Previous month:
July 2010
Next month:
September 2010

22 posts from August 2010

Free Cruise Vacation Offer: Legit Or A Scam?

Readers who know me personally know that I am a huge cruise fan. My wife and I have sailed on 17 cruises during an 11-year span. Some of the voyagers were as short as five days; others as long as two weeks. We have sailed to numerous ports in Alaska, Bermuda, the Mediterranean, the Hawaiian islands, the Panama Canal, and of course the Caribbean (South, West, and East).

We have sailed on the well-known cruise lines: Carnival, Royal Caribbean, Norwegian, Princess, Holland America, Celebrity, MSC, and Costa. For about eight years, I was the webmaster for a cruise travel website for interracial families. During a prior job at a digital advertising agency, one of my clients was Celebrity Cruises. So, I am very familiar with the cruise industry.

Perhaps you have seen recently an offer for a free cruise. Or maybe a friend or family member is asking you to join them on a free cruise. With online scams and identity theft risks, some consumers are understandably wary of these free cruise offers. How can a consumer spot a valid offer from a scam?

Over at Cruise Critic, a popular website and online forum used by cruise vacation fanatics, there is a good article by Dan Askin explaining these "free" cruise vacation offers, and a couple of the companies operating them. Some of the fees and expenses cruise passengers will have to pay during their "free" cruise vacation:

  • Government taxes, fees,and port charges (e.g., a fee cruise lines pay per passenger to each port their ship visits)
  • Daily tips for your cabin steward, waiter, and waiter's assistant
  • Alcoholic drinks
  • Souvenirs and items bought at on-board shops
  • Shore excursions and tours

Find out if you also have to sit through a timeshare pitch. Also, know the company you are dealing with before you send any money. If the company name is unfamiliar, research it at one of the cruise fan websites (I have used Cruise Critic, Cruise411.com, and Cruise-Addicts.com) or the Better Business Bureau website for any reviews and/or complaints. You want to find reviews by consumers who have already sailed on the cruise line and/or ship in the offer. You might also check the travel section at ePinions.com.

About a cruise offer from a particular company, Askin wrote:

"Celebration Cruise Line is the actual name of the line on which you'll be sailing. Caribbean Cruise Line is not a cruise line at all, but the name of a wholesaler that's touting the free cruise. But, the difference between line and wholesaler seems to be blurry at best, with many, many complaints on sites like Cruise Critic, complaintsboard.com and ripoffreport.com conflating line and seller... As a travel wholesaler, Caribbean Cruise Line is licensed and bonded in the State of Florida... the charges against Caribbean Cruise Lines have been fast and furious -- consumers have had difficulties getting refunds, been subjected to aggressive sales tactics, discovered that salespeople had misrepresented cabin location... Florida's Division of Consumer Services (DCS) has record of at least 40 complaints..."

Many cruise lines based their marketing headquarters -- the business function that sells cabins to consumers -- in south Florida because that's where the ships depart for Caribbean port destinations. So, you may find the Florida DCS website helpful. Cruise Critic devotes a section of their online forum to Celebration Cruise Line.

In my experience, I always purchased a cruise vacation through a known, reputable travel agent. Why? I got a better price with a travel agent partly because I managed a cruise group. Plus, I let the travel agent do what they do best: deal with the cruise lines, airlines, and any travel wholesalers. I never bought a vacation from a travel wholesaler. Travel agents know the trustworthy travel wholesalers from the ones that aren't.

Which cruise line is my favorite? Which port destination is my favorite? Ha! Buy me a beer sometime and I may tell you.


FTC Sues Three Companies for Deceptive Marketing of Medical Discount Plans

Perhaps you have seen the print or online ads offering inexpensive medical coverage. Are these plans worthwhile or a scam? According to David Vladeck, Director of the FTC Bureau of Consumer Protection:

“With so many Americans struggling to deal with the costs of health care, these medical discount benefit plans sound appealing because they masquerade as health insurance. But they are not insurance. They don’t offer the benefits of health insurance, and victims don’t know they’ve been ripped off until after they’ve tried to use the service and paid their bill.”

As a result, the FTC has taken legal action against three health care organizations for deceptive marketing of medical discount plans: Consumer Health Benefits Association (CHBA), Health Care One LLC (HCO), and United States Benefits LLC.

A U.S. district court has already ordered a temporary halt to CHBA for a variety of deceptive marketing actions. CHBA charged consumers enrollment fees of $29 to $280 in enrollment fees before providing consumers with written information about the plan. CHBA claimed that its plan was widely accepted by doctors, when in fact it wasn't.

You can read actual complaints by consumers against CHBA on both the ComplaintsBoard.com and ConsumerAffairs.com.

Things are similar with Health Care One LLC (HCO). In another legal action, the FTC alleged that HCO's marketing material claimed that the company's plan was widely accepted by doctors, when in fact it wasn't. The company's marketing materials also said that consumers who enrolled in the HCO plan would receive substantial savings on health care costs, when these savings were not possible. According to the legal complaint against HCO, the company does business under several other names including HealthcareOne, Americans4 Healthcare, Citizens4Healthcare, American Eagle Healthcare, EasyLife Healthcare, Elite Healthcare, Global Healthcare, and Republic Healthcare.

The FTC and the Tennessee Attorney General's office worked together regarding United States Benefits (USB). USB allegedly charged consumers $100 to $500 enrollment fees plus $300 to $1,300 monthly fees. When consumers tried to complain, cancel, or seek a refund, they were ignored. Also, USB allegedly marketing its medical benefits plans disguised as major medical health insurance. USB telemarketers claimed that the plan was available to all, including consumers with pre-existing conditions. After enrolling, the plan information materials consumers received stated that they joined a "benefits ssociation" instead of a health insurance plan.

