14 posts from November 2008

Happy Thanksgiving!

2008 has been a busy year so far regarding identity theft and data breaches:

And of course... we all experienced the huge decline in the stock market and our retirement savings. On the plus side, we elected a new President and the Age of Conversation 2008 book was published with a chapter by yours truly. There is always something to be thankful for.

I'd like to wish all I've Been Mugged readers a safe, enjoyable Thanksgiving holiday and long weekend. I'm taking a much-needed break. Posts will resume on Monday December 1st.

Are You Smarter Than An Average U.S. Citizen? (American Civics Quiz)

During the summer, I wrote a post about how stupid we Americans seem to be. Why? We need good legislation to help protect our identity information and to hold corporations accountable for repeated data breaches and poor data security. We consumers must be aware of the issues, and we can't protect our sensitive personal data by ourselves. We need good identity theft legislation, like anti-skimming and data-breach notification laws that some states have.

Good legislation means electing politicians who understand how our government was constructed and should operate. If our elected officials are unaware or incompetent, we can't possibly expect good legislation from them. From Yahoo News:

"US elected officials scored abysmally on a test measuring their civic knowledge, with an average grade of just 44 percent... Ordinary citizens did not fare much better, scoring just 49 percent correct on the 33 exam questions compiled by the Intercollegiate Studies Institute (ISI)."

Why this is important:

"It is disturbing enough that the general public failed ISI's civic literacy test, but when you consider the even more dismal scores of elected officials, you have to be concerned," said Josiah Bunting, chairman of the National Civic Literacy Board at ISI.

I am concerned and hope that you are concerned, too. We have to hold our elected officials to a higher standard, regardless of whether they are joe-plumbers, soccer-moms, or college graduates. A properly functioning and effective government requires it.

I encourage you to take the online civics quiz. You can see how your score compares to the average citizen's and wonder how elected officials answered so many questions wrong. During November, the average test score was 77% correct. By the way, I scored (an embarrassing) 85% correct.

A Visual Guide To The Financial, Banking, and Mortgage Mess

Like everyone else, I am worried about my investments and retirement savings. The Mint blog has one of the best visual aids I've seen which explains the financial, banking, and housing mess in the USA (and worldwide).

Some pundits blame consumers who bought more house than they could afford. Some pundits blame predatory lenders. Some pundits blame the banks for repackaging mortgage-backed securities without accurately indicating the risk (and while relying on CDOs as "insurance"). Some pundits blame government and the financial ratings companies for the lack of oversight. Some pundits blame politicians for changing Federal laws that contributed to this mess.

Seems to me, this mess is big enough, far-reaching enough, and damaging enough to consumers that there's plenty of blame to go around for all of the above.

Have You Heard About Credit Reports From Innovis?

I'll bet you haven't heard of Innovis either. The company sells consumer credit reports to lenders and banks. I had not heard about Innovis until I read this Consumerist post:

"Sure, you've heard of Experian, Equifax, and TransUnion, but what about Innovis? Smaller agencies can do just as much damage to your ability to get a good deal on credit as their bigger brethren."

Why has it been hard for consumers to hear about Innovis? It seems like this company has flown under the radar. Here's what I've learned so far about Innovis:

An October 2005 San Francisco Chronicle article reported:

"For the past five years, a company called Innovis Data Solutions has been quietly collecting reams of consumer info from a variety of lenders. Sometime next year, the company says, it will begin using its vast database to compile and market credit reports on millions of people -- whether they want Innovis to or not. This will make Innovis the fourth major player in the growing world of national credit reporting agencies... These are the companies that keep track of people's credit histories and can make or break a loan application. They're also the ones that make you jump through bureaucratic hoops if your identity is stolen or you're a victim of fraud."

Some consumer advocates were cautious, since in 2005 it was unclear whether or not Innovis would be open and transparent in its communications with consumers. In my view, consumer credit reporting companies need to be open and honest for several reasons. First, identity theft and fraud have mushroomed during the past five years. Second, corporate data breaches continue to expose millions of consumer records and sensitive personal data. Third, consumers need to monitor all of their credit reports for accuracy and fraud.

