Previous month:
January 2010
Next month:
March 2010

14 posts from February 2010

Facebook Snafu Sends Email Messages To Wrong People

This is reason enough to stop using Facebook mail and/or to cancel your Facebook account. From the Wall Street Journal Digits blog:

"Last night, in an embarrassing glitch for Facebook that raises questions about privacy on the site, some users of the social-networking service began getting hundreds of personal messages that weren’t intended for them. A WSJ.com editor, Zach Seward, tipped Digits off to the apparent glitch after his Facebook inbox was flooded with messages ranging from the mundane to the truly private... Mr. Seward, who received emails from about 100 people, said the deluge started at about 8:30 p.m. and that he was later temporarily unable to access his Facebook account. Facebook removed all but two of the messages. But like many Facebook users, Mr. Seward has these messages sent to his third-party email account, where they remain. He said he has not heard from Facebook regarding the glitch... It is unclear how many Facebook users have been affected by the problem, but several Twitter users reported the glitch."


How Credit Cards Work: The Daily Show

The new credit card rules are now in effect. The video (~ 10 minutes) below explains what that means with humor:

The Daily Show With Jon StewartMon - Thurs 11p / 10c
Make it Rain - Bank of America
www.thedailyshow.com
Daily Show
Full Episodes
Political HumorHealth Care Crisis

Now you know why I do not have a credit card with Bank of America. Move your money today to a local bank or credit union.


Don't Get 'Mugged' By The Area Code Phone Scam

I often write about scams by criminals trying to either trick consumers out of their money, or trick consumers into revealing their sensitive personal and bank account information.

When I returned from vacation last week, there was a voice-mail message on my home phone from a woman who said she called me a couple months ago and asked me to return her call. She only gave a first name (which I didn't recognize), didn't mention the company she was with, and didn't leave a message why she called. Plus, the phone number she left had an Area Code I didn't recognize.

Then, I saw this AT&T press release:

"809 Area Code Scam: Be cautious when responding to e-mails or phone calls from the 809, 284 or 876 area codes. This long distance phone scam causes consumers to inadvertently incur high charges on their phone bills. Consumers usually receive a message telling them to call a phone number with an 809, 284 or 876 area code in order to collect a prize, find out information about a sick relative, etc. The caller assumes the number is a typical three-digit U.S. area code; however, the caller is actually connected to a phone number outside the United States, often in Canada or the Caribbean, and charged international call rates. Unfortunately, consumers don't find out that they have been charged higher international call rates until they receive their bill."

The FCC alert also includes the 649 Area Code. For those who are curious, Area Code 649 is Turks and Caicos; 809 is the Dominican Republic; 284 is the British Virgin Islands; and 876 is Jamaica. At the FCC (U.S. Federal Communications Commission) site, you can also file a complaint.

Obviously, it is wise to return the calls only of people whose names your recognize. I didn't fall for this scam and I hope that you don't either. The AT&T press release has tips on what to do to avoid falling for this scam, and what to do if you have already been scammed.

I frequently use Snopes.com to verify e-mail messages I receive which seem odd. Snopes.com also includes a warning by the 809 Area Code scam.


Ripoffs For Consumers to Avoid

This blog is all about what to do if you have been "mugged" or abused by a company or identity criminal, and what to do to avoid getting "mugged." Recently, CNNMoney published a list of, "America's Biggest Ripoffs." Thanks to my friend and I've Been Mugged reader, Bill, for the link.

I knew that text messaging and hotel mini-bars would definitely be on the list. I was happy to see this item also on the list of ripoffs:

"There's nothing free about forking over $179 a year for information at Freecreditreport.com. Instead you can go to AnnualCreditReport.com, which is run by the Federal Trade Commission, and get a truly free report once a year from each of the credit agencies: Equifax, Experian and TransUnion. Freecreditreport.com's catchy ditties can get stuck in your head for days -- but subscribing to the service will haunt your credit card bill for a year. When you sign up, you're asked for your credit card number. Then the site automatically enrolls you in its "Triple Advantage credit monitoring," which pledges to continuously track your credit status for $14.99 per month."

