Previous month:
February 2010
Next month:
April 2010

26 posts from March 2010

Changes at I've Been Mugged Blog

I am pleased to announce two big changes in this blog.

First, I now accept online donations from readers. Donating online is easy, fast and secure. To donate, click on the DONATE button in the far right column. It links to the secure payment flow at the PayPal site. You can donate using a credit card or with your PayPal account. Your donation can be any amount of your choice: $2, $5, $10, $25, or more. Your donations help me continue the unbiased reporting, plus product and service reviews.

Second, my blog also contains online ads. For the past two and a half years, I have funded this blog with my personal savings. It is time to explore new revenue sources. So, I've allocated a space in the near right column to rotate ads within.

For Readers

I chose an ad approach that seemed as non-intrusive as possible. The ad space is in the same location on all blog pages. Many blogs insert ads both inside blog posts and between the post and comments. I avoided these options to keep the blog easy to read.

If you find the ads interesting, I hope that you will read and click on them. allows publishers to select which which ads display on a blog, so I have tried to pick ads from trustworthy, reliable brands and companies. If you find the ads intrusive or if you disagree with the ad selections, please share your comments via e-mail. I can explore other options.

Thanks for your readership and I hope that you will donate online today.

For Advertisers

In addition to the right column ad space, there is an ad space at the page bottom on the Reviews, List of Lists, and ID-Theft Resources pages. So, you have a choice in ad size and location. Statistics about my blog are available on the Advertise page. Ad rates are available at the site.

Thanks for your interest and I hope that you will consider I've Been Mugged for your advertising needs.

George Jenkins


Meet The Publishers: Age of Conversaton 3

A prior post introduced the authors in the upcoming book. Today, I'd like to introduce the publishers.

But first, a brief background. The editors - Drew McLelland and Gavin Heaton - of Age of Conversation are not professionally-trained publishers, but are bloggers like many of us. Regardless, the Age of Conversation 2 (AOC-2) was a beautiful book, in both paperback and hardcover. Two authors from the AOC-2, Gretel Going & Kate Fleming, started a publishing company called Channel V Books and offered to help publish Age of Conversation 3 (AOC-3).

So, an agreement was reached and Gretel/Kate assumed most publishing duties for AOC-3. According to Drew McClelland, these duties included:

"... in-house management of the entire publishing and marketing processes from start to finish (often working with the author from the beginning to shape the manuscript for his/her audience and create their platforms), and their seamless connection to major online retail distribution channels such as Amazon and Barnes & Noble. Finally, they handle all royalty and online distribution/fulfillment, which allows authors to focus on personal goals and business objectives, rather than on the business of their book."

AOC-3 Editor Drew McLelland described the benefits of working with Channel V Books:

"They work with business thought leaders who need to publish books in order to promote themselves and their businesses, solidify their credibility and attract new opportunities—but don’t have the time (or desire) to learn and manage the intricacies of the publishing business in the process. Channel V Books bridges the gap between self-publishing and traditional publishing by offering the best of both worlds: the highest production quality, distribution channels, visibility, creative flexibility, ease and, most importantly, profitability."

Thanks Gretel and Channel V Books!

Scams Visit the iPhone And Return To Facebook

Last week, I wrote about some shady subscription offers by companies offering free credit reports and free credit scores. TechCrunch has a good review of some shady offers and scams affecting social media users:

"In our Scamville series of posts last October we exposed the massive user fraud occurring Facebook and MySpace social games. Fake quizzes tied to long term mobile subscriptions, malware-laden toolbar downloads and other scams were the center of the controversy. The industry did a lot of talking in the wake of those posts and some long term changes have been made... But now we’re seeing the same old scams hit the iPhone. And the same players, particularly OfferPal Media and SuperRewards and now Google, are powering those scams. Specifically we’re seeing SMS-subscription offers, which trick users into putting long term subscriptions on their mobile phones (or their parent’s mobile phones)."

What makes these shady offers so bad:

"Users are offered virtual currency in exchange for answering a quiz or some other seemingly harmless offer. But once they click through and answer the quiz questions they’re told they need to enter their mobile phone number to get quiz results. Often there is fine print outlining the charges. But the already tiny print is completely unreadable on a mobile screen, making that disclosure meaningless even when it appears. SMS subscription scams are among the most lucrative offers to game publishers because users get a recurring fee of $10 – $25 per month..."

Zwinky returns to Facebook:

"We’ve also seen offers for the Zwinky toolbar back on Facebook games. When Zynga CEO Mark Pincus said “I did every horrible thing in the book to, just to get revenues right away” he was talking about Zwinky, one of the most hated malware wrappers on the Internet..."

Where is the FTC on these social media scams?

Educational Credit Management Corporation Breach Affects 3.3 Million Borrowers

Well, it didn't take long. About 85 days into 2010, we now have the largest data breach of the year, by far.

Last week, the Education Credit Management Corporation (ECMC) announced in its web site that 3.3 million borrowers' sensitive personal data was stolen during a data breach. According to ECMC, the stolen data included:

"... names, addresses, dates of birth and Social Security numbers. No savings, checking or credit card information was included in the data."

