
16 posts from September 2008

Most Popular I've Been Mugged Posts

The top ten most read posts:

  1. Experian Triple Alert Credit Monitoring Service
  2. Bank Of New York Mellon's Offer To Its Data Breach And ID-Theft Victims
  3. Suze Orman Identity Theft Kit Debuts
  4. Kroll's Offering From IBM Deserves Scrutiny
  5. Debix, LifeLock, and TrustedID
  6. 2008 Consumer Fraud and Identity Theft Complaint Data (FTC)
  7. Citi Credit Monitoring Service and Citi Identity Monitor
  8. Bank of New York Mellon Data Breach Affects at Least 4.5 Million Consumers
  9. Sidejacking: What It is and How to Protect Yourself
  10. What Does Your C.L.U.E. Insurance Report Say About You?

Bank Of New York Mellon Changes Its Offer To Its Data Breach Victims

In June of this year, I first wrote about the Bank of New York Mellon's offer to its data breach and identity theft victims. Since then, the bank revised the number of consumers affected by its data breach from 4 million to at least 12 million in several states. This month, Mellon improved its credit monitoring offer in two ways:

  • Increased the free credit monitoring period from 12 to 24 months
  • Offered to reimburse data-breach victims for the fee to place a Security Freeze on their credit report
  • The credit monitor offer has a new web site address:

The bank's May 2008 data breach letter offered 12 months of free credit monitoring, and it didn't provide reimbursement of Security Freeze fees. The bank's September 2008 data breach notice reads:

"... we are offering you and other impacted individual a free credit monitoring product, Triple Alert, for 24 months to help you detect possible misuse of your data. If you choose to enroll in this product, you must activate your credit monitoring membership within 90 days from the date of this letter by visiting and using your single-use activation code XXXXXXXXX. In addition, if you place a credit freeze on your credit file within 90 days from the date of this letter, we will reimburse you for the cost of the initial placement and one removal of the credit freeze."

This revised offer is a step in the right direction, since the bank's data breach has placed many consumers' sensitive personal data at risk. This is the first I have heard of a company offering to reimburse data-breach victims for the cost of a Security Freeze on their credit report. However, the letter is vague about whether the reimbursement covers only the Experian Credit Report or all three consumer credit reports (e.g., Experian, Equifax, and TransUnion).

While 24 months of free credit monitoring is better than 12, it is still too short a period, since the identity theft and fraud risk continues long past 24 months. How about 10 years of free credit monitoring, Mellon? That sounds about right, since consumers must continue to monitor their credit reports long past 24 months.

If you don't know what a Security Freeze is and the benefits it provides for consumers, I strongly suggest that you read these blog posts:

If you received this BNY Mellon data breach letter and subsequently placed a Security Freeze on your credit report, let us know in the Comments section below if the bank reimbursed you for the cost of freezing one or all three credit reports.

If you received this BNY Mellon data breach letter and subsequently have been a victim of identity theft or fraud, let us know in the Comments section below. Then we can inform the bank to remove the statement on its web site:

"At the time of the incidents, we said there were no indications that the data had been accessed or misused in any way — and that remains the case."

Wall Street Bailout And Politics

I write this blog to help consumers protect their identity information and money. With that in mind, the following sums up the events of the past week where the worst financial crisis since The Great Depression and a presidential campaign overlap:

And there's this:

I'm no financial expert or economist, but here's my view -- which I've already shared with my Congressional representatives.

I am very, very concerned about the $700 billion bailout of selected Wall Street investment firms and banks. I assume Congress is going to do this bailout since they bailed out Chrysler Corporation in 1980. How are we going to pay for this? $700 billion is a staggering amount of money. Why should taxpayers bail out executives who have made both millions and poor financial decisions?

We should not do the bailout if Congress can't specify how they are going to pay for it, or how the investment banks are going to repay taxpayers. Speed should not be the priority, no matter what our President claims.

Will this bailout fuel inflation? Nobody seems to be talking about that.

And where was oversight by the government? Much of the oversight was gutted during the 1990s. That oversight must be reinstated.

The investment bank executives should have some money at risk, not just taxpayers. Think of it as matching gifts. These executives should put up some of their own money, and get an equal amount of taxpayer loans.