According to the Tennessee AG's website, USB does business under other names including United States Health, United Benefits of America, UBA, United Benefits, United Health Benefits, Health Care America, HCA, National Benefits of America, Insurance Specialty Group, and Adova Health.


Beware of Credit Card Interest Rate Phone Scam

Yesterday afternoon, I received a phone call. It was one of those robo or automated calls with a recording that identified itself as:

"This is account services calling to offer you a lower interest rate on your credit cards, if you sign up today..."

Of course, this sounded like a scam because, a) the extreme time-sensitive demand and, b) the caller never mentioned their company or bank name.

To learn a little more about this scam, I pressed "1" when prompted to speak with a live customer service representative. I wanted to ask more questions to collect information about this scam. The person on the phone said:

"Hi This is Ryan. I work with Visa and MasterCard. I'd like to help you lower your credit card interest rate. First, I need you to tell me some information about yourself."

I said hello, thanked Ryan for the phone call, and politely asked what company he worked with. Ryan replied, "Visa and MasterCard."

I replied that that I needed to know more. I need to know what company or bank he worked at since his answer didn't tell me. So, I asked him again, what company he worked at.

Ryan hung up the phone.

A word to the wise seems appropriate. If a caller cannot properly identify their self or their employer, don't do business with them. I was prepared to hear more of Ryan's pitch so I could share details about this scam on this blog, but Ryan realized I was on to his scam and he hung up the phone. I doubt Ryan was his real name. More likely, this was a phishing scam to trick consumers to either reveal their sensitive personal information (e.g., name, address, birth date), bank account numbers, and/or credit card numbers, or to sign up for an expensive, unnecessary credit reduction plan.

According to an alert from the U.S. Federal Trade Commission (FTC):

"The companies behind the sales pitches claim to have special relationships with credit card issuers. They guarantee that the reduced rates they offer will save you thousands of dollars in interest and finance charges, and will allow you to pay off your credit card debt three to five times faster. They claim that the lower interest rates are available for a limited time and that you need to act now."

The FTC emphasizes that these companies cannot do anything for consumers that you can do yourself for free. You can negotiate directly with your credit card issuer for a lower interest rate. If you receive a phone call like this, the FTC suggests that consumers do not give out any personal information and simply hang up.

Moreover, this robo-caller was breaking the law as my home phone is on the Do Not Call list. Unfortunately, I was unable to get the company name. Otherwise, I would have reported this phone fraud to the FTC.

The other question I use to flush out scam artists and fraudsters is to ask them for their phone number because I am busy but want to call them back later. They usually hang up at that point, too. If you want to learn more about how to recognize phone scams, visit the FTC Phone Fraud website.


I've Been Mugged Mentioned in SC Magazine

The CyberCrime section of SC Magazine recently ran a two-part article series on the identity-theft risks with call centers. This blog was mentioned in part one and in part two. I was asked about the risk issue related to consumer notification of breaches by vendors or subcontractors located outside the USA. It was also an opportunity to mention my four-part series from 2008 about offshore outsourcing.

I encourage I've Been Mugged readers to visit the article series. Thanks to Charles Jeter and SC Magazine for the coverage.


Author Naomi Wolfe Sues Bank For Identity Fraud And Negligence

The Smoking Gun website reported that Naomi Wolfe, author of several best-selling books including "The End of America: Letter of Warning to a Young Patriot," has sued her bank over an identity fraud case and negligence. Wolfe alleges that her bank, WaMu, failed to protect her financial accounts and went so far as to delay any help assisting Wolfe so that they bank could avoid liability to replace the stolen funds. About $300,000 was stolen from Wolfe's account.

Wolf claimed that, after discovering the financial account fraud in 2005, WaMu Wolf instructed her to keep her accounts open while the bank investigated the fraud. As a result, the thief continued to steal money from her account and:

"While she took “reasonable steps to investigate and remedy the losses in her accounts,” Wolf alleges that WaMu sought to “cover its negligence” by impeding her efforts."

If proven in court, this would be a new low for a bank. Wolfe basically claims that the bank delayed fraud investigation due to greed. The bank stood to lose money if it investigated in a timely fashion, so the more profitable route was to not help a customer investigate and resolve identity fraud.

In 2008, WaMu was seized by federal banking regulators and then acquired by JPMorgan Chase. Reportedly, this was the largest banking collapse in the United States. The Wall Street Journal reported earlier this month that a bankruptcy judge has approved an investigation into WaMu's collapse, based in part on the bank's involvement in risky mortgages.

Documents available at the Smoking Gun website include bank emails and a link to the legal complaint. Additional news coverage is at the Huffington Post website.


Privacy Quiz: Are You More Recognizeable Than Jackie O.?

Apparently, I am -- according my results of the Digital Privacy Quiz by the ACLU.

I took the online quiz the other day. It was easy and informative. The quiz helped me understand the ways we consumers are tracked, the lack of choice we face, and which of my online habits create risky to my privacy.

Most of the quiz uses a tongue-in-cheek approach with humor. So, don't expect a rigorous, serious-toned academic type quiz.

I like the phrase "digital privacy" because it is more than simply online privacy. It encompasses all of the ways companies collect information about consumers, and the variety of our habits that create information digitally.

Of course, the ACLU is interested in recruiting consumers to join their petition of Congress to tighten laws to protect consumers' digital privacy. Disclosure: I am and have been an ACLU member for many years. Also, I have spoken at a prior Massachusetts ACLU convention. I hope that you will take the quiz, and then read and sign the petition.

