Previous month:
January 2011
Next month:
March 2011

16 posts from February 2011

Report: Top 10 Botnets of 2010

Recently, a family member mentioned to me that their personal computer didn't have a comprehensive anti-virus program. Not good. Today's post describes one type of virus software: botnets. Earlier this month, anti-botnet firm Damballa released it report of the leading botnots in 2010 (PDF).

A "botnet" is a collection computers used to run a software application... in this instance to perform cybercrime. The collection of computers can be computers located in consumers' homes and small businesses. The collection is infected with the malware software, controlled remotely by the software developer. Often, the botnet software works in the backgroound to remain unseen and operate secretly.

Botnets are used to perform certain identity-theft tasks, like stealing personal and bank information, stealing companies' intellectual property, and performing other corporate espionage. Botnets are also used to send computer virus software, send e-mail spam, and to flood a website with page requests rendering that website unavilable and unusable by the public (a/k/a DDoS = Distributed Denial of Service attack).

According to Damballa, the top 10 botnets accounted for approximately 47% of all botnet compromised victims during 2010, down from 81% during 2009. Damballa estimated that 35.2% of infected IP addresses had two or more different botnets running.Those leading botnets, based on the penetration into infected computers:

Rank Botnet Name Penetration % of Victims
1 TDLBotnetA (RudeWarlockMob) 14.8%
2 RogueAVBotnet (FreakySpiderCartel) 5.7%
3 ZeusBotnetB (FourLakeRiders) 5.3%
4 Monkif 5.2%
5 Koobface.A 4.0%
6 Conficker.C 2.8%
7 Hamweq (GraySunGirls) 2.5%
8 AdwareTrojanBotnet (WickedRockMonsters) 2.2%
9 Sality 2.1%
10 SpyEyeBotnetA (OneStreetTroop) 1.9%

A responsible consumer doesn't want to contribute to the computer virus problem. What should you do? Keep the anti-virus software on your home computer/laptop up-to-date and running. Run scans weekly of the hard drive, including any external or USB drives. Use a comprehensive anti-virus software product, too. If your computer is running slower than usual, it may be infected.

New AOL Privacy And Terms Policies Go Live March 31

There are plenty of changes underway at AOL. Earlier this month, AOL announced plans to purchase the Huffington Post website and news ooperation. Then, AOL announced to its members that it will revise, consolidate, and simplify its online privacy and terms-of-use policies:

From: AOLLegal
Date: February 20, 2011 4:54:10 AM EST
Subject: Updated Terms of Service and Privacy Policy for AOL Users

Dear AOL Users,
AOL is working hard to change and improve the way we serve you across all aspects of our services. We have recently relaunched and improved many of our consumer experiences, including and As we continue to improve AOL for you, some of the improvements are updating the ways that we interact with you and your information. As a result, we want to update you on our Terms of Service (TOS), which contains the agreements between you and AOL.

In addition, we are also updating our Privacy Policy. Privacy is incredibly important to all of us and we want to present the updates to our privacy policy in a simplified format designed to help clarify what information we collect, how we use it, and the marketing preferences and online advertising choices available to you. Both the updated TOS and Privacy Policy are available online now and will take effect on March 31, 2011.

You can find the old Terms of Service here. What I like about this announcement: it is a step in the right direction to provide consumers with full disclosure. Consolidating and simplifing documents that are usually difficult to read is a huge benefit. I also like that the targeted advertising opt-out link is front-and-center on the AOL Privacy main page. I like that the new policy discusses mobile devices. With the rapid pace of technology advances, website policies should change frequently.

I have not performed a line-by-line comparison of the old and new policies. I am not an AOL user, so I am sure that some AOL users will perform this analysis. There may be policy changes embedded that users object to.

Previously, AT&T made policy changes regarding online targeted advertising. These are always helpful for consumers.

