
25 posts from June 2009

How To Protect Yourself Against A Rental Scam

You've probably heard about it on the news. It is a variation of the Craigslist check scam I wrote about previously, but this scam affects both landlords and renters. I encourage you to watch this ABC News video (an advertisement plays first):

[Editor's note: this video has been deleted by the news provider.]

To avoid getting "mugged" via a rental scam, the FTC advises consumers to look for these signs:

"They want you to wire money... There’s never a good reason to wire money to pay a security deposit, application fee, or first month’s rent. Wiring money is the same as sending cash — once you send it, you have no way to get it back."

"They want a security deposit or first month’s rent before you’ve met or signed a lease. It’s never a good idea to send money to someone you’ve never met in person for an apartment you haven’t seen... do a search on the landlord and listing. If you find the same ad listed under a different name, that’s a clue it may be a scam."

"They say they’re out of the country. But they have a plan to get the keys into your hands. It might involve a lawyer or “agent” working on their behalf. Some scammers even create fake keys. Be skeptical, and don’t send money overseas."

Log-in Credentials Breach At Several Corporations

Who said banks' web sites are bullet-proof? SC Magazine reported:

"A trojan has reportedly been uncovered that is harvesting FTP login data of major corporations, including the Bank of America, BBC, Amazon, Cisco, Symantec and McAfee. According to a report in the Friday edition of The Register, Jacques Erasmus, CTO at Prevx, an internet security vendor headquartered in the U.K., discovered a site where a trojan is uploading FTP login credentials from more than 68,000 websites. Once an individual's PC is infected with the trojan, that user's stored FTP login credentials are harvested. An attacker can then login to the FTP site..."

And we all know that your log-in credentials (e.g., username and password) are just as valuable to identity thieves and criminals as the money in your bank accounts. And companies like McAfee, a provider of anti-virus software, should know better, too.

Michael Jackson: A Life of Great Creativity & Very Human Challenges

[Editor's Note: today's blog post is by guest author William Seebeck. During the 1980's, Bill and I worked together at Lexis-Nexis in Dayton, Ohio. Bill has a wealth of experience in online systems, banking, publishing, and public relations. Bill also blogs at Seebeck's View.]

By Bill Seebeck

I can still remember watching 40 years ago as Michael Jackson and his brothers went on the stage of the Ed Sullivan show, with Diana Ross, who discovered them, sitting in the audience.

What startled me that night was how Michael took the microphone, as if he had been doing it for a thousand years and with a voice that from the moment you heard it, knew it was special, began singing and dancing about the stage. He stopped you. You had to watch. You instantly fell in love with him and for quite some time afterward, he became known as "Little Michael Jackson".

Well, Michael Jackson and his brothers became famous overnight and they never looked back; everything was before them, and we, the audiences throughout the world, were the beneficiaries of his amazing creativity.

I was in college when Michael first hit the scene and only saw him once in person; it was during the 1993 Super Bowl in Pasadena, California, where he was the half-time show. Watching the video again today of that performance reminded me of his extraordinary gifts as one of the most exciting entertainers of all time.

We will always listen to Michael's music. We will also remember the songs he wrote for the world, including Black or White, Heal the World and We Are The World, the last, a song written for African relief and performed as a group by just about every major talent in the music business at the time.

Unless you have traveled the world, it is hard to appreciate the enormous impact American music has had on so many cultures. I remember sitting in a Fuddrucker's restaurant in Jeddah, Saudi Arabia, 10 years ago and watching as a group of Saudi high school boys entered the restaurant dressed not in their traditional garb but in cargo pants, Abercrombie & Fitch t-shirts, LA Laker hats worn backward, and listening to the most popular radio station in the Kingdom back then -- U.S. Armed Forces radio. What were they listening to? Yes, American music, and they all knew Michael Jackson.

