Previous month:
March 2010
Next month:
May 2010

20 posts from April 2010

Survey: Data Security at Hospitals Is Poor

Last week, Identity Force released the results of its 2010 survey of 200 compliance offers at AHA-member hospitals in 43 states. How secure is your medical information in hospitals? Not very secure. Key survey results:

  • 41.5% of hospitals have TEN OR MORE data breaches each year (that's up 120% over last year)
  • Over 20% percent of hospitals have twenty or more breaches annually
  • 56.3% of hospital compliance officers believe that the new health care reform law will either have no change or will increase medical identity theft
  • 71.4% of hospitals on average investigate fewer than 50 cases each year of possible misuse of identity information
  • 15.7% of hospitals feel they are in compliance with the HITECH Act, which went into effect in February 2010
  • 48.3% of hospitals do not know if their vendors and business associates comply with the HITECH Act

As you read these statistics, remember that Identity Force provides identity theft protection for individuals, businesses and government agencies. Still, the statistics are poor.


Survey: What Executives Say About Data Security Versus What They Do

Earlier today, Accenture announced the results of a survey of 5,500 business leaders and 15,500 adult consumers in 19 countries. The results indicate that what companies say they do to protect sensitive data differs from what they actually do. Consider these survey results:

  • 73% of business respondents say they have adequate data security policies to protect sensitive personal data, but 58% have had at least one data breach during the past two years where sensitive data was lost/stolen
  • 70% agreed that organizations have an obligation to protect sensitive personal data, but 45% were unsure or disagreed to give customers control over what customer data is collected, and
  • 47% were unsure or disagreed to give customers control about how the customers' sensitive data is used
  • Sensitive customer information includes items such as, but not limited to: name, address, date of birth, race, National ID/Social Security number, and medical history

Are these business executives serious? I want to talk with the executives at 30% of organizations that believe they don't have an obligation to protect sensitive customer information. What twisted logic supports this conclusion by executives?

I also want to talk with the 45% of executives were are unsure or disagree to give customers control over what customer data is collected. What twisted logic supports this conclusion by executives?

I also noticed that the wording of the survey included data security policies and not processes and systems. There is a difference. A paper-only corporate policy is not the same as an implemented system and employee training sessions. Having only a toothless policy is not real data security. It is asking to be judged based on intentions and not based on actual behaviors.

More survey results I found disturbing:

  • 47% did not believe it was important or very important to limit the collection of sensitive personal customer information
  • 46% did not believe it was important or very important to limit the sharing of sensitive personal customer information
  • 47% did not believe it was important or very important to protect consumer privacy rights
  • 47% did not believe it was important or very important to prevent cross-border transfers of personal information to countries with inadequate privacy laws
  • 48% did not believe it was important or very important to prevent cyber crimes against consumers

Geez. These results define executives who don't care about data security. The finding aboout cross-border transfers of personal information is particularly troublesome when you consider the risks of offshore outsourcing and the offshore outsourcing activities by the major credit reporting agencies. You can download the complete Accenture survey report (2.4 MB, PDF format).

The survey also found differences in attitudes and behavior between organizations that had data breaches during the past two years and those that didn't. Organizations that didn't experience data breaches had a better understanding of where sensitive customer information was archived within their organization, and more likely felt obligated to control who had access to sensitive personal data.

When I read survey results like this, it tells me that executives need to be forced (e.g., regulation) what to do to protect customers' sensitive personal data because they won't do it on their own. It doesn't matter if it is poor ethics, or a rush to make money.


As Criminals Target Elders And Retirees For Fraud And Identity Theft, Several Resources Emerge

While this blog has focused primarily on data breaches affecting consumers broadly, over the past few weeks I have noticed a trend in scams and threats that target elders and retirees. I use the term "elders" because not elders (e.g., people over 50 years of age) are retirees, and not all retirees are elders. Like any other consumer segment, elders and retirees can be vulnerable because the use the same online technologies as other age groups.

First some facts. Pew Internet reported broadband access by age groups: about 59% for consumers ages 50 - 54; 57% for ages 55 - 59; 48% for ages 60 - 64; 42% for ages 65 - 60; and 30% for ages 70+. MediaPost reported than profiles at social networking sites is increasing among older Americans. While 78% of teens has social net profiles, the penetration is 77% for ages 18 24; 65% for ages 25 to 34; and 51% for ages 35 to 44.

These statistics don't surprise me because there are plenty of blogs written by and for elders. To learn more, Ronni Bennett, author of Times Goes By, maintains an excellent elder blogroll.

E-mail phishing scams affect consumers of all ages. ATM skimming devices steal from ATM users of all ages. Gas pump skimming devices steal from auto drivers of all ages. A prior blog post covered some of the retirement abuses by senior company executives. There is more to the problem that this. Many elders are larger consumers of health care and 5.8% of U.S. adults have alrady been victims of medical identity theft.

In Alabama, scammers were going door-to-door attempting to sell to elders "ObamaCare" health plans that were overpriced, unnecessary and contained insufficient coverage. In Hawaii, an elder man was financially abused and driven deeply into debt after giving away his durable power of attorney to a female acquaintance who used it to drain his bank account and opened new credit cards and a reverse mortgage.

Last week, at a conference on aging in Marlborough, Massachusetts, Governor Deval Patrick and Attorney General Martha Coakley advised elders:

  • While technology changes, many of the same scams persist
  • If an offer sounds too good to be true, it probably is
  • Offers with "you must act now" are a tip-off of a probable scam
  • Be aware of credit card fraud and fake charities
  • Protect their sensitive personal and bank account information

Earlier this month, Arizona Attorney General Terry Goddard hosted a seminar to teach consumers of all ages about how to detect and avoid scams targeting elders. The free session covered identity theft, Internet safety, elder abuse, and Medicare fraud. Another seminar occurred in March at the Sun Lakes Center of Chandler-Gilbert Community College. Arizona also operates a "Senior Anti-Crime University."