A warning: if you decide to use FreeCreditReport.com, read the fine print and contract terms closely, first. You do have seven (7) days within the trail period to cancel the credit monitoring service. I strongly urge you to browse the entire list of ripoffs.

What do you think? Should FreeCreditReport.com be on the list of ripoffs?


Readers Report Actions of Check Scam Artists

When I started this blog, I knew that identity theft was a hot topic. I just didn't know how hot.

Since I wrote this post about a check scam underway at the Craig's List sites, readers shared their experiences with avoiding check scammers. Several I've Been Mugged readers have submitted comments with tips about the habits of a specific check scammer who goes by the (obviously fake) name of Mr. Brahm. Tele-me wrote:

"i just received a check in the mail for way too much money on a car i was selling to mr. brahm. thank you for letting me know it was a scam. i looked in to it. his real name is michael harr lives in san diego ca..."

Laura included the text of one of Mr. Brahm's letters and added:

"I post the following only to show that Mr. Brahm, AKA Michael Harr - as per further research on other scam sites, is still in full operation. Furthermore, he has become more sophisticated in his language (no more misspellings!) and manner of address, making much more reasonable statements than before. In fact, the only matter of concern on my part was his claim that he was not able to see the item in person... he will eventually use another name/email address, etc. and it seems important for people to be able to recognize the style of his particular scam."

I suggest you read more comments about the check scam to better recognize this phishing e-mail. A variation of this scam tries to trick consumers into a phony job to wire money to an overseas address.

These attempts by scammers to trick consumers out of their money (or reveal their sensitive personal data and bank account information) is a reminder for consumers to verify the identity of a buyer; especially if they offer to pay more for an item than the asking price, and aren't interested in viewing the merchandise first. One way to check the identity is to do a Google (or Bing or Yahoo) search on the letter sender's name and e-mail address. Or check the scam/fraud section of the Web site you are using, including job search sites.

Last, I'd like to thank I've Been Mugged readers for sharing their experiences and comments. This helps all of us be informed shoppers and consumers. A wise person once told me that, "All of us together are smarter than any one of us." That is advice I firmly believe.


My New Year's Gift From Best Buy: Good Customer Service

I think that it is important to acknowledge good customer service when it happens. There are plenty of customer service horror stories on the Internet.

In April 2007, I bought a Toshiba Satellite A135 laptop. The laptop performed well at home and during several vacations to Florida, Aruba, and an Eastern Mediterranean cruise. After about 18 months, the laptop started to give me problems. The first problem: the laptop refused to charge the battery. Thinking that it might have been a power cord or battery issue, I bought a replacement power cord and battery.

Swapping out the battery and power cord failed to solve the problem. Removing the battery and trying to operate the laptop solely on standard household electricity didn't solve the problem either. The laptop would not start.

In April 2009, I brought my laptop to the nearest Best Buy store (in Boston's Dorchester section) and left it with Geek Squad, the on-site service option in Best Buy stores. Thankfully, I'd purchased a maintenance plan when I bought the laptop. Two weeks later, I picked up my laptop with a new power cord and new motherboard. Everything seemed okay.

In July 2009, the same problems returned: the laptop failed to charge the batter and it wouldn't run off of standard household electricity. So, another trip to the local BestBuy store to drop off my laptop with Geek Squad. Two weeks later, I picked up my laptop with a new power cord and a new motherboard. Once again, everything seemed okay.

Just after Thanksgiving 2009, the same problems returned again. One could call this Toshiba Satellite laptop a "lemon." So, another trip to the local BestBuy store to drop off my laptop with Geek Squad. This time, I made sure to reference the prior two service orders so that the technicians would consider the laptop's service history and problems. While a new motherboard would be free (thanks to the service plan), that didn't seem like a productive solution since it would likely fail in three to four months, as before.