I wouldn't give my teenage son $700 without some strings attached... with my expectations about him making certain decisions, being responsible, and keeping me informed about his actions with the money I lent him. Nor would I give him all of the money at once.

Same goes for the proposed $700 billion bailout to investment firms. A smaller portion should be lent upfront. If these firms meet certain conditions, then they get more. If they miss those conditions, no more money. My list of conditions:

  • The bailout money for investment firms and banks cannot be used for political campaign contributions. It is for operational expenses only. Any violations and the money must be repaid and the execs go to jail
  • An investment firm or bank gets bailout money if the senior execs invest their own assets at risk in the investment firms
  • Senior executives' compensation in cash only, and capped at a $ amount or 50x multiple of the lowest worker's pay
  • Quarterly disclosure of how the senior executives are managing the bailout loan received
  • If the investment firm's or bank's profits exceed a threshold in 2 years, they must start repaying the taxpayers then and before any salary increases, bonuses, and stock dividends
  • Twice yearly auditing by a true independent third party... not just the firm's accounting firm. Any abuses and the executives go to jail
  • Any abuses and the investment firms do not receive any more bailout loans
  • Investment firms and banks receiving bailout monies are prohibited from making any corporate mergers or acquisitions
  • Investment firms and banks receiving bailout monies are prohibited from moving any (additional) jobs out of the country via offshore outsourcing
  • If the investment firms don't agree to these conditions, they don't receive any bailout money
  • Bailout decisions are by a panel including the SEC Chairman, the Reserve Board Chairman, the Treasury Secretary, and several U.S. Senators; not a unilateral decision by the President

Funny how many Republicans and some conservative (Blue Dog) Democrats argue about how the market rules and is best for everyone, but when their corporate friends get into severe trouble, they want the Government to bail them out.

If you are 50+, consider where your Social Security would be after the past week's events -- if Bush/Cheney had privatized it.

We'll see what happens at tonight's debate.

Emerging Identity Fraud Scam: Credit Card Shaving

Thanks to my friend Michael in Oakland for alerting me to this emerging identity fraud scam. Sometimes, the low-tech or old-school approach is just as effective as online or high-tech scams. Yahoo Finance news reported:

"Shaving is a low-tech form of card theft where thieves sort through sets of 16-digit numbers to find one that matches an existing card, and then verifying that number either by trying to make a purchase online or by phone. The scammers can also buy a list of valid credit card numbers from black market sites online. Once they have their hands on a valid account number, they then create a new card with those numbers by shaving the numbers off of gift cards or expired credit cards and gluing them onto a defunct or stolen card. The magnetic strip is gouged with a knife or pen so that a store clerk has to manually enter the account number on a keypad, and the charge goes through."

This scam is particularly insidious because the consumer is totally unaware; your wallet or purse hasn't been stolen. And if you don't check your credit card statement every month, this type of fraud can go on for many months and rack up big charges.

Obviously, the retail stores' cashiers and clerks are the first line of defense against the scam. The credit cards look altered -- if the cashier takes the time to inspect the card. One way consumers can protect themselves is to shred old credit cards and paper statements. Consumers can also consider using virtual credit cards:

"... consumers can fight shaving is with a credit card account that generates a new number for every new transaction. Citibank offers Virtual Account Numbers to cardholders for online purchases while PayPal provides the Secure Card in the form of a MasterCard debit card. While these can only be used online, Qsecure is rolling out a SmartStripe credit and debit card that looks like any other card. However, a chip embedded in the card's magnetic stripe automatically generates a different number for each purchase."

I haven't yet tried one of these new credit cards. If you have used a virtual credit card, share your experiences below.

Coming Soon: The End of Robo-Calls

In August, the U.S. Federal Trade Commission (FTC) released two amendments to its telemarketing rules:

"One will expressly bar telemarketing calls that deliver prerecorded messages, unless a consumer previously has agreed to accept such calls from the seller. The other related technical amendment modifies the TSR's method of calculating the maximum permissible level of 'call abandonment'."