What do you think? Recently, I ordered my credit report from Innovis to see how accurate it is. I will post on this blog my experiences doing business with Innovis. If you have done business with Innovis, please share your experiences below.

More Than Half of British Companies Have Lost Data

Shocking statistics last week. More shocking statistics today.

The ComputerWorld Storage Security blog reported:

"An astonishing 55% of British companies have lost data, according to a new report of 785 IT professionals in the U.K."

There's more bad news:

"Conducted by the Ponemon Institute LLC, the survey found that 49% of them have had over two breaches in the last two years."

That means almost half have suffered multiple data breaches. How many data breaches does it take before executives learn? Apparently some corporate executives are slow learners, if that. Yet, there's more:

"Around two-thirds of respondents said negligence, including that of outsourcers, was responsible for data breaches, compared with only 10% who said hackers were a major cause. A third said insiders were a threat."

And, the bad news continues:

"Many firms were unable to track data breaches and find the source of the problem. Some 44% said they were not confident they could even detect a breach in the first place, and over half take several weeks to notify any customers affected."

Let me summarize all of this. Over half of British companies have had data breaches. About half of those have had multiple data breaches. And, a large number can't detect data breaches when they occur. So, the actual data breach activity probably is worse than the above statistics.

Companies and executives unable to detect data breaches? That seems to mirror the incompetence found within a study of data breaches at American companies.

Several weeks before consumers are notified? That seems pretty good compared to US companies. Really? In 2007, it took IBM three months to notify me and other current and former employees about its data breach. And IBM supposedly specializes in the computing and data security business! It took the Bank of New York Mellon 3 months to notify some of its data-breach victims, and 6 months to notify the rest after the bank increased its count of data-breach victims from 4.5 to 12 million.

And, we won't discuss the 90+ million records exposed by the TJX Companies / TJ Maxx debacle.

Corporate executives are still proving that they won't take data security and data-breach notification seriously until there are stiff penalties -- like huge fines and/or jail time.

Dallas School System Created Bogus Social Security Numbers For Undocumented Foreign Workers

Apparently, in parts of Texas undocumented foreign workers don't need to buy stolen Social Security Numbers from identity thieves, or make up bogus Social Security Numbers to get a job. The local government will happily do it for them. Last week, the Dallas Morning News reported:

"Years after being advised by a state agency to stop, the Dallas Independent School District continued to provide foreign citizens with fake Social Security numbers to get them on the payroll quickly... Some of the numbers were real Social Security numbers already assigned to people elsewhere."

This is unbelievable! How stupid can people be? First, they engaged in creating bogus SSNs. Second, they were told to stop something (e.g., fraud) they never should have been doing in the first place. Third, they continued to do it anyway. The newspaper reported:

"The practice was described in an internal report issued in September by the district's investigative office, which looked into the matter after receiving a tip. The report said the Texas Education Agency learned of the fake numbers in 2004 and told DISD then that the practice 'was illegal.'"

Apparently, these Texas school and government officials either don't know or don't care about the consequences and damage victims experience when others fraudulently use their valid Social Security Numbers. In this part of Texas, the ends justify the means, which is all about speedy hiring regardless of the consequences and damages to other citizens.

"DISD human resources chief Kim Olson, who came to the district in 2007, said that she learned about the false numbers this past summer around the time the district's investigative unit was looking into them and that she put a stop to the practice."

The SSA is currently investigating the DISD's activities. Good! A story like this makes one wonder what other school districts, agencies, or companies have done the same as the DISD.

This story is far from over. Journalists and Texas citizens should want to know exactly how Olson put a stop to this fraudulent activity. Who was suspended, fired, and/or fined? Who was prosecuted and jailed? What is the Texas State Attorney General's office doing? When did the DISD implement data security training classes for its employees? How many victims, whose valid SSNs were duplicated by DISD, are residents in other states?

