit comments via postal mail to:
Federal Trade Commission
Office of the Secretary
Room H-135 (Annex C)
600 Pennsylvania Avenue, N.W.
Washington, DC 20580
Be sure to include “Credit-based Insurance Score – Homeowners Insurance – P044804” on both your letter and the envelope.

The Age Of Conversation 2008 Moves Closer To Publication

As some I've Been Mugged readers know, I am a contributor to The Age of Conversation 2008. I am happy to report that the book is well along its path to production. On May 15, about 275 bloggers submitted their chapters to Drew McLellan and Gavin Heaton, creators and editors of the book.

This year's topic, Why Don't People Get It, will surely create some buzz and passionate discussions. The book goes on sale online in August at If you want to read a few excerpts, visit Ryan Barrett's Cheap Thrills blog. However, to read my chapter, you'll have to buy the 2008 book.