Over 14,000 people submitted comments to the FTC, which prompted the change in rules. Telemarketers must now get the consumers' express written permission in order to send prerecorded telemarketing calls. That permission can be obtained in a variety of ways, such as via a web site opt-in mechanism, in a response postal mailer, or during a "live" telemarketing phone call. Details about the new rule about prerecorded calls (a/k/a automated or "robo-calls"):

"Permit sellers to obtain the required permission for prerecorded message sales calls from a consumer in any manner permitted by the Electronic Signatures In Global and National Commerce Act (E-SIGN Act)... by December 1, 2008, sellers and telemarketers provide, at the outset of all prerecorded messages, an automated keypress or voice-activated interactive opt-out mechanism so that consumers can opt out as easily as they can from a live telemarketing call."

So, consumers will receive automated telemarketing calls only after they have opted-in or given the telemarketer their written permission. Two classes of companies are exempt from the new rules: healthcare-related prerecorded message calls consistent with the Health Insurance Portability and Accountability Act (HIPAA), and:

"... charitable solicitation phone calls placed by for-profit telemarketers (telefunders) that deliver prerecorded messages on behalf of non-profits to members of, or previous donors to, the nonprofit, but require that such calls include a prompt keypress or voice-activated opt-out mechanism..."

While the FTC will start enforcement against violators of the new rules, it is a lukewarm or very slow start:

"End the FTC's current policy of forbearing from bringing enforcement actions against sellers and telemarketers who place prerecorded calls that meet certain specified conditions that would be inconsistent with the new requirements; but permit sellers, as under the forbearance policy, to continue for one year after the rule's publication to place calls delivering prerecorded messages to consumers with whom they have an established business relationship, after which no prerecorded message calls can be made to consumers without their express permission."

If you want to learn more about the new telemarketing rules, download the Federal Register Notice (PDF, 111 pages, 480KB).

Suze Orman And the FDIC Partner To Help Consumers With Determining Bank Account Insurance Status

With the recent bankruptcies of financial firms, some banks, and the general uncertainty with the mortgage and credit crises, consumers are understandably nervous about the status of their bank accounts. This blog has previously discussed tips to help consumers.

Earlier this month, financial expert Suze Orman and the FDIC launched a web site to help consumers determine if their bank accounts are protected by FDIC insurance:

According to the FDIC web site:

"EDIE the Estimator can calculate your FDIC insurance coverage for each FDIC-insured bank where you have deposit accounts. EDIE lets you know in a printable report for each bank whether your deposits are within or exceed coverage limits."

When using the EDIE tool, it was satisfying to read the following privacy information:

"... EDIE the Estimator does not require any confidential or personally identifiable information, nor does it store information after you complete a specific user session. Moreover, users can enter an owner's name by using their real name (Joe Smith), their relationship in the family group (Husband), or numerically (Owner1). The names of beneficiaries (if applicable) can be similarly entered. In addition, as an extra measure of safety, the system is programmed so no account group information for the session is transferred over the Internet."

So, for maximum protection and privacy, enter "Bank #1" for your financial institution and your generic family position (e.g., husband, spouse, child #1, etc.).

Bank of New York Mellon's Data Breach Widens

Recently, an I've Been Mugged reader wrote to me via e-mail:

"I just received a letter from Mellon today 09/19/08 regarding my personnel information being lost. I found your blog today while trying to go to their web site. This has to be a scam."

Unfortunately, the Bank of New York Mellon's data breach is real. According to CNN Money, the bank's original estimate of affected data breach victims has been revised from 4 million to 12 million. The Hartford Courant reported that the number of affected Connecticut residents increased from 500,000 in May to 635,000. The Boston Globe reported that the number of affected Massachusetts residents increased from 200,000 in May to about 400,000.

In my opinion, the bank's president, CEO, CSO (Chief Security Officer), and CIO (Chief Information Officer) should all be fired immediately due to this mess. How could the bank be so wrong with the number of affected customers? According to the CNN Money article:

"... a third-party re-examination of the analysis applied to the lost tapes has revealed that the affected number of individuals is actually about 12 million, Heine said. The company is in the process of notifying the additional consumers."

It would seem that the company didn't know exactly what was on the lost (or stolen) data tapes. This reminded me a lot of IBM's data breach last year involving lost/stolen data tapes. Since I had moved my residence several times, IBM found me by hiring a private investigator to locate my current residential address. The same may also apply to many Bank of New York Mellon customers, who had terminated their accounts with the bank, while the bank archived their sensitive personal data. And, the investigator may have accurately contacted some consumers and inaccurately contacted others.