However, the type of overnight success that fell upon Michael was both a great joy and a great burden. In our times, when you gain "your 15 minutes in the sun" as Andy Warhol used to say, your life is taken from you by the public. You're watched and followed twenty-four hours a day and someone always wants something from you for themselves. Now sometimes what they want is legitimate, yet more times than not, it is not. It feels at times that they are sucking the very marrow out of you and one of the things that you lose is the ability to trust others. It is a difficult life. You try very hard to create a life that you can trust, withdrawing into a type of cocoon. That space becomes your safety zone, the place you can always run to and survive the latest hurt or betrayal. That space became where Michael, despite all of his world fame, lived. It is no surprise then that this is where he was tempted by his demons, the same ones that tempt each of us in our lives of non-perfection.

So today, I remember Michael Jackson, the boy I first saw and heard, the man we all came to experience, the incredible entertainer that graced our lives and who shared his truly extraordinary God-given gifts with us. We are forever grateful.

May God's peace be upon you, Michael.

Copyright 2009 WBSeebeck. Reprinted with permission.

Are Defaults On Student Loans The Next Financial Bubble to Burst?

There are several posts in this blog about how banks are "mugging" consumers with higher credit card interest rates, lower card limits, increased minimums, and other fees. There is a debate about whether these changes, the high cost of college, and the recession will push many consumers to default on their student loans, or if the problem is poor financial planning and an attempt to avoid personal responsibility. At about the 13-minute mark are hints that the problem may be caused in part by predatory lending and collections policies:

Are Facebook And Twitter Really Changing Data Privacy Rules?

There's a pretty good commentary by Michael Fitzgerald in ComputerWorld Norway:

"'CIOs generally don't care about privacy,' says Peter Milla, former CIO and chief privacy officer at Survey Sampling International (SSI). Milla says most CIOs either focus on technology, or regard privacy as outside their domain, the province of a chief privacy or chief security officer. He finds both attitudes wrongheaded."

I agree with Milla. It seems stupid for a CIO to focus on information and ignore data security. They go hand-in-hand. One is wholly dependent upon the other.

"Milla says he recently worked to modify a request from a big-box retailer who wanted information about the people surveyed by his company on their behalf. 'They were bewildered and frustrated that we wouldn't give it to them,' says Milla. The retailer already collects plenty of data on its customers and didn't see what the problem was with a bit more. But Milla saw a breach of privacy, a contractual violation. If it leaked out that SSI shared personal data about its panelists, it could devastate its business. Milla says the big-box retailer's attitude is endemic. Companies think the data they gather belongs to them."

To me, this episode demonstrates an arrogance and entitlement about the consumer and customer data their company archives. Without customers, their company wouldn't exist. Fitzgerald points to one historical example of this arrogance:

"Ten years ago, then-Sun Microsystems CEO Scott McNealy told us, 'You have zero privacy anyway. Get over it.' "

Given the recent rise in use of social networking sites by consumers, Fitzgerald listed some of the companies, behavioral advertising efforts, and lawsuits about bungled consumer privacy. Fitzgerald highlighted one episode:

"In the wake of its privacy faux pas with Beacon, Facebook has moved to asking its users their opinions on its privacy policies. It has also created more ways for its users to control who sees their data. To Fenwick's CTO, Matt Kesner, this creates an expectation about control over data that will ripple through the IT world."

Yes, Facebook has made some changes. In my opinion, more changes by Facebook are needed. The site still doesn't disclose how and with whom customers' personal data is shared by those popular Facebook applications. And, browsers still don't provide options for consumers to block Web beacons.

Yes indeed. I, the consumer, have an expectation about control over my personal data -- all of it, not just some of it. Fitzgerald highlighted a behavioral advertising example:

"one of the British ISPs, BT, acknowledged piloting the program using actual consumer data, without asking for permission. That has landed BT in hot water. The European Commission has initiated legal action against the United Kingdom over its refusal to stop companies like BT from using live customer data without permission. Meanwhile, Amazon and Wikimedia have said they will block Phorm from accessing traffic on their sites, and in late April, the U.S. Congress began holding hearings on deep-packet inspection."