The New York Department of Aging (DFTA), the Department of Consumer Affairs (DCA), the Aging in New York Fund and the American Museum of Finance jointed developed an interactive financial education game titled "It's My Money" to educate elders on identity theft and fraud scams. The game, launched in February 2010, can be downloaded for free and is designed for play in group settings, such as community centers. Versions of the game are in English, Spanish, Russian, and Chinese.

Also in February, the Institute for Financial Literacy launched the Project SCREEN (Senior Citizen & Retiree Empowerment Education Network) program to train senior service providers to teach financial literacy skills to their clients because elders are targets of fraud, identity theft, and financial abuse.

Next month, a representative from the Pennsylvania Attorney General's office will share the latest scams by identity thieves at a seminar for elders in Wyoming County near Wilkes-Barre.

To find information and upcoming events where you live, contact the attorney general office or consumer protection office in your state or county government.


CBS News: Data Breaches From Used Copy Machines

Earlier this week, the CBS Evening News broadcast a segment about data breaches via used copy machines. It was good to see this problem highlighted on a national news broadcast. The problem is huge and needs lots of attention.

Regular readers of this blog already know about the issue since I blogged about the used copy machine breach problem over a month ago. CBS News reported this week:

"Nearly every digital copier built since 2002 contains a hard drive - like the one on your personal computer - storing an image of every document copied, scanned, or emailed by the machine. In the process, it's turned an office staple into a digital time-bomb packed with highly-personal or sensitive data... It took [a data expert] just 30 minutes to pull the hard drives out of the copiers. Then, using a forensic software program available for free on the Internet, he ran a scan - downloading tens of thousands of documents in less than 12 hours. The results were stunning: from the sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders. On a second machine from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid."

And, used copy machines are sold to buyers both inside and outside the USA. In my view, progress will be made only when company executives are held accountable for selling used machines that have not been cleansed of sensitive data. Not fines, but jail time.

More importantly, the threat is not from only copy machines but from the broader office equipment liquidation process -- how companies discard used office equipment: servers, routers, desktop computers, laptops, mobile devices, and external storage devices.

The liquidation process is supposed to work like this: a company hires an equipment vendor to buy, transport, and wipe clean the hard drives on the used office equipment it discards. The vendor is supposed to perform all of these tasks; and makes money by reselling the used equipment.

In reality, not all vendors consistently cleanse the equipment they have been contracted to cleanse. And, nobody at the client company checks or audits their performance. It's the dirty little secret nobody within a company wants to discuss. In September 2007, I wrote about a breach via used office equipment liquidation.


Dump The Porn! Spokeo Has Blown Your Cover

[Editor's Note: Today's blog post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. She has studied what makes some individuals embrace or avoid information technology. (She’s definitely one of the former.) Michelle helps others improve their use of technology in their personal or professional life. Here's her take on Spokeo.]

By R. Michelle Green

A friend was incensed and frightened to discover that Spokeo.com knew where he lived. Maybe it was the picture of his front door that really freaked him out. Welcome to the 21st century. Ain’t data mining a bitch?

Spokeo says it’s not your grandma’s phone book. With Spokeo, you can find contact information searching by name, email address, or phone number. It calls itself a search engine specializing in organizing people-related information.

Register with Spokeo and it can aggregate the data from your favorite social networks in one place. No more checking Facebook, then Linked In, then Live Journal, then Amazon, etc.. Just let Spokeo access your e-mail account and it will harvest your contacts, go get public information about them, and aggregate all that data. You can keep up with everyone’s latest photos and status updates in one place.

While it was new to me and my friend, Spokeo has been around for a while. It first appeared in 2006. Spokeo 4.0 launched in March of this year, and traffic surged within weeks of the announcement. They are already apologizing for no longer being able to respond to callers within 3 to 4 hours.

What does Spokeo really do? Why is it so scary? It makes data mining visible.

I first understood data mining in 1996 after reading William Gibson’s book Idoru. The main character was so adept at reading the digital footprint left by human interactions on the net that he was hired to determine if the title character was real or virtual.

Knowing this can be done and seeing the result are two different things, however. Wait until Spokeo can access purchase records from Netflix or Amazon! (Oh, stop choking. They only look at publicly available data. Oh, you have public wish lists and profiles on both? Never mind. As you were.) Though it’s far from scientific, I searched about 30 names and about 45 emails so far. I searched myself extensively, of course.

So far, the creepy stuff isn’t always that accurate. A lot of the information is clearly from statistical guesses (if you’re living in a zip code that’s 92 percent white, it’s not a stretch to guess you’re Caucasian). I got different results looking by name or by e-mail; and the more established the e-mail, the more extensive the results. No surprise there.

Even the errors are informative, however – some physical locations associated with searches were wrong today, but reflected locations that were, at one time, true. That’s why these sites aren’t putting private investigators out of business. On the other hand, it’s giving them a hell of a helping hand.

So how does Spokeo work? It searches everything. No, you didn’t hear me. Everything. Every publicly available source of information they can get to. That includes phone listings, political contributions, home ownership, posted photos, etc. If you own your home, and use online photo sites, Spokeo could use Google Maps to display your front door, or perhaps Picasa to display a picture of your three kids and the dog.

Anyone can get this on search. Register as a user and you can see more. This blog has a screenshot of what a Spokeo page can look like for registered users. On the other hand, if your name is really common, or you use multiple names (like Richard Dean Anderson from Stargate, for example), Spokeo struggles. And right now, I think the surge in demand is significantly slowing their servers’ response times. Those issues are surely transient.