If you aren't sure if the breach notification letter you received is real or a scam, read this blog post about how to determine the letter's authenticity. If you received a breach notification letter from the Bank of New York Mellon, you might call the phone number listed in the letter (or in the web site) and ask them how they verified that you are indeed affected... how they are certain it's you. Ask probing questions and don't let them off easy.

And remember... you have a choice about how to protect your identity and financial information. If you are a Bank of NY Mellon breach victim, you have a choice. You can accept the credit monitoring offered by Bank of NY Mellon, or you can use another credit monitoring service that best suits your identity protection needs. Everyone's needs are not the same.

What Causes Credit Card Issuers To Raise Interest Rates?

If anything, this blog is about helping you protect your identity information and money. In 2008, Consumer Action, a San Francisco-based non-profit organization, surveyed several credit card issuers (e.g., banks and credit unions). They asked what events cause the credit card issuer to increase a consumer cardholder's interest rate:

  • Addison Avenue FCU: One late payment
  • American Airlines-FCU: One late payment; Two or more late payments
  • American Express: One late payment or two or more late payments (see 2 questions down); over limit three or more times; Returned payment (bounced check) (all apply within a 12 month period)
  • Bank of America: One late payment; Going over limit
  • Capital One: Two or more late payments within 12 billing cycles
  • Chase: One late payment; Returned payment (bounced check); Going over limit
  • Citi: Returned payment (bounced check); Going over limit; One late payment
  • Digital FCU: Two or more late payments; Going over limit
  • Discover: Two or more late payments
  • Everbank: Two or more late payments
  • Golden 1 FCU: One late payment; Two or more late payments
  • HSBC Bank: One late payment; Going over limit
  • Pulaski Bank and Trust: One late payment
  • Simmons First: Two or more late payments
  • Town North Bank: One late payment
  • U.S. Bank: One late payment; Two or more late payments; Going over limit
  • US Bank: One late payment; Two or more late payments; Going over limit
  • Washington Mutual: One late payment; Going over limit; Returned payment (bounced check)
  • Wells Fargo: Two or more late payments; Going over limit

A few credit card issuers listed additional events which cause an interest rate increase:

  • First Command Bank: cardholder dies; seeks relief as a debtor in bankruptcy, insolvency, or debtor relief law; cardholder provides bank with false or misleading information or signatures.
  • Addison Avenue FCU: Fail to live up to terms of agreement and disclosure statement; Credit worthiness is impaired; Die, become insolvent or subject to bankruptcy
  • Digital FCU: failure to adhere to terms of agreement; Credit worthiness impaired; Death, become insolvent, or bankruptcy; Default in other loans with the bank; Misrepresentation in loan application
  • Pentagon FCU: Illegal use of card; Death/Incompetent

Note: in most instances, a single late payment is enough to cause an interest rate increase. Now that you know, you can plan your credit card payments accordingly; and set up automatic payments through online banking.

If you do online banking, you can set up automatic alerts via e-mail to warn you when your checking account balance dips below a certain amount which you specify. Read this post if you are unsure about whether or not to switch to paperless statements for your credit card.

How To Tell If A Data Breach Notice And Enclosed Credit Monitoring Offer Are Legitimate

I recently received this e-mail message from a reader:

"I read your blog about taped records being lost from IBM on February 27. It made me suspicious since I received a letter from BNY Mellon saying that they had lost a box of tapes including some of my records on February 27, 2008. They were offering free credit monitoring service through Triple Alert Credit Monitoring and offering $25,000.00 in identity theft insurance from Virginia Surety. I am naturally reluctant to give out information to someone soliciting it from a letter. I had almost decided to sign up when I saw your blog and the date stood out making me more reluctant. Did everybody have tapes stolen on February 27? If so how did they all fit in the one missing box?"

In today's world, reluctance to disclose your sensitive personal data is wise. However, this reader seems to have confused events on different dates. The IBM data breach occurred in February 2007. It was reported widely in the news media.

The BNY Mellon data breach occurred in February 2008. It too was widely reported in the news media. I think that it's coincidental that both data breaches occurred in February.