While some executives (and some consumers) maintain the myopic position that there is no privacy for consumers, these folks entirely miss the point.

First, it is about choice. Consumers choose whether or not to disclose their personal data when doing business with these companies. Second, control matters. Just because consumers choose to disclose their personal data (at the cash register or at the company's web site) doesn't mean that consumers give up all rights to control their personal data. Third, legal compliance matters. In the USA there are existing laws that require companies to protect certain types of sensitive consumer personal data (e.g., financial data, medical data, etc.). Fourth, it's about notice. Consumers expect opt-in mechanisms and to be notified about when and how their personal data is used. Opt-out mechanisms are not enough.

For me, my awareness as a consumer has been raised about privacy and various Internet technologies. It is no longer acceptable for a company:

  • Not to disclose in its online privacy policy how it uses browser cookies and web beacons,
  • Not to disclose in its online privacy policy the exact names of vendors, advertising networks, and third-parties it shares consumer and customer data with, and the circumstances when consumer data is shared with these companies,
  • To perform a behavioral advertising program without first notifying consumers and getting consumers' explicit permission via opt-in,
  • Not to disclose in its web site policies the offshore outsource vendors it works with and which circumstances and when it shares consumer data with those offshore vendors,
  • Not to disclose data breaches by the offshore vendors the company does business with,
  • Not to provide a mechanism for customers to communicate directly and immediately to a company representative via the company's web site using e-mail, reply forms, or similar methods.

Company executives that don't understand this and the shifting landscape are setting up their companies to go out of business, and suffer class action lawsuits.

10 Things You Should Know To Protect Yourself From Identity Theft

Over at WalletPop, there's a good list of tips for consumers about how to avoid identity theft and fraud:

1. Thieves don't need your credit card number in order to steal it. Conversely, they don't need your credit card in order to steal your identity.

2. The non-financial personal information you reveal online is often enough for a thief. Beware of seemingly innocent personal facts that a thief could use to steal your identity. For example, never list your full birthdate on Facebook or any other social-networking Web sites.

5. If an ATM or store terminal looks funny, don't use it. "Make sure there is no device attached to any ATM card slot... As a general rule, the mouth of a card receptacle on an ATM machine should be flush with the machine or have only a very slight lip."

8. Pay attention at the checkout line. If a cashier or salesperson takes your card and either turns away from you or takes too long to conduct what is usually a normal transaction, she may be scanning your card into a handheld skimming terminal to harvest the information. But they... can take a picture of the front and back of your card with a cell phone or merely swap out cards.

One protection tip that hadn't occurred to me when traveling on vacation or on business:

"... cut up your used hotel key cards when you check out... since these keys contain important information about you and your finances, including your name, address, phone, and the credit card you used to pay for your room. When you toss them out or leave them lying in the hotel room, anyone can pick them up and use them to steal your identity."

To read the entire list, visit the WalletPop site.

The NAI Behavioral Advertising Opt-out Mechanism: Good or Bad?

Thanks to rcalo for alerting me to this site. If you have read this blog over the past year, then you know that I have written a lot about behavioral advertising (BA). My interest in BA is partly because some Internet Service Providers (ISPs) have attempted to use a form of BA with Deep Packet Inspection (DPI) technology, which goes far beyond the older tracking technologies, like Web browser cookies, which advertisers have traditionally used.

Congress and consumers are right to take a long, hard look at firms using DPI. And, however favorable the FTC's proposed behavioral advertising guidelines are for corporations, those guidelines are not finalized. My interest in BA is not just the consumer privacy concerns, but the data security concerns due to the fact that company data breaches soared in 2008 compared to prior years. Too many companies don't take data security seriously enough. DPI allows companies to collect a lot of information more quickly -- and lose it later in a data breach, regardless of their claims about anonymizing the data.

Plus, ISPs play a key role in providing consumers with trustworthy access to the Internet. Even though NebuAd closed last month, Phorm is part of a larger situation where ISPs rush for advertising revenues and abuse consumer privacy.