What do you think? Will AOL users find the new policy easier to read? Will AOL continue to revise its policies as its busienss changes? Share your opinions below.

Error-Filled Background Checks Make Finding a New Job Difficult

At some point during our work careers, we all look for a new job. Given the recent, ongoing economic downturn, many people are looking for work. When applying for a new job, potential employers usually perform a background check of applicants. What happens when the background check includes wrong information? The following story explains what happens.

Channel 7 News, the ABC News affiliate in San Francisco, reported the story of Patrick Chad Padilla, who applied for a security job position at a Walmart store in Sacramento, California. After the third interview, Padilla was offered the job pending a background check. Walmart withdrew the job offer when the background check turned up problematic information.

After looking at the the background check Walmart, Padilla noticed that the report contained information about Patrick Saenz Padilla, who Channel 7 News would later discover is a criminal serving time in a New Mexico prison. Despite the middle name differences, Walmart insisted on using the faulty background check and refused to offer Padilla the job.

Hello? Does anybody at Walmart use their brains?

Obviously not. Brain-dead bureaucracies operate in the private sector, and not just in government agencies.

This story is important for several reasons. First, multiple companies made errors in this story. Walmart's errors are clear. Second, Padilla applied for a job at Roseville Hyundai later and the same thing happened again. The faulty background check stopped another job offer.

Third, there are some sensible guidelines governing the proper use of background checks by companies. In at least one instance, an employer started a new policy demanded Facebook passwords from both job applicants and current employees without any suspicion of wrongdoing. (That policy has since been suspended for a 45-day review.)

Fourth Acxiom, the provider of the background check service definitely shares some of the blame for Padilla's job-search difficulties. Acxiom clearly made mistakes by combining information about two different people into a single report. From the news story, it isn't clear that Acxiom has corrected Padilla's profile information. The middle name difference should have been easy to spot, but Acxiom either missed it, or ignored it. And Padilla suffered the consequences.

This is not the first incident with an erroneous background check. In this incident in Kansas last year, the local sheriff's office helped the affected job applicant clear his name.

Background checks are necessary, as employers can't hire convicted criminals for certain jobs. A wide variety of companies use Acxiom products and services, including Sony Ericsson Mobile Communications, Urban Mapping, Blackboard, USA Swimming, Senior Checked, Windstream, and General Motors. At its mid-year 2010 conference, the National Association of Professional Background Screeners (NAPBS®) Background Screening Credentialing Council (BSCC) announced that Acxiom and several other companies had achieved compliance with its Background Screening Agency Accreditation Program (BSAAP).

Although this class-action against Acxiom was ultimately unsuccessful in the courts, it did reveal that Acxiom buys a lot of its information about consumers from various states' motor vehicle agencies.

A recent survey by The Black Book of Outsourcing rated Acxiom number one in customer satisfaction for IT outsourcing. Well, Acxiom may help its IT department customers save money, but I wonder how reliable that customer satisfaction rating is. Would consumers rate Acxiom highly? My guess is Padilla wouldn't rate Acxiom highly.

Fifth, background-check concerns are not only about Acxiom, but also apply to other companies that provide similar services. CNN Money listed some of the companies, including Rapleaf, that provide background checks based on the collection of consumer data from public records. The Wall Street Journal published a similar list of what it called "scrapers." published a similar list of companies consumers should consider removing their profile data from.

Sixth, when private companies offer products and services based on their collections of sensitive consumer information, there has to be a method to discover and correct mistakes and erroneous entries. This process exists with the major credit reporting agencies, but not with companies like Acxiom. As Channel 7 News reported:

"There's no federal or state agency that's making these companies actually clean up their records and make them accurate..."

Getting pack to Padilla's story: later, Walmart reversed itself and encourage Padilla to apply for a different job. What? Is Walmart serious? After all of the obvious mistakes and blunders, Walmart couldn't do the right thing, apologize, and simply offer the job to Padilla?