The scariest thing for me – searching my email addresses. Even for free, it showed some of the blogs that I frequented, a few mixes I’d shared on Pandora. A friend thinks he has a secret email address he’s used for years for naughty searches. I’d told him it was suspect, that by now Google could aggregate his real and his secret identity, but he’d paid me little attention. Entering the secret email on Spokeo immediately revealed his real name. I showed him the link face-to-face, I wanted to watch the top of his head blow off. Good thing for him his wife doesn’t like technology like I do.

What can you do to protect yourself? You can opt out so that your results do not appear if you are searched. Fine print: you can only opt out of name and phone number search, and you have to give them your e-mail to engage this feature. Since they only use public information, you can go to all your sites and make sure you’ve read all their Privacy rules and engaged all the appropriate settings. When Spokeo next updates, your newly private data will disappear. Snopes alleges that Spokeo does not always take expeditious action on these requests.

Facebook’s founder Mark Zuckerberg might call me an old fuddy duddy for even raising these issues. He says that privacy is no longer a social norm. Google’s CEO Eric Schmidt takes the offensive. He says if I have to hide something I shouldn’t be doing it, and name checks the Patriot Act for good measure. You may agree with them. So, Spokeo may not bother you – yet.

By the way – Spokeo will show you even more if you pay them money. And here’s the kicker: the cost for three months is about what you’d pay for popcorn and soda at the movies.

Happy stalking.


© 2010. R. Michelle Green. Reprinted with permission.


Wall Street, Financial Regulation, And The Need For Systemic Change

Past blog posts have covered some of the abuses of consumers by banks with credit card interest rate increasses. Our financial and banking system is so complicated, how can a consumer evaluate the financial reform discussion in Washington? How to evaluate the messages from reform advocates and opponents?

I found this episode of the Bill Moyers Journal very helpful. Moyers interviewed financial experts Simon Johnson and James Kwak about the factors that require systematic change and regulation in order to avoid a repeat of the 2008 financial system crisis. Johnson and Kwak are also co-authors of the book, "13 Bankers: The Wall Street Takeover and the Next Financial Meltdown."

After watching the Moyers Journal interview, the book is definitely on my must-read list. In my opinion, it should be on all voters' reading list. The interview covered some interesting topics:

  • The management styles and habits typify Wall Street that led to the 2008 meltdown
  • What needs to happen for real financial reform in Washington to be effective
  • The nature of the threat from an "oligarchy" of 6 banks that control too much of our economy and Americans' deposits
  • The case for breaking up the banks: too big to fail is too big
  • Why regulation alone isn't enough
  • What hasn't changed and how another financial meltdown can happen again
  • It's not a partisan issue as neither party (Democrats or Republicans) are getting it right

Some excerpts:

"... according to Kwak, is that the legislation currently doesn't address the central problem of the crisis, that America's banks have grown 'too big to fail.' In fact, the problem has gotten worse, with just six banks holding assets in excess of 63% of the U.S. Gross Domestic Product. Kwak explains that the crisis actually made the surviving banks more powerful... these banks have gotten bigger, because they've bought each other. They've become more powerful. And they have an even stronger market position..."

During the interview, Moyers asked:

"Over the course of my lifetime, and my working career as a journalist, I've seen one regulatory agency after another taken over by the very industries they were supposed to regulate. Regulation requires a President who is committed to tough regulation. If you get a free market President like George W. Bush, you get regulation serving the industry... If you get a Democratic Party that's been compromised by its concessions and capitulations and contributions from Wall Street, you get a regulatory system that is a joke, and that's what we have. What's to ensure that the next regulatory system won't be a joke?"

And Johnson answered:

""The person who nailed this intellectually a long time ago was from the University of Chicago. George Stigler, not a man of the left, got a Nobel Prize [for concluding that] all industries end up with the industry capturing the regulators. What's happened to us is exactly what Stigler warned against, on a massive scale. The [Obama] Administration still argues that we should delegate responsibility, going forward, for lots of things around finance - like how much capital you should have - delegate that to the regulators... Now that's crazy. That's not acceptable. That's not what they should do, particularly because any Democrat should say 'well, wait a minute, the next free market president who doesn't believe in regulation [that] comes in will gut the system.' And any person from the right who's read Stigler should say 'well, those regulators are just gonna get captured.' You've got to put it in legislation..."

One blog that I will definitely start reading regularly is The Baseline Scenario. Sadly, Brooksley Born was right, and was shunned by supposed financial experts who knew better.


TransUnion And Acxiom Modify Their Arrangement

I wrote a 4-part series in 2008 about the three major credit reporting agencies and offshore outsourcing. I have not written much about Acxiom, a company that archives and data-mines massive amounts of information about consumers. This blog post is a start to correct that reporting oversight about Acxiom.

RTT News reported:

"TransUnion, and Acxiom Corp. announced a renewed agreement... Under the new multi-year agreement, Acxiom said it will continue to manage the operation of TransUnion's sophisticated mainframe environment and supporting network processes. In addition to delivering robust and secure infrastructure management, Acxiom and TransUnion will continue to combine their data and technology expertise to help clients create accurate, real-time and consistent information across their enterprises and also enable them to drive highly personalized marketing via both companies' multichannel solutions."


Brokerage Fined For Data Breach

In a press release last week,the Financial Industry Regulatory Authority (FINRA) announced that it fined brokerage D.A. Davidson & Company $375,000 for failing to protect confidential customer information after a group of cyber criminals hacked into the firms systems. The data breach occurred on December 25, 2007 and affected about 192,000 consumers.