Last, a link for those who don't know who Jackie O. was.


Facebook Introduces New Location-Based Feature With Privacy Flaws

Last week, Facebook has introduced its new location-based service, Places, and the media has discussed it extensively. Mashable features a video about Places by the Facebook developer team. My initial reaction was that this didn't affect me because I do not use or upload data to Facebook with a smart phone or mobile device.

I was wrong.

Last Thursday, I signed into Facebook and browsed my privacy settings to see what was new. I saw several new options for Places, so I used a step-by-step guide at PC World to disable Places. There is another step-by-step guide with video at Lifehacker. Changing my privacy settings to disable (e.g., opt out) Places took me about 30 minutes.

What really irritated me about Facebook Places is two things. First, in response to concerns raised by the ACLU Facebook executives stated that the new program is opt-in and not opt-out. In my view, that is a bunch of bull. The program is opt-out as the ACLU warned. I can't imagine why Facebook executives would claim the feature is one thing, when it's actually another. Why? Keep reading.

Like many consumers, I prefer features built on an opt-in basis. Opt-in makes my life easier and there's less to manage. I only worry about or familiarize myself with a feature's details when I decide to sign up or "opt in" to that feature. With features built on an opt-out basis, consumers are automatically included. While consumers have choice, opt-out places the burden on consumers to continually learn about and familiarize themselves with every new feature, and then take the time and effort to sign out or "opt-out" when they don't want to participate in the new feature.

Second, Places is an opt-out program because it members have to change their privacy settings if they don't want to participate in Places. What are the changes you must make? After signing into Facebook, below are privacy settings I had to change:

  • Places I Check In To. Facebook automatically defaulted my privacy setting for this to the same as my other privacy settings: "Friends Only" which meant I was already included in Places even though I don't want it and didn't ask for it. I changed this setting to "Only Me." If this program was truly opt-in, this privacy setting would default to options like "Disabled" or "No" to reflect that I am not in the program -- until I indicate so by changing it.
  • Include me in "People Here Now" after I check in. If I am truly opted out and not in Places, then I should never see this privacy setting until after I have opted-in and enabled Places. By showing this, Facebook makes its interface unnecessarily confusing.
  • Friends can check me in to Places. Facebook automatically defaulted my privacy setting for this to "Enabled" so that my friends can include me in location-based status messages. Again, I didn't want this nor did I ask for this, but Facebook automatically included me into Places anyway. I changed my privacy setting for this to "Disabled" because I do not want to participate in this program either actively or passively. If the program was truly opt-in, I wouldn't even see this privacy setting until after I had opted into Places. Since Facebook decided to present this privacy setting, it should have defaulted to "Disabled" to reflect that I am not in the program until I indicate so by changing it.
  • Facebook seems to want to treat Places the same as its photo tagging feature -- where you tag people in photos. In my view, the two are very different features. One indicates you are in a photo taken in the past. The other indicates where you are now, and facilitates real-time tracking. While I trust most of my Facebook friends, that trust does not extend to real-time tracking. Nor do I want a few easily-excitable friends to include me in location-based status messages when I am not there. Plus, I have no desire to spend the time and energy deleting various location-based messages -- and probably not catch them all; like I do today with deleting messages by my friends' apps on Facebook.
  • If Places was truly opt-in, I expected to see an "opt-in to Paces" or "join Places" button first. After enabling that, then I expected to see more detailed privacy settings for Places. This approach would provide a cleaner, simpler interface -- but Facebook didn't do that.
  • One of the most important privacy settings is the data you choose to share (or not) with your friends. I found this page somewhat hidden and it should have been easier to find. to access it: Account > Privacy Settings > Edit Your Settings (Under Applications and Websites) > Info Accessible Through Your Friends > Edit Settings. In the pop-up window, I made sure that none of the boxes are checked for this, including the box next to the item "Places I Check In To."
  • The ACLU response page to Facebook lists more issues with Places

The bottom line: given the way Facebook constructed Places, if you like location-based services, then you probably are happy. That dovetails with Facebook's own interests to keep its members hooked using its website, and with Facebook using as much of your personal data items as possible.

If you like opt-out based features where you are automatically included, then you are probably happy. The rest of us aren't happy. By twisting the English language and a confusing interface, Facebook seems to intentionally blur the lines between being opted in or not to Places -- hoping consumers will just give up and participate anyway.

My interests are not the same as Facebook's. A truly customer-focused service would recognize and value that.


The Ways We Are Connected To The BP Oil Spill

Last week, I learned that the small, local bank I had planned to move my money to is being acquired by a larger bank I do not want to do business with. So, I am still looking for a local bank (or credit union) to move my money to.

Below is an interesting video about the ways, direct and indirect, you may be connected thru the big banks to an event like the BP oil spill:


Taxpayer Stimulus Funds Used By Vendor For Offshore Outsourcing

Periodically, this blog covers outsourcing and offshore outsourcing because much of consumers' sensitive personal data is transmitted to and processed by companies in remote locations and/or other countries. On Monday, the NBC affiliate in Columbus Ohio reported the results of an investigation where the State of Ohio award a contract (funded by taxpayers stimulus money) to a company that outsourced the jobs to a firm outside the USA.

This is wrong is so many ways. Stimulus money is for jobs here, not overseas. And, companies need to be transparent in disclosing their outsourcing activities, especially in website terms. The televised news report:


Dislike Button Scam Circulates On Facebook

You have to recognize the continual creativity of identity thieves and scammers. They tend to use the latest or most popular social networking sites and features.

