
17 posts from September 2009

Trends In Data Breaches

Recently, GovInfo Security interviewed Mary Monahan, Managing Partner and Research Director at Javelin Strategy & Research. I found Monahan's assessments very informative. Monahan's view of current data breaches and hacks:

"Fraudsters are definitely taking advantage of website vulnerabilities. This is a common trend that they have been taking advantage of these website vulnerabilities and then identifying them over and over and over again to download package sniffers, open back doors..."

Monahan's assessment of the types of data breaches to expect in 2010 and beyond:

"... criminals are moving up the food chain. They are going after -- last year we saw them at the restaurants; this year they are at the processor, the restaurant processor. So they are definitely moving up the food chain. The Heartland breach with 130 million credit and debit cards is a lot bigger breach. So they are taking what they are learning at the smaller breaches and moving up that food chain. Using the same types of messages, but refining them as they go along, so last year where we might have been able to find that package sniffer, now they are learning to erase traces of the sniffer on their computer program... We see [criminals] changing their target. So because there are so much credit and debit card numbers out there that this data is becoming less valuable. So they are going to start targeting other types of information."

The information targeted by criminals that Monahan referred to includes "PIN thefts" at banks and financial institutions, and redirects of consumers to phishing sites. Think of it this way: rather than steal a consumer's credit card number, it is worth more to steal the consumers' sign-in credentials so the criminal can directly access the money in the consumer's online financial accounts.

So, my advice for consumers:

  • Activate the anti-phishing software on your computer.
  • Learn how to recognize a phishing web site.
  • Learn about the anti-phishing features at your bank's or financial institution's web site.
  • If your bank or financial institution doesn't provide anti-phishing features with its online banking service, look for another bank.
  • Create and use strong passwords.
  • Use different passwords for your online banking vs. e-mail accounts and social media sites.
  • Protect the PIN number you use with your debit card at all ATM machines.

Warning College Students About Identity Theft

It was good to read this article in the New York Post:

"ID theft is on the rise on university campuses as thieves take advantage of open dorm doors, the careless habits of students and plenty of laptops to steal ID from and use to gain access to the assets of not only the students, but also their parents. Parents should be aware that "criminals look at universities because not only are students the path of least resistance, but universities are lax in their security," said Robert Siciliano, an identity-theft expert. "Twenty percent of students do not acknowledge that it's a problem. They are just irresponsible and making all of their parent's personal information vulnerable."

What the consequences can be:

"This past summer, a 22-year-old male at the Southern University in Louisiana experienced ID theft due to carelessness in the dorm room and is now faced with explaining to his parents why their credit card has a $2,400 balance."

Hopefully, parents will pay attention and warn their college-age children to keep sensitive papers and records under lock and key.


Do You Know The Black-Market Value of Your Sensitive Personal Data?

Symantec recently launched its Norton Online Risk Calculator, an online tool that computes the black-market value of a consumer's sensitive personal data. I tried this calculator to see what it was all about.

First, the calculator asks basic information about your online habits and general demographic data (e.g., gender, age range, whether you have an e-mail account, etc.). Smartly, the calculator asks you for an age range and not your specific birth date. Otherwise, I wouldn't have completed the calculator.

Second, the calculator asks questions about whether you do banking and shopping online. The tool includes related questions about whether you bank online and pay bills online. It also asks if you shop online with a debit card, and whether you have installed and use anti-virus and anti-spyware software on your computer. The calculator asks a very relevant question about whether you disclose your birth date on social media sites. The calculator also asks you to estimate the total value of your online accounts and what you think thieves would pay for your sensitive personal data (e.g., name, address, birthdate, and bank account information).

Prior I've Been Mugged posts have explored the value of stolen consumer data, the risks of disclosing your birth date on social media sites, how to create strong online passwords, how to avoid getting your e-mail account hacked, and how to recognize phishing e-mail spam and sites. Unfortunately, many consumers believe their computers are protected by anti-virus software when in fact they aren't. And, it is extremely difficult to tell when your computer is infected by spyware and botnet software.

According to the Symantec calculator, my sensitive personal data is worth about $30.29.

Is this risk calculator any good? Part of me feels that it is a slick method to advertise their Norton anti-virus software. After you complete the calculator, the site does present a couple of their software products. Like any other viral application, the site presents a "Send to a Friend" link at the end, hoping you will disclose your friends' e-mail addresses and tell your friends about the risk calculator. I did not refer any friends.

Symantec could have done a better job with this calculator. Why?

  1. The calculator should have been produced as a secure site (https://), which it isn't.
  2. The calculator is a Flash application and the site does not disclose how it uses the Flash cookie on the consumer's computer.
  3. The calculator does not state what it will do with your answers, how long it will store them, and what other companies it will share the information with. The site has a general link to Symantec's Privacy Policy.
  4. The calculator does not ask if your sensitive personal data has actually been exposed already during a data breach, nor did it ask if the consumer monitors their credit reports with a credit monitoring service, nor did it ask if the consumer already protects their credit report data with a Security Freeze.
  5. The calculator did not ask any questions about whether you use RFID or contactless credit/debit cards.

My recommendation: skip this site. It's just not worth it. I expected something far more rigorous from a security software company.


Facebook Settles Class Action Lawsuit & Shuts Down Its Beacon Advertising Service

Facebook, Inc. has agreed to shut down its Beacon advertising service as part of a settlement of a class action lawsuit filed in August 2008 against the company and its Beacon affiliates. You may remember that the Beacon service received much negative media coverage when the Beacon service failed to provide Facebook members (and non-members) with adequate notice and consent mechanisms, which resulted in the disclosure of the consumers' product purchases.

In October 2008, Facebook, Inc. filed a motion to dismiss the class-action complaint. In September 2008, Facebook, Inc. and the class-action attorneys entered into negotiations. The settlement agreement was reached before a court could rule on the dismissal motion. The settlement agreement must be approved by the U.S. District Court for the Northern District of California, where the lawsuit was filed.

I reviewed the class-action settlement agreement, which includes the following:

  1. Facebook, Inc. gets to deny any wrong-doing,
  2. The two plaintiffs (Sean Lane and Mohammad Sheikka) receive $15,000 and $7,500 respectively,
  3. Facebook, Inc. agrees to pay the plaintiffs' class-action attorney fees,
  4. Facebook, Inc. agrees to set up a privacy foundation funded with $9.5 million (less attorney's fees). The purpose of the foundation is to "fund projects and initiatives that promote the cause of online privacy, safety, and security." To start, the foundation will have three directors selected by both Facebook's attorneys and the plaintiffs' class-action attorneys.
  5. The settlement agreement covers "Protected Persons" (Facebook executives, and some of its Beacon affiliates, such as Blockbuster, Fandango, Overstock.com, Zappos.com, and Gamefly).

Is this a good settlement? I think so, even though the settlement doesn't mention any damages. Why? Facebook, Inc. will pay an ongoing "price" in the form of the privacy foundation to help consumers. That's a lot more than the company probably would have done otherwise. And, it sets a clear consequence for companies that rush to make money while ignoring consumers' privacy, consent, and notification needs.

Congratulations to the Privacy Crusaders! First, NebuAd and now a new privacy foundation funded by Facebook.


Meet The Banks And Credit Card Industry

Mr. President, the gentlemen from the credit card industry are here.

Are banks the new loan sharks for the 21st century? Despite the new law, and even as some banks slowly loosen credit, so far in 2009 we consumers have experienced huge increases in credit card interest rates, lowered card limits, higher fees, more fees, and constantly changing due dates -- all of this after bailouts and bonuses in 2008.

For more humor about banking and other topics, visit Daryl Cagle's Political Cartoonists Index.


Smart Consumers Recognize Phishing Scams

Prior posts to learn more about phishing and scams:

Learn how to recognize a phishing e-mail message and a phishing web site.


How Much Is A Stolen Credit Card Worth On The Black Market?

The news media has covered very well the Gonzalez-led theft of 130 million credit card numbers. What is this information worth to criminals? In other words, what does this stolen information sell for?

According to a post on VirusList.com dated Aug. 17, 2009, U.S. consumers' Visa credit cards are worth about $2 each. While analyzing virus samples, Kaspersky Lab virus analyst Dmitry Bestuzhev found a Web site with pricing information for stolen credit cards. German credit cards, at $6 (USD) each, fetch the highest price per card. With technical support and a sliding scale of prices, this appears to be an organized business.

It appears that the price also varies by order size. CBC News Canada reported:

"Stolen credit card numbers now go for as little as six cents each, if they're bought 10,000 at a time. The price can be $30 US per card for smaller orders. Access to hijacked email accounts can cost 10 cents to $100, while bank account credentials range from $10 to $1,000. Scammers can hire people to "cash out" compromised bank accounts for between eight per cent and 50 per cent of the amount they're stealing. Hosting for scam websites ranges from $3 to $40 per week."

That implies that the 130 million credit card numbers stolen by the Gonzalez-led theft ring are worth about $7.8 million (USD) on the black market, if purchased in bulk.


Directory of Credit Reporting Agencies

While writing this blog, I've become fairly familiar with the major, national credit reporting agencies: Experian, Equifax, and TransUnion. Consumers should know that there are many more credit reporting agencies (also called "credit bureaus") within the United States, and worldwide.

After a brief search, there seem to be several hundred credit reporting agencies in the United States alone. The Collection Agency Services (CAS) Web site maintains a database of regional credit reporting agencies which is searchable by state. I found about 55 credit reporting agencies in California, 72 in New York, and 12 in Massachusetts. Who knew that there were so many?

The CAS site isn't the best. While it does display the town and ZIP code for each credit reporting agency, it does not display Web site links. This means that consumers have to do the extra step of performing an Internet search to find Web site addresses and phone contact information.

Consumers should take the time to search for credit reporting agencies in their state. The search results will give you an idea of the number of companies that archive consumers' sensitive personal data. And, if I can find this database, then identity criminals can, too.

It would be better if each state's consumer protection agency or department of justice maintained a list of credit reporting agencies in their state. Consumers need an easy-to-find, convenient place to find this information.

Why these smaller, regional credit reporting agencies weren't included in many states' consumer breach notification and Security Freeze legislation is a mystery to me. Does anyone know the answer?


Private Browsing Mode in MSIE v8

Thanks to Mary Grace Whalen for alerting me to this All Things Digital blog post:

"... InPrivate Browsing, is only available in the latest version of IE, called IE8. You turn it on by either selecting that option from the Safety button at the upper right, or from the Tools menu in the Menu Bar if you have chosen to make that bar visible. Once you do, an “InPrivate” label appears at the top left corner of the browser and a page appears explaining that the browser won’t record on your own PC certain records of what you do in that browsing session. There’s an additional privacy mode, available from the same two drop-down menus, called “InPrivate Filtering,” which goes further. It blocks Web sites you go to from saving certain records of your presence there on their own servers. InPrivate browsing lasts until you close the InPrivate browsing window."

There's also a video about it:

If you value your online privacy, this seems like a pretty cool feature. I haven't used this feature yet, since I use Firefox (which has a similar feature in v3.5) 99% of the time. If you have used MSIE v8's InPrivate Browsing feature, let us know below what you think about it.


Warnings For Consumers From The Federal Reserve Board

This blog is all about empowering consumers (whether you have been mugged or not) to protect their money and sensitive personal information. Last week, the Federal Reserve Board (FRB) issued a warning to consumers to be aware of:

"... fraudulent solicitations that appear to be made with the approval or involvement of the Federal Reserve, Federal Reserve officials, or other U.S. government officials. These solicitations promise bogus financial services or large sums of money in exchange for either payment or personal information that can then be used to access a consumer's bank account."

This type of warning usually means a rise in the amount and frequency of phishing e-mail messages and/or phishing Web sites -- methods to trick consumers into disclosing their sensitive personal information (e.g., bank account numbers, Social Security number, etc.) to identity criminals. That means you may see official-looking but bogus e-mail messages that appear to come from the FRB. The FRB operates this web site for users to file complaints about fraud. You should also notify your local law enforcement and submit a complaint to the FTC.

Recently, the I've Been Mugged blog reported advice for consumers from the FRB about private educational loans, shopping for mortgages, and credit cards.


Medical Tourism: All Of The Places Patients' Health Records Will Go

I found this Business Insurance article interesting:

"When Scarborough, Maine-based supermarket chain Hannaford Bros. Co. announced last year that it would begin sending its employees to Singapore for knee and hip replacements to save the company money, it attracted the attention of several hospitals in Boston that offered to match the price. What the company probably did not realize at the time was that it was at the forefront of an emerging market: domestic medical tourism. Unlike foreign medical tourism, patients don't leave the country. Instead, they travel to another city within the United States to have procedures for up to 75% less..."

Sounds like outsourced health care to me. The companies involved in this are those companies that fund their own health care programs for their employees.

I found this interesting for several reasons. First, who knew that domestic medical tourism is a growth industry?

"... BridgeHealth International Inc., for example, launched its domestic network of 15 hospitals across the United States about six months ago in response to demand from its insurer and TPA clients... Olympus saw the opportunity to use its existing infrastructure of nearly 30 domestic medical facilities to market to insurers, TPAs and self-insured employers that, like Hannaford, are looking to achieve the cost savings of medical tourism without leaving the country... Healthplace America, which specializes in domestic medical tourism, set up shop last year to market directly to self-insured employers. The Lisle, Ill.-based company provides access to a specialty network of 22 U.S. hospitals."

According to the Examiner.com, medical tourism:

"... is growing at an astonishing rate. The Centers for Disease Control (CDC) estimates that in 2006, half a million Americans traveled abroad for health care. According to the Deloitte Survey of Health Care Consumers, the number rose to 750,000 in 2007; the report projects that the figure will increase to 6 million by 2010... People travel abroad for root canals, routine dental work, face lifts, hysterectomies, joint replacement, and bypass surgery... Some of those heading overseas are among the nearly 50 million Americans without health insurance."

There is even a magazine devoted to the medical tourism industry.

Second, this represents another situation where more companies (domestic and foreign) besides the employer will share consumers' sensitive personal data. In this model, who ensures data security? Who notifies and helps the employee/consumer when there is a data breach? What happens when the outsource health care firm is located in a state without consumer breach notification laws?

Third, whether it is domestic medical tourism or foreign medical tourism, I wonder what control or choice the employee has beyond elective procedures.

Fourth, the phrase "medical tourism" is misleading. It makes it sound so benign. Tourism is when consumers visit a place based on their own interest or choice. Let's call it what it is: outsourced health care (domestic) and off-shore outsourced health care (foreign).


Breach Notification For Consumers' Electronic Medical Records

Along with the health care insurance reform debate, I've started reading more and more about data security and electronic medical records. In a recent press release, New York-based Experior Data Security and Encryption announced its encryption services for health care organizations:

"The American Recovery and Reinvestment Act of 2009 provides incentives for medical care providers to transition from paper health records to electronic health records. It is those electronic health records that we help secure..."

The Experior press release has some good links to related government documents. What I found interesting was about consumer breach notification:

"The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA), has substantially increased the penalties for health care organizations that suffer a security breach. Health care providers and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) are required to notify people if a breach or unauthorized access has occurred, and may result in a violation of privacy or even identity theft. In cases where a breach affects less than 500 people health care organizations must keep a log and submit it to the Department of Health and Human Services on a yearly basis."

The press release also discussed the consequences for health care organizations that don't comply with the new laws:

"In cases where a breach affects more than 500 people health care organizations face considerable and serious consequences. They must notify a major media outlet, the federal government, and set up a hotline. They also face fines, in certain cases, as high as US $1.5 million per calendar year, and the possibility of criminal charges should the company or an individual be found willfully negligent. However, covered entities that secure health information through encryption or proper destruction are exempt from the notification requirements should a breach occur. Enforcement of breach notification requirements is expected to begin in February 2010..."

Exemptions from consumer notification? Consumers need to be informed regardless of whether the health care organization was in compliance or not. If true, this notification exemption is not good.


Health Care. What's The Story?

[Editor's Note: while I am away, today's blog post is by guest author William Seebeck. I've known Bill for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980's. Bill has a wealth of experience in online systems, banking, publishing, and public relations. Lately, Bill has had a lot of direct, personal experience with the health care industry.]

Part I – How To Think About It & The Economics and The Politics of It

By Bill Seebeck

My son Matt taught me a few things in an essay he wrote this week, when he asked the question, “Why do so many people know so very little about subjects that are so important to them?” Now he asked that question not about health care but about the defense of the nation.

In the essay, he said that in his quest to answer that question, he thought, “What kind of preconceived notions did people have and where did they come from? What is the reason for their knowing a half-truth or a true falsehood and was it a result of their education?”

“After long periods of study and introspection, I deduced that there are two types of knowledge people acquire often without acknowledging the disparity between the two. First, ‘perceived knowledge’ is a veritable brain dump, something learned or heard of, studied for a test but never examined or understood.”

“The second type, ‘actual learned knowledge’ is the opposite, instructed or read in a detailed manner and expressed in such a way that it is appreciated,” he opined. “The beauty of actual learned knowledge is that it incorporates a whole spectrum of topics. For example, history inherently requires economics, politics, and sociology to be more fully explained. It is a way to wisdom,” he wrote.

Thanks Matt for helping to focus on and shape how we think about the subjects that are so important to us. Thank you also for serving all of us this day in the uniform of our country.

So, as we think about health care, let us also think about the fact that we also need to consider economics, politics, history, sociology, medicine, science, technology and how we value life, our lives and others.

Health care is one of the most expensive items in our personal budgets, state budgets and in the budget of the United States. The cost to those budgets continues to rise. We (the citizens, our state governments and federal government) cannot afford the basic cost of health care, nor its continuing increases.

Therefore, we must change the system.

There are lots of politics wrapped up in health care. Why? In part because there is so much MONEY wrapped up in health care.

Corporations run health care. They make the drugs we take, operate the pharmacies that dispense the drugs, make the machines (CT-Scan, X-Rays, etc.) used for performing tests, blood testing services, they own the insurance companies and the hospitals that determine how much everything costs and who is going to pay for what.

Then we have the doctors, nurses, technicians, etc., and the colleges and universities that train them. It costs thousands and thousands of dollars to train these people who not only choose this profession but they are the people to whom we entrust our lives. They have a need to protect the quality of their educations, but they also need to pay off the cost of their educations while practicing medicine, paying the high cost of insurance required to practice medicine and living life with some quality.

The next group is ourselves. We always want something better. We also don’t want to pay a high cost for it.

We have our seniors, who since the 1960’s have had a medical system of their own that in tandem with Social Security provides at the very least a basic style of life that recognizes their dignity and life’s effort as working people, who because of age and the challenges of health that come with aging generally cannot afford a system without support.

Finally, we have our elected officials. They are after all politicians. They are influenced by each of the groups noted above and many more. The lobbyists that represent such groups contribute millions to politicians at election time. Such influence can cause an elected official to move from the right thing to do, to the thing to do in order to get elected the next time they run for public office.

A sub-group of the elected officials are governors, state governments and their legislative bodies. Most states require an annual BALANCED budget and the cost of health care to a state can be punishing, especially if the federal government doesn’t help fund what the state is required by law to provide its citizens. Then, if the state has to cut costs to balance their budget, then local governments (your town) will also have less money from the state and generally will have to make cuts as well.

It is the role of the President of course to lead the country as its chief executive officer. He or she must offer programs to Congress that balance the cost of health care in relation to other needs of the nation with, in this case, the health care needs of its citizens.

The President knows that the health care system has to change because as we noted in the economic section, it costs too much for everyone. In the economic mess we are in, it absolutely must be addressed. Not later, but now because it represents such a large and growing percentage of the federal budget, state governments and our own budgets at home.

What we change to as the NEW HEALTH CARE SYSTEM is a battle between all of the groups noted above, the debate we are experiencing today, with all sorts of half-truths and falsehoods flying about, all because it is first ABOUT MONEY and only a distant second about our health.

As a result, at the end of the day, it does not mean that we will have a new system that will truly serve our health care needs in the future nor be as inexpensive as it could possibly be. What we will have will be what the lobbyists and elected officials bang together. Unfortunately, not a happy thought.

Meanwhile, let me know what you think.


2009 In Review: Data Breaches

Bank Info Security recently reported:

"... 356 data breaches so far in 2009, according to the Identity Theft Resource Center (ITRC). And 46 of those breaches have involved financial institutions - up from 34 at this same time last year... The good news is that, based on percentages, financial institutions consistently have lower percentages of data breaches than other organizations... The bad news is when financial institutions - or their third-party service providers -- are breached ... it's big. Example: the Heartland Payment Systems breach, which resulted in the compromise of 130 million credit and debit cards. Financial data -- bank account numbers, social security numbers, and other personal identifying information - is invaluable to hackers..."

In other words, on average financial institutions have fewer breach events compared to other industries, but when financial institutions have a data breach, far more records are stolen with consumers' sensitive personal and financial information.

Early on, Heartland Payment Systems had no idea how many records were stolen, and some class-action lawsuits were filed. The I've Been Mugged blog explored consequences of the Heartland breach. Later, breach details emerged as the Miami hacker's role was exposed.

The ITRC analyzed the types of breaches at financial institutions and found seven types:

  • "Insider theft: 12 breaches;
  • Skimming: 8;
  • Missing paper documents: 10;
  • Exposure of data on the Internet: 4;
  • Accidental breaches: 2;
  • Stolen or missing hard drives/laptops: 5;
  • Outside network intrusions: 2;
  • Unknown cause: 3."

The bottom line: consumers should know that any site that advertises itself as having "bank-level security" isn't 100% hacker proof. Unfortunately, there is a risk involved and bad stuff happens.


The Credit Card Industry Struggles With Keeping Consumers' Data Secure

The last few weeks have included a huge increase in identity-theft news. First, we consumers heard on August 17 about the indictment of three hackers -- a Miami man and two Russian accomplices -- in what is probably the largest data breach and theft in the USA. More than 130 million debit and credit card numbers were stolen.

This latest theft of 130 million card numbers covered data breaches from 2006 to 2008 for companies including Heartland Payment Systems, a card payment processor, and retail chains 7-Eleven Inc and Hannaford Brothers. The Heartland breach has affected dozens of banks nationwide.

Second, we learned that the Miami man, Albert Gonzalez, had also been a government informant for the U.S. Secret Service since 2003 and was already known to government officials, and already in prison for a series of eight retail hacks affecting an additional 40 million credit cards. The thefts of those 40 million additional cards included retail companies such as BJ's Wholesale Club and TJX Companies/T.J.Maxx. So one man (with help from some friends) stole more than 170 million debit/credit cards.

How do three people steal 130 (or 170) million credit cards? Third, we started hearing technical terms like the "SQL injection" technique the criminals used to exploit weaknesses in the way computer system developers write code for credit card databases. According to InternetNews:

"For his crimes, if Gonzalez is convicted in the Heartland incident, he'll face a fine of at least $250,000, and up to 25 years in prison. Gonzalez had servers in California, Illinois, Latvia, the Netherlands and Ukraine..."

Sounds to me like far more than three people are involved. You don't simply set up servers in multiple countries without some help. This theft smells like an organized business. I want law enforcement to capture and prosecute other criminals worldwide (e.g., Hacker-1 and Hacker-2 who are in or near Russia) who aided the thefts and/or resold the stolen data.
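To make the "SQL injection" term used above concrete from a defender's standpoint, here is an added Python illustration (my own example, not code from the original post or from any company named in it). It builds a tiny in-memory SQLite table of constructed, obviously fake sample rows and runs the same lookup two ways: the weak pattern, where the application pastes user input into the SQL text, and the standard fix, where the SQL text stays fixed and the input is passed as a bound parameter. The table, column and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data (not from the page): a tiny card-holder table with
# masked, obviously fake card values standing in for a processor's lookup table.
SAMPLE_ROWS = [
    ("alice", "4111-XXXX-XXXX-1111"),
    ("bob", "5500-XXXX-XXXX-0004"),
    ("carol", "3400-XXXXXX-X0009"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (holder TEXT, pan_masked TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, holder):
    """The weak pattern: the caller's input is concatenated into the SQL text.
    A quote character inside the input ends the string literal, and whatever
    follows is parsed as SQL. That is the coding defect 'SQL injection' names."""
    sql = "SELECT holder, pan_masked FROM cards WHERE holder = '" + holder + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, holder):
    """The fix: the statement is fixed and the input travels as a bound
    parameter. The engine treats it purely as a value to compare against, so
    quotes or SQL keywords inside it cannot change what the statement does."""
    sql = "SELECT holder, pan_masked FROM cards WHERE holder = ?"
    return conn.execute(sql, (holder,)).fetchall()


def compare(holder):
    """Run both lookups on the same input; return (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, holder)
    except sqlite3.Error as exc:
        # Odd input can also simply break the concatenated statement. A burst of
        # SQL syntax errors in application logs is itself worth alerting on.
        vulnerable = "SQL error: %s" % exc
    safe = lookup_parameterized(conn, holder)
    conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    # A normal lookup: both forms return the single matching row.
    print(compare("alice"))
    # Input containing a quote and an always-true clause: the concatenated
    # query returns every row in the table; the parameterized one matches none.
    print(compare("x' OR '1'='1"))
```

The second call is the whole lesson in one line: the same input that causes the concatenated query to dump every row is simply an unmatched name to the parameterized query. Code review and static scanners that flag string-built SQL, plus logging of unexpected SQL errors, are the practical checks that follow from it.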

Fourth, details then began to emerge about the breaches at specific companies:

"... Dallas-based 7-Eleven, while confirming security breaches, said that only ATMs at some stores were affected... Moreover, the Dallas chain would not say where the affected stores were.... A 7-Eleven statement said the chain became aware of attacks in late 2007, saying they had occurred Oct. 28 through Nov. 8. The indictment said the chain’s network was breached from August 2007... Each card-issuing company made its own decision on what action to take, including replacing cards or putting card numbers on an alert for fraud..."

Like a bad screenplay, we further learned that Gonzalez went by the "soupnazi" online alias and he:

"... reportedly became an informant for the Secret Service in 2003, helping in a sting of a cybercrime syndicate, known as Shadowcrew.com. But afterward, Gonzalez re-established his own hacking group, called "Operation Get Rich or Die Tryin," according to Threat Level..."

Perhaps most troubling:

"Accomplices to the crimes are believed to be on the loose in Russia or other countries where U.S. authorities are less likely to get them. And the underlying security holes mined by the hackers still exist in many payment networks."

Most of this was summarized nicely in the New York Times:

"The financial stakes are getting higher. Fraud involving credit and debit cards reached $22 billion last year, up from $19 billion in 2007, according to California consulting firm Javelin Strategy & Research."

You may remember that the breaches at Heartland and Hannaford occurred while both companies were supposedly within compliance to security requirements. Again, from the New York Times:

"Those standards were set by a council that includes the world's two largest credit card networks, Visa and MasterCard Inc; fast-food leader McDonald's Corp; oil major Exxon Mobil Corp; and big banks Bank of America Corp and Royal Bank of Scotland Plc... Yet some 5 percent of the largest retailers and restaurants still have not met compliance deadlines set in 2007, according to Visa."

Clearly, the security standards are insufficient and need to be strengthened. Then, we learned that J.C. Penney, Target, Boston Market, DSW, Office Max, Barnes & Noble, and Sports Authority were affected by the Gonzalez-led breaches. By the end of the week, Gonzalez pled guilty to several charges about the breaches, and would get a maximum of 25 years in prison.

Meanwhile, the banks, credit card networks, and retailers argue about the appropriate security standards and who should pay. What should consumers do?

We consumers can't control the squabbles between the banks, credit card networks, and retailers. We can control which cards we use and when. My advice is this:

  1. Shop online with your credit card, since that gives you more protection than a debit card.
  2. If you can, use cash for in-store purchases, or use a credit card. Why? Retailers are not honest and transparent about informing consumers of breaches or about which stores in their chain are problematic. (Remember, not all states have data breach notification laws.) And, the credit card industry still hasn't solved its security problems. See this blog post above.
  3. Use your debit card at your bank's ATM machines. Regardless of those entertaining Visa and MasterCard advertisements on television, the system isn't as secure as it should be. I avoid ATM machines in convenience stores, and try to use ATM machines only in my bank's branches.
  4. Review your monthly credit card statements, since some fraud shows up as tiny charges first (e.g., 25 cents) and since you may spot fraud first. Don't rely on your bank spotting it first. If you spot fraudulent charges, report it quickly to your bank or credit card issuer.