Meanwhile, Padilla had moved on to work for another company. I wouldn't work at Walmart either after this poor treatment. It signals that Walmart probably treats vendors, suppliers, and its employees just as poorly.

If this story upsets you (and I truly hope that it did upset you), I encourage you to write to your elected officials and tell them:

  • Potential employers must give job applicants copies of the background check report used for the hire decision
  • Consumers should not suffer the consequences for corporate mistakes and errors, especially about background checks
  • Federal and state laws must require companies to correct errors in their databases containing consumer information
  • Database marketing services (e.g., companies that collect data and offer products based on those databases) must provide consumers with a fast, easy-to-use, and prompt process for reviewing and correcting errors in their profile
  • Corporate violators should be prohibited from the data collection and from any services/products based on that data collection

Have you been denied a new job due to an error-filled background check? Have you lost a job offer to an erroneous background check? We'd like to hear your experiences, and if you were able to correct the problem.

Advertiser Networks Threaten Consumers Privacy Online

If you have been following online developments and technologies, then you've probably realized that advertiser networks try (or attempt) to collect an increasing amount of personal information about consumers.

For many years, that collection was limited to the use of web browser cookies, or when you signed into a website with an ID/password. Then "pop-up" and pop-under" ads appeared in an attempt to force the display of advertisements for users who regularly deleted their web browser cookie files. The collection then spread to "zombie" and Flash cookies, to apps at social networking websites, to "web bugs" and "web beacons," and lately to popular mobile devices. You can see some of the results of that data mining at websites like Spokeo and Pipl.

It was good to read this Philadelphia Inquirer article:

"Internet ad networks are likely tracking nearly everything you do - not just you, but also your teenage kids. The networks, along with data miners and brokers, are creating "online profiles" that become more and more valuable the deeper they get."

As you read this, many of you are thinking that there is no problem. Data collection provides the convenience of targeted or relevant advertisements for a better online experience, right? Yes, for those of use that value targeted advertisements online.

There have been some under-publicized advertising opt-out failures. Plus, those consumers who don't want the tracking are confronted with a growing list of opt-out links and do-not-track software, because the default so far has been everyone is included (whether you want to be included or not). That places the burden on consumers to continually opt-out of ad networks, who can easily configure their systems to auto-re-include consumers when things change. How fair is that?

There is also the issue of disclosure and notice in website privacy and terms-of-use policies. Those policies should be complete and accurate.

Maybe you don't care where your personal data goes and who it is shared with or sold to. I care about where my data is bought, sold, and shared. And you may care because it affects your children. The Center For Digital Democracy:

"... joined more than a dozen others Friday to urge the FTC to pay special attention to the vulnerability of teenage Internet users - those 13 and older, who are too young for the safeguards of the Children's Online Privacy Protection Act. One ironic result of that good law, they say, is that teenagers are essentially treated like adults online. Social-networking sites such as Facebook put adolescents at extra risk, not because the sites themselves are so insidious, but because they are places where young people share so much personal information - or perhaps over-share..."

That sounds like a good start to more sensible laws that balance the needs of consumers (and children) versus the needs of corporations.

I haven't covered childrens issues much in this blog, except in posts about the Ringleader class-action, and money management education for high school students. I expect to cover childrens issue more often during 2011.

A Better Facebook?

Recently, some friends and I were discussing the new photo viewer on Facebook. If you haven't seen it, Facebook presents photos in a layer above your time-line:

The new Facebook phot viewer. February 2011.

What I like about the new viewer: you can rotate photos the owner was too lazy to orient correctly. And, you don't lose your place in the time-line.

What I dislike about the new viewer: it requires more clicking to get to comments. As a UI/IA professional, I notice limitations like the usual difficult for many people to read light type on a black background.

If you don't like the new photo view, you can press the F5 key to switch back to the old interface. I have no idea how long this F5 feature will remain active.