With all of that as a backdrop, I have mixed feelings about the Network Advertising Initiative (NAI) opt-out site below, since it is predicated on a business model where all consumers are, by default, included. This places the burden on consumers to become BA experts and track which of the sites they visit use BA, in order to opt out effectively. And, opting out is no guarantee since companies can easily include users back in BA with a change in web site privacy and terms of use policies. The whole model should be based on a default where consumers aren't included until they opt in.

When you use the NAI site to opt-out of BA, it provides a status of the advertiser networks that have already placed a BA Web browser cookie on your computer. For me, I learned that I had active BA cookies from:

  • Atlas
  • AudienceScience
  • BlueLithium
  • Burst Media
  • Collective Media
  • Mindset Media
  • Undertone Networks
  • Yahoo Ad Network, and
  • TACODA Audience Networks

That was far more BA cookies than I thought I had. A thorough check would be to see if any of the sites I have visited regularly mentioned any of these advertiser networks in their privacy and terms policies. I doubt it.

The NAI's BA opt-out mechanism has limitations. First, it won't protect a consumer against DPI. Second, consumers will have to use the BA opt-out mechanism again if they delete the cookies on their computer, change Web browsers, or get a new computer. Given this, the NAI's BA opt-out mechanism is not a true opt-out. Too much burden is still on the consumer, and it is too easy for a consumer to get sucked back into BA again.

If you have used the NAI site below to opt out of BA, I'd love to hear your experiences. How did you tell if the opt-out worked? Did you see a change in the online ads displayed at the sites you visited?

When I opted out of pre-screened credit offers and telemarketing calls, it was easy to see the change. The number of pre-screened credit card and loan offers I received via postal surface mail stopped -- period. So too for telemarketing calls; those dropped to zero, too.

So, it's easy for consumers to see and evaluate the effectiveness of opting out of postal surface mail offers. But what about BA? How can a consumer tell if this BA opt-out mechanism works?

Anyway, here's the NAI video:

Banks: The New Loan Sharks & Extortionists of the 21st Century?

[Editor's Note: today's blog post is by guest author William Seebeck. During the 1980's, Bill and I worked together at Lexis-Nexis in Dayton, Ohio. Bill has a wealth of experience in online systems, banking, publishing, and public relations. Bill also blogs at Seebeck's View.]

By Bill Seebeck

Well, here it is the 21st of June. It's Father's Day.

Yet today, millions of credit card holders that have received notices from their banks since June 1st, know this is the beginning of a new cycle in which the percentage of funds due monthly on their accounts has doubled. Instead of having to pay 3% of their total amounts due, they will now have to pay 6% and for some of them at an interest rate upwards of 29%.

You know, I bet there are still some guys in prison doing time for loan-sharking in this country. What's a loan shark? That's someone who charged greater than a rate considered just by the society. That rate before the banks and Congress changed it used to be 23%. It was called the usury rate.

The Catholic Encyclopedia states that usury is a sin and frankly is so in every major Abrahamic religion. "...Lending money at interest gives us the opportunity to exploit the passions or necessities of other men by compelling them to submit to ruinous conditions...[Usury has been defined] as the abuse of a certain superiority at the expense of another man's necessity... It is in itself unjust extortion, or robbery."

So, who are the loan sharks now? Who are the extortionists?

What's extortion? Findlaw states, "Most states define extortion as the gaining of property or money by almost any kind of force, or threat of (1) violence, (2) property damage, (3) harm to reputation, or (4) unfavorable government action. While usually viewed as a form of theft/larceny, extortion differs from robbery in that the threat in question does not pose an imminent physical danger to the victim..."

I think it is fair to say that demanding high monthly minimums at interest rates up to 29.99% can be viewed by the "card holder" as threatening. Failure to pay can result in harm to their reputations in the form of credit scores and possible default, and in this world, "no credit" can put a person and their family on the street in a nanosecond.

So, if you think that the banks are OK and that everything has changed, you are living in a world of dreams. Take a look around your neighborhoods and see how many empty stores there are and how many people are out of work. In part, it is because of what some banks did and what some banks continue to do.