The Sophos blog recently reported on a new threat in Facebook status messages that takes advantage of a feature we all want on Facebook but doesn't exist. The phishing status messages you should ignore and not click the link:

"Get the official Dislike button NOW! http://bit.ly/xxxxxxxxxxxxx"

In the above example, I masked out the shortened website address. This will vary, but you get the idea. If one of your Facebook friends fell for this scam, then you will probably receive this phishing message:

"I just got the Dislike button, so now I can dislike all of your dumb posts. LOL! http://tiny.cc/thedislikebutton"

If you click on the link, your browser will be directed to a fraudulent Facebook application that accesses the data in your Facebook profile, sends spam to your Facebook friends, and encourages you to complete a bogus survey to help the scammers make money.

The Dislike button scam was bound to happen as Facebook and website operators expanded their use of the "Like" button and Facebook social plugin modules on websites across the Internet. And, this was not the first scam on Facebook. Earlier this year, scammers circulated a free Walmart gift card status message. Walmart does not ask consumers to complete online surveys for free gift cards. It is wise for consumers to learn how to recognize phishing scams, including these scams on Facebook.

A reminder: the Facebook "Unlike" button is real. You can find it in the lower left-column on Facebook fan pages you have already liked. This is the valid, official method to unlike a fan page. You can also find it beneath a status message or comment you have "liked."

[Addendum: Mashable reported a coming change in the display and behavior of the Facebook "Like" button making it more difficult for Facebook members to "Unlike" something.]


Javelin 2010 Identity Fraud Survey Results

I spent some time recently reading the results of the Javelin Research 2010 Identity Fraud Survey (PDF, 453 K bytes). During the past six years, Javelin Research has surveyed about 30,000 adults to track the volume of identity theft and fraud incidents. The latest survey during 2009 included about 5,000 adults in the USA.

For new readers, there is a difference between "identity theft" and "identity fraud." The former is when an unauthorized person accesses your sensitive personal information. The latter is when the criminals use stolen identity information to steal money, obtain credit, or impersonate another person during a crime. Most of the time, I use "identity theft" in this blog to cover both theft and fraud.

How identity theft occurs:

"... among the victims who knew how their data was taken, lost or stolen wallets, checkbooks, or credit cards accounted for nearly two times as many instances of theft as all online attack methods combined."

How identity criminals fraudulently use stolen personal data:

  • 42% - make purchases in person
  • 42% - make purchases online
  • 21% - make purchases via phone or postal mail
  • 10% - withdraw money from ATM machines
  • 10% - write checks
  • 6% - buy prepaid gift cards

This criminal fraud is influenced by the fact that often credit cards are stolen. In 2009, more han 11 million adults were identity fraud victims.

The survey report's authors advise that the most effective way for consumers to protect themselves from identity fraud is to monitor their accounts online for unauthorized purchases. That means checking your bank accounts and phone bills online. If you see unauthorized transactions, notify the bank (or phone company) immediately. If your credit/debit cards and/or checks were stolen, notify your bank immediately.

It will become increasingly important for consumers to monitor their wireless phone bills as phone carriers add payment services to smart phones. About online shopping, the survey report's authors advise consumers to:

"... take additional precautions to protect their payment and personal information. Enrolling in Verified by Visa or MasterCard SecureCode, which allows you to have an additional password when making purchases online, offers consumers greater security. There are also programs such as Trusteer’s Rapport and IDVault offered by financial institutions, which can alert users when they enter a website for the first time, thus creating an additional layer of security to prevent users from entering their information into a fraudulent site."

About social networking sites, such as Facebook, Twitter, and MySpace), the survey warns consumers that identity criminals can harvest your sensitive personal data you share online and then use it against you to:

"... take over accounts or open fraudulent accounts. Users should not store or reveal personal contact information, including phone numbers, Social Security number, date of birth, e‐mail addresses, physical addresses, mother’s maiden name, or other information that could potentially allow a fraudster to obtain sensitive information or hints to passwords."

So if you mention your favorite color on pet online, don't use that color or pet's name as one of your online passwords. It is obvious: don't post your bank accounts online or in an email message. And, don't post online the sensitive personal information of your family and friends.

I have blogged previously about the risks of displaying your birth date on social networking sites, but too many of my online friends continue to display it based on a fear that their friends won't send them birthday wishes. Hello?! Your true friends know your birth date already. And, do you want volume or quality? Unfortunately, fear often outweighs good data security habits.

If you are a victim of identity fraud, it will take time and money to repair your credit and resolve the fraud:

"Out‐of‐pocket costs can include unreimbursed losses, lost wages due to time taken off work, and possible legal fees for those victims attempting to prosecute... Most victims don’t experience any out‐of‐pocket costs, but those who did suffered an average cost of $373. The average time to resolve the fraud for these victims was 21 hours."

Remember, your mileage may vary with credit resolution. Identity fraud involving your stolen Social Security Number or online bank account sign-in credentials is far more complex than a stolen credit card.

The report also listed several tips for consumers to avoid identity theft and identity fraud, which I have covered often in this blog:


Another Data Security Snafu by Facebook

Sadly, yet another reason to distrust Facebook. Last week, ZDNet reported about a Facebook error page that contains a data security hole. If a user enters faulty username and password information, the error page that Facebook serves it was crafted in a way that it reveals sensitive personal data: your email address and profile photo.

You can easily recreate this yourself. Just enter your email address and change one or two characters. The error page will guess that it is still you and then only ask for your password. Great! Facebook just made hacking easier for identity criminals.