Class-Action Lawsuit Filed Against Behavioral Advertising Vendor NebuAd

MediaPost reported this week:

"A group of 15 Web users filed a lawsuit Monday against behavioral targeting company NebuAd and six Internet service providers that tested the company's platform. The lawsuit, brought in federal district court in San Jose, Calif., alleges that NebuAd's platform violated Web users' privacy."

If you have been reading this blog, then you are aware of the problems and privacy violations with behavioral advertising (a/k/a behavioral targeting). Several Internet Service Providers (ISPs) have tested this new technology without informing their customers or getting their permission. Some of this was revealed during testimony before Congress. And, the FTC seems to advocate more for companies than for consumers' privacy concerns. Earlier this year, a survey found many adults uncomfortable with behavioral advertising.

The new technology, Deep Packet Inspection, is installed on the ISP vendor's computers and literally tracks every site, every site page, and every search the consumer visits or performs:

"The collection of data by the NebuAd device was wholesale and all-encompassing," the lawsuit alleges. "Like a vacuum cleaner, everything passing through the pipe of the consumer's internet connection was sucked up, copied, and forwarded to the California processing center. Regardless of any representations to the contrary--all data--whether sensitive, financial, personal, private, complete with all identifying information, and all personally identifying information, was recorded and transmitted to the California NebuAd facility."

Any ISP -- intentionally or accidentally -- can easily match all of this sensitive data to a user's IP address (i.e., the string of digits that identifies each user's computer location on the Internet). ISPs view behavioral advertising as a new and lucrative revenue stream, which they desperately want a piece of.

Some ISPs have already tested the new technology without their customers' explicit consent:

"Congress held hearings this summer after learning of NebuAd's platform. As part of its investigation, the House Energy and Commerce Committee sent letters to 29 Internet service providers, asking if they had worked with the company. The six Internet service providers named in the lawsuit all answered that they had tested NebuAd's platform. One of the companies, the Washington Post Company's Cable One, acknowledged that it did not notify customers about the NebuAd test or allow them to opt out."

As a result, in their rush to make money, NebuAd, Bresnan Communications, Cable One, CenturyTel, Embarq, Knology, and ISPs have already earned consumers' mistrust... and this resulting class-action lawsuit. Moreover, this sensitive personal data can be hacked or stolen like any other data. So far, ISPs and NebuAd haven't given any reassurances about effective data security methods.

If this abuse of privacy bothers you (and I sincerely hope that it does), I encourage you to write to your elected Congressional representatives and demand strict legislation regarding behavioral advertising: an opt-in basis, explicit consent, easily understandable opt-in and consent, data security, and notification to consumers of data shared with specific vendors.

Cyber Extortion: Give Us Your Money Or We'll Expose Your Customers' Sensitive Personal Data

This is the first time I have read about this type of extortion scam happening to a company. Last week, CNN Money reported:

"Express Scripts said Thursday it has received a letter demanding money from the company under the threat of exposing records of millions of patients. The threat was made in an anonymous letter that the company turned over to federal investigators. The letter, received in early October, included personal information on 75 people covered by Express Scripts, including birth dates, social security numbers and prescription information."

The thieves are essentially saying: pay us or we'll expose more of your customers' sensitive personal data. And to prove it, enclosed is some of the data we've already stolen. Yikes!

According to MarketWatch, some of Express Scripts' clients have also received extortion letters. The company's response so far:

"Express Scripts said it has contracted with Kroll, a New York-based risk-consulting firm and global data security leader to offer expert assistance to its members if they have become victims of identity theft because of this incident... Details about Kroll's services and the identity restoration offer can be found at"

Clearly, Express Scripts has had a large data breach and needs to respond effectively and support its data breach victims. Correctly, the company is working with the F.B.I. and with Kroll.

According to the company's web site, Express Scripts has been listed in the Fortune 500 since 2000, received the URAC's Best Practices in Consumer Empowerment and Protection Awards in 2008, made Forbes' 75 Most Reputable Companies in the U.S. list in 2008, and received Information Week's 500 Most Technologically Progressive Companies award from 2002 to 2005. Obviously, all of that was not enough regarding effective data security.