What they are doing is squeezing you, the public, for their own benefit.

Definitely actions that are not in the interest of the public good.

Who are their monitors? Where are their monitors? How do they continue to get away with this stuff?

I'm upset by this, are you?

By the way, Happy Father's Day!

Copyright 2009 WBSeebeck. Reprinted with permission.

I'm Back! After a Month of Celebration, New Struggles & Transitions

[Editor's Note: today's blog post is by guest author William Seebeck. During the 1980's, Bill and I worked together at Lexis-Nexis in Dayton, Ohio. Bill has a wealth of experience in online systems, banking, publishing, and public relations. Bill also blogs at Seebeck's View.]

By Bill Seebeck

Well, I'm back.

I've been quiet for the past month for lots of reasons, perhaps the most important was preparing for and witnessing my younger son's graduation from college. It was a beautiful New Hampshire day and there were lots of speeches and honorary degrees awarded, but perhaps the best speech of the day was by a representative of the St. Anselm College graduating class of 2009. She related what it meant to attend and graduate, as a Muslim woman, from a Catholic liberal arts college. Her name is Waqarun Rashid and her speech (audio, text), entitled, "The Peaceful Struggle" was wonderful and enthusiastically received by all, especially her fellow graduates.

My son, Matt, did honor to himself by not only graduating but receiving his degree with honors. Those members of his family in attendance (grand aunt & uncle, aunts, uncle, cousin, brother, niece, mom and dad), ages 81 to 11, were very proud of him and it was truly a joyous moment in a year of most difficult challenges for all of us in the world.

Seventy-two hours later with actual diploma in hand, we said goodbye to Matt as he left us once again, to begin yet another journey, his own new struggle, this one in service to his country. He left for Missouri to begin his basic combat training with the United States Army.

As a parent at moments like this, you have flashbacks to earlier days, like the first day you put him on a school bus at the age of six and hoped all would go well. This time, I had yet to catch my breath from watching him graduate from college and now he was off again, with the rank of Specialist, to join many other young American men and women in service to our nation. I am in prayer for him and them every day and unashamedly ask you to add yours to mine. On this one, we have common interests. He may be my son, but he is now one of my guardians and yours.

At this time in my life, with my own struggles far from over, I can't help but reflect on what an honor it is to be a parent. It is a most awesome responsibility that never ends and frankly, I wouldn't want it any other way.

Making phone calls during Basic Combat Training is a privilege and when they come, they're only for two or three minutes. Well, yesterday, Matt called from the base. His first words were, "Dad, is today Father's Day?" To which I responded, "Well, if it isn't, it is now".

Happy Father's Day!

Copyright 2009 WBSeebeck. Reprinted with permission.

Phorm Raises Money

I've written extensively about behavioral advertising. It is important to track the actions of companies that promote and enable behavioral advertising, particularly Deep Packet Inspection (DPI) technology. Revolution Magazine reported:

"Phorm has raised £15 million through a stock sale to fund expansion plans in Britain and Korea. The company said the capital will be used 'to continue the implementation of its service in the UK and Korean markets, and for general working capital purposes, as it continues partnership discussions with ISPs both in the UK and internationally.'"

Phorm developed DPI technology that allows Internet Service Providers (ISPs) to track everything their customers do online. The data is sold to media companies and advertisers so ISPs can supposedly serve up more relevant ads and make more money.

"Last year Phorm sold 1.61 million shares for £20 each - more than four times the value of the latest offering... Kent Ertugrul, chief executive of Phorm said the 3.3 million shares sold for £4.50 each, account for 19.4 per cent of the company, and were bought up by existing shareholders and new financial institute investors."

DPI goes far beyond the older tracking technologies, like Web browser cookies, which advertisers have traditionally used. Congress and consumers are right to take a long, hard look at firms using DPI. And, however favorable the FTC's proposed behavioral advertising guidelines are for corporations, those guidelines are not finalized.