"FINRA found that prior to January 2008, D.A. Davidson did not employ adequate safeguards to protect the security and confidentiality of customer records and information stored in a database housed on a computer Web server with a constant open Internet connection. The unprotected information included customer account numbers, social security numbers, names, addresses, dates of birth and other confidential data. Furthermore, the firm's procedures for protecting that information were deficient in that the database was not encrypted and the firm never activated a password, thereby leaving the default blank password in place."

FINRA is the largest non-governmental regulator for all securities firms doing business in the United States. Factors that led to the fine:

"... between April 2006 and October 2007, the firm had retained independent auditors and outside security consultants to review and/or audit its network security. During the course of those consultations, the firm received recommendations for enhancements to its security systems. Although the firm implemented the majority of those recommendations, it failed to implement a recommendation, made in or about April 2006, that it install an intrusion detection system. The firm had not implemented such a system at the time the hack occurred in December 2007."

The company learned about the breach after one of the hackers sent am e-mail message on January 16, 2008, blackmailing the firm. Reportedly, the U.S. Secret Service has investigated the breach and identified four of the cyber criminals, who have been extradited from Eastern Europe, arrested, and now face charges in federal court in Montana.

Sounds to me like the fine is appropriate but perhaps not enough. In my opinion, senior company executives will only take data security seriously when jail time is a consequence. Short of that, they will play the odds and when caught pay any fines.


What Would Thomas Jefferson Do With Facebook?

[Editor's Note: Today's blog post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. She has studied what makes some individuals embrace or avoid information technology. (She’s definitely one of the former.) Michelle helps others improve their use of technology in their personal or professional life. Here's her take on privacy policy changes underway at Facebook.]

By R. Michelle Green

While pundits and politicos often mention Thomas Jefferson’s contributions to politics (or to Hemmings), I had to see the HBO series on John Adams to learn that he was an avid correspondent. More than 150 letters between the two presidents have provided historians with fascinating insight into life and politics during America’s infancy.

If Jefferson were alive today, would he share those thoughts with hundreds of Facebook friends (and their friends)? Or would he reserve his musings for Adams alone, friends so close even death could not part them for long? Regardless of his decision, I’ll bet all of Jefferson’s marbles that he would have made the decision knowledgeably, not by default – an informed population could appropriately protect its rights and monitor its government. Will informed decision-making be enough when it comes to Facebook (FB) and the like?

I like FB, but I’m no power user. I typically don’t stay logged on more than an hour or so, and I might actually post a status update twice a month. I don’t play the games, I don’t buy things, I don’t use the invite features or the birthday greetings – you see where I’m going here. On the other hand, I am old enough and gregarious enough to have many sets of FB friends: from lifetime buddies to people who don’t know my first name. Past employees, maybe future bosses and clients are on FB with me. So FB’s structure, rules and organization are relevant to me.

I know there’s data out there with my name on it under scrutiny somewhere, whether I like it or not. People who rail about privacy losses or who expect someone to sort it all out have missed the point. Unless you and your bicycle are willing to go cash only and crash at your friends’ houses forever, you’re leaving a data trail. The best you can do is be forearmed and knowledgeable.

Reading the documents made me more aware of the scope of FB operations. Developers, applications, business pages, fan pages, mobile devices, Facebook connect partners – there are a great many all coming to this one entity to gorge themselves at the data trough. Understanding your relationship to this and other giant aggregators of data and connections is IMHO per se important, whether your definition of privacy connotes concerns for secrecy or the ability to control.

Facebook has recently proposed changes to two major governing documents: their Privacy rules, and their Statement of Rights and Responsibilities (SRR -- formerly Terms of Use). If you plan to read them all, ratchet up the font size, find a comfy chair and get your favorite caffeine hit before you start. The best place to look at existing, proposed and marked up documents is here, a link conveniently provided in a summary of key changes by FB Deputy General Counsel Michael Richter.

I make no claims on thoroughness – these are things that I noticed or found interesting. You may want to check yourself to see how FB relates to you, particularly if you are a developer, a frequent app user, a FB page administrator, or a mobile user.  I am currently none of those things, and possibly (probably?) nodded off reading those paragraphs.

I found some of FB’s changes to be simply blunter expressions of their original statement. With your privacy settings, for example, the new text makes it clear that ‘everyone’ means the set of all people who use the net – FB users and non-users. At your request, FB will delete questionable content that had been marked ‘everyone.’ FB has no control over the search engines that have likely indexed and cached that content, however. And while you can delete a post you make, you can’t delete a message you send.

The Facebook Connect process was new to me, though I had begun to see its presence on pages I visit. It permits you to register for a site using your FB credentials, ‘freeing’ you from the drudgery of establishing a new profile and password. In payment for that freedom, you gave that site access to “General Information” about you, defined by FB as, "you and your friends’ names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting.” Under the right circumstances, you’ll also be sharing your and your friends’ location or age. And if you post content from that site to FB, its privacy settings, not yours, are in play.

This is also true with mobile devices. When you post to FB from your smartphone, that device’s privacy settings are in play, not yours. Where are those settings? Are they in the phone, or on the SIM card? Inquiring minds would want to know. One of the new paragraphs in the SRR targets mobile users, saying, “You provide all rights necessary to enable users to sync their contact lists with any basic information and contact information that is visible to them on FB, as well as your name and profile picture.” And don’t forget communication is two-way: I can have def con 1 privacy settings, but if I post to your wall, my post is now governed by your privacy settings.

So let’s play out a scenario. I have multiple e-mail accounts, many if not most of us do. Maybe I have an ‘anonymous’ e-mail account that I used several years ago to contact you. Maybe you put it in an address book and labeled it with my name. You used Friend Finder when you first joined FB, so FB harvested your address book for contacts. And you’re a busy guy, so you haven’t done the work to change the default privacy settings on your FB account. FB has your permission to send out an invitation to yet a third party, who might know my friend, adding that you might also know these other people. Now my profile picture is associated with my anonymous e-mail address, and I - never - even - know.