This is not good. Not at all. First, a breach with a huge amount of sensitive data like this indicates a breakdown in security, employee training, or both. This huge amount of data should never be this vulnerable on any type of storage media: USB drive, external hard drive, portable device, or whatever.

Second, identity criminals can do a lot of damage with this stolen data types: from apply for fraudulent loans to sell victims' Social Security numbers to undocumented immigrants to use to gain employment.

ECMC insures more than $11 billion in student loans for the U.S. Department of Education. The data was stolen from the company's St. Paul, Minnesota headquarters during the weekend of March 20 - 21.

Yesterday, the Wall Street Journal reported:

"ECMC said the stolen information was on a portable media device... simple, old-fashioned theft... It was not a hacker incident... It plans to notify affected customers in writing this week... ECMC also owns Premiere Credit LLC, a federal student-loan collection agency. No Premiere accounts were affected by the theft... Federal student-loan guarantors such as ECMC, USA Funds and American Student Assistance have contracts with the federal government to insure student loans against default... ECMC is the designated guarantor for loans in Oregon, Virginia and Connecticut, but borrowers from all states could be affected."

What is particularly nasty about this theft is that many borrowers, students, represent a vulnerable consumer segment. This consumer segment is often the least experienced and prepared about identity theft and fraud. They don't have the awareness, knowledge and funds (yet) to monitor their credit reports for fraudulent loans and other activity, plus subscribe to credit monitoring and resolution services.

In my opinion, ECMC has done the minimum: arranged for only 12 months of free credit monitoring services for its breach victims. I expected a far longer period of free credit monitoring services. Four years minimum seems sufficient to me, since it allow the students to complete (and keep the focus upon) their education and enter the workforce. To ECMC's credit, the company-arranged services from Experian include both credit monitoring and credit resolution (PDF).

While many colleges and universities have policies about identity theft and data breaches for staff and faculty, only a handful of higher education institutions have produced identity theft prevention events for students. This massive breach could be an opportunity for insurers like ECMC to show how much they care -- to do more than the minimum. Provide a longer period of free credit monitoring/resolution services, plus support and fund college-based identity-theft education and prevention programs.

Burglarized By Their Facebook Friend

I first saw the report on the evening news Thursday. It included real video of a mugging by the victim's friend.

You have been warned. Be careful who you accept as friends. Make sure your Facebook privacy and application settings are locked down tight. Even better: don't share your location information. If you feel that you must share location-based information, do so after you return home.

Now, the video:

Statistics: Consumers Prefer To Continue Using Credit Cards To Shop Online

The MediaPost Research Briefs blog summarized the results of the "Online Retail Payments Forecast 2010 - 2014" by Javelin Strategy and Research. Part of MediaPost's summary:

"Today, 63% of consumers indicate that they are comfortable or very comfortable with shopping online, but 22% report they never make purchases online or haven't made one in the past 12 months. Despite the sluggishness of the global economy in 2008 and 2009, domestic e-commerce climbed 10.8% from $185 billion in 2008, and to $205 billion in 2009. At the same time, the share of total retail sales represented by online transactions continued to rise, reaching 5.5% in 2009. The study indicates that 70% of US consumers used a major credit card to make an online purchase during 2009. The only other two options used by more than 50% of respondents were major debit cards, and an online payment service such as PayPal or Google Checkout."

Javelin performed the study in November 2009 with a random-sample panel of 3,294 consumers representative of the USA population. The other important takeaway:

"While debit share of online payments volume climbed just two percentage points to 28%, the dollar value of online sales attributed to debit cards rose 21% from 2008 to 2009. During the recent economic downturn, consumers turned increasingly to debit cards as an option to help them control spending. Debit also grew because it was one of the available options for consumers who had reached the limit for purchases on their credit cards or were unable to qualify for credit."

Translation: during the recession, consumers used what was available (e.g., debit cards) and didn't buy as much. The longer term trend: consumers want to continue using credit cards for online shopping. Seems to me consumers understand how shopping with credit cards is safer.

Should You Pay With Credit, Debit, Cash Or a Charge Card?

There are important differences when shopping with a debit card versus a credit card. The new credit card rules highlight the need for consumers to make an informed choices about the payment method used when shopping. Identity thieves have increased their use of skimming devices at both gas station pumps and bank ATM machines.

So, which payment method is best: cash, credit cards, debit cards, or charge cards? This video below from ABC News offers some practical tips to help you make an informed choice.

If you need to build up your credit history and credit score, paying with cash and/or a debit card won't help. If you have the discipline, charge cards offer several advantages over credit cards including the opportunity to build your credit history/score.

For many years, I had an American Express charge card. I used it to pay for business travel, since my employer promptly reimbursed me for business travel. Later in my career, I simplified both my life and my finances by reducing my use of credit/plastic. Ultimately, I paid off all of my credit card debt and cut back to two credit cards from a high of five credit/charge cards (and a high balance of $18,000). Today, I pay my credit card bills in full every month.