My interest in this is not just the consumer privacy concerns, but the data security concerns due to the fact that company data breaches soared in 2008 compared to prior years. Too many companies don't take data security seriously enough.

Plus, ISPs play a key role in providing consumers with trustworthy access to the Internet. Even though NebuAd closed last month, Phorm is part of a larger situation where ISPs rush for advertising revenues and abuse consumer privacy.

The Weak Links In Companies' Data Security

Recently, eWeek reported the results of a survey by IronKey and the Ponemon Institute:

"... roughly half of the 967 end users surveyed said their corporate data security policies are largely ignored by both employees and management. The policy violations ranged from the misuse of USB sticks to personal use of e-mail to turning off the firewall... 61 percent admitted to copying confidential data onto USB sticks and transferring the information to a noncorporate device. Most admitted their companies either did not allow this or had no policy in place to deal with it."

It's easy to blame the employees, but when the company either doesn't have a policy or doesn't enforce it, the blame lies both on management and employees. Data breaches are bound to happen. There's more:

"... 47 percent admitted to having shared their passwords with co-workers or third-party contractors in the past... More than 20 percent of the respondents admitted to having turned off security such as anti-virus software, desktop firewalls and encryption on enterprise devices, up from 17 percent when this study was performed two years ago."

Wow! A good list of reasons why data breaches happen in companies, hospitals, schools, and government agencies. There is more:

"... 58 percent said they felt their companies did not provide adequate training on following the rules, while 46 percent said the policies were too complex to understand."

Teach Your Dad About 'Phishing' This Father's Day

To help consumers avoid identity theft, the U.S. Federal Trade Commission has developed an electronic Father's Day card with tips about how to spot bogus phishing e-mail messages. Versions of the FTC e-card are in English and in Spanish.

To learn more about phishing, whaling, v-phishing and other scams, browse the Scams and Threats section of this blog. Or, take one of these online identity theft quizzes.

If you or a parent have been the victims of identity theft and fraud, you should report it to both local law enforcement and to the FTC. To file a complaint in English or Spanish, visit the secure FTC Complaint Assistant site, or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad.

Updates On The Heartland And RBS WorldPay Lawsuits

When I have read news reports during the past few weeks, I get the impression that executives at Heartland Payment Systems and some banks are happy to act as if the Heartland data breach never happened, and to avoid telling credit cardholders details about the Heartland data breach. To me, this attitude is totally unacceptable. Plus, several states require the notification of consumers.

On Thursday last week, SC Magazine reported:

"A federal court body ruled this week that litigation facing two payment processors, Heartland Payment Systems and RBS WorldPay, will be consolidated. In separate judgments, the U.S. Judicial Panel on Multidistrict Litigation decided this week that lawsuits against Heartland will be heard in Texas, while action against RBS WorldPay will be moved to Georgia. Thirty-one separate lawsuits, on behalf of consumers, investors, banks and credit unions, have been filed against Princeton, N.J.-based Heartland, which disclosed in January that its systems were breached. Heartland did not say how many records were compromised, but some estimates placed the number around 100 million, making it the largest reported data breach in history."

That would make Heartland's breach bigger than the TJX Companies / TJ Maxx data breach (90+ million records). I am watching these lawsuits closely, since Heartland was supposedly PCI compliant while its breach occurred. I also believe that the immense size of these data breaches warrants strong consequences for the executives at both companies. Monetary fines, and a temporary removal from Visa's list of PCI-compliant firms, are not strong enough consequences.

All of this has consequences for consumers. In yesterday's blog post, the Associated Press summed up the situation for consumers: every time you pay with plastic, chances are that retailer is gambling with your sensitive personal data.

Weak Data Security Facilitates Data Breaches By Retailers

Yesterday, the Associated Press released its findings from an investigation into data breaches since 2006 and Payment Card Industry (PCI) compliance by retailers. The key findings:

"The government leaves it to card companies to design security rules that protect the nation's 50 billion annual transactions. Yet an examination of those industry requirements explains why so many breaches occur: The rules are cursory at best and all but meaningless at worst... More than 70 retailers and payment processors have disclosed breaches since 2006, involving tens of millions of credit and debit card numbers... many others likely have been breached and didn't detect it."