It is still puzzling the ways information associated with me behaves. It’s one of those things where the more you know, the more you don’t know. I found an interesting FB page called my invite history: “See your entire history of invitations, including who has joined because of you.” Go to "Invite Your Friends" and look for the "View All History" link to the right. I did not knowingly make some of those requests. Most names or email addresses I recognized, some I do not. Meanwhile the list erroneously showed some current FB friends as not on the network. I found that FB will let me delete my name from future invite suggestions, though I don’t know how well or quickly it will work.

Despite the comments above, I am impressed with the public lengths FB has gone to establish positive relationships with its member base. It speaks to Facebook’s understanding of privacy as control. If you want to voice your opinions on the running of the platform, you can become a fan of the Facebook governance page. As a fan, you will receive notices of changes to governing documents. I liked the redline documents best – this shows the original text and the altered text of the SRR in a PDF with changes highlighted. If a suggested change gets more than 7,000 comments, FB will offer alternatives that users can vote on. If 30% or more of registered users vote, the vote’s result will be binding on the company.

That’s a hell of an approach for a corporation, particularly a privately-held company. The cynic in me that wants to call this hype still recognizes it’s pretty damn substantive hype. It does give Facebook leave to say, however, that whatever happens to your data depends on you, the enlightened citizenry of the Facebook Republic.


© 2010 R. Michelle Green. Reprinted with permission.


Stolen Data About India, The United Nations, and The Dalai Lama Traced To China

This InformationWeek article caught my attention for two reasons. First, because of the targets:

"... the Indian Ministry of Defense, the United Nations, and the Office of the Dalai Lama, among other organizations.... The security experts who revealed the attacks managed to track the perpetrators over eight months... Some of the stolen data consisted of visa applications provided to Indian embassies, for example. Other data recovered included some 1,500 letters sent from the Dalai Lama's office... The malware used to compromise victims typically involved an element of social engineering, to convince recipients to open infected files. The attackers used PDF, PPT, and DOC files to exploit old and recent vulnerabilities in Adobe Acrobat and Acrobat Reader, Microsoft Word 2003 and Microsoft PowerPoint 2003."

There was a time when PDF documents were safe. I guess that time has passed. And yes, I follow the Dalai Lama on Twitter. The second reason (bold text added for emphasis):

"The report on the attack... is called Shadows in the Cloud: An investigation into Cyber Espionage 2.0... represents an attempt to differentiate between previous hacking methods and an emerging approach that relies on "the misuse of social networking and cloud computing platforms, including Google, Baidu, Yahoo, and Twitter... The researchers identified three Twitter accounts, five Yahoo Mail accounts, twelve Google Groups accounts, eight Blogspot blogs, nine Baidu blogs, one Google Sites account, and 16 blog.com blogs that were part of the attackers' infrastructure. The report concludes by warning that the selling points of cloud computing -- reliability, distribution, and redundancy -- are the very properties that make cloud services attractive to cybercriminals."


Adzilla Quietly Settles Class-Action Lawsuit

About a year ago, I wrote about the class-action lawsuit involving Adzilla. Last week, Media Post reported:

"A privacy lawsuit against behavioral targeting company Adzilla and its partners was quietly settled late last month, according to court records. Adzilla, which stopped operating in the U.S. in 2008, did not acknowledge any wrongdoing as part of the settlement... Adzilla agreed that it will "require opt-in consent of consumers or any consent that may be required to avoid violation of the Electronic Communications Privacy Act" should it resume ISP-based targeting in the U.S."

Readers of this blog know that I am a proponent of opt-in systems; to require behavioral advertising companies to clearly notify and inform consumers first and to only collect data about consumers after gaining explicit, prior consent via a conspicuous online opt-in mechanism. Several Internet service providers abused consumers' rights by collecting data without notice and without gaining prior consent.

Unfortunately:

"The settlement leaves unresolved whether it's legal to target Web users based on data purchased from Internet service providers."


Medicare Fraud: What It Is And How To Avoid Becoming a Victim

What is medicare fraud? In the Medford Transcript via Wicked Local, Dan O'Leary provides a definition for elders:

"Medicare fraud occurs when an individual receives Medicare benefits to which they are not entitled. How would this work? Perhaps someone approaches you in a parking lot and offers you free groceries if you give them your Medicare number. Or, maybe you receive a telephone call from a person who claims to be conducting a survey and asks for your Medicare number."

You should not disclose your Medicare number in either of the above situations. How to protect yourself:

"You should only divulge your Medicare number to your doctors and other providers approved by Medicare. To see if a provider is approved by Medicare, call 1-800-MEDICARE (1-800-633-4227). In addition to protecting your personal information, you should treat your Medicare benefits like any other valuable service. Be wary of offers that claim to provide Medicare services for free. Be cautious of any health provider that says it has been endorsed by Medicare."

If your Social Security card is lost or stolen, visit the www.socialsecurity.gov site. If you suspect or experience medicare fraud, report it to the Office of Inspector General as soon as possible. You can also report Medicare fraud at the Medicare.gov site.


LPL Data Breach And Theft

Many companies and financial services Web sites advertise "bank-level" security. This news story is a sober reminder that data security is only as good as the employees who handle your sensitive personal information. Investment News reported:

"LPL Financial yet again has fallen prey to a technology blunder that placed private client information at risk. An unencrypted portable hard drive was stolen from the car of an LPL representative Feb. 24... The adviser, Christian D'Urso of StoneRidge Wealth Management in Beaverton, Ore., had one client in New Hampshire... As a result of the theft, private client information, including names, addresses, dates of birth and Social Security numbers “may have been breached,” Marc Loewenthal, LPL's senior vice president and chief security and privacy officer, wrote... This isn't the first time... In 2007, the firm reported that computer hackers had compromised the login passwords of 14 financial advisers and four assistants."