Meet The Authors: The Age of Conversation 3

Age Of Conversation 2010 will be available in April I am happy and excited to announce that the Age of Conversation 3 (AOC-3) is at the publisher for printing! The book will be available sometime during April 2010, and in the following formats: paperback, hardcover, Kindle, and iPad.

The theme for the AOC-3: It's Time To Get Busy. The book has a new Web site, thanks to Sticky. The new cover artwork was designed by Chris Wilson.

I am thrilled to introduce you to the talented and insightful social media authors who contributed to the AOC-3 -- of which I am one. As the publication date nears, I will share more information about the book.

Now, take a few minutes and browse the AOC-3 authors' blogs:

Adam Joseph

Priyanka Sachar

Mark Earls

Cory Coley-Christakos

Stefan Erschwendner

Paul Hebert

Jeff De Cagna

Thomas Clifford

Phil Gerbyshak

Jon Burg

Toby Bloomberg

Shambhu Neil Vineberg

Joseph Jaffe

Uwe Hook

Steve Roesler

Michael E. Rubin

anibal casso

Steve Woodruff

Steve Sponder

Becky Carroll

Tim Tyler

Chris Wilson

Beth Harte

Tinu Abayomi-Paul

Dan Schawbel

Carol Bodensteiner

Trey Pennington

David Weinfeld

Dan Sitter

Vanessa DiMauro

Ed Brenegar

David Zinger

Brett T. T. Macfarlane

Efrain Mendicuti

Deb Brown

Brian Reich

Gaurav Mishra

Dennis Deery

C.B. Whittemore

Gordon Whitehead

Heather Rast

Cam Beck

Hajj E. Flemings

Joan Endicott

Cathryn Hrudicka

Jeroen Verkroost

Karen D. Swim

Christopher Morris

Joe Pulizzi

Leah Otto

Corentin Monot

Karalee Evans

Leigh Durst

David Berkowitz

Kevin Jessop

Lesley Lambert

Duane Brown

Peter Korchnak

Mark Price

Dustin Jacobsen

Piet Wulleman

Mike Maddaloni

Ernie Mosteller

Scott Townsend

Nick Burcher

Frank Stiefler

Steve Olenski

Rich Nadworny

John Rosen

Tim Jackson

Suzanne Hull

Len Kendall

Amber Naslund

Wayne Buckhanan

Mark McGuinness

Caroline Melberg

Andy Drish

Oleksandr Skorokhod

Claire Grinton

Angela Maiers

Paul Williams

Gary Cohen

Armando Alves

Sam Ismail

Gautam Ramdurai

B.J. Smith

Tamera Kremer

Eaon Pritchard

Brendan Tripp

Adelino de Almeida

Jacob Morgan

Casey Hibbard

Andy Hunter

Julian Cole

Debra Helwig

Anjali Ramachandran

Jye Smith

Drew McLellan

Craig Wilson

Karin Hermans

Emily Reed

David Petherick

Katie Harris

Gavin Heaton

Dennis Price

Mark Levy

George Jenkins

Doug Mitchell

Mark W. Schaefer

Helge Tenno

Douglas Hanna

Marshall Sponder

James Stevens

Ian Lurie

Ryan Hanser

Jenny Meade

Jeff Larche

Sacha Tueni & Katherine Maher

David Svet

Jessica Hagy

Simon Payn

Joanne Austin-Olsen

Mark Avnet

Stanley Johnson

Marilyn Pratt

Mark Hancock

Steve Kellogg

Michelle Beckham-Corbin

Michelle Chmielewski

Amy Mengel

Veronique Rabuteau

Peter Komendowski

Andrea Vascellari

Timothy L Johnson

Phil Osborne

Beth Wampler

Amy Jussel

Rick Liebling

Eric Brody

Arun Rajagopal

Dr Letitia Wright

Hugh de Winton

David Koopmans

Aki Spicer

Jeff Wallace

Don Frederiksen

Charles Sipe

Katie McIntyre

James G Lindberg & Sandra Renshaw

David Reich

Lynae Johnson

Jasmin Tragas

Deborah Chaddock Brown

Mike O'Toole

Jeanne Dininni

Iqbal Mohammed

Morriss M. Partee

Katie Chatfield

Jeff Cutler

Pete Jones

Riku Vassinen

Jeff Garrison

Kevin Dugan

Tiphereth Gloria

Mike Sansone

Lori Magno

Valerie Simon

Nettie Hartsock

Mark Goren

Peter Salvitti

Police Find Skimming Devices Inside Pumps at 180 Gas Stations in Utah

This is news regardless of where you live. Why? The use of skimming devices by identity criminals is not limited to Utah. ABC 4 television news reported:

"Utah police investigators said crooks have installed electronic "skimming" devices at 180 gas stations from Salt Lake to Provo in an attempt to steal bank card and pin numbers... The skimming device is actually located inside the gas pump... The “Skimmer” copied card and pin numbers giving the criminals free access to the victim’s bank accounts... Crooks used the stolen card information captured by the device to steal more than $11,000 using ATM machines in Los Angeles... Investigators don't know how many card numbers the crooks stole... The only way that you're going to know if you've fallen victim to this is if your credit card starts being used or if your debit card number starts being used..."