This time, when I returned to the local Best Buy store after the Christmas holiday rush, a Geek Squad representative informed me that instead of fixing my buggy laptop, Best Buy would replace it with a comparable new laptop. The representative provided me with the appropriate documents and explained that a Best Buy sales representative would select the new laptop, which turned out to be an Acer Aspire 5532. And it was free!

Would I have bought an Acer laptop on my own? Probably not, but I was ready to try a different brand given the numerous problems I experienced with my Toshiba laptop. A new, free laptop definitely appealed!

Yes, I had to go through the inconvenience of re-installing software on my new laptop, but... I have a new laptop. Yes, I had to pay for a new maintenance and service plan for my new Acer laptop, but I view that as a good investment in case something goes wrong.

So, good customer service does happen, and I wish to thank Best Buy and Geek Squad publicly with this blog post. What I learned from this experience:

  • Back up your data. Fortunately, I did.
  • Back up your e-mail messages. Unfortunately, I didn't. Geek Squad returned the hard drive from my old Toshiba Satellite laptop, so I can still recover important email messages
  • Keep your sign-in credentials to software accounts handy. I was able to sign into my McAfee account and transfer my license from my old Toshiba laptop to my new Acer laptop
  • Buy the best maintenance and service plan available. With a portable, high-use product like a laptop computer you'll probably need it.
  • Keep copies of service orders for your equipment. If your laptop suffers repeated problems, it is to your advantage to reference prior service work.

An Analysis of the Amburgy v. Express Scripts Court Case

At the FindLaw site, Anita Ramasastry, a FindLaw columnist and Director of the Shidler Center for Law, Commerce & Technology, analyzed the Amburgy v. Express Scripts court case. In this case, a consumer sued a company claiming negligence, after that company's data breach and subsequent extortion letter from one of the hackers:

"What happens when a company that has been subject to a breach receives an anonymous letter from someone who claims to have access to the stolen data and who states that, unless there is a payoff, he or she will use the data to commit large-scale identify theft? Such a situation is more serious than a data breach alone, but less serious than a data breach combined with fully-realized identity theft. Of course, under the criminal law, the letter's demand is extortion, and its victim is the company. But is there also a civil remedy that consumers whose data is compromised can invoke in such a situation?"

That's a good question. Can consumers sue a company after a data breach and claim that the company should have done more to protect their data, because now the data breach victims bear a risk that didn't exist before the data breach:

"That was the question posed in Amburgy v. Express Scripts... The complaint alleged that the company breached its duty to maintain adequate security measures, and that this failure resulted in the data breach where millions of customer records were compromised. As a result, it alleged, plan members had been exposed to an increased risk of becoming victims of identity theft crimes, as well as fraud and extortion. The plaintiffs sought damages for emotional distress resulting from the fear of future identity theft. They also sought damages for costs incurred by plan members who had incurred costs for credit monitoring to prevent such losses. The suit claimed that the company's actions constituted negligence and breach of contract, and that these actions had also violated state consumer statutes."

I know that I definitely felt that way after IBM's 2007 data breach. I felt that IBM, through its own carelessness or the carelessness of one of its vendors, didn't protect the sensitive personal data of employees and former employees that was exposed (e.g., lost or stolen) -- including mine. After that breach, I had to take actions that I wouldn't have had to take if the IBM breach hadn't happened.

Yes, IBM paid for free credit monitoring and resolution for one year for its breach victims. The reality: long after the free period ended, I had to remain vigilant and continue monitoring my credit reports. To me, 10 or 15 years of free credit monitoring services seemed more appropriate. After all, IBM is one of the top computing and  security companies on the planet.

So I can fully understand how the class-action plantiffs must have felt in the Amburgy v. Express Scripts case. How the court ruled:

"... a Missouri federal court hearing the case held that even such a threat is not enough to form the kind of injury that gives a consumer standing to sue the company for negligence."