While I don't know and haven't seen the specific correspondence this reader received from BNY Mellon, I wrote about the breach notice from BNY Mellon, which was a valid breach notice. My wife decided not to accept their credit monitoring offer, for some of the reasons listed in that blog post.

This is why I started this blog... for people to share information and learn. There's so much happening in the identity theft marketplace. No single person can know it all. Plus, the pace of change is fast.

How can a consumer tell if a breach notice is legitimate or a scam? Here's my list:

  1. Companies usually distribute breach notices via the U.S. postal mail -- not via e-mail. Notices are addressed to a specific person by name.
  2. States with laws that require companies to notify data-breach victims (e.g., consumers, customers, employees, and former employees) usually require the company to send the same breach notice to their Attorney General's office, consumer affairs office, or state department of justice
  3. Regarding #2, you can contact that office in your state by phone or online, to verify if the breach notice you received is legitimate or not.
  4. Also, a couple states -- Maryland and New Hampshire -- post online all of the data breach notices they have received. You can check these sites to see if the breach notice you received is listed there. (Hopefully, more states will publish breach notices online. When I hear about additional states, I will post it on this blog.)
  5. You can contact the Human Resources department of the company which sent the breach notice. If you are skeptical, look up their phone number in the company's web site or in the phone book. (If you are skeptical, do a Google search to find the company's web site; then go to the site's Contact Us page for instructions.)
  6. Check your local newspapers, news media, and reputable blogs for news items about the company's data breach. Reporters and trustworthy bloggers will fact-check data breach notices. (Some trustworthy and reputable blogs are listed on the ID-Theft Resources page.)
  7. Check the Breach Blog or the Privacy Rights Clearinghouse site
  8. Talk to neighbors, friends, classmates, or coworkers who may have been affected.

After you have confirmed that the breach notice is legitimate, then you can evaluate the company's offer of free credit monitoring services. As I've mentioned to others, get the credit monitoring service that meets your specific identity protection needs. Everyone's needs are not the same. One size does not fit all.

And remember that credit monitoring does not stop all types of identity theft and identity fraud.

If you have any tips you use to verify a data breach notice, feel free to share them below.

Visa And Banks To Test Real-Time Fraud Alerts

In the ZDNet Zero Day blog, Ryan Naraine reported:

"Credit card giant Visa is teaming up with eight North American banks to deliver fraud alerts in real-time via SMS (text messages) and e-mails to cell phones. The pilot program will allow about 2,000 Visa cardholders to set thresholds that will trigger an immediate transaction alert to a mobile device. Once an alert is received, a cardholder can verify the transaction details, and if the transaction appears to be irregular, can immediately contact their bank to help stop further transactions on the card."

According to Reuters:

"Participants may choose to be alerted to a variety of types of card usage, including ATM withdrawals, international transactions, Internet or phone transactions, and transactions above specified amounts."

While this sounds like a good idea, the details are critical. Will there be a monthly fee for this feature? I hope not. It should be included.

How "real-time" is real-time? I already have alerts with online banking and those arrive about 40 - 60 minutes after the transaction. That's not real-time. Not even close. I wonder if Visa and its banks really will be able to deliver real-time credit card alerts before the transaction is completed.

Also, consumers must have control over their alerts. It's important for consumers to be able to:

  • Change the dollar threshold for their alerts
  • Specify different dollar thresholds for cash withdrawals versus purchases
  • Toggle on/off the cross-border alert, since people do travel on vacations and/or business
  • Specify their default charge geographic area, since certain states and/or countries may be visited repeatedly
  • Select the alert format of their choice: v-mail, SMS, e-mail, or any combination
  • Integrated within the consumer's online banking

Farmers Identity Shield (Product Review)

While watching late-night television recently, I saw an advertisement for Farmers Identity Theft Shield. Readers of this blog know that I'm looking for a replacement credit monitoring service after Discover changed its credit monitoring vendor. The Product and Service Reviews page in this blog lists all of the credit monitoring services I've reviewed so far. Today's post includes a review of Identity Shield from Farmers Insurance.