If thieves drain your checking account balance to zero, you'll know that way too. By then the damage has been done, and your bank may not reimburse you for the stolen money.

Because it is impossible to spot a gas station pump that has been tampered with, I never pay at the pump. Instead, I go inside to the cashier and pay with credit or cash. And I keep my credit card within eyesight. I use my debit card only at my bank's ATM machines.

Would You Recognize a Skimming Device on A Bank ATM Machine?

At his Krebs On Security blog, Brian Kebs has a good blog post about how to recognize a skimming device attached to the card slot of an ATM machine. Identity criminals will try to place these devices on ATM machines (and gas station pumps) to steal your debit card sign-in credentials so they can drain your bank account.

Brian's blog post includes photos, which clearly indicate how thieves can attach a skimming device to the ATM card slot.

Now don't panic and think that every ATM machine has been tampered with. The thieves target ATM machines that are not in well-lit and public places.

My advice:

  • Use ATM machines from your bank. You know what they look like and familiarity makes it easy to spot tampered machines
  • Use ATM machines that are in well-lighted and in public places
  • If the ATM machine looks like it has been tampered with, use another machine
  • I avoid unfamiliar-looking ATM machines, that are often in convenience stores

Related article: Anybody Can Buy And Operate an ATM Machine.

Impacts Continue From The Heartland Data Breach

Finextra reported:

"Around 5000 First National Bank of Durango customers have been unable to use their cards in stores, although they can still withdraw cash at ATMs. In a notice on its Web site, the bank says: "Please be aware that as a result of a security breach at Heartland Payment Systems that occurred over a year ago, debit cards issued by the First National Bank of Durango may have been compromised. It is important to note that there was not a security breach at First National Bank of Durango, our systems remain secure. The breach occurred at a 3rd party processor."

Reportedly, the First National Bank of Durango blocked payments after several customers contacted the bank about suspicious charges on their bills.

Are these continual post-breach impacts unusual? Experts say that this is to be expected. According to Bank Info Security:

"What happened to First National Bank of Durango is not unusual, says Avivah itan, Gartner distinguished analyst. "Typically the crooks will use stolen cards right after a heist until the looting is discovered and publicized in the media... At that point, the crooks will lie low and not use them because of heightened alerts that will flag and stop their use (e.g. because the cards are on watchlists). Then when time passes and the heat is off, "The crooks will rear their ugly heads and start using them again... Debra Geister, Senior Director, AML and Compliance Services at LexisNexis Risk Solutions, says this scenario is really no different from a sleeper scam, where the fraudsters sit back and wait until an opportune time to strike."

As I've written repeatedly in this blog, identity thieves are smart and persistent. The risks continue as long as the thieves believe that they can use the stolen information successfully, or resell it to others who can use it successfully.

After a data breach with debit/credit cards, banks block accounts and then re-issue cards with new account numbers as needed, since re-issuing cards is expensive. After a breach of sensitive personal information (e.g., Social Security number, birthdate, etc.), companies often offer free credit monitoring services for a year or two. This Heartland post-breach experience casts doubt on both practices since criminals don't magically give up after a year or two.

When Corporate Executives Commit Identity Theft And Fraud

What happens when corporate executives do bad things? This blog has covered law enforcement actions that usually involve low-level employees, workers, or technicians that have committed identity theft and fraud. Do senior-level (also known as C-Suite) corporate executives or owners of businesses experience the same consequences when caught?

One answer to this question is in the courts. I didn't have to look far with to find court cases.

In U.S. v. Abdelshafi, the owner of a medical transportation company was convicted of submitting fraudulent health care billing claims and aggravated identity theft after using patients' medical information to submit fraudulent bills for trip services that never happened. The CCH Healthcare publication reported about a January 2009 court decision about then length of the owner's court sentence:

"The transportation company contracted with a HMO to provide medical transportation services to Medicaid patients... It was discovered that the owner of the transportation company submitted claims with substantially inflated mileage amounts and also claims for trips that did not occur, enabling the owner to collect at least $303,329 in fraudulent payments... The Court of Appeals for the Fourth Circuit noted, however, that while the owner did have the lawful authority to use the identifying information for proper billing purposes, he did not have the lawful authority to use Medicaid patients' identifying information to submit fraudulent billing claims... U.S. Sentencing Guidelines provides that an individual's offense level should be increased by two levels if the individual abused a position of trust that significantly contributed to the commission of the offense... The owner abused the authority of his position by misusing the Medicaid patients' identification information to file fraudulent claims for payment. Therefore the sentence enhancement was proper."