During the online discussion via Facebook, some people said they like the new feature. Some didn't. One person suggested the Better Facebook browser (BFB) application:

"Can't recommend enough installing "Better Facebook." One of it's many fab features is it allows you to disable [the new photo viewer]."

I visited and briefly reviewed the Better Facebook website. (There's also a blog and Facebook page.) BFB works with the Firefox, Chrome, Safari, and Opera browsers.

It's great that a person took the initiative and time to create this script. It's sad that Facebook doesn't officially support BFB. When a user goes to the effort to improve a company's website interface, that is usually a signal that many other users are similarly dissatisfied.

The BFB website does a good job of explaining what the app does (and doesn't do). It explains well its dependencies on the Facebook website. However, the lack of official support by Facebook means that bugs are inevitable with BFB.

I chose not to install the BFB app primarily because I could find any privacy or terms-of-use policy statements at the BFB site. Matt Kruse is probably a trustworthy guy, but I don't know him. While I realize that BFB is a one-persona operation, it's important to my identity information values to know exactly what any app will and won't do.

If there is a problem, these policy statements are what consumers rely upon to gain resolution with the app developer. Otherwise, it is the "wild, wild, west" and anything goes, including your sensitive personal information to wherever the app (hacked or not) decides.

What is your opinion of or experience with the Better Facebook app?

Foreclosed And Abused By Their Mortgage Company

This story is a classic example of a "mugging" by a mortgage company. The Huffington Post reported an awful story about a couple facing foreclosure on their home even though they didn't miss a payment.

Yes, you read that correctly. The mortgage company wants to foreclose even though the homeowners didn't msiss a payment. And the homeowners can prove they didn't miss a payment.

How did this situation happen? According to the Huffington Post story:

"...the neighborhood bank that originally issued their mortgage sold the loan, and it eventually landed in the hands of one of the nation's largest mortgage companies... The complex reality of the modern mortgage system was supposed to have very little effect on the Parkers -- they would simply mail their monthly payment to a mortgage servicer... But, along the way, that machinery broke down. No one, the Parkers say, told them their loan had been sold. With no word from the new servicer, New Jersey-based PHH Mortgage, the Parkers sent their first payment to the original bank, which mailed the check to PHH, according according to documents the Parkers provided to The Huffington Post. But that check went missing..."

How does a mortgage company mishandle a payment? After all, collecting mortgage payments seems like a primary corporate task.

The Parkers did everything correct. They kept documentation. They kept submitting mortgage payments. They called PHH to find out what happened. They also sent payments directly to PHH. They sent registered letters to PHH customer service representatives. They spent hours on the phone with the bank and the mortgage servicer. They even contacted both the CEO of PHH and their state attorney general's office for help.

You'd think that PHH would want to quickly correct the problem, since they want to continue receiving payments from a willing and financially-able homeowner. The Parkers worked with the local bank to correct the problem at PHH. They hired an attorney to help them communicate messages and payments properly given the foreclosure threat:

"It appears Metropolitan National Bank forwarded proof that that original payment had been sent to PHH Mortgage, and asked the Parkers for proof they'd made all the subsequent payments, which they forwarded to PHH Mortgage... In November, 90 days after that first payment had gone missing, the PHH Mortgage refused the fourth payment, returning the check with a letter that explained the account was in arrears..."

I guess that bureaucracy and incompetence got in the way at PHH. PHH sent the house into foreclosure on December 29.

Consumers lose their home after one mishandled payment by a mortgage company? That is not right, on so many levels. Where is the honesty? The corporate responsibility?

I checked the Better Business Bureau website to see it's rating of PHH. While the BBB listed PHH as B+, there are 362 complaints about the mortgage company. 33 percent (120) of those complaints were for billing and collections issues, and 35 percent (128) were for contract issues. While 93 percent (336) of complaints were resolved, consumers still had to experience the hassle of getting their complaint resolved. It seems thtat the Parkers' experience with PHH is one of the unresolved.

