21 posts from January 2009

Keeping An Eye On The Bank's Computer

[Editor's Note: While I am on vacation, today's blog post is by guest author William Seebeck. I've known Bill for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980's. Bill has a wealth of experience in online systems, banking, publishing, and public relations.]

By Bill Seebeck

It’s been around 39 years since computers have been keeping the books at banks in America. I say that because it was in 1970 that the bank I was working for, now the third largest in the world or maybe number two, began computerizing accounts.

At the end of the bank day, each bank employee, save the CEO, was given a stack of account files and a stack of data entry forms. We would fill in the data entry form from the account file. Once completed, the forms were collected and sent to the key-punch department, which was operating 24 hours per day on three shifts and did so for some three months until all the bank’s accounts were entered into the system.

Once the data was entered and the system working, calculations could be brought to bear on different types of accounts and the bank could for the first time evaluate the profitability of its accounts and the cost of its services.

Well, we have come a long way in 39 years. Today, computers do everything at banks and it’s in real time, near instantly. While generally that is a good thing, it can also create temptations for squeezing just a bit more from an account than the bank should.

Here is an example. Your checking account has $100.00 available. You are expecting a charge of $150.00 to be made against your account, so you transfer $200.00 from your Money Market account to your checking account. However, you make your transfer at 12:30 pm and the bank has a rule, that you’re unaware of, that holds post-noon transfers until 3:30 pm or until the next morning. In the meantime, your charge hits. Now you get charged for a returned item and an overdrawn account. Today, depending on the Bank, such charges can be as much as $200.00.

The computer has been programmed to notice such things and can manipulate it to the bank’s advantage.

Bank computers are also great at changing payment cycles. Many of us think that our bills are representative of 30 days of activity. That’s not true anymore. The cycle may have been changed to 20 days and unless you’re reading those little brochures with tiny little print that they send in the mail, you won’t know that something has changed. Yet, when you pay your bill, you find that you are late, other charges are attached and perhaps your interest rate has been boosted. When you make your call to find out why, you are told that you have to pay your bill sooner than last month, because your cycle has changed. A Bank’s computer system can make a cycle change for millions of customers in seconds.

Now, I’m not suggesting that banks are out there doing these things, but it has been done and unless we keep our eyes on the Bank’s computers via our monthly statements and report such activities to our elected officials, we will become new victims of banks' greed.

© 2009 WBSeebeck


Rent Parties

[Editor's Note: While I am on vacation, today's blog post is by guest author William Seebeck. I've known Bill for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980's. Bill has a wealth of experience in online systems, banking, publishing, and public relations.]

By Bill Seebeck

When I was a young boy in the late 1950’s, we had a number of recessions. I can’t compare them to the one we’re experiencing today, but as they say, “When your friend is out of work it’s a recession and when you are out of work it’s a depression”.

Back in those days when a man lost his job, it was a true tragedy for the whole family, as in post-World War II America, generally the woman worked in the home caring for the children. The news of a job loss in my neighborhood on New York’s Staten Island spread quickly and quietly. So did the response. You’d see the parish priest visiting the home. “Father Anglin’s visiting the D. family, what do you think is wrong?” You’d find out later that he was with the family offering whatever help the Church could extend, usually food, money or contacts for other jobs. To a young child, whatever was happening, it was serious business when the priest visited a home other than someone dying or the annual visit.

Yet, that was just the beginning of the neighborhood response. Most people back then rented their homes. They weren’t apartments but small houses. When people ran out of money and couldn’t pay the rent, their friends and neighbors would “throw” a rent party.

What’s a rent party?

Well for those that don’t know, it works this way. Neighbors would announce that there would be a party at the home of the family in need. As people had a great deal of pride and to save them any level of embarrassment, it was just a party. Everyone would bring food to the party, some would bring music and decorations, and they all would dress up. At the front door would be a basket and as each person came into the house, money would be dropped into that basket “for the rent”. The party would go all night and people would come and go, saying hello, dancing, singing, having a good time and filling the basket.

At the end of the night, the family in need would be left with food for the family, and money for the rent and other bills. They also were left in a joyous and uplifted mood, given hope by their friends and neighbors, enough hope to face the problems before them. They knew they were not alone.

Each day, we hear of more and more of our friends and neighbors losing their jobs, and some their homes. Let us reach out to them. Revive the rent parties! Let them know you care and they are not alone in their tribulations.

This is how we built America, caring for one another. In this time of great need, we can and must do it again.

© 2009 WBSeebeck


FTC Continues Toward Credit-Based Auto And Homeowner Insurance Rates

Just before the Christmas holiday, the FTC released this news release:

"The Federal Trade Commission has ordered nine insurance companies to produce information for a study on the use and effect of credit-based insurance scores on consumers of homeowners insurance... The orders require information from the nine largest private providers of homeowners insurance, which have roughly 60 percent of the homeowners insurance market in the U.S..."

The nine insurance companies required to turn over data to the FTC:

  1. State Farm Mutual Automobile Insurance Company,
  2. The Allstate Corporation,
  3. Fire Insurance Exchange,
  4. Nationwide Mutual Insurance Company,
  5. The Travelers Companies, Inc.,
  6. United Services Automobile Association,
  7. Liberty Mutual Holding Company, Inc.,
  8. The Chubb Corporation, and
  9. American Family Mutual Insurance Company.

The companies have until April 24, 2009 to respond to the FTC's data request, which will be used for the FTC's final rules and guidelines.

In June 2008, I wrote about the FTC's intent to study the use and effect of credit-based insurance scores on the availability and affordability of automobile and homeowners insurance, and the open comment period for consumers to voice their concerns and objections. I wrote about this because it has everything to do with how companies make money from your sensitive personal data; and how that sensitive personal data is used, archived, and shared between government and industry. According to the latest FTC press release:

"In May 2008, the Commission authorized the use of compulsory process in the homeowners insurance study (http://www.ftc.gov/opa/2008/05/comprofyi.shtm) and posted for public comment a draft model order to obtain data for the study. Based upon comments received, the FTC developed final orders that maximize its research capability while minimizing any unnecessary burden on insurers participating in the study."

Should you be concerned? If this project continues, your auto and homeowners insurance will be based mostly on your credit worthiness rather than on your driving and accident record. Does this make sense? It's another example of the "tilt in the playing field" towards the needs of companies and away from the needs of consumers.

Credit-based insurance rates also mean that consumers must spend more time and money inspecting their credit reports at the three major credit bureaus, because inaccurate credit report information could lead to higher insurance rates. Seems to me like your auto insurance should be based on your driving record; and your homeowner's insurance based on your claim history.


The IRS Advises Consumers About Phishing Scams, But Fails To Adequately Protect Its Systems Containing Sensitive Taxpayer Data

A friend forwarded this e-mail message from the I.R.S.:

[Image: E-mail message from the IRS, January 2009]

2009 is not the first time that fraudsters have pretended to be the IRS to trick consumers into revealing their sensitive personal data. It's good to remind consumers to be aware of phishing scams, especially since this is tax-filing season. The message continues:

[Image: E-mail message from the IRS, January 2009]

First, I'd like to thank the IRS for this reminder. However, good data security habits are not the responsibility of only consumers. The IRS needs to do its part too. According to ComputerWorld:

"Less than three months after the Treasury Inspector General for Tax Administration reported that there were major security vulnerabilities in two crucial Internal Revenue Service systems, the IRS's security practices have been panned by another government entity. This time, the criticism comes from the Government Accountability Office, which last week released a report highlighting several problems with how the IRS protects taxpayer data."

The problems included:

"... taxpayer and other sensitive data continues to remain dangerously under-protected at the IRS. According to the GAO, while the IRS has addressed 49 of 115 previously reported security issues... the IRS still does not always enforce strong password management rules for identifying and authenticating users of its systems, nor does it encrypt certain types of sensitive data... the IRS has a tendency to allow sensitive information such as user IDs and passwords to be "readily available" to any user on its networks. Weak passwords and excessive access on the network for authenticated users were also cited as potential threats to taxpayer data."

That's not all:

"... a continued failure by the IRS to implement any agency-wide information security program or review risk assessments annually... The GAO pointed to specific security problems, including the following: Exposed usernames and passwords on an IRS contractor-maintained Web site; authenticated users on the IRS network with access to shared drives containing taxpayer information, performance appraisal data and sensitive data such as Social Security numbers for other IRS employees; financial information and account data that was transmitted in the clear from the IRS's financial accounting system; inadequate logging of security events for Unix and Windows servers at a data center, and a similar lack of controls for logging changes to mainframe data sets at another data center; a failure to maintain or enforce a baseline configuration for a mainframe system..."

When this type of stuff happens, executives need to be fired. It shows a lack of importance placed on data security.

If this bothers you (and I truly hope that it bothers you a lot), I encourage you to contact your elected officials and demand better performance by the IRS. After all, the IRS maintains plenty of sensitive personal data about consumers. A 'do-as-I-say-but-not-as-I-do' approach by the IRS with data security is not enough. The IRS databases should be bulletproof or damn close.

So, some advice for consumers seems appropriate: a) expect phishing attacks during this tax filing season, and b) if you don't know, learn how to recognize a phishing e-mail message and a phishing web site.


Monster.com Experiences A Third Major Data Breach

On Friday January 23, Monster.com posted this message on their web site:

"We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data. The information accessed does not include resumes. Monster does not generally collect – and the accessed information does not include - sensitive data such as social security numbers or personal financial data. Immediately upon learning about this, Monster initiated an investigation and took corrective steps."

The Monster.com notification includes the usual corporate double-speak:

"It is important to know the company continually monitors for any illicit use of information in our database, and so far, we have not detected the misuse of this information."

Of course, the company wouldn't notice any abuse of stolen information. Consumers are most likely to discover it first, especially when identity thieves take over consumers' e-mail accounts, or use consumers' e-mail account sign-in credentials (e.g., ID and password) to access their online bank and financial accounts. Watch this CNN video about the consequences when identity thieves hijack consumers' e-mail accounts.

This breach happened at a terrible time. Unemployment is up nationwide and more people are looking for work. According to PC World:

"Monster.com posted the warning about the breach on Friday morning and does not plan to send e-mails to users about the issue, said Nikki Richardson, a Monster.com spokeswoman. The SANS Internet Storm Center also posted a note about the break-in on Friday. USAJobs.com, the U.S. government Web site for federal jobs, is hosted by Monster.com and was also subject to the data theft. USAJobs.com also posted a warning about the breach."

That statement can't be correct. Several states have laws requiring companies to notify consumers affected by a data breach. Plus, this is not the first major data breach at Monster.com. The Register reported:

"It's at least the third time Monster.com has put its users at risk after suffering a significant security breach. In August 2007, a Trojan-horse program used pilfered employer credentials to siphon resume data belonging to some 1.3 million people. Within days, many users started receiving targeted phishing attacks that tried to trick them into downloading malicious software or take jobs as money mules for online crime gangs. The company made much fanfare about plans to improve security, but two months later, it was hit again when attackers hijacked some of its job listings and used them to infect visitors with malware."

Actions speak louder than words. It seems to me that Monster.com either can't or doesn't know how to improve its data security. It is sad that the company doesn't want to notify consumers, something it is required to do in many states. Time for consumers to switch to a different job search site. Maybe it will take a mass exodus by Monster.com customers to competitive sites for Monster.com to get off its rusty-dusty and clean up its data security practices.


Should Mint.com Query Its Customers' Financial Information For Fraud Notification?

A prior post discussed whether Mint.com is as safe and secure as it says it is. After tiny fraudulent charges from Adele appeared on many consumers' credit cards, Mint.com took the step of notifying its customers that their statements included the fraudulent charges. In the ZD Net Toybox blog, Andrew Nusca ponders the question:

"While no one would fault Mint for notifying its members of fraud, the move has sparked a discussion: should Mint be allowed to query the financial information of its users for such an event?"

First, I agree with Nusca. Proactive notification of consumers about fraud is always a good thing. The faster, the better too. And, Mint.com's notification should be based on a query of the financial information and transactions consumers have already downloaded to their Mint.com account.

Second, it's more important for banks to proactively perform this notification, and not just financial planning sites. Third, if Mint.com customers read the fine print of their agreement, they would realize that they have given Mint.com the Power of Attorney to act on their behalf. So, Mint.com could take actions like this in the future, plus much more.

Rather, this is an opportunity for Mint.com to fine-tune its agreement and provide its customers with an opt-in mechanism for features like fraud notification, or features consumers may be uncomfortable with. Give consumers a choice of which bank accounts and the scope of historical transactions to query for fraud notifications.

Right now, there's no consumer choice and consumers should be in control. Giving consumers choice is simply smart business, especially when it applies to consumers' money and finances.

There is precedent. Mint.com could learn from the experiences of ISPs that failed to notify consumers of important programs and failed to provide adequate opt-out mechanisms. Or Mint.com could learn from AT&T's proposed approach to targeted advertising. Or Mint.com could learn from Google's decision to reduce the amount of consumer data stored from 18 to 3 months. Plus, my bank already allows me to customize my alerts online based on the types of transactions and dollar amount.

Proactive fraud notification is always a good thing, but Mint.com should give consumers choice and control about features like fraud notification.


Do You Submit Your Real Birth Date When Registering At Social Networking Sites?

At C/Net, Daniel Terdiman wrote a good blog post about a lax data security habit many consumers are guilty of. On January 1, Daniel received several "Happy birthday" messages from Facebook and from several people connected with him on Facebook. Daniel's actual birthday is not January 1st. Here's what's up:

"When I signed up for Facebook, I entered my birthday, as I often do on Web sites that ask for it, as January 1. I do that because it's easy for me to remember, because it's sort of close to my real birthday, and most importantly, because there's no way I'm giving a Web site my real birthday. Hello! Identity theft, anyone? In the past, this has never come back to me in any way... But with a site like Facebook... it obviously does come up, and it makes me wonder. Do most people put in their real birthday? Don't they worry about the consequences?"

I agree with Daniel. Regardless of what companies claim, data breaches happen. Plus, a consumer's birth date is a highly valuable piece of sensitive personal data which identity thieves love to steal. Why? Consumers' real birth dates are a way for identity thieves to distinguish between several people with the exact same name -- especially when buying and selling stolen personal data.

And, identity thieves can use real birth dates to answer challenge questions when trying to break into consumers' banking and financial accounts -- by phone or online (if a Web site is foolish enough to use birth date as a challenge question during sign-in).

My rule of thumb: if a company's web site is not giving me a paycheck, then they don't get my real birth date. While there are public databases (e.g., drivers registration, property records, etc.) that include consumers' birth dates, I still have a choice about when and where to disclose my sensitive personal data.

My advice to consumers:


ITRC Releases 2008 Data Breach Statistics: Insider Theft Doubled

Several blogs and news organizations reported 2008 corporate data-breach statistics published by the Identity Theft Resource Center. I found this news story from Byte and Switch particularly interesting. First, there's the standard summary:

"Reports of data breaches in the U.S. rose almost 50 percent in 2008... The ITRC 2008 data breach report, which extracts data from several different breach disclosure sources, reckons that there "were 656 compromises in the U.S. last year, up from 446 in 2007."

Then, there are the juicy details:

"About 12 percent of the reports came from financial-services firms, up from 7 percent in 2007... Financial institutions reported more than 18 million records breached last year..."

So much for bullet-proof data security and computer systems at banks and financial institutions. Consumers should know that any web site that claims its data security is as good as the banks', doesn't have very good security.

And more juicy details:

"Only 2.4 percent of all breaches involved data where encryption or other strong protective measures were in place, and only 8.5 percent involved password protection... Malware attacks, hacking, and insider theft accounted for nearly 30 percent of breaches that cited a cause, the ITRC said. Insider theft more than doubled between 2007 and 2008, accounting for 15.7 percent of the breaches."

We have a new trend. The number (and percentage) of breaches caused by insider theft is going up dramatically. Insider-theft breaches doubled in 2008 versus 2007. Not good news at all. Not good news at all given an economy in recession, with more people out of work. I wonder if the recession will fuel more insider-theft breaches during 2009.

The more important questions: are companies adjusting their data security methods to prevent insider-theft data breaches? Are banks and financial institutions adjusting their data security methods to prevent insider-theft data breaches? And if not, why not? Banks and financial institutions received billions of dollars in 2008, and it's not clear how the bailout money was used. This is a disgrace.

Time will tell.


Congratulations To President Obama & Vice-President Biden

Today is the most extraordinary inauguration in my lifetime. As an African-American who lived through the Civil Rights events and struggles of the 1960's, it is an event I never thought that I would live to see given this country's history. But it has happened and I am so very proud of my country and its citizens. We have elected our president based on the content of his character.

I wish to extend congratulations to President Barack Obama and Vice President Joseph Biden. Below is a video honoring all 44 presidents (with a tip of the hat thanks to Ronnie Bennett, of the Time Goes By blog, for the link):


The OTHER Rev. Dr. Martin Luther King and President-elect Obama

[Editor's Note: In honor of the Martin Luther King holiday, I am pleased to present the blog post below by guest author William Seebeck. I've known Bill for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980's. Bill has a wealth of experience in online systems, banking, publishing, and public relations.]

By Bill Seebeck

When I walked in on them one late winter morning in 1974, Dr. King Sr. and his dear wife Alberta were sitting at a table doing what one does at a Church every week, putting the parish bulletin together by hand and getting things ready for the Sunday service. It was just the two of them, no pomp or circumstance, two servants of God doing His work.

Dr. Albert Manley, president of Spelman College, was kind enough to set up my visit that day to Ebenezer Baptist Church to meet the Kings. I was already so grateful. Mrs. King mentioned that people were always coming by from seemingly everywhere just to say hi. They found that surprising in a way. We spoke for a few more minutes, I offered to help with the bulletin but they were just finishing up.

Dr. King said, “Well, why don’t we take a walk, I believe you will be wanting to visit Martin’s grave.” He put on his coat and we left the church. He tucked his arm in mine for balance and I believe had a walking stick in the other. On the way, he told me that things had been hard since Martin’s death six years before. He said that his other boy Alfred, who was helping out at the Church had drowned and they were missing both of them very much. “With Coretta having to travel around a lot”, he said, “Mrs. King and I often look after the children.” He wasn’t sure that at his age, he was much good to them.

We arrived at what I remember was a sort of parking lot area where Martin’s eternal flame was blazing. Dr. King said that they had plans to build a whole Center within which the grave would be contained.

We stood silently in prayer. As we did, I couldn’t help but remember standing before another eternal flame in April 1964 at Arlington. The spring thaw had started and the graveside of President Kennedy was muddied. Plywood boards surrounded it so people could walk up to it. I was with my Catholic Youth Organization group that day and we stood and prayed beside Senator Robert Kennedy, who had accompanied us.

On the walk back to the Church, Dr. King asked me what denomination I belonged to. I told him I was a Catholic and he said that he was so surprised by the Catholics and how supportive they were of the civil rights movement and of Martin’s work. The Kings were such humble people. I told him that being there was one of the greatest moments of my life, he smiled and gave me a double take.

I took leave of them a few minutes later. I had a book on Martin and asked if Dr. King would autograph it. He said, “Why would you want my signature?” Whatever my answer was I remember stumbling over my words and feeling totally stupid. They just laughed, and patted me on the back as we said goodbye. It was a wondrous moment for me.

In the summer of that year, the man who was most respectfully called, “Daddy King” was to suffer yet again, when a crazy gunman entered the Church and shot Mrs. King to death while she sat at the church organ. Dr. King, Sr. stayed with us another 10 years and had great influence on many more people, as President Carter held him up for praise.

I think of Dr. King, Sr. today because he was a great leader too, born in another century, the son of a sharecropper, a shepherd to his flock in Atlanta and many more of us around the country and yes, father to a man of peace who dreamed that “one day my four little children will grow up in a nation where they will not be judged by the color of their skin but by the content of their character.”

That dream has come true today. Alleluia, Alleluia. That dream has come true today.

© 2009 WBSeebeck


Checkfree Data Breach Exposes 5 Million Consumers' Data

Checkfree is now part of Fiserv. The new year is not even a month old and we already have had the first major company data breach. And this breach is at a U.S. financial institution. On January 6, ComputerWorld reported:

"CheckFree Corp. and some of the banks that use its electronic bill payment service are notifying more than 5 million customers that criminals took control of several of the company's Internet domains and redirected customer traffic to a malicious Web site hosted in the Ukraine."

This data breach is important because:

"... in a notice filed with the New Hampshire Attorney General, CheckFree disclosed that it was warning many more customers than previously thought."

Basically, two groups of consumers were affected by the data breach:

"... 1.) those who we were able to identify who had attempted to pay bills from our client's bill pay sites and minus those who actually completed sessions on our site, and 2.) anyone enrolled in mycheckfree.com."

How bad was the hack and data breach? It was this bad:

"Customers who went to CheckFree's Web sites between 12:35 a.m. and 10:10 a.m. on the day of the attack were redirected to a Ukrainian Web server that used malicious software to try and install a password-stealing program on the victim's computer. The criminals were able to take control of several CheckFree Web domains after logging into the company's Internet domain registrar, Network Solutions, and changing the CheckFree DNS settings."

Because Checkfree lost control of its Web domains, the company doesn't know exactly how many consumers were affected. Checkfree believes that a smaller number of consumers (160,000) were likely affected by the malware, but because the company really doesn't know, it is notifying 5 million consumers, since that many could be affected.

Geez. So much for bullet-proof data security by a U.S. financial institution. If you don't know what banking services Checkfree performs:

"CheckFree processes bill payments for more than half of the banking institutions in the U.S... CheckFree has deals to provide electronic bill payment services to banks such as Wachovia and Bank of America. It is not clear whether or not these banks were affected by the attack."

My advice to consumers: if you receive notification or a free credit monitoring service offer from Checkfree, review it closely to see if it is better protection than you can get elsewhere. Also, check your online banking and financial account statements closely for fraud.


How Will The Recession, The Mortgage Mess, and The Financial Crisis Affect Identity Theft?

A few days ago, I posted a message via Twitter wondering how the recession and financial crisis will affect ID-theft and company data breaches. Well, one answer seems to be in this "Phishing scams citing bank mergers" article from Bankrate:

"Scammers love to use current events to dupe consumers, and today's ongoing financial turmoil offers the perfect opportunity for one of the most popular forms of fraud -- phishing... Phishing attacks increased 16 percent from August to September and surged 103 percent from September to October, according to Web security vendor MessageLabs. Bank consolidations have provided the back stories for some of those phishing messages... also noticed a rise in financial spam, including those relating to mortgages, debt consolidation and credit counseling."

What's a consumer to do? Expect phishing attacks. Learn how to recognize both phishing e-mail messages and phishing web sites.


9 Good Habits For Consumers To Survive A Deep Recession

This blog is about empowering consumers. Since the economy and the recession are clearly on everyone's minds, I'd like to deviate slightly from the usual ID-theft and data breach content to discuss how to survive a deep economic recession.

I also wanted to address this topic since this is the first recession for younger adults; you were a kid or teenager during the last recession and you probably didn't care or didn't notice. Plus, the news media delivers several doses daily about the economy, how bad it is, people who are losing their jobs, and companies that are closing or laying off workers. It can all seem very scary.

There's a good post at the Consumerist blog about 9 good habits to survive a deep recession. Some of the good habits:

  1. Keep a cool head
  2. Learn to dislike debt and pay it off
  3. Know where your money is going
  4. Eliminate waste
  5. Buy smart
  6. Buy used

You can read the rest of the list at the Consumerist blog. The only addition I would make to the list is: continue to practice good data security habits. Company data breaches will continue through the recession. Fraudsters and identity thieves aren't going on vacation just because there's a recession. Now is not the time to get lazy about protecting your sensitive personal data. How consumers protect their sensitive personal data, and how consumers safely use credit and debit cards should not change.

I always feel more secure during a recession when I've put my personal finances in order before the recession. The fact is, recessions happen. After the 1973 oil crisis, the U.S. has had recessions in 1981-82, 1990-91, 2001, and now. So, it seems wise to plan accordingly.

Having things in order means several things. When times are good, I live well within my means and save at least 10% of my pay, besides saving for retirement. We've all heard the saying: save for a rainy day. Well, the rainy day is here (e.g., recession, layoffs, reduced access to credit by consumers, home foreclosures, personal bankruptcies up, etc.).

How much to save? Common wisdom is at least 6 months of after-tax pay. I realize this is difficult for many people, but it is a good goal to have. During my work career, I have lived through several recessions and three company layoff events. I believe that my work experience is not unique. So, it seems wise for consumers to plan accordingly.

I consider myself a smart shopper. I research larger purchases and don't buy on impulse. Buying on impulse creates wasteful spending. My habit: don't buy stuff just because the retail store or television ad says the item is on sale. Buy stuff when you actually need it -- when it's worn out.

A few years ago, I paid off all of my debt, including credit cards. So as banks and credit-card issuers have tightened access to credit and reduced consumers' credit card limits, I haven't experienced any of this pain.

My wife and I share a car since I use mass transit to commute to and from work. And, we bought our car used. Why? It was cheaper and we didn't want monthly car payments. Sure, I'd like a shiny new car just like everyone else, but I'd rather spend my hard-earned money elsewhere. Plus, I remember the oil crisis of 1973 and the long lines at gas stations. So, the $4.00 per gallon prices we all paid this summer were not a surprise for me. And, they shouldn't have been a surprise for anyone (including the auto companies) who has paid attention to the news during the last decade.

To me, a new car is a questionable purchase. Why? First, new car prices are high. Second, the price of gas is largely unpredictable. Who wants to buy something if you don't know how much it'll cost to operate it? Third, my guess is that the price of gas has to go up, and drive up all costs associated with maintaining an auto.

Fourth, most of the USA hasn't adequately maintained our infrastructure: bridges, roads, tunnels, dams, power grid, and waterways. (I encourage all voters to read the ASCE Infrastructure Report Card, and then tell your elected officials that you demand better maintenance.) To me, it seems crazy to drive a $40,000 car through pothole-infested roads and crumbling bridges or tunnels.

Fifth, I like to walk since there is clear proof of the health benefits of walking. We made the decision to live in a city with access to a good mass-transit system.

Sixth, I prefer an all-electric car to reduce our dependence on fossil fuels. You may remember that General Motors produced an all-electric car in California in the 1990's. Through politics, selfishness, and reliance on the oil industry, GM destroyed its electric car and the supporting charging system, while EV-1 drivers begged GM not to. So, it's hard for me to have sympathy today for an auto bailout when GM had an all-electric car, had a huge lead on its competition, and then blew it with some bone-headed and myopic decisions back in the 1990s. When gas hit $4 a gallon last summer, GM could have owned the marketplace because consumers want fuel-efficient and affordable cars.

As bad and scary as it seems today, you will get through this recession. As a wise person once told me, "this too shall pass." Just learn from today's events, make good decisions about your purchases and lifestyle, and move forward with confidence. And, buy green products.


Equifax Pays $65K To The State Of Indiana For Violating Security Freeze Law

During the run-up to the holidays, I almost missed this news item. It received coverage by news organizations in the State of Indiana, but lesser coverage elsewhere. According to the ConsumerAffairs.com site:

"Equifax Information Services has agreed to pay $65,000 to resolve allegations that the company failed to comply with Indiana's security/credit freeze law.... Attorney General Steve Carter obtained a consent judgment after charging that the credit agency failed to place security freezes and failed to issue freeze confirmations and unique personal identification numbers to Indiana consumers within the timeframes as defined by state law."

Basically, Equifax did not admit any guilt, and paid the fine since it violated state law. Hence, the word "allegation" was used above.

In Indiana, credit-reporting agencies are supposed to place a credit-report freeze within 5 business days of receiving a consumer's letter. According to Carter's allegations, Equifax didn't do that fast enough for 19 consumers, including a two-month delay for one consumer. In Indiana, credit reporting agencies are also required to notify consumers within 10 business days that their credit reports have been frozen. According to Carter, Equifax failed to do that for 24 consumers, and it took 6 months to notify one consumer.

It's good to see a state's attorney general looking out for the needs of consumers by monitoring compliance with Security Freeze laws. Most states have Security Freeze laws, and I wonder how many other states are monitoring compliance:

"It is believed that the Indiana Attorney General's Office is the first to enforce the consumer credit freeze statute against one of the three national credit-reporting agencies."

Attorney General Carter summed up the situation well:

"This law was enacted to give consumers a layer of protection against identity theft and other forms of personal identity fraud... The freeze doesn't provide the protections it was designed to give our citizens when the required timeframes and other requirements of the law are not followed."

I have a freeze on my credit reports and I encourage consumers to do the same, especially if your sensitive personal data has been exposed during a corporate data breach. But note, a Security Freeze is not a cure-all. And, read this review if you are considering Equifax's "3-in-1" credit monitoring service.


Mysterious Charge Appears On Many Consumers' Credit Card Statements

A consumer alert from the Boston Globe:

"Several Internet complaint boards are filled with comments from credit card customers from coast to coast who have noticed a mysterious charge for about 25 cents on their statements. The charge shows up on statements as coming from "Adele Services" in Melville, N.Y. There is no business by that name listed in Melville..."

This is not the first time something like this has happened. Why a tiny charge? Some people think that the fraudster is testing whether stolen credit card numbers are valid, before submitting a larger charge. Others think that the fraudster is simply trying to make a lot of money by charging many people -- perhaps millions of consumers -- a tiny amount hoping that consumers won't notice.

What consumers should do:

"Take a look at your credit card statements, and if the charge is there, don't let it slide. It's what the thieves want you to do. Instead, file a dispute with your credit card company, and lodge complaints with the Federal Trade Commission and the Internet Crime Complaint Center - which is run by the FBI, the National White Collar Crime Center, and the Bureau of Justice Assistance."


My 2009 America

[Editor's Note: Today's blog post is by guest author William Seebeck. I've known Bill for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980's. Bill has a wealth of experience in online systems, banking, publishing, and public relations.]

By Bill Seebeck

I ran out of food and money today. It’s a Sunday and I thank God for the many things that I do have that can’t be measured by a scale or calculator. My two wonderful sons, three beautiful grandchildren are the best, as well as the rest of my family and friends that are spread across the country.

My medicine begins to run out on Wednesday and I don’t know what I’m going to do about that. My energy level seems better the last couple of days and I’m trying not to let the COPD get the best of me. It’s really the stress that gets you each and every day, but I give thanks that I still have my sense of humor left.

Yesterday, I had some hearty soup from a can but had to be careful of the sodium that was around 700 mg. You see when you have diabetes, asthma, high blood pressure, you can also get CHF when the sodium causes you to retain water and that’s definitely not good. Almost glad I ran out of the soup.

My first job was the summer of my 13th birthday. My grandmother who raised us while my mother worked sent me off to the rich man’s country club to caddy for the golfers. I would leave before sunrise and walk a few miles to the course. I wasn’t afraid of the early dark mornings. In the winter, after I made my first communion, I had been an altar boy and served the 6:00 mass. It’s very cold and dark at 5:40 am in January, in New York.

When I got to the golf course, I sat apart from the caddies. Almost to a man, they were in their 30’s and 40’s, had their own language it seemed and a way about them. What I realized very quickly is that when the golfers came in, they went out first. By nearly 1:00 pm, I was still waiting. When the sun was at its highest and warmest, I was finally chosen and walked the course until just before four. I reached home around five, the same number as my pay for the day.

That was the beginning of my work career and I don’t ever remember a time I didn’t work at something, until now.

There’s less than a tank of gas left in the car, so I have to plan my outings. I’ve got 130,000 miles on the Camry and I need an oil change. It’s going to have to wait.

My first hard time was the recession of 1972. I was just starting out after college and had the additional responsibility of a wife and child. Every interview I went on seemed the same. Do you have work experience in that area? No, but I was the editor of my high school and college newspapers and I did some freelance writing. Sorry, when you get some real experience come back to us. That’s when I learned the meaning of Catch-22. Can’t have the experience if someone doesn’t give you a job to get the experience.

Well, I never gave up and one day I went for an interview and found that the person who met with me was an old neighbor and he gave me a job at the employment agency and I eventually placed myself (Yankee ingenuity). The rest, as they say, is history.

As a boy, I dreamt about the future. What would I do? What would I be? One day, I decided I would be either the Pope or the President of the United States. Also, I wanted to travel and meet people from other countries and see their worlds. My grandfather had traveled as a “man Friday” to his employer who owned a steamship company and my uncle was an Air Force major and if they could do it, so could I.

Well, I didn’t make it to be President, but I was active in politics and had the chance to meet and speak with three of them directly. I didn’t become Pope but I was ordained as a deacon 19 years ago. As for traveling, well I got to visit and at times work for long periods of time in Canada, Mexico, the Caribbean, Europe and the Middle East. I’ve flown in helicopters, single, twin and four-engine planes both piston and jet and flew the Concorde, twice the speed of sound, four times. Not bad in my book of dreams.

As for experience, I now have plenty. Yet, there doesn’t seem to be much call for my work anymore. For the last 30 years, it has primarily been in information technology. Since the 1980’s, I have thought about and developed processes, methodologies and systems that deal with how information technology can positively change companies, industries and societies.

Yet, here I am today in 2009 America. No work, no money, no food, no medicine and an uncertain future.

Do I still have hope? Yes, I have hope. After all, one of the things I did in my life was write the song, “Roll Up Your Sleeves America”.*

Can you eat that?

© 2009 WBSeebeck


*Roll Up Your Sleeves America © 1982 WBSeebeck


The 20 Most Useful Identity-Theft Posts in 2008

Based on data supplied by Google Analytics, during 2008 the following 20 blog posts were read the most by I've Been Mugged readers:

  1. Experian Triple Alert Credit Monitoring Service
  2. Bank Of New York Mellon's Offer To Its Data Breach And ID-Theft Victims
  3. Bank of New York Mellon Changes Its Offer to Its Data Breach Victims
  4. Suze Orman Identity Theft Kit Debuts
  5. Citi Credit Monitoring Service and Citi Identity Monitor
  6. 2008 Consumer Fraud and Identity Theft Complaint Data (FTC)
  7. Bank of New York Mellon Data Breach Affects at Least 4.5 Million Consumers
  8. Sidejacking: What It is and How to Protect Yourself
  9. Debix, LifeLock, and TrustedID
  10. Kroll's Offering From IBM Deserves Scrutiny
  11. TrueCredit From TransUnion
  12. Fraud Alert or Credit Freeze: What's the Difference?
  13. Opt-out Resources For Consumers
  14. Equifax "3-in-1" Credit Monitoring Service
  15. Dilbert Promoted To The Boss
  16. Consumers Should Know FDIC Insurance Rules To Protect Their Money
  17. Experian Sues Lifelock
  18. Consumer Reports On Lifelock
  19. What Does Your C.L.U.E. Insurance Report Say About You?
  20. 2008 Identity Theft Survey - Javelin Research (Part One)

A quick scan of this list indicates that most of the blog posts discuss credit monitoring services. Consumers seem to be starved for independent, trustworthy, and insightful information about credit monitoring services, especially when they have been affected by a company's data breach. I spent the second half of 2008 writing product and service reviews to address this need.

By contrast, the most useful blog posts during 2007 (when I started this blog in July):

  1. Kroll's Offering From IBM Deserves Scrutiny
  2. What Does Your C.L.U.E. Insurance Report Say About You?
  3. Working Asset or Working Liability?
  4. Debix, LifeLock, and TrustedID
  5. New ID-Theft Law In Massachusetts
  6. Is Second Degree Harassment Appropriate For This Cyber Crime?
  7. Apparently, (the Data Tapes) Fell Off The Back Of a Truck...
  8. A Conversation With IBM (Part One)
  9. Opt-out Resources For Consumers
  10. Put Home Depot On The Wood Pile of Laptop Data Breaches
  11. Is TD Ameritrade Doing Right By Its Customers After Its Security Breach?
  12. Fraud Alerts
  13. TJX's Offer To Its ID-Theft Victims Deserves Scrutiny
  14. TD Ameritrade's Data Breach Highlights Online Brokerage Security
  15. Freezing your Credit Report Is Not A Cure-all
  16. A Conversation With IBM (Part Two)
  17. IBM, Me, and Identity Theft
  18. The McAfee and FBI Webinar About Safe Online Shopping Tips
  19. Reply From Attorney General Coakley's Office
  20. Data Breaches and Lawsuits

During 2009, I will continue to review credit monitoring services, especially those I haven't reviewed yet. I will continue to cover corporate data breaches and behavioral advertising, especially when topics like these have far-reaching implications for consumers. I will report on announcements by government agencies like the U.S. Federal Trade Commission, which will propose more changes that affect consumers. And, I'll continue to cover some of the new Internet and social networking tools that have far-reaching implications for privacy and data breaches.

If there are topics you'd like to see covered, feel free to share them below or via Twitter. On the Internet, things change quickly. So, there's lots to do in 2009. Thanks for reading I've Been Mugged!


Caroline Kennedy – Privacy Rights Advocate

[Editor's Note: I am pleased to present another guest post by William Seebeck. I've known "Willie" for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980's. Bill has a wealth of experience in online systems, banking, publishing, and public relations.]

By Bill Seebeck

The 17th Amendment to the Constitution of the United States allows a governor of a state to appoint an individual to the U.S. Senate when the sitting Senator has resigned, died or is unable to continue to serve. This appointed person is temporary and will serve out the remainder of an unexpired term. When the term expires, the seat will become vacant and an election will be held for it.

This has been going on since the amendment was ratified by the states in 1913. It has become news in 2009, because a large number of senators, in addition to the president and vice president-elect, have been chosen to work in the Obama administration.

One of the states where a new senator will be named is New York. Governor Paterson will name a replacement for Senator Clinton who has been nominated by the President-elect to be U.S. Secretary of State.

One of the individuals who might be named and has publicly expressed interest in the job and met with the Governor is Caroline Kennedy, daughter of the late President John F. Kennedy. Some say that Caroline, 51, does not have enough qualifications. I say, not only does she have enough qualifications but also has a specialty that I believe must be front and center today and that is our right to privacy.

In addition to seven other books she has written, Caroline along with Ellen Alderman wrote two books on the subject, one in 1991, entitled, “In Our Defense: The Bill of Rights in Action” and in 1995, “Right to Privacy”.

I bought “Right to Privacy” when it came out in 1995, as I was very concerned about privacy issues in the expanding online industry. It was a fantastic book and as far as I am concerned one of the best on the subject. The content covered privacy in all aspects of our daily lives and was eye-opening.

So when I heard that Caroline Kennedy was interested in serving as a U.S. Senator, I thought, well we now have someone who understands the privacy issue and will have the clout to be the people’s advocate on the national stage. Lucky us.

I should also point out that in addition to being the daughter of the late President and an author, she is a graduate of Radcliffe College and Columbia Law School. She is a member of the bar association in New York and Washington, DC. Ms. Kennedy serves on the board of directors of the Commission on Presidential Debates and the NAACP Legal Defense and Educational Fund. President-elect Obama named her co-chair of his Vice Presidential Search Committee that recommended then Senator Joseph Biden.

I’m sure my old squash opponent, Al Franken would agree, she’s qualified.

© 2009. WBSeebeck


Spammers And Fraudsters Target Twitter.com Users

While sending Tweets Saturday afternoon, I noticed this message on my Twitter.com home page:

WARNING! If you get an email notice about a DM with a link it could be suspicious.

Later in the day, this warning message changed to:

Warning! Don't sign in to fake Twitter.com from a DM. Read more on our blog.

It turns out that spammers and fraudsters have targeted Twitter.com users with phishing attacks, to try to trick consumers into revealing their sign-in credentials or more. Earlier in the day, I received within a one-hour period about nine Twitter alerts (e.g., so-and-so is now following you) which linked to suspended Twitter account pages. The good news: the folks at Twitter.com had already identified and deleted the Twitter accounts created by the spammers.

The not-so-good news: the good folks at Twitter.com probably have not suspended all of the Twitter accounts set up by spammers. So, Twitter users need to be cautious, like anywhere else on the Internet. On Saturday January 3, the warning page at the Twitter.com site said:

Don't Share Your Secret Info! 2 hours ago
If you receive an email notice saying you’ve received a Direct Message with a link that redirects to what seems like Twitter.com, be careful about entering your Twitter credentials. Instead, look closely at the URL to see if it’s not really Twitter but a sketchy phishing site like http://twitter.access-logins.com..."

By Monday, the good folks at Twitter had significantly expanded the content on this warning page.

However, Twitter.com seems vulnerable to phishing for a couple of reasons. First, Twitter Profile pages rarely display the entire web site address (i.e., the URL), so it can be difficult to tell if the link destination in the Follower's profile is safe or a spam site. Second, Tweets (i.e., Twitter posts) frequently include abbreviated web site addresses (thanks to sites like shrinkify.com and tinyurl.com), so it's difficult to determine if the final link destination is safe or a spam site.
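
The "look closely at the URL" check from Twitter's warning, as an added example that is not part of the original post or Twitter's own code: it judges a link by the host name the browser would actually contact, treats the shorteners named above as unverifiable, and flags hosts that merely contain the brand name. The function name, verdict labels and every sample link except the one quoted in the warning are constructed for illustration.

```javascript
// Added example (not from the original post): judge a link by the host the
// browser would actually contact, not by how the link text looks.

// Assumption for this example: the one domain treated as the genuine site.
const TRUSTED_DOMAIN = "twitter.com";

// URL shorteners named in the post; the final destination is hidden behind them.
const SHORTENERS = ["tinyurl.com", "shrinkify.com"];

// True when host is exactly `domain` or a subdomain of it.
function isSameOrSubdomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns { verdict, host, reason }; verdict is one of
// "genuine", "lookalike", "hidden", "other", "invalid".
function classifyLink(link, trusted = TRUSTED_DOMAIN) {
  let url;
  try {
    url = new URL(link); // same parsing rules a browser applies
  } catch (err) {
    return { verdict: "invalid", host: null, reason: "not an absolute URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { verdict: "invalid", host: null, reason: "not a web link" };
  }

  // The parser lowercases the host; drop a trailing dot ("twitter.com.").
  const host = url.hostname.replace(/\.$/, "");
  const brand = trusted.split(".")[0]; // "twitter"

  // Text before "@" is a user name, not the site: twitter.com@login.example
  if (url.username.toLowerCase().includes(brand)) {
    return { verdict: "lookalike", host, reason: "brand name appears before '@'" };
  }
  if (SHORTENERS.some((s) => isSameOrSubdomain(host, s))) {
    return { verdict: "hidden", host, reason: "shortened link hides the destination" };
  }
  if (isSameOrSubdomain(host, trusted)) {
    return { verdict: "genuine", host, reason: "host is " + trusted + " or a subdomain" };
  }
  // Brand used as a subdomain or inside another name: twitter.access-logins.com
  if (host.includes(brand)) {
    return { verdict: "lookalike", host, reason: "brand name in a host that is not " + trusted };
  }
  return { verdict: "other", host, reason: "unrelated site" };
}

// Sample links: the first is quoted in Twitter's warning; the rest are constructed.
const SAMPLE_LINKS = [
  "http://twitter.access-logins.com",
  "https://m.twitter.com/home",
  "https://TWITTER.com./login",
  "http://twitter.com@login.example/",
  "http://tinyurl.com/abc123",
  "http://nottwitter.com/",
  "twitter.com/login",
];

for (const link of SAMPLE_LINKS) {
  const result = classifyLink(link);
  console.log(result.verdict.padEnd(10), link, "-", result.reason);
}
```

A "hidden" verdict means the link cannot be judged until the shortener's destination is known, which is the second weakness described above.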

When I meet new followers on Twitter, I will look to see if they already tweet with somebody I already know. If so, it's easier to trust them and to verify them via a friend. Sometimes, I will enter the new Follower's web site address from their profile into a Google search, since my home computer has McAfee Site Advisor integrated into Google. This is a few extra steps, but worthwhile in my opinion. On the Internet, you have to verify people as being who they say they are. (Note: if you remain anonymous, I am likely not to interact with you. That's sad, but it is what it is.) And, Mr. Tweet offers some more advice.

You'd think that by now all consumers would recognize a phishing attack and not click on the link. I guess that enough consumers still fall for this trick and surrender their sensitive personal data and sign-in credentials, since spammers continue to deliver phishing attacks by e-mail and by web sites.

So, some advice for consumers seems appropriate: a) expect phishing attacks at social networking sites, and b) if you don't know how, learn how to recognize a phishing e-mail message and a phishing web site.


Identity Theft Predictions For 2009

First, I'd like to wish everyone a happy New Year. Second, I'd like to welcome the new I've Been Mugged readers and followers on Twitter.

The blogosphere is a wonderful tool for collaboration, so I asked a few bloggers I'd met to share their predictions for 2009 about identity theft, data breaches, and corporate responsibility. These predictions are about what we think will happen, not what we think should happen:

  • "With the worsening economic climate, companies will skimp on security, leading to data breaches and identity theft of even larger proportions than the past."
    -- Justin James, TechRepublic Programming & Development
  • "Data breaches will become a more explosive problem than in the past. Ever more data is being put online without sufficient security, training, and internal safety processes being installed at the same time. Therefore, we will see more large incidents as we did in 2008, where potentially millions of ID theft victims have no recourse other than check their credit reports and hope for the best. Sadly, 2009 will be a worse year than ever before."
    -- Michael Krigsman, ZDNet IT Project Failures
  • "My only prediction would be unfortunately more IDs will be stolen in '09."
    -- Peter Kim, Being Peter Kim
  • "The deadline for compliance to the Red Flags Rules came and went with little fanfare for the nation's banks and savings institutions. I guess they were a teeny bit distracted by trying to stay afloat. Does that mitigate the fallout from data theft and loss? I think we will see that a significant number of them have not complied and may not ever comply. In May of 2009 all entities with oversight by the FTC will also need to be in compliance."
    -- John Taylor, Identity Theft And Business

Of course, I've included my own prediction:

  • "As web sites rush to implement single-sign-on mechanisms with the leading social networking sites, security seems to be a secondary concern. Similarly, many consumers rush to use these mechanisms without considering the risks or consequences when a data breach at site A exposes their sign-in credentials, sensitive personal data, and money at site B. I think that we will see during 2009 some high-profile data breaches involving single-sign-on and social networking sites where users are left out in the cold trying to repair the post-breach damage."
    -- George Jenkins, I've Been Mugged

What is your ID-theft or data breach prediction for 2009?