Then, there's this case from about an employee who stole another employee's identity and then used that identity information to steal money from the victim's 401-K retirement account. While the criminal was not a senior level executive, the case includes identity theft and 401-K retirement account fraud:

"A former employee of a Kansas City, Mo., gaming casino was sentenced to one year in federal prison and three years of supervised probation after completion of her prison term. Dana Wachter also was ordered to make approximately $38,000 in restitution stolen from a co-worker... Wachter was sentenced June 29, 2009 in U. S. District Court for the Western District of Missouri. She was indicted in June 2008 on one count each of aggregated identity theft, mail fraud and theft... The indictment contends that, in March 2007, Wachter used her co-worker's social security and personal identification numbers to authorize an $18,000 distribution from her co-worker’s 401(k) account. Wachter is further alleged to have used the mail to steal a distribution check and forged the participant’s signature on the check."

To find more white-collar crime, one doesn't have to search far. I decided to broaden my searches for cases that didn't necessarily include identity theft. The U.S. Attorney Office in Nebraska published this news release involving a C-Suite executive:

"On March 3, 2009, the Honorable Judge Laurie Smith Camp sentenced Marilyn Adams, 66, of Omaha, Nebraska, to a term of 12 months in prison followed by 3 years of supervised release... Adams was indicted in April of 2008 in a two count indictment alleging that a nursing staffing business she formed, AMS Healthcare Services, withheld monies from the paycheck of its employees for purposes of making contribution to a company sponsored 401K program through Hartford Life Insurance Company. Adams, along with her son, Jeffrey Adams, withheld $111,136 dollars with the promise of forwarding those funds to the Hartford Life Insurance Company. Marilyn Adams, as the company president and plan administrator was required to file forms with the Department of Labor documenting funds withheld and transmitted to the 401K plan. Judge Smith Camp ordered Marilyn Adams to pay restitution in the $111,136 dollar amount to the 39 former employees from whom she stole."

I'll bet that those 39 employees felt they had been mugged when they didn't see the contributions to their 401-K accounts while the company deducted money from their paychecks.

Then, I visited the the U.S. Department of Labor (DOL) site to see what else I could find. The DOL site publishes summarizes of the court cases -- both civil and criminal -- it prosecuted during the past year, and the money collected. The agency's March 2010 Fact Sheet reported:

"... in Chao v. Gene Shawn Group, et. al., the U.S. Department of Labor obtained a Consent Judgment and Order. The Consent Judgment requires defendants Young Jin Lee and Juliette Lee, owners of the Gene Shawn Group, LLC dba A-Q Dental Laboratory (Company), to repay $32,587, including interest, to the A-Q Dental Laboratory 401(k) Profit Sharing Plan. The Consent Judgment holds the Lees responsible for restoring any losses remaining after the conclusion of the Company’s bankruptcy proceedings. Additionally, the Lees were permanently enjoined and restrained from future service as a fiduciary of, or service provider to, any ERISA-covered plan. The Department alleged that the defendants violated ERISA by failing to remit employee contributions, employer matching contributions and loan repayments to the plan."

Here's one of several criminal cases summarized in the Fact Sheet:

"... Mark Harrington was sentenced to 2 years imprisonment, 24 months probation, and ordered to pay restitution of $349,870. On April 14, 2009, Mark Harrington pled guilty in the U.S. District Court for the District of Massachusetts to embezzlement from an employee pension fund. Mr. Harrington had been the Vice President and Controller at Anchor Capital Advisors, LLC and in this position he also acted as the Plan Administrator for the Anchor Employees' 401(k) Plan (Plan)... As the Plan Administrator, he directed the custodians of the Plan's assets to make distributions totaling $386,711.70 to various fictitious entities. At the same time, he employed the services of a relative to establish bank accounts at different banks in the name of these fictitious entities and to deposit the distributions into those bank accounts. Harrington used the stolen funds to buy a home, a Cadillac Escalade, breast implants, jewelry and other items."

Another summary:

"... in Chao v. Craig Wagner, the U.S. Department of Labor obtained a default judgment ordering Concrete Construction Co. of Acworth, Georgia, and its president, Craig Wagner, to restore $11,672 in employee contributions, employer contributions, and interest to the company’s 401(k) plan. The Department alleged that the defendants violated the Employee Retirement Income Security Act (ERISA) when they withheld employee contributions to the plan and illegally commingled the contributions with the general assets of the company..."

The fact sheet also published statistics about the agency's performance. In 2009, the DOL closed 1,042 civil cases of which 87% (910) included violations, and closed 64 criminal cases of which 52% included criminal indictments -- both totaled about $17.9 million.

The fact sheet also includes historical agency performance. In 2007, the agency prosecuted cases with judgments totaling more than $51 million. In 2004, the agency closed almost 1,600 civil cases. In 2003, the agency the judgments totaled more than $135 million. That's a lot of money. That's a lot of crime.

This fact sheet was a good read. C-Suite executives seem to receive similar consequences as lower-level employees.

The historical statistics indicate to me that there is (and has been) a significant amount of crime by people usually in a position responsible for employee 401-K retirement plans -- often C-Suite executives. I could have listed more court case summaries, as I found more cases involving medical identity theft.

After reading these court summaries, I can only imagine that the C-suite executives in these cases were arrogant and felt entitled to use other peoples' money as if it was theirs to use as they please. I'd like to congratulate the DOL Employee Benefits Security Administration for those achievements. I look forward to reading the agency's fact sheet in 2011 about its accomplishments during 2010.