Farmers' service is coverage a consumer would add to an existing Farmers homeowners insurance policy. It isn't sold separately. The Farmers site does an average job of explaining their offering. The site does not provide a price, so it is difficult for consumers to determine if the Farmers offering is a good value for their money. Some key features of Farmers' offering:

  • Coverage of $28,500 expenses
  • $1,500 indemnity
  • Monitoring of credit files and publicly accessible records for fraudulent activity, for two people
  • Annual identity report with details of the customer’s credit file and public records
  • Professional on call to answer questions regarding identity safety concerns
  • Assistance in replacing lost, stolen or damaged identification documents (birth certificate, passport, etc.)
  • E-mail tips and news to help prevent identity theft
  • Access to Farmers’ informative Web site

Actual ID-theft victims would also receive:

  • Identity resolution services for the entire household
  • 24/7 access to an advocate at Identity 911 to guide the victim through the identity recovery process
  • Preparation of correspondence necessary to notify all relevant parties of the fraud (credit bureaus, financial institutions, etc.)
  • Creation and maintenance of a case file of all phone calls, documents and results
  • Assistance in placing fraud alerts and security freezes with credit bureaus

The focus of the site is to get a consumer to talk with a Farmers insurance agent. While that is a reasonable goal, the site is very weak on providing details. It could and should do both.

The site doesn't explain what the "$1,500 indemnity" means. The insurance coverage is a little more than available from other providers, but the site doesn't provide a link to the full text of the agreement so consumers can read the coverage details. As I discovered in prior product reviews, the important details about insurance coverage and expense reimbursement are covered in the detailed agreement, which the Farmers site doesn't provide.

The Farmers site does not list specifically which credit bureaus it monitors. The copy implies all three national credit bureaus, but I look for precise copy statements, not implications. The site does not explain the training and qualifications its phone-based professionals have, so the user cannot evaluate how beneficial this phone support might be. The site does not even link out to the sub-contractor, Identity 911. This is critical since Identity 911 would provide assistance to ID-theft victims.

I reviewed briefly the site and quickly noticed that much or most of its content is a copy of the Identity Theft Knowledge Center site run by Identity 911. I guess that Identity 911 allows its clients to reuse its news, tips, and informational content. While this may greatly help Farmers, it left me wondering how much Farmers Insurance really understands about identity theft. Farmers seemed to have hired a subcontractor to do all of the heavy lifting.

The site says that consumers get an "Annual Identity Report," but the site doesn't show an example report. So, consumers are unable to learn exactly what's in this report and how beneficial it might be (or not). Is it the full text of the consumer's credit reports at all three national credit bureaus? Or is it a Farmers-created summary? And, an annual report may not meet many consumers' identity protection needs. When an alert informs the user that there's a change to one of their credit reports, the consumer wants to see that report immediately... not wait for the annual identity report which could be months away.

Would I buy this product? No way. The site is skimpy on details. Many of the service features and descriptions are vague. No demos or online tutorials. The site does a very poor job of explaining and proving the service benefits and features.

The site didn't offer any explanations of why Farmers Identity Shield might be better than other credit monitoring services. The user is left to make their own comparisons and analysis. It seems that Farmers quickly cobbled together an offering, with the hope that poorly informed consumers would buy it without asking hard questions. Part of the services Farmers seems to charge for (e.g., placing Fraud Alerts and Security Freezes), I have already done and consumers can do for themselves for free. It is very easy and a fast 5-minute phone call for a consumer to place a Fraud Alert on their credit reports.

More importantly, the site fails to state the monthly fee for the service. How can consumers make a decision about a service when the site doesn't state the price?

During the upcoming weeks, I will review more credit monitoring services. You can access prior reviews at the Product and Service Reviews page, or via "Product Reviews" in the right-column tag cloud. To receive alerts about future reviews, click on either of the e-mail or RSS links in the right column.

FTC To Host Radio Frequency ID Workshop

The U.S. Federal Trade Commission (FTC) will host a workshop on September 23, 2008 titled, "Transatlantic RFID Workshop on Consumer Privacy and Data Security." The purpose of the workshop:

"explore emerging applications of radio frequency identification technology and their implications for consumer protection policy. The workshop will bring together industry representatives, government officials, and consumer advocates from Europe and the United States to discuss security and privacy concerns associated with RFID technology."