This error page snafu happens regardless of your security settings. Persistent criminals can harvest email addresses and photos this way. If there is one thing I have learned while writing this blog, it is that identity criminals are creative and persistent. They will look for security holes to exploit in websites and in software. The folks at Facebook just gave them one.

Snafus like this give me the impression that folks at Facebook are incompetent both technically and with the user interface. There are hundreds websites with better error messages. Basically, in an attempt to make things easier, the folks at Facebook created a security problem.

And if Facebook is this lax with the sign-in error page, what is happening that I cannot immediately see with its apps and social plugins? It also makes me wnder if Facebook is serious about protecting members' privacy, or if this latest error page snafu is the real Facebook showing itself again.

I call this error page: one-half step forward and five steps backwards. What do you think?


Breach at Library Affects At Least 126,000 Florida Students

Last week, the College Center for Library Automation (CCLA) announced that it had experienced a data breach which exposed the sensitive personal information of 126,000 students at six colleges in Florida. During a computer upgrade at the CCLA, the breach victims' sensitive personal information was exposed on the Internet for five days from May 29 to June 2, 2010.

The CCLA provides all 28 of Florida's public colleges with library and information services. The breach notification (PDF) did not list the specific data items exposed or stolen. The notification advised affected students to place Fraud Alerts on their credit reports at the three major credit reporting agencies: Experian, Equifax, and TransUnion.

The company also provided a website with further information about the breach: www.cclaflorida.org/security. The website mentioned that breach victims included:

"Students, faculty, and staff members at the following Florida colleges: Broward College, Florida State College at Jacksonville, Northwest Florida State College, Pensacola State College, South Florida Community College, and Tallahassee Community College."

This suggests that far more consumers than 126,000 students were affected by the breach. If I were a former employee at one of these schools, I'd want to know if my sensitive personal information was exposed/stolen, too. So, I wonder what the true number affected consumers is by this breach.

Since I started writing this blog in 2007, I have read dozens of breach notification letters. Frankly, this was one of the skimpiest and thinnest breach notifications I have read. Why?

First, the CCLA's breach notification didn't list the types of personal data items disclosed. It should have. And, the website didn't explain much more. The website did a good job of explaining the state law about what personal information triggers a breach notification:

"... individual's first name, first initial and last name, or any middle name and last name, in combination with any one or more of the following data elements when the data elements are not encrypted: (a) Social security number; (b) Driver's license number or Florida Identification Card number; (c) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account."

The website described in a somewhat confusing and vague way the data items exposed/stolen:

"The personal information contained in the temporarily exposed records was incorporated into a longer string of alphanumeric information, and was not specifically identified by type of information in any way. The exposed data did not include any personal financial information such as credit card or bank account numbers, or any library usage records."

So, what exact data items were exposed? After reading this, I was left with the impression that full name, address, phone, birth date, Social Security number and driver's license data were exposed. The exact data items exposed/lost should have been clearly listed in both the breach notification and the website, since that indicates to consumers the seriousness of the breach, and what to do next.

Given the likely data items exposed/stolen, identity criminals have sufficient information to obtain credit fraudulently in the students' names: new loans, credit, credit cards and mortgages. Unfortunately, a new trend by identity criminals is the theft and use of children's Social Security numbers because their credit history is clean and easier to abuse.

Second, the breach notification didn't offer any free credit monitoring and resolution services to breach victims. This is standard practice by most companies after a breach: free credit monitoring services for a year or two. After all, the breach was CCLA's fault and not the breach victims' fault. Perhaps, each breach victim received a personal notification which included this offer.

If I were a victim of this breach, I'd assume the worst and would monitor my credit reports for fraudulent entries and not only place Fraud Alerts on my credit reports. Why? Some lenders may not comply with this. And consumers who have experienced fraud may need stronger protection, like Security Freezes for their credit reports. It is important to understand the differences between Fraud Alerts and Security Freezes.

Credit monitoring is helpful for consumers who are unfamiliar with both the financial/credit process and identity theft. These consumers often don't know what to do to protect themselves.

In my experience, students are often least informed about the dangers of identity theft versus identity fraud. Students often don't understand the financial/credit process and how valuable their clean credit is. CCLA could and should do a lot more to help its breach victims.

Some colleges and universities are providing cyber training classes to help students protect themselves online. And there is identity-theft information college students need to know. This data breach is an excellent opportunity for the CCLA and the colleges it supports to educate students about identity theft, identity fraud, and prevention tips. I can't think of a better function by a library and college.

What do you think?


Teenagers And Identity Theft Prevention

A recent Associated Press news story on ABC News highlighted a new trend by identity criminals to steal the sensitive personal information of children and teenagers. Why? Because youth have unused Social Security numbers which thieves can resell to people who want to obtain credit fraudulently. Plus, parents (and their children) don't check their chldren's credit reports for fraud.

What should you do? Parents should ensure that their teenager children learn how to spot phishing attacks -- attempts by identity criminals to trick teens into revealing their sensitive personal information.

The Federal Deposit Insurance Corporation (FDIC) advises teens:

"Even if you're too young to have a checking account or credit card, a criminal who learns your name, address and Social Security number may be able to obtain a new credit card using your name to make purchases. One of the most important things you can do to protect against identity theft is to be very suspicious of requests for your name, Social Security number, passwords or bank or credit card information that come to you in an e-mail or an Internet advertisement, no matter how legitimate they may seem."Teens are very comfortable using e-mail and the Internet, but they need to be aware that criminals can be hiding at the other end of the computer screen," said Michael Benardo, manager of the FDIC's financial crimes section. These types of fraudulent requests can also come by phone, text message or in the mail."