Reportedly, LPL has about 12,000 representatives and advisers, making it the nation's largest independent-contractor broker-dealer. What our government is (or is not) doing about data security at financial services companies:

"Neither the Financial Industry Regulatory Authority Inc. nor the Securities and Exchange Commission require notification of privacy breaches by advisers or firms, though a proposed amendment to the SEC's Regulation S-P would add this. That proposed amendment, 17 CFR Part 248, “Privacy of Consumer Financial Information and Safeguarding Personal Information,” was published in March of 2008 but remains pending."

In my opinion, FINRA and the SEC both should require advisors and firms to notify breach victims of data breaches. According to a company representative, the consequences to LPL advisers who lose client data start with a formal reprimand, increase to fines, and then to termination. A formal reprimand? That sounds too weak to me.

I want to know what the consequences are for senior company executives when their company experiences multiple data breaches; especially companies that handle other people's money.


Facebook Newbie? Read This First

[Editor's Note: I am happy to introduce guest author R. Michelle Green, the Principal for her company, Client Solutions. I met Michelle in T'ai Chi Ch'uan class. She is a combination geek girl, personal organizer, and career coach. She has studied what makes some individuals embrace or avoid information technology. (She’s definitely one of the former.) Michelle helps others improve their use of technology in their personal or professional life. Here's her take on Facebook.com including some tips even experienced Facebook users may not know.]

By R. Michelle Green

Two of my friends just joined Facebook. Just.

If you are in their company, here are some things you should know.

When people first friend you, you think "Wow, he thought of me! Sure, I'll friend that guy from third grade!" Then a month later you're like, "Why did I do that? I have nothing to say to him." What if it’s a one-night stand from college? The first boss you ever had? It's flattering at first, maybe even interesting for a month or two. Then you realize that one of them is flooding your news feed with their obsession with lolcats. So think before you click.

If you have authority over others who friend you, you may want to decide in advance on a friending policy. For example, I know a college administrator who only friends students after they have graduated. Thinking it through in advance can save some embarrassment later.

Some of your friends may friend your friends just because s/he’s your friend (whoa – that made me dizzy). Unless I am sure it’s someone I know, I don’t friend profiles without a picture. Even so, one friend had to put a warning on her page to beware of an impostor. The impostor's Facebook page used my friend's pictures and particulars. Facebook's Help Center was unresponsive. The impostor is no longer visible but we never knew for sure if Facebook took down their account, or if the impostor simply tired of the game.

If you like, you can always de-friend someone. They will not receive a notification from Facebook, but if they have just two friends, they will notice that you are no longer on their friends list. (That may matter to you.) If they have 100 friends, they'll never notice.

Think about where and how you reply to people. If you write it on their Facebook wall, or comment to a status post, people you may never meet may read it as a notification or part of their news feed (never meet that is, until they become your boss or something). About 50% of the time, I choose to reply with specific messages, and rarely use the write-on-the-wall feature.

Another caution: sending someone a message lets them look at your profile for a little while, even if they are not your friend. So, if someone you don't know or can't verify somehow contacts you, ignoring the message is your best bet. Here's a scary article showing you the lengths some will go to hack your Facebook account.

Be careful of stuff sent to you, even by people you respect (their Facebook account may have been hacked). The koobface virus, the crush me virus, and marketing things like the free $500 Whole Foods card scam come to mind. A tech savvy friend fell for the Whole Foods card scam, and the program sent info requests pushing the same deal to all his friends under his name.

If someone can hack (or guess) your password just from looking at your profile (see note about sending messages, above), bad guys may hijack your Facebook account, block key people (e.g., spouse, kids), and then send friends desperate messages without your knowledge (“help I’ve been mugged overseas, send money!”). Things like this have led me to construct my longest online password for use on Facebook; one I don’t use anywhere else.

Review your privacy settings. The "Friends of Friends" setting sounds alright, but in practice is problematic. Two of my friends are performers – they have over 250 friends each, some of whom are also performers. You do the math.

You can set varying privacy limits by building lists of friends. For example, set up an immediate family list and give them special access. I’m up to 8 lists at this point. Check periodically to see if your profile looks the way you want it to by others within each list (there's a mechanism for that on your Facebook Settings page).

There are a lot of cool games and time wasters on Facebook. I read them, but I won’t participate. I may be too conservative -- I have never played Scrabulous for example (huge hit, Scrabble knock off). I won't give Facebook access to my other e-mail address books (even if I used them, I wouldn't). I won't even sign up for people to send me birthday wishes. These applications permit developers to look at your profile information and often that of your friends. (Reading Facebook's Terms of Use and Privacy can be very scary.) I don’t give marketers data for free if I can help it. The ACLU has created a great app that lets you see what your profile looks like to a Facebook developer.

To learn more, read these online articles:

So that's as armed as I think I can get you. Go forth and friend.


© 2010. R. Michelle Green. Reprinted with permission.


Upcoming Events: ID-Theft Prevention And Electronic Privacy

On Saturday, April 10, AARP Massachusetts will sponsor “Fight Fraud - Shred Instead” in support of Create The Good from 9 am to 12 pm in the Basketball Hall of Fame parking lot (1000 West Columbus Avenue, Springfield – off Route 91). Too many consumers don't have a shredder at home and/or don't understand the benefits in shredding documents with sensitive personal data to protect their sensitive personal information, credit, and bank accounts. A mobile shredder truck will process documents for recycling. You can bring up to three medium sized boxes, or one large garbage bag. Read this if you are not sure what documents to keep versus shred.