If you are unfamiliar with radio frequency identification (RFID) technology, I suggest that you read these prior posts. As with any new technology, the proper installation and use of RFID -- with adequate data encryption -- is critical, since RFID cards usually contain sensitive personal information of consumers and employees. According to the news release:

"The workshop is being held in conjunction with the September 22, 2008 “Transatlantic Symposium on the Societal Benefits of RFID,” sponsored by the Trans-Atlantic Business Dialogue, the European-American Business Council, and EPCGlobal, with the support of the U.S. Department of Commerce and the European Commission."

The workshop is free and open to the public. If you cannot attend, a live webcast will be available at the FTC web site. The workshop will be held at the FTC Conference Center, 601 New Jersey Avenue, N.W., Washington, DC 20001.

Maybe the three enterprising M.I.T. students will attend and contribute to the discussion.

Why Does First Data Know So Much About Consumers?

[Editor's Note: I am pleased to introduce the first guest author at I've Been Mugged. I've known William Seebeck for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980s. Bill has a wealth of experience in online systems, banking, publishing, and public relations. Bill sent me his comment below, which he also submitted as a reply to the ZDNet blog post by Tom Foremski about First Data Corporation. Bill's message deserves the widest audience possible, and it includes advice both First Data and consumers would be wise to listen to.]

By Bill Seebeck

I'm sure that it is true, as Mr. Capellas states, that he knows more about what we (the American public) are likely to do next than we do ourselves.

However, I hope that Mr. Capellas also knows that he and First Data Corporation hold a special trust as the guardians of that information as it represents the most private of American consumer information.

Why does First Data know so much?

In part it is because First Data Corporation, now a private corporation, represents both sides of most electronic transactions. It represents more than 50% of the banks and other financial institutions that issue credit/debit cards and other electronic instruments. It also represents more than 50% of all merchants that accept credit cards at their stores, restaurants on the streets of America's towns and cities and also on the electronic highway that transits our Internet community. First Data also represents more than 50% of all the ATM's that Americans use every day.

This means that First Data Corporation has knowledge of your bank accounts, credit activity, purchasing data, and much, much more.

I think most Americans would agree, Mr. Capellas, that as a result of the role your company plays in all aspects of financial transactions that you and your company are in a very unique and most singular position. You hold a sacred trust, it seems, to guard the privacy of such transactions rather than thinking up new ways to monetarily benefit from the use or sale of this most private information.

Those of us who are pioneers in the use of electronic information and e-payment services believe that companies like First Data should be much more transparent. It is bad enough that America's consumers feel held hostage by the credit reporting agencies, it doesn't need another company to exploit them.

Mr. Capellas, most Americans don't know that you have access to their bank accounts, their store accounts, their phone records and their Internet activity. I strongly suggest that you keep what you and your company know about what is in those accounts to yourself. Show the people of America what keeping a sacred trust is all about.

William B. Seebeck
August 8, 2008. © William Seebeck.

AT&T Promises To Do ISP-Based Behavioral Advertising 'The Right Way'

The Congressional Committee on Energy and Consumer Privacy began investigating the behavioral advertising activities of Internet Service Providers (ISPs) after reports surfaced that ISPs were selling consumers' data to third-party tracking companies. The Committee sent letters to 33 telecommunications companies inquiring about ISP-based behavioral advertising programs.

I've focused on the letter from AT&T for several reasons. First, I have local, long distance, and wireless phone service with AT&T. Second, AT&T is a major player in the telecommunications sector. Third, when I worked at Digitas LLC, AT&T was one of the clients I performed online web site project work for over several years.

I encourage consumers to read the response letter from the company you do business with. At some future date, it may be appropriate to switch service providers if they implement behavioral advertising in an inappropriate or consumer-unfriendly way.

The response from AT&T about ISP-based behavioral advertising included the following:

"AT&T does not engage in the behavioral advertising that is the focus of your inquiry, specifically the tracking of a consumer's overall web search and web browsing activities -- by tracking either the person or a particular computer -- to create a distinct profile of the consumer's online behavior... We are aware that certain companies have conducted trials of next-generation behavioral advertising technologies and techniques. AT&T has not conducted any such trials."