I have heard of this extortion scam happening to individuals, where scammers take over your computer remotely via a computer virus and demand money in exchange for the virtual release of your computer. This happened to a former coworker in Boston. Her husband's PC was taken over by scammers in eastern Europe. She and her husband never paid the extortion money, and instead paid a local computer technician to rebuild her husband's PC Mac notebook. But Express Scripts is the first instance I've read of this extortion scam with a company.

This extortion scam has plenty of implications. Express Scripts' databases contain sensitive personal data for many consumers, since it manages the prescription benefits for more than 50 million people through its client companies, employers, and union-sponsored plans. The identity thieves have smartly targeted medical identity theft, since there are many data security holes within the medical industry.

I hope that companies don't pay thieves in these types of scams. There's no way of knowing whether or not the thieves have already re-sold the stolen data. There's no way of guaranteeing that the thieves will return or delete the stolen information. And, it invites more identity theft.

80% of Australian Companies Had at Least One Data Breach Within The Last 5 Years

If there ever were alarming statistics, these are it. Smart Company of Australia reported:

"A new survey reveals almost 80% of local companies have experienced data breaches in the past five years, with 40% recording between six and 20 breaches. The Symantec Australian data loss survey shows 59% of businesses suspect they have been the victim of data breaches, but are unable to identify stolen information."

And the costs of data breaches are substantial:

"A whopping 34% of respondents report an average breach cost them $5,000, while 14% say breaches cost them between $100,000 and $999,999, and 7% over $1 million."

How did these data breaches happen?

"... the main cause of data breaches, the survey reports, was lost laptops at 45%, while human error accounted for 42% of cases. Malicious attacks were responsible for 28% of breaches, while hacking and malware were responsible for 24%."

Geez! Don't these companies train their employees (and contractors) on effective data security habits? Don't these companies teach their employees (and contractors) the company's data security policies? Apparently not.

Identity Thieves Use Sinowal Computer Virus to Steal 500,000 Bank and Credit Card Accounts

If there ever was a compelling advertisement for consumers to maintain the anti-virus software on their computer, this Washington Post news article is it:

"A single cyber crime group has stolen more than a half million bank, credit and debit card accounts over the past two-and-a-half years using one of the most advanced strains of computer spyware in existence, according to research to be published today... Researchers at RSA's Fraud Action Research Lab unearthed the massive trove of purloined data while tracking the activities of a family of spyware known as the "Sinowal" Trojan, designed to steal data from Microsoft Windows PCs."

What was stolen:

"... more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information..."

So, the identity thieves had enough personal data -- bank account numbers, credit card numbers, IDs and passwords -- to sign into consumers' bank accounts and/or to make fraudulent charges on consumers' debit and credit cards. Yikes!!

Reportedly, the stolen consumer data was collected since 2006 by identity thieves most likely located in Russia. The Sinowal computer virus, also called "Torpig" and "Mebroot" by various anti-virus companies, is known for its ability to change its appearance to remain undetected by security software:

"On Oct. 21, a new Sinowal variant was submitted to, which scans incoming files against nearly three dozen commercial anti-virus programs and maintains a historical record of those results. Only 10 out of 35 of those security programs - or 28.5 percent - identified it as such or even flagged it as suspicious. Another scan of a Sinowal variant sent to VirusTotal a week earlier yielded slightly better results, with just over half of the anti-virus tools detecting it as malicious."

You can read more about the Sinowal Trojan in the New York Times. A word to the wise: keep the anti-virus software on your computer up to date. The protection is worth every penny.

SCOTUS, Social Security Numbers, Identity Theft, and Undocumented Foreign Workers

Several news media (e.g., Houston Chronicle, New York Times) recently reported that the Supreme Court of the United States (SCOTUS) has decided to review cases about undocumented foreign workers, identity theft, and Social Security numbers. According to the Associated Press:

"The government has used the charges — with the possibility of prison time — to persuade people to plead guilty to lesser immigration violations. In other cases, defendants have been convicted of "aggravated identity theft," even without proof that they knew their phony ID numbers belonged to real people."