In Washington, DC the PrivacyCampDC 2010 conference about electronic privacy and government policy will take place on April 17, 2010. The goal of the event is to connect researchers, developers, practitioners, citizens and other enthusiasts for collaboration and knowledge sharing.

The event is sponsored by several organizations including the Center for American Progress Action Fund, the The Center for Democracy and Technology, the The Future of Privacy Forum, the Sunlight Foundation, and others. To learn more, read the PrivacyCampDc wiki.

If you can't attend the PrivacyCampDC event, the PrivacyCampSF 2010 conference will take place on May 7 in San Francisco.


Would You Recognize A Phishing E-Mail Message?

Lately, I have received e-mail messages from friends who had their e-mail accounts taken over by spammers or identity thieves. So, today's post is about how to spot fraudulent e-mails, a critical part of practicing good data security habits to protect your e-mail account and sign-in credentials.

Recently, this e-mail message arrived in my in-box:

"From: "Earthlink Company" <[email protected]>
Sent: Saturday, March 13, 2010 11:34 AM
Subject: Your account

Dear Costumer,
Please due to the upgrading of our site earthlink we will want all the earthlink users please confirm with us that you are still using our service kindly provide to us.
Username....................
Password....................
your full name..............
we are doing all this to protect all of our costumer from the hackers.and if you do not fill in the information within 48 hrs your account will be close down as spaming account.

Thanks,
Earthlink.Inc"

At first glance, the message and return address seemed legit, but aren't. How to tell? First, my Internet Service Provider (ISP) already knows my sign-in credentials and would never ask. Second, the numerous spelling and grammar mistakes were suspicious. Third, the return address had been faked.

How do I know? My e-mail software program lets me view (e.g., File --> Properties --> Details) the message header, which displays who the e-mail message is really from (bold added for emphasis):

X-MSK: CML=4.501000
Status:  U
Return-Path: <[email protected]>
Received: from mx-jacana.atl.sa.earthlink.net ([127.0.0.1])
    by mx-jacana.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1nQtmG3SI3Nl34e0; Sat, 13 Mar 2010 10:34:58 -0500 (EST)
Received: from elasmtp-galgo.atl.sa.earthlink.net ([209.86.89.61])
    by mx-jacana.atl.sa.earthlink.net (EarthLink SMTP Server) with ESMTP id 1nQtmo7ga3Nl34e2; Sat, 13 Mar 2010 10:34:40 -0500 (EST)
Received: from [41.17.120.115] (helo=User)
    by elasmtp-galgo.atl.sa.earthlink.net with esmtpa (Exim 4.67)
    (envelope-from <[email protected]>)
    id 1NqTMO-00053T-3m; Sat, 13 Mar 2010 10:34:40 -0500
Reply-To: <[email protected]>
From: "Earthlink Company"<[email protected]>
Subject: Your account
Date: Sat, 13 Mar 2010 17:34:26 +0200
MIME-Version: 1.0
Content-Type: text/plain;
    charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
Message-ID: <[email protected]>
X-ELNK-Trace: ba88a12321140fc6c5c7b6c64e756277239a348a220c2609c3b53c1b6ce03c2ce4568839ea4ccbc693caf27dac41a8fd350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 41.17.120.115
X-ELNK-Received-Info: spv=0;
X-ELNK-AV: 0
X-ELNK-Info: sbv=5; sbrc=-3; sbf=bb; sbw=010;

The message wasn't from my ISP, but from an identity thief or spammer in South Africa. If I had replied to this phishing message with my sign-in credentials, the thief could have taken over my e-mail account and accessed my payment information (e.g., credit card number) -- and really done some damage.

So now you know what to do if you receive an e-mail message that looks suspicious. Don't reply. View the message header. The commands in your e-mail program may be different, but you can view any message header. If it is a fraudulent, report it to your ISP. Then delete the e-mail message.


If No/Slow Economic Growth Is In The Future For The USA, What Will You Do To Cope?

I try to balance articles between abuses of consumers (e.g., identity theft and fraud, corporate data breaches, corporate irresponsibility) with tips and advice for consumers to protect themselves. It is a challenge because the world around us is changing quickly. Trends I see:

  • There are new services that didn't exist 5 or 10 years ago (e.g., online banking, smart phones, opt-out resources, reputation management services)
  • The digital economy means more companies collect and share your sensitive personal information
  • The global economy means a greater number of companies outsource work to both firms with the same country or firms in other countries
  • The global economy means that work, and your sensitive personal information, easily move across country borders
  • Across several industries, companies pursue more aggressive Internet technologies
  • Companies increasingly adopt an aggressive marketing posture with products and services based on opt-out instead of opt-in
  • In an increasing identity economy, companies pursue government sources with rich identity data
  • Criminals quickly adapt their methods to take advantage of new technologies

Change is everywhere. One former employer outsourced work to firms in several states, Vietnam, and Argentina. Another former employer outsourced work to Costa Rica. I've written extensively about offshore outsourcing by the three major credit reporting agencies. To cope with expensive health care, some consumers pursue medical tourism.

Change is everywhere. We consumers increasingly use anti-virus software on our home computers. The anti-virus software on my computer updates itself almost daily. I'll bet that yours does, too. When I use a public computer or my laptop over public WiFi, I now use private browsing. Alert Internet users are aware of both phishing e-mail and sites.

As laptop use rose, so too did threats like sidejacking. As debit card use rose, so too did threats like skimming for both credit/debit cards and RFID or "contactless" cards. New terms have emerged like money mules, whaling, and social war dialing. Never before did consumers have to worry about fake ATM machines.