Why the court ruled against the plaintiffs in Amburgy:

"... the court invoked the law of standing – that is, the body of law that examines whether a would-be plaintiff has suffered the type of injury that the court deems a valid basis on which to ground a lawsuit. The Amburgy court found that the injury at issue was not sufficiently concrete to be the basis to sue for a negligence claim... Standing requires "injury in fact" and the court held that a possibility of injury is did not meet the standard."

The extortion letter was not enough. Amburgy wasn't on the list of 75 stolen identities the hackers shared in their letter. Amburgy hadn't had any money stolen from his bank accounts, or fraudulent loans taken out in his name.

Translation: a consumer has to suffer real identity fraud first: loss of money, getting your bank accounts hacked, or fraudulent loans taken out in your name. After that, then you can sue -- provided you have the money and resources to sue and can prove the connection between your identity fraud and the corporate data breach.

The court's decision is understandable and unfortunate. In this age of the Internet and computing, sensitive personal data can be transmitted quickly and resold anywhere worldwide, and it seems that the criminals are rarely caught. All of this makes it extremely difficult for the average consumer to prove that the fraud and stolen bank account monies they experienced are directly connected to a corporate data breach that happened weeks or months ago.

There has to be a better way... a middle ground that balances the needs of consumers and the needs of companies:

"Finally, the courts that have rejected "identity theft risk" cases may feel that the courts should not be the only -- and may not be the best -- place for developing new risk- mitigation principles and tools. Congress may be the best place to develop a unified solution..."


How Consumers Should Prepare For New Credit Card Rules That Start February 22, 2010

An excellent article at Barnkrate.com lists five tips for consumers who use credit cards. You may remember that President Obama signed into law the Credit Card Accountability, Responsibility and Disclosure Act on May 22, 2009. Two provisions became effective last August, and more provisions become effective on Feb. 22, 2010. Here's what you need to know and do:

"1. Beware the advance notification exceptions. On Aug. 20, 2009, a provision that required 45 days' advance notification of "significant" terms changes took effect. It applies to fees and finance charges, as well as some rate increases. Loopholes in the law... the law doesn't require 45 days' advance notification for credit limit decreases.... Issuers also don't have to provide 45 days' advance notice of rate hikes triggered by a 60-day late payment, expiration of a promotional rate, termination or completion of a workout agreement, or shifts in a variable-indexed interest rate."

What you need to do:

"Read notices from your issuers, and verify the rate and credit limit each month when you get your monthly statement, especially before making a large purchase. Going near your credit limit can hammer your credit score."

Another important tip:

"2. Don't fall into retroactive rate-hike loopholes. Come Feb. 22, existing balances will be protected in most circumstances from a rate increase. If you miss the due date by two months or more, however, the APR applied to that debt can skyrocket. Owe a balance after a promotional rate expires and your rate can increase up to the regular APR."

Another important tip:

"4. Permission needed to go over-limit. Under the CARD Act, a purchase that exceeds the credit limit can't trigger an over-limit fee unless the cardholder has opted in to allow over-limit transactions. The consumer must be informed of the overlimit fee they will incur if they surpass their account limit."

What you need to do:

"The law doesn't prohibit approval of over-limit charges when the customer hasn't given permission for them, but does leave room for denial. If you need to go over-limit for whatever reason, you can switch on your over-limit privileges at any time, by making the request in writing, orally or over the Internet."

You have been warned. I encourage you to read the complete article and all five tips.


New York State Attorney General Files Suit Against Bank of America

Yesterday, the New York Times reported:

"Bank of America settled a regulatory complaint with the Securities and Exchange Commission on Thursday even as New York’s attorney general accused the bank, its former chief executive and chief financial officer of securities fraud. In a lawsuit filed on Thursday, the attorney general, Andrew M. Cuomo, asserted the bank and the two officers — Kenneth D. Lewis, the chief executive, and Joe L. Price, the chief financial officer — misled shareholders and the government about the merger with Merrill Lynch."