To that I would add: don't give out your health care coverage information or account number. Some identity theft includes medical identity theft.

To summarize, teens must learn how to recognize phishing websites, phishing email messages, and phishing posts at social networking sites. You have probably seen the $1,000 gift card scam circulating within Facebook. If it sounds too good to be true, it usually is.

To learn more, try these blog posts:


Warning: New Computer Virus Drains Online Bank Accounts

Earlier today, CrunchGear warned of a new computer virus targeting Windows computers that can drain your online bank account. The virus software, called Zeus3, has already affected consumers worldwide.

The anti-virus software vendors don't have a fix for this yet. So, your computer could be infected. Software experts advise consumers to monitor their financial accounts and not open email attachments; especially attached files with the .EXE extension. If you have been infected, contact your bank.


What Happens To Your Tweets When You Die?

This blog discussed a few months ago the issues with Facebook when you die. On Monday, the Death and Digital Legacy site announced the change in the Twitter.com deceased policy.

Why is this important? For consumers who want to control their content, this is important. Often, your online content has value after you die -- or maybe even more value since you won't be publishing any more content after you die. Plus, your heirs may have concerns about privacy or what to do with your online content. The new Twitter.com deceased policy:

"If we are notified that a Twitter user has passed away, we can remove their account or assist family members in saving a backup of their public Tweets. Please contact us with the following information:

  1. Your full name, contact information (including email address), and your relationship to the deceased user.
  2. The username of the Twitter account, or a link to the profile page of the Twitter account.
  3. A link to a public obituary or news article.
You can contact us at [email protected], or by mail or fax:
Twitter Inc.,
c/o: Trust & Safety

795 Folsom Street, Suite 600

San Francisco, CA 94107
Fax: 415-222-9958
We will respond by email with any additional information we might need."

If you use a smartphone app to publish your tweets, then that service provider's deceased policy may also affect what happens to your online content after you die.

Twitter's policy is a good one. More social networking sites need to clarify their policies about what happens when users die and the process for heirs. That can help prevent identity theft.


A Conversation With Mary Gentile, Author of The Book: Giving Voice To Values

At some point during your career, you will encounter a situation where the organization you work for is not doing the "right" thing -- something unethical, immoral, and/or illegal. You know what the "right" thing is but speaking up may be risky or unsafe. Would you speak up about what is right?

Your boss wants to cut corners at the expense of safety. Or, your coworker alters the financial report with fake numbers. Or, a small business owner signs work agreements with subcontractors he has no intention of paying when the invoices arrive. Or, the information technology team skips the implementataion of standard data-security methods. Knowing right from wrong is easy. Speaking your mind about it can be hard if you are feeling pressure from your boss, your coworkers, or your own career concerns.

If you worked at BP or Goldman Sachs, would you have stood up about what is right? If you worked at Heartland, TJX, Checkfree, Facebook, or HealthNet would you have spoken up about what is right about data security?

After making the decision to speak up, what does it take to get heard? How can we be more effective at speaking our mind, and building alliances with like-minded coworkers, so that pressures don't stop you from acting on our values?

Mary Gentile explores these issues in her new book. GIVING VOICE TO VALUES: Speaking Your Mind When You Know What’s Right (Yale University Press; $26; August 24, 2010; hardcover and Kindle). A Babson faculty member, consultant, and director of the Giving Voice to Values curriculum, Mary Gentile shows us not how to decide what’s right or wrong, but the much harder step of how to speak our minds and act on our values when we already know what’s right.

I discussed these issues recently with Mary. I have known her since the mid 1990's when we both worked at the Harvard Business School: she was an instructor and I performed business and economics research in the Research Services department at Baker Library.

I've Been Mugged: What prompted you to write the “Giving Voice to Values” book?
Mary Gentile: I have worked in business education for almost 25 years – ten years at Harvard Business School, fifteen-plus years of independent consulting to business schools globally, and now since 2009 I've been based at Babson College in Massachusetts.

During all that time, I became increasingly convinced that the approach taken most often to business values and ethics in business schools and in corporate training efforts was missing a critical piece. These efforts most often focused on building Awareness of ethical conflicts and on teaching models of ethical Analysis to help managers and employees to decide what the "right" thing to do might be in a particular situation. But there was a glaring absence when it came to teaching about values-driven Action: that is, what to say and do once we knew what we thought was ethical.

And it was this very gap that Giving Voice To Values (GVV) – the book and the curriculum it is based upon -- was designed to fill.

The GVV approach has been catching on quickly and widely. We currently have well over 100 pilot sites in business schools and organizations on six continents. The work has been or is about to be featured in the Harvard Business Review (twice); the Financial Times (twice); strategy+business, BizEd, Stanford Social Innovation Review, and many other publications. Now with the publication of the book, we are excited to see the audience grow further.

Mugged: What are the common traits of organizations that effectively give voice to values and facilitate employees raising unpopular messages?
Gentile: In our conversations with individuals who have voice their values and in our work in business education, we have seen that there is a fairly consistent set of organizational traits that can enable "voice." They are not big surprises: things like, a culture of openness where it's not only acceptable but valued when employees raise their concerns and questions and ideas; managers who listen; a clear statement of organizational mission or purpose, that is broader, bigger and deeper than simply making the quarterly numbers; the sharing of organizational "stories" that celebrate times when individuals expressed their values to good effect. Perhaps the most interesting one is the willingness of leaders to speak openly with their peers and reports about the process they went through to decide and act on their values, not in a bragging or self-celebratory fashion but as a sincere expression of their own learning.