We consumers are slowly learning about identity theft and the difference between Fraud Alerts and Security Freezes for our credit reports. Five years ago, Security Freezes didn't exist. What passed as good debit/credit card protection by companies 5 years ago is no longer acceptable. Debit/credit card transactions processor Heartland learned this the hard way.

In the Christian Science Monitor Simple Dollar blog,  Trent Hamm discussed the rapid pace of change, the global economy, and what it may mean for U.S. citizens:

"My belief is that, for the most part, the standards of living everywhere else in the world will rise rapidly to meet the standard of living in the United States. However, I also feel that our standard of living here will probably never grow at the same rate as it did in the twentieth century. In short, I think our growth rate will be much lower than that of the rest of the world and may in fact be a slow reduction over a long period of time."

My own work situation changed recently from traditional full-time employment to freelance/contract work. I set my own work hours now and negotiate with several firms needing UI/IA work. So, I am sensitive to and mindful of the above economic trends.

What should consumers do? Hamm suggests the following for consumers:

"... there are two key solutions for this – and they’re solutions anyone can follow. Plus, they’ll benefit everyone regardless of whether they believe such change is happening or not. And these two key solutions are summed up in one phrase: spend less and/or earn more. We can spend less by recognizing that we don’t need every service or tool that comes down the pipe."

I agree. I try to be selective about which Internet and communications technologies I use. I don't buy the newest cable television package. Rather I buy the package that best fits both my television viewing habits and budget. I don't buy the newest smart phone. Rather, I buy the phone and calling package that best fits my calling habits and budget. And, I closely read both the terms and conditions and privacy policies at the Web site.

We consumers are learning about identity theft and fraud. I believe that it is wise to use a similarly selective approach when choosing a credit monitoring service.

Hamm's second solution:

"... we can earn more by improving our soft skills... This is true in any field. Everyone has hard skills that they can provide to the world. We’re all good at something – and some of us are good at several different things. When you have your choice among people who are good at a particular task, you don’t choose because of the hard skills. You choose because of the soft skills. Do they communicate well? Do they listen well? Are they organized? Are they responsive? Do they spend their time improving themselves or improving the community?"

In my experience, Hamm's solutions apply to both individuals and companies. For companies, some marketers might call these "soft" skills as branding activities... the interactions between the brand and both its customers and prospective customers. Other might suggest these interactions on social media sites.

When I review credit monitoring services, I look at both the "hard skills" (e.g., the specific credit monitoring, alerts, credit repair, resolution, etc.) and the "soft skills" (e.g., customer support, communication with prospects and customers, web site ease of use, communications methods and social media sites used, etc.).

However you describe it, what passed for a quality product or service 5 years ago, won't do today. And, a quality product or service today won't do 5 years from now. The bar has been raised -- and continues to move upward -- for what passes as customer satisfaction and quality levels of service.


Boston Rated The Number 2 Place For Cyber Criminals

According to a recent Symantec study reported in the Boston Business Journal, Boston is apparently a good place to do business, if you are a cyber criminal. Boston rated high on the list due to the availability of unsecured WiFi hotspots, a concentration of cyber crimes, and a large number of zombie computers -- consumers' home computers used to distribute spam.

The top 20 cities for cyber crime from the study:

  1. Seattle
  2. Boston
  3. Washington, D.C.
  4. San Francisco
  5. Raleigh, N.C.
  6. Atlanta
  7. Minneapolis
  8. Denver
  9. Austin, Texas
  10. Portland, Ore.
  11. Honolulu
  12. Charlotte, N.C.
  13. Las Vegas
  14. San Diego
  15. Colorado Springs, Colo
  16. Sacramento, Calif.
  17. Pittsburgh
  18. Oakland, Calif.
  19. Nashville-Davidson, Tenn.
  20. San Jose, Calif.

To read the full list of the 50 riskiest cities, read the Boston Business Journal article and the Symantec news release.


Homeowners Who Defaulted On Mortgages May Find Collectors Chasing Them For Years

The Sacramento Bee reported that collection agencies will still pursue homeowners for years after they defaulted (e.g., foreclosed or short-sale) on their mortgages:

"... lenders have been quietly selling second mortgages and home equity lines left unpaid after foreclosures and short sales. The buyers: collection agencies, which in California have up to four years to make a claim. If they win court judgments, these collectors could have years to pursue borrowers with repayment plans, and even garnish their wages..."

Experts warn that the only options for consumers are to arrange a debt negotiation plan or file for bankruptcy. Note: debt negotiation is not the same as debt consolidation. And, debt negotiation is not the same as debt elimination. The Better Business Bureau (BBB) offers advice for consumers:

"Debt negotiation companies claim that they will negotiate with a consumer’s lenders to lower the total amount of debt owed for an upfront fee. Unfortunately, some consumers who paid for debt negotiation services found out that the company never contacted their lenders, but instead, took their money and ran. Because the debt negotiation company made it sound like they had everything under control, the consumer stopped talking directly with their lenders and ended up slipping deeper into debt. Relying on debt negotiation firms could also put a dent in a consumer’s credit report."

So, talk directly with whomever owns your mortgage: the bank or lender.


Retirement Plan Flow Analysis For Corporate Executives

Today is April Fools day, but this is no joke. According to Bankrate:

"In 2007, the U.S. Department of Labor's Employee Benefits Security Administration, or EBSA, the agency charged with enforcing 401(k) regulations, investigated more than 1,326 cases of 401(k) mismanagement or malfeasance, resulting in more than $51 million in restitution and penalties."

Do the math: that's $38,460 per case. That's not small change.

So, it seems that the senior executives at many small, medium and large companies have "mugged" their employees. These executives seem to manage their employee 401(K) retirement plans using the flow below:

Retirement plan flow analysis for company executives