A Review Of

I saw the ad below recently on late-night television. Perhaps you have seen it too:

I know Ben Stein more for his comedy than his economic commentaries. He's also in some funny cable TV service commercials with Shaq. So, I have nothing against Stein. Everyone has to make a living.

I don't know anything about Filbert, the squirrel in the ad. I have nothing against Filbert either.

At first view, the ad seemed harmless enough. It is wise for consumers to know their credit score, since many purchases depend upon having good credit. To learn more, I visited the site.

That's when things really got squirrely.

The site is easy to read and easy to navigate. There are huge buttons on the home page to start the registration process to get those free credit scores. Consumers can get "free" credit scores from each of the three major credit reporting agencies: Equifax, Experian, and TransUnion: Home page

The above page copy also inform users that they can get their credit reports when ordering their free credit scores. Further down the page (out of view when the page first loads) is as a huge button for consumers to click to view a sample report compiled with information from the three credit reporting agencies. A sample report is a good thing to view before registering. A more friendly page design would place that sample button further up the page so it is easier to see.

Now, I already know my credit score, so I didn't register for the service. If you scroll to the bottom of the page, you will see tiny text that is easy to miss, especially if you clicked on any of the large buttons near the top of the page. So, I've repeated the tiny text here:

" is not affiliated with the annual free credit report program. Under a new Federal law, you have the right to receive a copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under law, you must go to

Translation: while you can get credit reports at the site, they aren't free. The credit scores are free but the credit reports have a monthly fee. The tiny text explains why there is a monthly fee:

"FreeScore provides you with the tools you need to access and monitor your financial/credit information through the program's credit reporting and monitoring benefits. FreeScore and its benefit providers are not credit repair service providers and do not receive fees for such services, nor are they credit clinics, credit repair or credit services organizations or businesses, as defined by federal and state law. Credit information provided by TransUnion Interactive, Inc."

Translation: the site is operated by TransUnion, one of the three major credit reporting agencies. FreeScore will help you monitor your credit scores and credit reports, but it won't help you fix them should something bad happen. You are on your own if you need to remove errors in your credit reports, or if you are already an identity-theft victim and thieves have made fraudulent purchases affecting your credit scores and reports.

So, if the credit reports at FreeScore aren't free, how much do they cost? In my opinion, a better design would have displayed the price along with the credit report offer on the home page. Instead, the consumer has to hunt for the price information, which appears on the FreeScore registration page below. The price is in small type in the right column under OFFER DETAILS: Registration page

I've repeated the tiny copy here so it is easier to read:

"Simply click "View Scores" on the next page to activate your FreeScore trial membership and claim your 3-in-1 Credit Profile and Triple Credit Score. After your 7-day FREE trial period it's just $19.95 per month for FreeScore. Remember, you can call FreeScore toll-free at 1-800-316-8824 within the first 7 days to cancel, and you will not be charged/debited."

Translation: you get free credit scores only during the seven (7) day trial period. After that, charges apply if you don't cancel your trial membership, which automatically signed up for a credit monitoring service costing almost $20 per month. The trial membership period is awfully short, too.

This offer by reminded me a lot of the pitch by, a site that pitches free credit reports but enrolls consumers in a credit monitoring program with a monthly fee if you don't read the tiny text and cancel. Yesterday's post discussed the new Credit Report disclosure rules mandated by the FTC. The site never pitches free credit reports, so I guess that TransUnion believes that they don't have to comply with the new disclosure rules since they aren't selling free credit reports at the site.

In my opinion, the site is the same as the site. Both advertise X (e.g., get something for free) but really offer Y (credit monitoring for a monthly free) and place the important details in small print rather than say so upfront in easier to read type. Both sites use the auto-opt-in method: the user is enrolled in the credit monitoring service unless they cancel in time. To me, this is a sleezy marketing approach. The old "buyer beware" advice definitely applies here.

In my opinion, is expensive since the price includes credit monitoring and not credit resolution services. And, the FreeScore monthly fee of $19.95 is higher than the monthly fee of $14.95. So, maybe the cost of those "free" credit scores is baked into the higher monthly credit monitoring fee.

Is FreeScore for you? That's a decision only you can make. You know your credit situation best. Having good credit is critical and monitoring your credit reports is wise to ensure their accuracy. If you are a victim of identity theft and fraud, then monitoring your credit reports for fraudulent purchases is critical, but getting credit resolution service is equally important.

My advice: shop around and always read the FINE PRINT at a Web site; especially sites offering freebies and/or credit monitoring services. Know the limitations of the credit monitoring service you are considering. Be an informed consumer.

FTC Changes Disclosure Rules For Sites Offering "Free" Credit Reports

In a press release late last month, the U.S. Federal Trade Commission (FTC) announced new disclosure rules that will go into effect on April 2 for Web sites offering "free" credit reports. The new rules aim to help consumers better understand Web sites offering "free" credit reports. The new FTC Credit Reports Rule effective April 2:

"... will require new prominent disclosures in advertisements for “free credit reports.” For example, any Web site offering free credit reports must include a disclosure, across the top of each page that mentions free credit reports, which states:

THIS NOTICE IS REQUIRED BY LAW. Read more at FTC.GOV. You have the right to a free credit report from or 877-322-8228, the ONLY authorized source under federal law."