More importantly:

"But because Overall Behavioral Targeted Advertising goes beyond the simple practice of "targeting" limited to a consumer's use of individual or related web sites, and involves the more invisible practice of tracking consumer activity across countless unrelated web sites, it has unique implications for consumer privacy. For these reasons, if AT&T deploys these technologies and processes, and we have yet to do so, it will do so in the right way, after full and careful consideration of the relevant issues, and with a particular focus on what we believe are the pillars of any business practices that involve customer information:

(1) give consumers control over the use of their information;

(2) ensure transparency;

(3) protect consumers' privacy; and

(4) give consumers value."

These four principles are an excellent start for ISP-based behavioral advertising (and apply to web browser cookie-based behavioral advertising). They are consumer-friendly and provide a good foundation. I wish that AT&T's statement included principles about data security, and the company's arrangements with third-party vendors and outsourcing. Then, it would have been a complete list of principles.

I was curious about AT&T's reply letter since AT&T operates ISP services through multiple entities depending upon where in the USA the consumer lives: DSL service, dial-up Internet services, satellite Internet service, and fiber-to-the-home Internet and TV service. The service AT&T provides varies based on whether the consumer lives within a state that historically was served by BellSouth or SBC, since AT&T acquired both companies during the past decade. AT&T's response would have been more transparent and accurate if its response letter had disclosed these multiple ISP entities. Given this patchwork-quilt of services, any behavioral advertising opt-in (or opt-out) mechanism for consumers is even more critical.

We shall see if AT&T honors its promise and all four of the above principles. I hope so and expect them to. I hope that other companies and the FTC follow AT&T's lead.

First Data And User-Generated Credit Reports: A Good Solution?

Tom Foremski recently wrote a very interesting post on his ZDNet blog:

"At the recent Fortune Brainstorm conference I spoke with Michael Capellas, CEO of First Data, which processes about one-half of all US credit card transactions. He said that the company collects massive amounts of financial data and that this part of the business is just ten percent of revenues–he wants it to be one half of total revenues within the next two years. First Data revenues were $8 billion in 2007... One of the financial data services First Data is considering offering is to allow consumers to control their own financial reports–these are used to determine credit ratings–which determine interest rates."

Are user-generated credit reports a good idea? Or more accurately, is First Data prepared to implement this well?

While I am all for free-market efforts to break the oligopoly that the 3 national credit bureaus (e.g., Experian, Equifax, and TransUnion) have in the USA, a lot of important details need to be worked out before credit reports from First Data can (or should) go forward. Is First Data prepared to offer nationwide Security Freezes?

Since I started this blog, consumer concern about identity theft and data security has grown. Many states' laws specify Security Freezes for consumers and at certain prices. Is First Data prepared to offer nationwide Security Freezes for its reports?

As you may know, Choicepoint has been able to avoid these laws since they don't consider their C.L.U.E. reports "credit reports," even though the FTC is studying methods to base consumers' property insurance rates on their credit reports. Based on my interactions with Choicepoint, I believe that the company is not consumer friendly. If First Data enters the credit report marketplace with the same attitudes as Choicepoint, then there will be no benefit for consumers. There would be just another vendor making money from consumers' credit reports with no real accountability.

Will First Data offer credit monitoring services, similar to the current offerings from the credit bureaus? I hope not, because as a group these monitoring services are weak and not very beneficial. If First Data were to improve upon the current crop of credit monitoring services, that would be a benefit for consumers. Is First Data up to the challenge?

Anyone familiar with the identity theft industry knows that there are gaps with credit monitoring, that it doesn't protect consumers from all types of identity theft. Will First Data offer another "me too" credit monitoring service, or is it willing to go beyond current industry habits and offer a truly beneficial and comprehensive solution for consumers?

And how exactly would First Data's entry into the credit reporting business actually help consumers with more accurate credit reports? A few years ago, I was denied a credit card application because the credit bureaus had mixed my data with my deceased father's data. I was able to get the inaccuracies in my credit reports fixed, but the event taught me that the credit bureaus are in the business of selling consumers' credit information to potential lenders, and not in the business of providing accurate credit reports.

Moreover, consumers cannot decide to not have their reports at any one of the three national credit bureaus. If consumers could pick which bureaus they wanted their credit reports at, that would be a huge step forward away from the current oligopoly and towards a true free-market system.

I hope that Mr. Capellas addresses these issues and doesn't narrowly focus on only diversifying his firm's revenues from credit cards. Filling both consumers' credit reporting and identity protection needs is good business.