As you might expect:

"... Defense lawyers have argued that their clients should not be charged with stealing an identity because the immigrants were seeking documentation only to allow them to work. They didn't know if the numbers were fictitious or belonged to someone else, their lawyers say."

As outrageous as this is, it gets even more so:

"When a person makes up a Social Security number, having no idea whether it belongs to someone else, it is hard to see how that conduct qualifies as 'theft' — much less 'aggravated theft,'" said the lawyers for Ignacio Carlos Flores-Figueroa, a Mexican national who was convicted of the crime.

Hello? Are they serious? If you are an undocumented worker and you either:

  • Get a Social Security identification number from anyone other than the U.S. Social Security Administration, it is fraud
  • Make up a fake Social Security identification number in order to get a job, it is fraud

Undocumented workers understand this. They aren't stupid. If they get a state ID card or driver's license from anyone other than a state agency, they know it is fake. It's really that simple.

It really doesn't matter if the undocumented worker didn't physically steal the Social Security identification number. They used stolen property to get something they don't have a right to. Some people might argue that undocumented workers are often unfamiliar with rules in the USA and probably don't know how to get valid Social Security numbers.


Undocumented foreign workers aren't stupid. They know that only state agencies issue valid state ID cards and driver's licenses. Consider this real-life analogy: if I see a guy selling iPods or DVDs on a blanket on the floor of a subway platform (and he can't produce a seller's license issued by the subway authority), most reasonable people would conclude that these items probably are stolen. If I see a guy selling iPods or DVDs out of the trunk of his car parked on the street, most reasonable people would conclude that these items probably are stolen.

The same applies for Social Security numbers. Undocumented foreign workers aren't stupid. They know in their home country where to get valid documents, and that doesn't change when they arrive here. They probably are desperate for work and decide to take the risk knowing that the Social Security number they just bought probably isn't valid.

Rather, I want stronger laws protecting Social Security identification numbers, since undocumented foreign workers can do extensive damage that is difficult to repair when they use another person's valid Social Security number fraudulently.

Sometimes, common sense applies.

Data Breach By Google JotSpot

Monday's post discussed the reasons for consumers to know what privacy they give up when using Google services. Part of that assessment is knowing what personal data Google has about you, especially if your data is hacked, stolen, or exposed during a data breach.

Last week, C/Net News reported:

"... Google's JotSpot service, which allows people to collaborate on online documents, exposes user names and e-mail addresses to anyone on the Internet, but Google says the problem is due to administrator users not making the settings private. As a result, sensitive user data is indexed by Google's crawler and made accessible on the Web, said Ben Edelman, a Harvard Business School professor and security researcher."

What data was breached?

"CNET News was able to view full user names, e-mail addresses, and group memberships of JotSpot users. This was done by searching Google for "user management" pages on JotSpot that list registered users for different JotSpot projects or groups. Such a search conducted late on Thursday brought up about 2,800 results."

This news story highlights the need for companies to consistently and effectively train their employees on effective data security habits and the company's data security policies. Otherwise, data breaches are bound to happen.

This data breach is no different than the multitude of breaches where company employees are all too often lax about data security, leave laptops unprotected, and store massive amounts of sensitive data about customers, employees, and former employees. It's no different than an employee copying files with sensitive data to an unprotected folder or sub-folder on a public Internet server.

Edelman added:

"... that even if the problem is due to users not setting the privacy settings adequately, the matter still reflects poorly on Google. "This is not good design. Showing e-mail addresses is hard to defend" especially when Web crawlers can scoop them up, he said. "It's a question of what users could reasonably understand and accept. The privacy policy doesn't give any indication" that the data could be exposed to the Web."

Perhaps more importantly:

"The problem also exposes a chink in Google's hosted services business, which relies on customers--individuals and companies--having faith in Google's ability to secure customer data..."

