
18 posts from December 2009

The Most-Read Posts of 2009

Based on data supplied by Google Analytics, during 2009 the most-read I've Been Mugged blog posts were:

  1. Is Mint.com As Safe As It Says It is?
  2. Experian Triple Alert Credit Monitoring Service (Product Review)
  3. Banks and Credit Card Issuers Increase Interest Rates on Consumer Credit Cards
  4. Citi Credit Monitoring Service and Citi Identity Monitor (Product Review)
  5. Check Scam Still Operating At Craig's List Site
  6. Suze Orman Identity Theft Kit Debuts
  7. Consumer Reports On Lifelock
  8. TrueCredit From TransUnion (Product Review)
  9. Lifelock And The Credit Monitoring Industry Struggle To Protect Consumers
  10. Debix, Lifelock, and TrustedID
  11. Judge Rules In Favor of Experian Over Lifelock
  12. Bank of New York Mellon Changes Its Offer To Its Data Breach Victims
  13. Should Mint.com Query Its Customers' Financial Information For Fraud Notification?
  14. The Good, The Bad, And The Ugly: Credit Monitoring Offers
  15. 2008 Consumer Fraud and Identity Theft Complaint Data (FTC)
  16. Bank of New York Mellon's Offer To Its Data Breach and ID-Theft Victims
  17. Equifax 3-in-1 Monitoring (Product Review)
  18. Consumers Should Know FDIC Insurance Rules To Protect Their Money
  19. Health Net Breach Exposes 1.5 Million Consumers' Medical Records
  20. The Risks Of Disclosing Your Birthday on Facebook and Other Social Networking Sites

A quick scan of this list indicates that readers are most interested in credit monitoring service reviews, security issues at banks and financial institutions, and recent breaches. By contrast, the top posts of 2008 were:

  1. Experian Triple Alert Credit Monitoring Service
  2. Bank Of New York Mellon's Offer To Its Data Breach And ID-Theft Victims
  3. Bank of New York Mellon Changes Its Offer to Its Data Breach Victims
  4. Suze Orman Identity Theft Kit Debuts
  5. Citi Credit Monitoring Service and Citi Identity Monitor
  6. 2008 Consumer Fraud and Identity Theft Complaint Data (FTC)
  7. Bank of New York Mellon Data Breach Affects at Least 4.5 Million Consumers
  8. Sidejacking: What It is and How to Protect Yourself
  9. Debix, LifeLock, and TrustedID
  10. Kroll's Offering From IBM Deserves Scrutiny
  11. TrueCredit From TransUnion
  12. Fraud Alert or Credit Freeze: What's the Difference?
  13. Opt-out Resources For Consumers
  14. Equifax "3-in-1" Credit Monitoring Service
  15. Dilbert Promoted To The Boss
  16. Consumers Should Know FDIC Insurance Rules To Protect Their Money
  17. Experian Sues Lifelock
  18. Consumer Reports On Lifelock
  19. What Does Your C.L.U.E. Insurance Report Say About You?
  20. 2008 Identity Theft Survey - Javelin Research (Part One)

During 2010, I will continue to review credit monitoring services, especially those I haven't reviewed yet. I will continue to cover corporate data breaches, medical identity theft, and new sources of privacy threats to consumers' sensitive personal information. I will continue to report on announcements by government agencies like the U.S. Federal Trade Commission, which proposes guidelines that affect consumers and the companies that store consumers' sensitive personal information.

If there are topics you'd like to see covered, feel free to share them below, by e-mail or via Twitter. On the Internet, things change quickly. Thanks for reading I've Been Mugged!


Engineer Divulges Code That Protects Most Cellular Phone Calls

From The New York Times:

"A German computer engineer said Monday that he had deciphered and published the secret code used to encrypt most of the world's digital mobile phone calls, in what he called an attempt to expose weaknesses in the security of the world’s wireless systems. The action by the encryption expert Karsten Nohl aimed to question the effectiveness of the 21-year-old GSM algorithm, a code developed in 1988 and still used to protect the privacy of 80 percent of the world's mobile calls.

Mr. Nohl disclosed his efforts at the Chaos Communication Congress, a four-day computer hacker’s conference.

"The GSM Association, the industry group based in London that devised the algorithm and represents wireless operators, called Mr. Nohl’s efforts illegal and said they overstated the security threat to wireless calls."

Who knew that the code to encrypt wireless phone calls was 21 years old? You'd think that the cellular communications companies would use something more recent and more robust.


The 2009 Data Breach Hall Of Shame

This month, Network World magazine released its list of the 2009 Data Breach Hall of Shame. This list includes companies and government agencies that really effed up... they didn't protect consumers' sensitive personal information as they should have. All of these breaches were preventable. Here's who made the list:

  1. Transportation Security Administration (TSA) after it accidentally posted on a public Web site a manual that contained complete details on its airport screening procedures,
  2. Heartland Payment Systems after it allowed hackers to steal about 130 million credit and debit cards over several months while the company was being certified as PCI compliant for security,
  3. Health Net after it lost a hard drive with unencrypted personal, financial, and medical information of 1.5 million consumers and after it waited for six months before notifying government authorities and its breach victims,
  4. U.S. Government Printing Office after it posted on a publicly accessible web site a document with details on U.S. civilian nuclear sites marked as "Highly Confidential Safeguards Sensitive,"
  5. RockYou Inc after a hacker stole over 32 million consumers' passwords and sign-in credentials that were stored in plain text without any encryption or protection

I agree with Network World. The companies and agencies on this list deserved to be on this list. Their executives were sound asleep when they should have been awake and actively protecting the sensitive information they were entrusted with. In honor of these executives, I'd like to present them with the Data Breach Analysis Flow below, which was first published in this blog in September 2007:

Data Breach Flow


Heartland Settles Consumer Class Action Lawsuits

On Monday, Reuters news service reported that credit card processor Heartland Payment Systems Inc. has agreed to settle its consumer cardholder class action lawsuits related to the company's data breach. Heartland has agreed to:

"... pay up to $2.4 million to class members submitting valid claims. Heartland agreed to pay a minimum of $1 million to class members and take up settlement-related administration costs, including up to $1.5 million for the cost of notice to the settling class. The company will pay up to $760,000 of the costs of attorneys representing the class members. Heartland said it could terminate the deal if costs of notice exceeded $1.5 million, or if it received more than 2,500 requests for exclusion from the settlement class."

The settlement deal includes consumers whose credit and debit cards were compromised between Dec. 6, 2007 and Dec. 31, 2008, plus consumers who have alleged that they have suffered fraud losses.

Last week, Heartland agreed to pay $3.6 million to settle claims with American Express Company.


Lawsuit Alleges Netflix Violated The Video Privacy Protection Act

I like the Netflix service. It's a convenient, inexpensive method to watch movies. I have been a happy customer for several years. I was distressed to read this in the MediaPost Daily Examiner:

"When Netflix released a trove of "anonymized" information about consumers as part of a contest for a better recommendation tool, it only took a few weeks for researchers at the University of Texas at Austin to show how easily the data could be de-anonymized... If Netflix was chagrined by this development, you'd never know it. Not only did the company continue with the contest, but proudly declared it intends to hold a second one -- for which it will release even more information than last time. For the new contest, Netflix will make available customers' gender, ages, ZIP codes and previously rented movies in hopes of gleaning insight into users' tastes... Researchers have known for more than a decade that gender plus ZIP code plus birthdate uniquely identifies a significant percentage of Americans... "
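The point in the quote above, that gender plus ZIP code plus birthdate uniquely identifies a large share of people even after names are stripped, is the standard k-anonymity argument. The following is an added example (not code from the post, from Netflix, or from the researchers it mentions) that runs that check over a small constructed dataset: it counts how many "anonymized" records are unique on those three quasi-identifiers, then shows the usual release-time mitigation of coarsening the fields and suppressing any record that still sits in a class smaller than k. The records, ZIP codes and rental titles are all made up for the example.

```python
from collections import Counter

# Constructed sample dataset (not Netflix data). Direct identifiers such as
# name and e-mail were removed, but the quasi-identifiers gender, ZIP code
# and birthdate remain alongside the sensitive attribute (rental history).
SAMPLE_RECORDS = [
    {"gender": "F", "zip": "02134", "birthdate": "1975-03-14", "rentals": ["Alien", "Brazil"]},
    {"gender": "M", "zip": "02134", "birthdate": "1975-03-14", "rentals": ["Casablanca"]},
    {"gender": "F", "zip": "02134", "birthdate": "1982-11-02", "rentals": ["Dune"]},
    {"gender": "F", "zip": "02139", "birthdate": "1975-08-21", "rentals": ["Eraserhead"]},
    {"gender": "M", "zip": "02139", "birthdate": "1990-07-30", "rentals": ["Fargo"]},
    {"gender": "M", "zip": "02139", "birthdate": "1990-07-30", "rentals": ["Gattaca"]},
]


def exact_key(record):
    """Quasi-identifiers at full precision: gender, 5-digit ZIP, full birthdate."""
    return (record["gender"], record["zip"], record["birthdate"])


def generalized_key(record):
    """Coarsened quasi-identifiers: gender, 3-digit ZIP prefix, birth year only."""
    return (record["gender"], record["zip"][:3], record["birthdate"][:4])


def equivalence_classes(records, key_fn):
    """Map each quasi-identifier combination to the number of records sharing it."""
    return Counter(key_fn(r) for r in records)


def k_anonymity(records, key_fn):
    """The k in k-anonymity: size of the smallest equivalence class.
    k == 1 means at least one person is pinned down by the quasi-identifiers alone."""
    return min(equivalence_classes(records, key_fn).values())


def unique_records(records, key_fn):
    """Records whose quasi-identifier combination occurs exactly once in the release."""
    counts = equivalence_classes(records, key_fn)
    return [r for r in records if counts[key_fn(r)] == 1]


def release(records, key_fn, k_min):
    """Release-time gate: coarsen quasi-identifiers with key_fn and suppress
    any record whose equivalence class is still smaller than k_min."""
    counts = equivalence_classes(records, key_fn)
    released = []
    for r in records:
        if counts[key_fn(r)] >= k_min:
            gender, zip_code, birth = key_fn(r)
            released.append({"gender": gender, "zip": zip_code,
                             "birthdate": birth, "rentals": r["rentals"]})
    return released


if __name__ == "__main__":
    print("k at full precision:", k_anonymity(SAMPLE_RECORDS, exact_key))
    print("unique at full precision:", len(unique_records(SAMPLE_RECORDS, exact_key)),
          "of", len(SAMPLE_RECORDS))
    print("unique after coarsening:", len(unique_records(SAMPLE_RECORDS, generalized_key)))
    safe = release(SAMPLE_RECORDS, generalized_key, k_min=2)
    print("released with k >= 2:", len(safe), "records; k =", k_anonymity(safe, exact_key))
```

On this sample four of the six records are unique at full precision, so a third party holding a public list with names, ZIP codes and birthdates could match those four rows directly; coarsening to ZIP prefix and birth year still leaves two unique rows, and only the suppression step gets the release to k = 2. The trade-off is that suppression discards data, which is exactly the tension a contest built on "releasing even more information" runs into.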

Last week, Wired magazine reported on the Doe v. Netflix class-action lawsuit filed in Federal Court in California (PDF document), in which Netflix's release of insufficiently anonymized data allegedly outed a lesbian customer.

When will corporate executives learn that they don't own consumers' sensitive personal data? When will corporate executives learn that consumers have entrusted them with their sensitive personal data, and that this trust can easily be broken and hurt their brands?

Maybe Netflix executives ignored the Facebook-Beacon privacy fiasco. Maybe Netflix executives were hoping that during the holiday season we consumers wouldn't be paying attention. And the coming lawsuits should get the attention of these executives.

Well, we consumers are paying attention. If Netflix continues with activities like the above contest, then I will probably switch to a different service to view movies.


Heartland To Pay American Express $3.6 Million For Breach

Last week, PC World reported:

"Heartland Payment Systems will pay American Express US$3.6 million to settle charges relating to the 2008 hacking of its payment system network. This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year."

Heartland processes credit card and debit card transactions. Typically after a breach banks and credit card issuers incur expenses to delete the compromised credit card accounts and issue new credit/debit cards to consumers. So, it is appropriate for Heartland to reimburse the credit card brands and credit card issuers.

"Heartland has also had to pay out fines assessed by other brands such as Visa and MasterCard. Typically, these card brands levy fines against those responsible for data breaches."

Earlier this year, the company set aside over $12 million to cover fines and other breach-related expenses. In February of 2009, at least two class-action lawsuits were filed against Heartland. By June, about 31 lawsuits had been filed.


ID Watchdog and InComm To Jointly Produce New Identity Theft Products For Consumers

I found this video interesting:

After watching the video, I visited the ID Watchdog web site to learn more about their service. My first interaction with the site was a positive one. I found it easy to read and easy to understand the identity protection services it provides. ID Watchdog seems to be moving towards the comprehensive detection I look for in a service, since it monitors a dozen different databases that store consumers' sensitive personal data. ID Watchdog has a data-sharing agreement with Acxiom.

My experiences with other identity protection services haven't been so positive. You can access reviews of other identity protection services on the Reviews page in this blog.

I hadn't heard of InComm before. They seem to make and distribute cards that have stored value... like the gift cards you'd buy in a big-box retail store chain or grocery store chain. I am sure that this blog will cover during the coming months reviews of products by InComm and ID Watchdog.


11 Reasons Why Data Security Is Good For Profits

At Law Technology News, David Bender has compiled a good list of reasons why it is profitable for companies to focus on good data security and privacy during tough economic times:

  1. Reduced customer churn
  2. Reduced risk of damage from contractor malfeasance
  3. Avoidance of the monetary cost associated with a data breach
  4. Reduced probability of brand damage
  5. More effective use of information
  6. Protection against discontented employees

This list is also applicable to law firms, since attorneys have received an exemption from the FTC Red Flag Rules. To read the full list of Bender's reasons, read the Law Technology News article.


Good News For Bloggers!

eMarketer summarized the results of a recent study by Technorati of bloggers worldwide. I found these results particularly interesting:

"... most are men, ages 18 to 44, affluent and well-educated. About one-quarter work for a traditional media outlet in addition to blogging, and most still don’t make any money from their self-publishing activities... 70% of bloggers polled by Technorati said they talked about products or brands on their blog. The most common activity was to post about brands they loved—or hated—as well as to write reviews or post about experiences with stores or customer service. Nearly six in 10 of all the bloggers surveyed said they were better known in their industry because of their blog..."

Those findings dovetail with what this blog is about... consumers' experiences with companies regarding identity theft and data breaches. This blog also provides reviews of various credit monitoring services. To browse available reviews, just click on the Reviews link in the horizontal navigation bar at the top of this page. You will find plenty of readers' comments underneath each review. In some instances, a vendor's representative has also submitted comments.

Yet, there's more from the Technorati study. Perhaps, most importantly:

"... bloggers who post for a business reported even higher levels of success: 71% had increased visibility for their company, 63% had converted prospects into purchasers through their blog, and 56% have seen their blog bring their company recognition as a thought leader in the industry."


Mugged By The Health Care System

This is one of those times when I must deviate from the usual identity-theft content and discuss something more important.

I encourage you to read the Matter of Life, Death article in the St. Petersburg Times newspaper. The author is a close friend of mine who I have known since freshman year of college:

"I am scheduled to begin dying on Feb. 1, 2010. Although I have been an insulin-dependent Type 1 diabetic for 22 years, my health has always been very good. My condition has never impaired my enjoyment of life; I've never had a diabetic emergency. Luck, of course, has played a part, as has educating myself about diabetes management. By far, though, the single most critical element of my vitality has been excellent health insurance coverage. That will end on Jan. 31, the day my COBRA insurance benefits run out."

For those who are unfamiliar with the financial issues many consumers face with health care insurance, Robert does an excellent job of highlighting the numbers:

"I continued my insurance coverage under COBRA, paying the entire $579 monthly premium... I wear a $5,000 insulin pump — the third one insurance has paid for since 1999. The pump's insulin-delivery kits, which must be changed every three days, cost $199 a month at market rates; insurance pays the full cost now. The insulin itself costs $338 a month (my current co-payment is $54). The test strips used in my blood-glucose testing monitor cost more than $200 a month over the counter (my current co-payment is $48)."

Please read the entire article. It's easy to be an opponent of health care reform when your life isn't at risk. We Americans tend to forget that people are dying due to a lack of or inadequate health care insurance.

The conversation needs to get personal.

Tell your elected officials that people are dying and will keep dying while they diddle. And send them the link to the above article.


Judge Dismisses Lawsuit About Express Scripts Breach

Last week, SC Magazine reported:

"A federal judge has dismissed a Missouri man's lawsuit against pharmacy benefit management firm Express Scripts, which suffered a data breach that exposed sensitive customer data. John Amburgy alleged that Express Scripts was negligent because it did not secure its database, leaving the system vulnerable to hackers who stole customer data, including names, Social Security numbers, birth dates and prescription information... Amburgy contended that he and other victims faced an increased risk of becoming the victims of identity theft. He sought damages for the time and money he spent protecting his identity after the breach. The case was dismissed last week by U.S. Magistrate Judge Frederick Buckles because Amburgy could not prove that his information was actually used fraudulently."

You may recall that Express Scripts received an extortion letter demanding money, or the thieves would expose the stolen personal information: either use it fraudulently or resell it to other identity criminals. More than 700,000 consumers were affected.

The judge's decision seemed very consumer-unfriendly to me. I guess that a consumer has to actually experience theft of their money or a financial account takeover (or drainage of funds) in order to prove negligence.



Update On The Health Net Breach

The Arizona Attorney General acted first after 1.5 million consumer records were exposed or stolen during this data breach. Earlier this week, the Hartford Business Journal reported:

"Attorney General Richard Blumenthal says a missing disk containing confidential data on almost 450,000 Health Net patients in Connecticut may have been stolen, rather than lost. Blumenthal said today he is notifying federal criminal investigators, asking that they take a closer look into the matter... Blumenthal said Health Net lost the information in May, but never informed consumers, the police or his office about the loss of information. He said the six-month delay in giving notice to consumers and the state could be a violation of the law. Meanwhile, Blumenthal also is probing Health Net's proposed deal to sell its northeastern licensed subsidiaries..."

While the breach has been bad news for consumers, these actions by local government are good news for consumers and breach victims. I wish Connecticut Attorney General Blumenthal continued success.


Beware Of Phishing Emails About Fake CDC Flu Vaccination Registrations

Here's an important notice for consumers, so you don't get "mugged" during the flu season. The Centers For Disease Control published an advisory for consumers:

"CDC has received reports of fraudulent emails (phishing) referencing a CDC sponsored State Vaccination Program. The messages request that users must create a personal H1N1 (swine flu) Vaccination Profile on the cdc.gov website. The message then states that anyone that has reached the age of 18 has to have his/her personal Vaccination Profile on the cdc.gov site. The CDC has NOT implemented a state vaccination program requiring registration on www.cdc.gov. Users that click on the email are at risk of having malicious code installed on their system."

Learn how to recognize a phishing e-mail message and a phishing web site. Or, read this blog post.
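The lure described in the advisory works because the message talks about cdc.gov while its link points somewhere else. As an added example (not from the CDC advisory or from this blog), here is a small check a mail filter or a curious reader could run over a message: it pulls every link out of the HTML body, compares the link's real host against a list of domains the message claims to represent, and separately flags links whose visible text names a trusted domain while the href goes elsewhere. The message below is constructed for the example, and the lookalike domain in it is a placeholder, not a real indicator from the advisory.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the advisory's description: the text invokes
# cdc.gov, one link really goes to cdc.gov, the other only looks like it does.
# The ".example" host is a placeholder, not a real phishing domain.
SAMPLE_MESSAGE = """\
From: "CDC Vaccination Program" <noreply@cdc.gov>
Subject: Create your personal H1N1 Vaccination Profile
Content-Type: text/html

<html><body>
<p>Anyone who has reached the age of 18 must create a Vaccination Profile on cdc.gov.</p>
<p><a href="http://cdc.gov.vaccination-profile.example/login">Create your profile at www.cdc.gov</a></p>
<p><a href="https://www.cdc.gov/h1n1flu/">Official H1N1 information</a></p>
</body></html>
"""

# Domains the message claims to speak for; anything outside them is suspect.
TRUSTED_DOMAINS = {"cdc.gov"}

# Crude anchor extractor: good enough for simple HTML bodies like the sample.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def in_domain(host, domain):
    """True if host is domain itself or a subdomain of it.
    'cdc.gov.something.example' is NOT in 'cdc.gov': the suffix is what counts."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def extract_anchors(raw_message):
    """Return (href, visible_text) pairs from the HTML body of an RFC 822 message."""
    body = message_from_string(raw_message).get_payload()
    return [(href, re.sub(r"\s+", " ", text).strip()) for href, text in ANCHOR_RE.findall(body)]


def suspicious_links(raw_message, trusted=TRUSTED_DOMAINS):
    """Flag links whose real host is outside every trusted domain.
    Each finding is (href, host, reason)."""
    findings = []
    for href, text in extract_anchors(raw_message):
        host = (urlparse(href).hostname or "").lower()
        if any(in_domain(host, d) for d in trusted):
            continue
        # A link text that mentions a trusted domain while pointing elsewhere is
        # the classic lure; report it more specifically than a plain outside link.
        if any(d in text.lower() for d in trusted):
            findings.append((href, host, "link text names a trusted domain but host differs"))
        else:
            findings.append((href, host, "host outside trusted domains"))
    return findings


if __name__ == "__main__":
    for href, host, reason in suspicious_links(SAMPLE_MESSAGE):
        print(f"SUSPICIOUS: {href}\n  host={host}\n  reason={reason}")
```

The check deliberately matches on the domain suffix rather than on whether the string "cdc.gov" appears anywhere in the URL, because a hostname can start with a trusted name and still belong to someone else. It says nothing about the From header, which is trivially forged; the useful signal is where the link actually leads.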


In-Flight WiFi Service Presents Usability Problem During Sign-Up

While flying between Boston and Los Angeles last week on business, I had the opportunity to use the in-flight WiFi service offered on Virgin America. The WiFi service is GoGo, which turns the entire plane into a flying hot-spot.

The WiFi service is free on Virgin America until January 15, 2010. It was convenient since I had plenty of time during the 6-hour flight to surf the Internet at 37,000 feet. My only complaint about the GoGo in-flight Internet service: it doesn't provide consumers with the opportunity to read the GoGo Privacy Policy before signing up.

You can read the GoGo Terms Of Use policy before signing up, which I did. While reading it, I noticed a link in it to the GoGo Privacy Policy. When I followed that link, the GoGo Privacy Policy page wouldn't load in my Web browser.

This seemed unfriendly to consumers and unnecessary.

GoGo is no small operation. According to a company press release, GoGo already has one-million customers. GoGo is produced by Aircell LLC. It should be easy to provide access to both policies before sign-up.

Perhaps you are like most consumers and don't read the Terms of Service and Privacy Policy at a web site before registering to use that site. I read these documents because I want to know what I am registering for, and what support the company will provide should things go bad. These documents often disclose what data of yours the Web site will keep, reuse, and resell to other companies.

In my opinion, to ignore and not read a Web site's Terms of Service and Privacy policies is like surfing the Internet with your eyes shut. You may get where you are going, but you'll probably encounter plenty of difficulty along the way.

While I doubt there were any side-jacking thieves on board my flights, consumers should have access to both the Terms of Service and Privacy policies before signing up... especially with in-flight services like GoGo, which will become more commonplace.

When I returned from my business trip, there was an e-mail message in my in-box from GoGo asking me to provide feedback about their WiFi service. That survey and this blog post should be adequate feedback.