Mugged: What are the common traits of employees and managers at these successful organizations?
Gentile: Well, as I said before, openness; a willingness to learn from each other; a regular appeal to the organization's wider mission as well as their own personal sense of professional purpose. And as we learn from GVV, folks who have thought in advance about the kinds of values conflicts that are predictable in their particular industries and functional areas, and who have anticipated and practiced "pre-scripting" themselves ,are more likely to be able to voice their values when it's necessary. They have, in effect, "normalized" the process of voicing values and have developed the muscle memory necessary to make voice their default position when such situations arise.

Mugged: What are the common traits or habits of organizations that do NOT give voice to values and employees are NOT able to raise unpopular messages?
Gentile: Just as sharing stories of times when managers have effectively voiced their values can help build a culture that enables such behaviors, stories of cutting corners or the celebration of cynicism can disable voice. Remember the prominent stock tickers at Enron which encouraged employees to focus, always and primarily, on the short term stock price. If you want your employees to focus on long term sustainable results achieved in a responsible fashion, then you need to focus on that.

Similarly organizations and managers who don't listen, who punish the messenger, are not likely to hear the messages that can save them for legal and ethical turmoil.

Mugged: Skeptical readers might say that ethics/values are irrelevant; that they don’t contribute directly to company profitability. Obviously you disagree. How do ethics and values relate to profitability and company growth?
Gentile: Well, there are plenty of stories – especially these days – about organizations that have or are paying a price for ethical infractions. Think about Goldman Sachs and the settlement it had to pay in the John Paulson scandal, or BP and the price it is paying for the Deepwater Horizon oil spill.

But the GVV approach is somewhat different. Too often, discussions of business ethics start from the position that we have to prove that "ethics pays." And as I said before, there are plenty of stories about times when managers and companies have paid a steep price for values transgressions. However, we all also know that folks sometimes get away with such violations.

The point of GVV is to suggest that we all know in our heart of hearts that sometimes ethics pays and sometimes being unethical can pay, at least for a while and at least in monetary terms. But nevertheless, we also know that many of us -– probably most of us -– would actually like to act in alignment with values like honesty and compassion and integrity, if we thought we could do so effectively. That is, we would be more likely to voice and enact our values if we felt more competent at it.

And that is what GVV is all about. I am not focusing on trying to convince someone to be ethical. Rather I'm trying to empower those of us who would already like to act on our values to be better at it. The focus is on "moral competence" more than "moral courage." The seven pillars of the GVV approach – Values, Choice, Normalization, Purpose, Self-Knowledge and Alignment, Voice and Reasons & Rationalizations – each yield a set of insights and tools for achieving this competence.

Mugged: Which sectors (e.g., public/government, private/corporations, nonprofits, academia, NGOs) does your book provide organizational examples about, and why?
Gentile: Most of the examples are from the private sector, although there are a few NGO examples. This is because the work was developed in the business education context. Nevertheless, the scenarios and the skills discussed are widely applicable. I increasingly receive queries from other fields – engineering, medicine, law, liberal arts, NGOs, etc.

Mugged: This blog discusses data breaches (e.g., when organizations fail to protect the sensitive personal data they archive of employees, customers, and former employees) and corporate responsibility (e.g., what those organizations and their executives do, or don’t do, after a breach). In your research, what examples have you seen about data breaches, corporate responsibility, and executive responses?
Many of the examples we have seen have to do with the reporting of financial data which entails similar issues of accuracy, honesty, and responsible handling of information. We also feature a case wherein a hardware producer encounters a potential privacy violation in the re-use of previously owned hard drives. We have another case that focuses on the honest reporting of market research on customer preferences. The pressures and anticipated consequences in all of these situations come down to the same kinds of issues: time pressures; cost pressures; fear of displeasing our bosses. What we have seen in our interviews is that those individuals who actually voice their values in such situations have spent at least as much time focusing on the potential pressures and consequences of failing to act: potential lawsuits; customer defection; actual loss or pain to customers; negative reputational effects, etc.

Mugged: What specific departments or functions (e.g.,, IT, human resources, marketing, finance & accounting, general management, etc.) within organizations does your book discuss, and why?
Gentile: The GVV approach is relevant to all functions because values conflicts arise in many areas but examples in the book and the curriculum include financial management, human resource management, supply chain management, external relations, strategy, internal auditing, marketing, sales, etc.

Mugged: For organizations that are good at giving voice to values, what specific documents or training do these organizations provide their employees?
Gentile: I believe that the more specific and organizationally customized the training can be; the more it involves leadership all throughout the organization (as opposed to being relegated to HR only) and the more it provides opportunities to share positive examples from within the firm and to practice actually scripting responses to common scenarios, the more effective it will be. This is the GVV approach.

Mugged: Many organizations either outsource or offshore outsource their back-office operations to other companies. How has this business practice affected the ability of companies to give voice to values?
Gentile: Well, of course, this practice can complicate the process for several reasons such as the lack of familiarity and comfort with cultural norms and the sheer distances that mean certain behaviors are just not that visible. In the end, however, we have found that these pressures are simply variations on the same kinds of challenges one faces within a domestic organization and the same types of skills and practices are required.

Mugged: When consumers apply for a job at a potential employer, what questions would you suggest they ask during the interview process to determine whether the potential employer is effective at giving voice to values for its employees?
Gentile: Well, you can learn a lot by asking for some stories/examples of leadership behaviors that the firm values highly: for example, you could ask "can you share some examples of things employees in this job (i.e., the one for which you are interviewing) have done that really impressed you? What would you regard as high performance and leadership in this job?" And you can ask "How open is the company and management to hearing from employees about new ideas or about concerns with current practices? Can you share some examples?"