In a settlement with the S.E.C., the bank agreed:

"... to pay a $150 million fine and strengthen its corporate governance rules... n his complaint, Mr. Cuomo said that the bank first chose not to disclose the losses involving Merrill Lynch, which topped $16 billion, to its shareholders who were voting to approve the deal. Then, the bank told federal officials that those same losses had persuaded bank executives to consider backing out of the deal, unless the government provided a second bailout."

Prior posts in this blog have covered the excesses by banks with consumer credit cards. The Frontline "The Credit Card game" program explained more about how the system is rigged against consumers. We consumers have met the banks and experienced huge increases in credit card interest rates. Some consider banks the new loan sharks for the 21st century. Both the settlement and the new lawsuit sound about right to me.


How To Make Sure Your Bank Accounts Are Covered By FDIC Insurance

You work hard for your money. Naturally, you want to make sure your money is protected. The Federal Deposit Insurance Corporation (FDIC) insures the deposits at member banks. The current FDIC insurance limits:

"If you (or your family) have deposits at one FDIC-insured bank with a combined total balance less than the basic maximum insurance amount under federal law – currently $250,000 through year-end 2013 – all of that money is fully protected. And, as always, you may qualify for much more than the standard maximum insurance amount at the same bank – perhaps millions of dollars of coverage – if you have funds in different "ownership" categories. That's because the FDIC's rules allow for separate $250,000 coverage for deposits held in your name alone (single accounts), accounts with one or more other people (joint accounts), accounts that name beneficiaries when you die (testamentary or revocable trust accounts), and certain retirement accounts, such as Individual Retirement Accounts (IRAs)."

All of this sounds great. How can a consumer easily find out which accounts are insured? Try EDIE, an online estimation tool by the FDIC.

To use EDIE, first you enter (or select) your bank. EDIE has a nice look-up mechanism to find your bank by name and by branch location. Then, select the type of account (e.g., checking, savings, IRA, etc.) you have at that bank, and the amount in that account. You then repeat this last step for each account you have at the same bank.

After entering this data, EDIE will tell you if each account at that bank is covered by FDIC insurance, the amount insured by the FDIC, and if any amounts are not insured (e.g., over the FDIC insurance limit). This presentation by EDIE makes it easy to see how much money you must move to another bank so that it is insured by the FDIC.

I hope that you will use EDIE. I did. It's easy to use.


Are Social Networking Sites Becoming a Security Risk?

Earlier this week, Sophos released the results of a survey which found:

  • 57% of users report they have been spammed via social networking sites, a rise of 70.6% from last year
  • 36% reveal they have been sent malware via social networking sites, a rise of 69.8% from last year
  • 72% of firms surveyed are worried that employee usage of social networking sites places their firms at risk
  • Survey respondents identified Facebook as the social networking site posing the greatest security risks
  • 49% of companies survey allow their employees unrestricted access to Facebook, up from 36% a year ago

These results are part of Sophos' 2010 Security Threat Report (PDF, 3.22 MB), which explores current and emerging computer security trends:

"... criminals identify potential victims on social networks, and then attack them, both at home and at work. In Sophos's opinion, many Web 2.0 sites are concentrating too much on growing their marketshare at the expense of properly defending their existing users from internet threats."

When asked which social networking site posed the greatest security risk, 60% of respondents identified Facebook. MySpace was rated second (18%), followed by Twitter (17%) and LinkedIn (4%).

"Although LinkedIn is considered to be by far the least threatening of the networks, Sophos advises that it can still provide a sizeable pool of information for hackers... Sites like LinkedIn provide hackers with what is effectively a corporate directory, listing your staff's names and positions. This makes it child's play to reverse-engineer the email addresses of potential victims."

I'm surprised that the report didn't mention Tagged, Classmates, Youtube, Plaxo, and Flickr in the list of social networking sites that might pose a security risk.