I've written previously about data breaches at debit/credit card payment processors that were audited and supposed to be PCI compliant. Too many retail companies are still not compliant with PCI standards:

"... one in 10 of the medium-sized and large retailers in the United States — face fines but are left free to process credit and debit card payments. Most retailers don't have to endure security audits, but can evaluate themselves."

Combine this with the fact that 20% of information technology professionals lie on data security audits, and you have a culture focused on making money and not on protecting consumers' sensitive personal data. Perhaps the most damning part:

"Credit card providers don't appear to be in a rush to tighten the rules. They see fraud as a cost of doing business and say stricter security would throw sand into the gears of the payment system, which is built on speed, convenience and low cost."

The consequences for consumers:

"It means every time you pay with plastic, companies are gambling with your personal data. If hackers intercept your numbers, you'll spend weeks straightening your mangled credit, though you can't be held liable for unauthorized charges. Even if your transaction isn't hacked, you still lose: Merchants pass to all their customers the costs they incur from fraud."

Many of us have already experienced large increases in our credit card interest rates to cover higher expenses by banks and credit card issuers. I'm sure part of these higher expenses are the costs to re-issue credit cards after huge data breaches and to pay for the fraud.

The Associated Press article mentioned one example where it took a consumer four months to fix two credit cards that were hacked as part of the Hannaford grocery chain breach. And that didn't include the time spent to adjust online bill payment arrangements with those credit cards -- the work consumers must do and credit card companies don't help with after a data breach.

This means that retailers are more interested in making money and profits than in making a sincere effort to protect your sensitive personal data. Is this acceptable? Of course not. Can the retail and credit card industries do a better job? They should and must.

If this infuriates you (and I truly hope that this does make you mad), I encourage you to write to your credit card company and demand better data security, and not just fines of payment processors and retailers who are not PCI compliant. The address is on the back of your monthly credit card paper statement.

Then, write to your elected officials in Congress and demand strong legislation that sends to jail company executives who continue to ignore data security, stronger PCI standards, and an FTC policy that is stronger and more effective than the current self-monitoring policy.

Breach Notification: Vermont And Wisconsin Do It Right

While surfing the Web, I was pleased to discover that both the Vermont Attorney General's Office and the Wisconsin Office of Privacy Protection publish on their Web sites the breach notification letters they received from companies, schools and governments. Vermont's coverage starts with March 2008. Wisconsin's coverage starts with 2006.

This is great news. These online disclosures allow residents of these states to verify any breach notification letters they may receive directly from companies. I have written previously in this blog about other states that provide similar online disclosures: Maryland and New Hampshire.

In my opinion, all 50 states should do this. There is no downside. Sadly, my state, Massachusetts, currently does not.

Survey: 20% Of Information Technology Security And Technical Professionals Lie On IT Audits

I write often about data breaches and corporate responsibility. This survey result strikes directly at the ongoing problem of data breaches every year at companies, hospitals, schools, and government agencies. SC Magazine reported:

"According to the survey of 150 IT security managers and technical staff from enterprises and government departments, 20 percent admitted to cheating on security audits or knowing of a colleague that did. The survey was conducted from April 28 to 30 during InfoSecurity Europe in London... lying on an audit, is like, “driving without a seatbelt.” Doing so is a great disservice to the company, which could experience a data breach."

Yikes! This directly feeds the trend of soaring numbers of data breaches last year. And when data breaches happen, they expose consumers' and customers' sensitive personal data -- including yours and mine. I found this interesting too:

"Jonathan Gossels, president and CEO, SystemExperts, a Payment Card Industry (PCI) standard Qualified Security Assessor (QSA), told in an email Wednesday that he would have thought that the number of those who lie on audits would be even higher than 20 percent."