I wonder how frequently this crap happens. A company mishandles checks and paperwork; and the consumer suffers the consequences. Where is the executive and corporate accountability? This kind of crap will stop only when bank and mortgage executives go to prison for this type of consumer abuse.

Apple, Mobile Device Privacy Abuses, and Data Plan Theft

Earlier this week, Apple Computer was served with another class action lawsuit alleging violations of mobile device owners' privacy. I read the complaint (PDF, 2.7 MBytes) which caught my attention for several reasons.

Nine consumers have filed this latest class-action lawsuit against Apple Computer and several other companies for the unauthorized access, use, and transmission of the mobile device owners' sensitive personal data to app developers and third-party companies. The mobile devices in question include iPhone, iPad, and iPod Touch devices. Besides Apple Computer, the complaint included several several popular brands: the New York Times, WebMD, Yelp, Quattro Wireless, NPR, and Groupon. Many smart phone users have used Groupon for its geo-based coupons. I use several of these apps on my Windows® operating system smart phone.

The complaint alleges that several app developers (Groupon, IAC, NPR, The New York Times, Pandora Media, WebMD, Yelp, Flurry Inc.) and their affiliates (Pinch Media, Medialets, Flurry Inc.):

"... gained individually, and in concert with defendant Apple, unauthorized access to, transmittal of, and use of data, which included but was not limited to the plaintiffs' and class members' UDID, obtained from the plaintiffs' and class members' mobile devices, bypassing the technical and code-based barriers intended to limit access, in addition to bypassing the plaintiffs' and class members' privacy and security settings."

UDID is the "Unique Device Identifier," a 40-digit code embedded in all mobile devices. It identifies your mobile device and when matched with your cellular phone number (or iTunes account), allows companies to identify your mobile device as uniquely you. The complaint alleges that the companies knew about this fraudulent activity and based their business model on unauthorized access and use of this personal information.

For several consumers in the class-action, they began to suspect that something was wrong when their mobile devices:

"... tended to operate more slowly and sometimes froze when loading web pages."

Consumers use a wide variety of apps. Some of the apps the consumers in the class-action downloaded from the iTunes store: Currency, WallpapersHD, Flixster, Netflix, Pandora, Shazam, Google, New York Times, Google Earth, Find iPhone, WiFi Finder, Monopoly, Sudoku2, Tetris, Scrabble, UNO, Angry Birds, Skype, Epicurious, Bank of America, eBay, GasBuddy, and Obviously, only some apps compromise consumers' privacy. The point: I can imagine the consumers in the class-action probably felt "mugged" by their mobile device apps. When a few apps allegedly compromise your privacy, you become wary of downloading more apps that might do more damage.

How many apps compromise consumers' privacy? MediaPost reported:

"... researchers at the Technical University of Vienna reported that more than half of the 1,400 iPhone apps they studied collected users' device IDs... An earlier study by Bucknell University assistant director of information security and networking Eric Smith found that 68% of the most popular iPhone apps transmitted the devices' unique numbers to outside servers..."

Besides privacy abuses, another impartant issue for consumers is "data plan theft." Some people may call the defendant companies' apps "bandwidth hogs," put I prefer the term "data plan theft." Why? When apps secretly store, use, and transmit mobile device owners' sensitive personal information, the transmission consumes a portion of mobile device owners' monthly data plan limits. That is theft when the transmissions aren't authorized.

There is a direct impact and cost if you pay a monthly fee for your data plan and your data plan has a (low) limit. The cost seems easy to calculate, when you consider that most consumers check for news several times daily. The Groupon users I know, use that mobile site several times per week.

I guess that you could call the offending apps, "money sucking apps."

As a smart phone user, "data plan theft" is important to me because I pay my mobile service provider $25 monthly for about 2 gigabytes of data downloads. (I get unlimited texts so that doesn't factor into the download amount.) Mobile device owners who frequently use the above offending apps would probably incur a greater cost theft than less-frequent users.