The Credit CARD Act of 2009 required the FTC to change the Credit Reports Rule by February 22, 2010 to prevent deceptive marketing of “free credit reports.” During the interim period from February 22 until April 2, the disclosure requirement is shorter, includes only text, and excludes links:

“Free credits reports are available under Federal law at:”

After April 2, the disclosure includes longer text (see above), a clickable button to "Take me to the authorized source" for free credit reports, and clickable links to both and FTC.GOV. Prior to issuing the revised rules, the FTC sought and received feedback about the proposed rule change from consumers, consumer reporting agencies, consumer report resellers, business and trade organizations, state attorneys general, consumer advocates, law firms, members of Congress, and academics.

This is the best that the FTC could do? It doesn't seem to prevent deceptive advertising but, moderate it instead.

Is the interim disclosure enough? Obviously not. While it is a step in the right direction, it is a small step. It includes minimal text and no links.

Is the April 2 disclosure enough? This is two steps in the right direction, but still not enough. While it includes more text and links, one link is to the FTC home page. A better link destination would be the FTC site page about free credit reports and the site.

A even better solution would be for the rule to prohibit companies from making what is essentially, in my opinion, a "bait and switch" offer. Then, these micro-managing rule changes would be unnecessary and not waste limited government resources. At, the "free" credit reports really aren't. The site currently contains the interim disclosure, as required by the FTC.

I am sure that the credit reporting agencies are happy with the FTC's new rule change because it allows business-as-usual with minimal changes. Experian doesn't have to pull all of its ads that appear on both Youtube and late-night television and cable.

Sadly, the new rules are a business-friendly solution that allows companies to continue presenting Web sites with similar "bait and switch" offers; only to replace "free credit reports" with other freebies to evade the new disclosure rules.

How? I'll discuss one example tomorrow.

TJX Hacker Gets 4 Years In Prison

It's important to note when identity thieves get what they deserve in court. The Wired Threat Level blog reported last week:

"Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy... Zaman, a 33-year-old former network security manager at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts. Zaman pleaded guilty in April to one count of conspiracy. His sentence includes three years of supervised release with the condition that Zaman must disclose his conviction to any future employer. Upon release, Zaman will not be barred from using computers."

The group used money mules to withdraw money from ATM machines with stolen bank account information and to wire money to overseas accounts in Latvia. In December 2009, former Morgan Stanley programmer and co-conspirator, Stephen Watt, received two years in prison. Watt wrote the code for a sniffer computer program used to steal card account data from the TJX network. For his role in the conspiracy and thefts, experts say Gonzalez may receive at least 17 years in prison.

Huge Data Breach Potential From Used Copy Machines

Early in my career, jobs at Xerox Corporation taught me how copy machines work. This WBZ Television news item definitely caught my attention:

"Copy machines today are just like computers... They have hard drives and can store data that can be extracted... Think about it. Your tax preparer, your mortgage broker, your doctor, chances are they have all made copies of documents containing your personal information. That means your social security number; your bank accounts and credit card information could all be sitting on a hard drive in an office copy machine... There are massive warehouses across the country filled with hundreds if not thousands of used copiers that are up for sale. Companies are supposed to wipe the hard drives clean, but that does not always happen."

It's good that the news media is now aware of and reporting this problem. In my experience, the threat is not from just copy machines but from the broader office equipment liquidation process -- how companies discard used office equipment: servers, routers, desktop computers, laptops, mobile devices, and external storage devices.

The liquidation process is supposed to work like this: a company hires an equipment vendor to buy, transport, and wipe clean the hard drives on the used office equipment it discards. The vendor is supposed to perform all of these tasks; and makes money by reselling the used equipment.

In reality, not all vendors consistently wipe clean the equipment they have been entrusted to cleanse. And, nobody at the client company checks or audits their performance. So, large amounts of sensitive data literally exit companies' doors on thousands of used copy machines, computers, laptops, and related office equipment.

It's the dirty little secret nobody within a company wants to discuss.

I first wrote about this used office equipment breach potential in September 2007. I am glad that the news media is now paying attention. The question: are corporate executives -- information technology and security professionals - paying attention? Within each company, who is auditing the used equipment liquidation process? Who is being held accountable?

Lifelock Settles With the FTC: Company To Pay $12 Million

The U.S. Federal Trade Commission (FTC) reported:

"LifeLock, Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the CEO’s Social Security number on the side of a truck. In one of the largest FTC-state coordinated settlements on record, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers. “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz."

Lifelock began marketing its service in 2006. Radio entertainer Rush Limbaugh promoted the service. In 2008, the credit reporting agency Experian sued Lifelock. During the same year, consumers in several states sued Lifelock about the quality of its service.

The FTC news release also added:

"The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection."