This makes me wonder how effective PCI compliance really is, and how much to trust the companies that claim good data security based on passing PCI audits. Some experts believe that PCI compliance is not enough.

Fraud And Scam Warnings To Consumers From the Better Business Bureau

A couple of warnings to consumers so you don't get "mugged," become a fraud victim, or pay more than you have to. First, the BBB advises consumers to read the fine print at online social media sites, especially Facebook, since:

"... the large print doesn’t always tell the whole story... in January, BBB issued a warning to consumers about online ads and Web sites that use Oprah’s name to sell acai berry supplements as weight-loss miracles... these ads are still common on Facebook and MySpace and link to fake blogs such as that are designed to look like testimonials of women who lost weight on the acai supplements... The phony blogs link to Web sites that offer a free trial of an acai supplement, and while the customer may think they only have to pay shipping, they could get billed as much as $87.13 every month if they don’t cancel before the trial period ends."

Another scam consumers should be aware of:

"There are many ads on Facebook that advertise ways to make easy money from home... the ads link to blogs that were supposedly created by people who made money through a work-at-home program. One such blog written by a “Sarah Roberts” claims that she added “$67,000 a year to my family’s income working 10 hours a week... The blogs direct readers to Web sites for programs such as Internet Money Machine and Easy Google Cash where they can sign up for a seven-day trial access to information on how to make money from home. While the free trial supposedly only costs $1.95-$2.95, the individual will be charged $69.90 every month..."

Be sure to follow the above link to learn about more scams. Second, the BBB warns consumers about automated phone calls offering lower credit card interest rates:

"Consumers across the U.S. and Canada are sounding off to Better Business Bureaus about incessant automated telemarketing calls promising to lower interest rates on their credit cards. Not only are the calls a nuisance and violate U.S. and Canadian Do-Not-Call laws, but some companies behind the calls are ripping off consumers by charging large up-front fees to negotiate lower interest rates with credit card companies — something consumers can do on their own for free... After the initial recorded message, consumers must dial another number to be connected to a live person. The live “operator” usually starts the sales pitch by asking for the consumer’s credit card number and whether the consumer is interested in lowering their interest rates. From there, callers begin closing the sale, asking if the consumer is willing to pay – usually from $700 to $1,000 - to have their firm contact the credit card company and negotiate lower rates."

About telephone offers, the BBB advises consumers to:

"Never give personal information, including Social Security, bank or credit card numbers, over the phone to an unknown telemarketer. Always research the company first by reviewing its Reliability Report at; When considering any company offering any type of financial assistance, insist on getting a contract in which all terms and conditions are clearly explained before signing up or providing credit card or other payment information; U.S. consumers can place their home phone number on the federal Do Not Call list by visiting If the consumer’s number is already on the list but continues to receive telemarketing calls—or is receiving robocalls on a cell phone—he or she can use the same Web site to report the incident to the FTC. Canadian consumers can learn more at"

Sears Settles With The FTC About Consumer Privacy Abuses With Undisclosed Tracking Software

I've Been Mugged discussed consumer privacy abuses by Sears in 2008. On June 4, 2009, ComputerWorld reported that Sears Holdings Management settled a U.S. Federal Trade Commission complaint that Sears failed to inform "My SHC Community" customers about the large amount of sensitive personal data it collected with a downloadable software application:

"Sears Holdings, owner of the Sears and Kmart retail chains, invited some visitors of and to become members of the "My SHC Community," paying them $10 if they agreed to download "research" software that would confidentially track their online browsing... the software not only tracked browsing, but also monitored customers' online secure sessions, including sessions on third-party Web sites... The Sears software collected the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size of Web-based e-mail messages... The software would also track some computer activities that were unrelated to the Internet..."

From now through July 6, interested consumers can submit comments to the FTC about this Sears settlement. Before submitting a comment, consumers should read:

Based on the comments received, the FTC will decide whether or not to proceed with the proposed settlement agreement. I encourage readers to review the proposed settlement. You may feel it is not strong enough, especially regarding the sensitive consumer data Sears has already collected.