I agree 1,000% with Edelman. If a vendor is going to encourage users to collaborate on documents via the Internet, then that vendor should make the privacy settings and features in their application as "bullet-proof" as possible.

That may mean making the default document access settings private. It may mean extra on-screen messages and warnings when users deviate from standard document access privacy settings. It may mean adding to the application a default set of settings that match the company's internal policy so that changed settings can be easily discovered and messaged.

And, the Google JotSpot or Sites Privacy Policy should explicitly describe the consequences when users deviate from the most secure document access privacy settings. Otherwise, data breaches are bound to happen -- which benefits nobody.

How Google Compromises Your Privacy

Yesterday's post discussed the reasons for consumers to be aware of what privacy you give up when using Google's free services. Thanks to MarketWatch, today's post shows a couple of the ways Google services can compromise your privacy:

"Consumer Watchdog has created a YouTube video showing how your computer could be having an unnoticed conversation about you with Google. The nonprofit group has called on Google's founders and directors to adopt new privacy safeguards that allow for anonymous internet and software use... read the letter to Google's founders at

Below is the video, which I encourage all consumers to watch. Again, an informed consumer is a smart shopper. Know what you are buying when you use free services from Google, or from any other vendor.

The sensitive personal data consumers must protect, and the sensitive personal data companies often keep and should protect vigorously.

Consumers Should Know The Price They Pay When Using Google Services

At the ZDNet Education blog, Christopher Dawson wrote a very interesting post about the "price" consumers pay for using services from Google. Most know that all Google services are free. By "price," Dawson means:

"There is no such thing as a free lunch; obviously I need to give Google something for all of the super cool tools it gives me to use in my personal, professional, and academic lives. This isn’t news to me and it isn’t news to my users (who I encourage to use Google’s tools). It isn’t news to them because I make it abundantly clear what it costs to use Google’s services."

One of my coworkers, Doug, absolutely loves anything Google. I understand the enthusiasm people like Doug have for Google, since the company has introduced several services many consumers find attractive: calendar, maps, e-mail, search, Google Earth, RSS feed reader, web site analytics, web browser -- I have no idea exactly how many different Google services Doug uses. I just know it's a lot. He frequently talks about how great they are. And, I happily remind Doug what he has given up and continues to give up: a fair amount of personal data.

I'm glad that Dawson included this topic in his Education blog. It's important for consumers to evaluate, at every web site they visit, how much sensitive personal data they are asked to disclose. It's important for consumers to make an explicit, conscious decision about whether the free service is worth the personal data they must disclose.

Why? Wherever a consumer's personal data is stored or collected, that represents a place where it can be hacked, lost, or stolen -- and then abused by identity thieves.

My impression is that few students, in either high school or college, pause to consider how much sensitive personal data they disclose online, until it's too late (e.g., it's stolen). An even smaller number pause to consider if the free service is worth the personal data disclosed.

I wonder if this decision making is taught in schools. Few students, or adults, think about how much personal information they give up in return for free Internet-based services.

Don't get me wrong. I use several services from Google, and I am a fairly satisfied Google Analytics customer. But there are some Google services I avoid, like Gmail, for privacy reasons. Michael Krigsman summed up the situation well in his ZDNet IT Project Failures blog, in a post titled, "Google is NOT Your Friend:"

"Whether or not they realize it, all Google users engage in an implicit business deal with the company. Those amazing, so-called free, tools come at the cost of your privacy. Google hoards your data for use anytime, anywhere its voracious heart desires. The clever company is always thinking up new ways to slice and dice your personal data in service of its corporate profit."

In my opinion, a wise and informed consumer constantly evaluates the retailers and web sites he/she does business with, regarding both data security and the sensitive personal data requested. A smart and informed consumer reads the Privacy Policy at each web site before registering or purchasing at that site. Smart consumers monitor the retail stores and web sites they shop at, and avoid companies that suffer from multiple data breaches.

Consumers should adopt Google's motto of "Do no evil." That is, when it comes to managing your sensitive personal data, consumers should take care not to do any evil: shop anywhere or do anything that jeopardizes their sensitive personal data.