In a related news story, ZDNet Asia listed the top five security threats as:

  1. Malware
  2. Spam
  3. Targeted attack through employees
  4. Phishing
  5. Human error, leading to leaked corporate data

Cost Of A Corporate Data Breach Rose Again in 2009

Last week, PGP Corporation and the Ponemon Institute announced the results of the fifth annual U.S. Cost of a Data Breach Study. Results from the U.S. study:

  • The average cost per customer record increased to $204 in 2009 from $202 in 2008
  • The average total cost per corporate data breach increased to $6.75 million in 2009 from $6.65 million in 2008
  • The single highest breach cost was $31 million. The lowest single breach cost was $750,000
  • Breaches caused by insiders (e.g., employees, contractors) decreased in number
  • The percentage of companies that encrypt customer records increased to 58% from 44% in last year's survey
  • Breaches by third parties (e.g., subcontracters, affiliates) dropped slightly to 42% of all breaches in 2009 from 44% in 2008

The total cost of a corporate data breach includes several items: expenses for investigation of the breach incident, detection and resolution expenses for ongoing breaches, legal and administrative expenses, customer defections, company reputation management, notification expenses to government agencies and breach victims, technical consultants' fees, and customer support costs including hot-lines and credit  monitoring subscriptions for breach victims.

The study included an analysis of 45 data breach incidents, wit the size of the breach ranged from 5,000 to 101,000 customer records exposed. The study analyzed companies from 15 industries: financial services, retail, health care, services, education, technology, manufacturing, transportation, consumer, hotels and leisure, entertainment, marketing, pharmaceutical, communications, research, energy and defense.


Don't Get "Mugged" At A Gas Pump. Protect Your Debit Card Number and PIN

Prior posts have warned consumers about skimming scams at ATM machines and how to recognize and avoid ATM machines that has been tampered with. As consumers have use their debit cards more often at a wider range of retail stores, identity thieves have moved their skimming scams accordingly.

I wasn't surprised to read that criminals operate card-skimming scams at gas stations, and not just at ATM machines. I was surprised to learn the following: at ATM machines criminals attach a portable card-skimming device on the outside of the ATM card slot (where it can be seen if you are alert), but at gas stations criminals insert a portable card-skimming device inside the gas pump where it can't be seen by consumers.

Inside the gas pump? Read the scam alert from the AARP Webletter:

"Soon after filling up at the gas pump, a motorist learns that his bank account has been emptied. What happened? Another case of “skimming,” in which crooks place a portable card-reading device—readily available over the Internet—inside the pump. When the customer inserts his debit card and enters the required personal identification number, the device captures both the data from the card’s magnetic stripe and the PIN. Later, the devices are retrieved, and the stolen data is used to create a duplicate card to raid the victim’s bank account."

Gas stations are becoming a more popular target by identity thieves since the gas pumps are frequently unattended and not monitored by security cameras. This makes it easier for criminals to insert a portable card-reader device inside the gas pump to steal consumers' bank account information:

"That was the case with one member of the Russian mob, which is often behind organized skimming rings. He took a job at an Arco station and placed a skimming device inside a gas pump. After he disappeared, authorities learned that his hidden skimmer stole $300,000 from customers’ debit cards."

The skimming scams are made easier by older gas station pumps that don't encrypt the PIN numbers.

What should a consumer do to avoid getting "mugged" at a gas station? The first priority is to protect your personal identification number (PIN). Experts advise that consumers should:

  1. Pay at the pump using the "credit" option and not the "debit" option. This provides you with greater protections, liability limited to $50, and you don't use your PIN. Plus, you receive loyalty points if your credit card has a loyalty program.
  2. If you want to pay using the "debit" option, don't pay at the pump. Go inside the gas station and pay at the cashier's window. If a "signature debit" is available, use that there instead of your PIN.
  3. Pay with cash if possible, since that never discloses your bank account information.

What do I do? I pay with cash, especially if I am at a gas station I don't shop at regularly.