From time to time, friends and coworkers ask me what I think of Lifelock's service. I usually direct them to the product review by the folks at Consumers Reports. And I encourage them to closely review the Lifelock terms of the service, so they know what they are paying for. I also encourage them to read this blog so they can learn what they can do themselves -- like fraud alerts -- for free.

Survey: Ponemon Lists The Top 20 Most Trusted Firms For Privacy

Ponemon Institute released last month its list of the 20 most trusted companies for privacy. The list is compiled from an annual survey of 6,627 adults in the United States. Survey participants were asked to rank their most trusted companies from a list of companies provided. Highlights from this year's survey:

"Among the brands that made the top twenty were four not listed in the previous study, including Google, Weight Watchers, Walmart, and AT&T. Of the companies listed last year, Facebook, AOL, and eLoan did not make the 2010 list. 2009 was a tumultuous year for privacy, as illustrated by Facebook’s drop out of the top twenty in a year when they found themselves at the center of a very public debate over the evolution of their privacy policies and settings."

It's good to see that there is a "cost" when a Web site or company has confusing or constantly changing privacy policies and rules. Some other highlights:

"Consumers feel they are losing control of personal information: Only 41 percent of consumers feel they have control over their personal information, down from 45 last year and an overall drop from 56 percent in 2006."

The next finding definitely caught my attention:

"Identity theft is top of mind: 59 percent of consumers said fear of identity theft was a major factor in brand trust diminishment, and 50 percent said notice of a data breach was a factor. Other significant threats to brand trust were abuse of civil liberties and annoying “background chatter” in public venues."

The Top 10 most-trusted companies for privacy (with their prior year ranking in parentheses):

1. American Express (1)
2. IBM (3)
3. Johnson & Johnson (5)
4. Hewlett Packard (6)
5. E-bay (2)
6. U.S. Postal Service (6)
7. Procter & Gamble (7)
8. (4)
8. Nationwide (9)
9. USAA (11)
10. WebMD (13)

Google was ranked #13. Read the press release to browse the complete list of all twenty ranked companies. I'll be a number of CEOs are wondering how the United States Postal Service outranked them. Who says that a government agency doesn't work well?

AT&T's jump up the list could be related to the telecommunications company's public statement about its behavioral targeting policy, which is more consumer-friendly than most companies. Then again, maybe the public has forgotten about AT&T's role with internal spying.

For a year-to-year comparison of the top 20 companies for privacy, see Mike Spinney's blog at the Ponemon site.

Survey: 5.8% Of US Adults Have Been Medical Identity Theft Vitims

Identity thieves want far more than your credit card, debit card, and bank account information. They want your medical information. Why? For a variety of reasons, one of which I covered in yesterday's blog post. Another reason is to sell stolen medical information to others to get free health care they don't have access to otherwise.

ComputerWorld reported the results of recent survey about medical identity theft:

"Roughly 5.8% of American adults have been victimized, according to a new survey from The Ponemon Institute. The cost per victim, on average, is $20,160... "The National Study on Medical Identity Theft" is based on findings from 156,000 people who agreed to discuss identity theft in general. Among those surveyed, 5.8% provided specific details about how they had been hit by medical ID theft, in particular."

Medical identity theft is defined as when another person uses stolen medical insurance information to acquire health care goods and services. Some key statistics from the survey:

"29% of victims of medical ID theft discovered the problem a year after the incident, and 21% said it took two or more years to learn about it... Nearly half of the victims (48%) lost coverage due to medical ID theft. Roughly 75% found resolution difficult, and only about 25% said there were no consequences due to the theft... 46% did not report the incident to law enforcement or other legal authorities... and 33% said the medical ID theft occurred because a family member used their medical ID for goods and services without their knowledge."

So, consumers should protect their medical insurance cards just as you would protect your debit/credit cards.

Florida Couple Return To Identity Theft

When law enforcement catches identity thieves and fraudsters, I like to acknowledge it.

Yet, some identity criminals never seem to learn. The Miami Herald reported:

"Last year, they were charged with running a racket to pilfer patient records from Jackson Memorial Hospital to sell to lawyers for personal-injury claims. Now Ruben E. Rodriguez and wife Maria Victoria Suarez have been indicted again for paying an ambulance-company employee to steal information on patients transported to Miami-Dade hospitals and healthcare clinics. That theft scheme dates all the way back to 1995, according to an indictment filed last week. In both federal cases, the Coral Gables couple are accused of brokering the stolen computer records of patients' names, addresses, telephone numbers and medical diagnoses to several attorneys in exchange for kickback payments. The lawyers paid them hundreds of thousands of dollars for the referrals after settling injury claims, authorities say... According to court records in the JMH case, one unidentified personal-injury attorney wrote 27 checks totaling $85,250 to a shell company incorporated by Rodriguez as kickback payments for the patient referrals between 2006 and 2009."

Hopefully, this couple -- and the lawyers that facilitated this scam -- will all be off to jail for a long time. And, I hope that the newspaper and the prosecutors publish the full list of attorneys and health care workers involved.