Mugged: Are there any public documents consumers should read about an organization that indicate if that organization is good at giving voice to values?
Gentile: I would always do the usual due diligence, read the company's own preferred language about itself -– website, annual reports, press releases -– but recognize that these are examples of "public speak." So going further to look for interviews with senior management in the business press; business reporting on the firm; investor guidance; consumer complaints; and other public sources of commentary can give you a fuller picture. There is no substitute for talking to current employees, off the record, if you can swing that.

Mugged: We seem to be swamped with many new technologies… smartphones, notebook PCs, cloud computing, social networking sites, distance learning, and similar online services. Is any of this useful or necessary for an organization to effectively give voice to values?
Gentile: Each of these new technologies can be used for good or ill. Just as each of them provides potential opportunities for new ways to deceive or manipulate, they also provide new ways to share positive messages and to keep each other "honest." In the end, it all comes down to the individuals and both their intent as well as their mastery. For those of us who want to voice our values effectively, it is useful to develop as many possible methods of communication as possible. The GVV approach would focus on inviting examples and practice with using these methodologies positively.

Mugged: What do you see in the future for improving organization effectiveness at giving voice to values?
Gentile: I do believe that the more that companies and their leaders provide opportunities for employees to actually practice developing scripts and delivering them, out loud, in a peer coaching context, the more genuine and reliable their efforts at creating a values-driven organization will be. As I speak about the "Giving Voice To Values" approach in more contexts – to both business education as well as practitioner audiences –- increasingly I encounter interest in using this approach.


Change, Staying Informed, and Participation In A Democracy

As a consumer advocate, I get inspiration from several areas. One source has been Ralph Nader. Long before he was a presidential candidate in the 2000 election, he was a tireless consumer advocate. I remember seeing Corvair cars on New York City streets in the 1960's. Recently, Maria Hinojosa interviewed Nader on the One On One program:

Some interesting comments by Nader:

"We have a great Freedom of Information Act to get information, which is the currency of a democracy."

"Corporations have become fewer and bigger... they never stop concentrating power. They have to -- to get their way -- control government."

I found his comments about change surprising. Nader said that change requires both the wealthy and a grass-roots movement. Here's why:

"Justice requires money. It requires money for lawyers, for organizers in the communities. It requires money for transportation. It requires money to constantly reach people directly."

Nader on why our democracy needs continual citizen participation:

"[It's] simple. Corporations have no vote. People have the vote."

Nader emphasized that citizens must stay engaged in our democracy and not give up when politicians don't deliver on the changes promised:

"That's exactly what the power structure wants you to do. In other words, it wants you to quit, to withdraw."

This is why I blog about identity theft, data breaches, privacy, and corporate responsibility. We consumers cannot cast informed votes if we aren't aware of the issues. And, the issues about identity theft, privacy, and corporate responsibility change quickly and are often complex. This places a premium on staying informed. For me, traditional (corporate-owned) news sources aren't always the best source of information.

This blog is all about informing and empowering consumers. My goals with this blog are to bring about change with:

  • Stronger laws and consequences for company executives who do not adequately protect sensitive consumer data,
  • Increased consumer awareness and skills with protecting their sensitive personal data, and
  • Improved credit monitoring services that truly meet consumers' needs

If we citizens voters don't vote and don't participate in our democracy, then a corporatocracy could easily result. (Some would argue that we are well on our way to one.) That could impede our access to news, a truly free Internet, and elections of officials that act according to voters' needs and not corporations' needs.

Some pundits and corporate executives say there is no more privacy. If so, then there is no choice. Privacy means choice. You choose what to make public or keep private.

And if there is no choice, then control over your personal information become irrelevant. When consumers have lost control over their personal information, then corporations are free to do whatever they want with it.

You do want to control over who, when, and where your personal information goes, don't you?


Texas / IBM Data Center Project Failure

A good friend, Michael Krigsman, writes an excellent blog: IT project failures. The reasons vary for project failures and some are data breaches. His blog deserves a mention here because a recent post discussed a project involving IBM Corporation, a company I have had some direct experience with. Michael wrote:

"The Texas Department of Information Resources (DIR) sent IBM a “Notice to Cure,” accusing the large system integrator of failing to perform its obligations on a data center consolidation contract worth $863 million. According to an internal report prepared by the department, this is a case of the “blind leading the blind,” with both parties at fault."

Ouch! Harsh words. Sad state of affairs for a project.


How To Use Facebook: Reduce, Remove.

A friend recently read this MSNBC article:

"The personal details of 100 million Facebook users have been collected and published online in a downloadable file, meaning they will now be unable to make their publicly available information private. However, Facebook downplayed the issue, saying that no private data had been compromised. The information was posted by Ron Bowes, an online security consultant, on the Internet site Pirate Bay. Bowes used code to scan the 500 million Facebook profiles for information not hidden by privacy settings."

After reading the article, my friend asked me in Facebook status message, "So is this latest FB breach cause for concern?"

Based on everything I have learned and written about Facebook in this blog, my answer was: despite its promises about privacy controls, Facebook is doing everything to make sure that everything you share on Facebook becomes public. The faster you realize this and act accordingly (e.g., reduce your usage of FB, remove stuff from FB that you want to keep private, don't upload to FB anything you want to keep private, use traditional email), the better. As soon as there is a credible alternative, I am switching.

Want to learn more about Facebook? The module in the right column lists key blog posts about Facebook.

You don't believe me? You think I am paranoid? Nope. Read this: Top 10 Reasons To Quit Facebook.