Given the "data plan theft" issue, I can imagine the consumers in the class-action probably felt "mugged" by their mobile device apps. When a few apps allegedly compromise your privacy and consumer your data plan usage without authorization, you become wary of downloading more apps that might do more damage. All apps stores need to recognize this threat and take appropriate corrective action.

Otherwise, you could call the app stores, "data breach stores."

The complaint included an attorney's name I have seen before: Joseph Malley of Dallas. Malley, often referred to as a "Privacy Crusader," was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Ringleader, and Facebook. In 2010, Facebook settled the suit for $9.5 million. For consumers who have privacy concerns, you want an attorney that is experienced with online privacy issues and technologies. Malley is the guy you want on your side.

Several related blog posts consumers may find helpful:

What Are Your Personal Identity Information Values?

While reading the book "Giving Voice To Values" recently, I began to wonder what a set of identity information values would be. After a prior employer exposed my sensitive personal information during a data breach, I was forced to learn about identity theft and fraud. That incident caused me to think about what information I need to protect, how to protect that data, and my expectations of employers, prior employers, and retail companies to keep secure my personal data.

By "values" I mean the things that are important to each of us; not necessarily current law (federal, state or local). For instance, smoking cigarettes is legal, but you may decide not to smoke. Your personal values guide your behaviors. Another person may decide to smoke cigarettes, cigars, and weed -- regardless of the laws. What you consider important, another person may not.

Values vary by person. Our values guide our behaviors; what we purchase. What we do. What we won't do.

I want to be clear. I am not advising readers to break the law. I am encouraging readers to seriously consider what your values are regarding your identity information. If you don't know what your identity information values are, you probably cannot evaluate if a retail company or social networking site meets your needs. You can't tell if that company is treating you well or abusing you. In short, you can't be an informed shopper.

By "identity information values," I mean what you consider important about the list of data items that describe you. your values guide what, when, and how you decide to share and protect your personal information. When I first started this blog, I compiled a crude list of the personal data companies, schools, healthcare organizations and government agencies compile about consumers. As technology advances, that list of data items grows.

Today, smartphone and other mobile devices can attached a geo-tag to photos and videos you take. Social networking sites ask you if you want to attach a geographic indicator to your posts or tweets. There are many more examples.

I think that we can agree that there is a lot of information we consumers can share about ourselves; and a lot of information companies can collect about us. To paraphrase a line from the first Spiderman film: "with great power, comes great responsibility." That may sound hokey, but I strongly believe it applies to personal identity information.

So, what are your identity information values? Here is a start at my list of identity information values:

  1. It better be accurate: I expect any identity information about me to be accurate. It should not portray or convey something that isn't true, unless I authorize it.
  2. Online profiles are not comprehensive: I don't share everything online, especially the most sensitive data items (e.g., birth date, SSN). So, don't assume that everything you read provides a complete view. It doesn't. And it never will.
  3. I read website polices: that includes the privacy and terms of service policies. So, they have to be accurate, complete, and current.
  4. I expect to be asked and notified: if a company or website want specific data items about me, I expect to be asked. I expect your website policies (e.g., terms of use, privacy) to clearly state what data items you want. We are entering into an agreement and I will hold up my end. I expect you to hold up your end. If you don't, i will take my business elsewhere at the earliest opportunity.
  5. I prefer opt-in: opt-out systems may be easier (and more profitable) for companies, but I prefer opt-in. If your product or service is so great, tell me about it and I will decide to register, sign-up, or opt-in. Don't include me automatically and force me to (continually) sign-out or opt-out. I view companies that use opt-out systems as lazy marketers whose business model is probably flawed. If you refuse, I will look to take my business elsewhere at the earliest opportunity.
  6. I expect to be paid: if you want to use my words, my image, or both in an advertisement, I expect to be compensated. As the economist Milton Friedman said, "There is no free lunch." If you really value my participation in your advertisement (online or otherwise), I expect to be paid since you expect your ad to generate revenue for your purposes. If you refuse, I will look to take my business elsewhere at the earliest opportunity.
  7. If you impersonate me, there will be consequences: if you pretend to be me, or assist somebody else to use my personal data pretending to be me and I did not authorize this action, you have made an enemy.
  8. I am the decider: I decide what information about me that is inaccurate. I get the final say or word about what is accurate about me, since I know myself better than any corporation, data broker, or data mining entity.
  9. I may share it, or not: I choose whether or not to distribute or share with others identity information about me. I may grant or give away that right to people I trust: doctors, lawyers, accountants, certain government agencies, and a few retail companies.
  10. There are consequences if you abuse it: if you abuse my identity information, use it in ways I did not agree to, decide in the future to make things public that we previously agreed to as private, or take/steal identity information I didn't authorize, then there will be consequences. I may stop doing business with your company, or take stronger action.
  11. I can change things: I can revoke any rights I have given to others to have, store, or distribute identity information about me. Just because I gave a social netowkring company some of my personal information today means that they can keep it forever, unless I agree to that.
  12. I expect companies to practice sound data security: when a company archives my sensitive personal information, it had better adequately protect it. If not, then you really aren't prepared nor trustworthy. If you promise that you are prepared, and then a data breach or similar event proves otherwise, I will take my business elsewhere at the earliest opportunity.
  13. Actions speak loudest: While what your company may comply with federal, state, and local law, if an offer or business practice looks or smells deceptive, then that is how I will view it. What a company does (or doesn't do) tells me more about its values than anything it says. Most companies have sufficient cash to hire skilled public relations staff, so its words mean far less. If I find that a company's actions conflict with or contradict my values, I will tell you, and expect a correction. If no acknowledgement and correction, I will take my business elsewhere at the earliest opportunity that is convenient for me.

What do you think? What's your list? Do you even have a list? Did my list miss anything?

BBB: The Top 10 Scams of 2010

During 2010, fraudsters and identity thieves targeted consumers with a variety of scams, to trick you into revealing your sensitive personal and bank account information. The Better Business Bureau listed the top 10 scams with the most complaints from consumers:

  1. Job Hunt Scams – Scammers try to trick job hunters into revealing their bank account, social security number, and similar sensitive personal data; and demand a fee to be considered for a job.
  2. Debt Relief and Settlement Services – Many bogus companies promise to help you get out of debt and demand upfront fees. The BB said debt-relief complaints rose 30% during 2010.
  3. Work from Home Schemes – These schemes vary: upfront fees to learn the secrets to making money online, assembling products at home, or get paid to be a mystery shopper.
  4. Timeshare Resellers – The BBB reported a 40% increase in complaints about the timeshare industry and deceptive resellers. The scammers typically demand large upfront fees to help you sell timeshare property, and the help is never provided.
  5. Not So “Free” Trial Offers – These include a variety of deceptive offers, such as free trial offers online for diet supplements, penny auctions, and money making schemes. Victims reported they were billed monthly for items and found it extremely difficult to cancel.
  6. Itinerant Home Repair/Roofers – Typically, door-to-door sales people fail to fix roofs or complete other home repairs promised. The BB reported a 40% increase during 2010 of complaints, driven in part by 1,000 complaints nationwide about American Shingle, which has since gone bankrupt.
  7. Lottery and Sweepstakes Scams – These often target seniors and demand that you wire a large cash amount upfront to pay for taxes for your prize. The scammers pretend to be representatives from legitimate companies like Reader’s Digest, Publisher’s Clearing House or a fake foreign lottery. The victim wires the money, but never receives the prize.
  8. Identity Theft – These include phishing emails, vishing phone calls, smishing text messages, bank ATM machine and gas-station pump skimming devices, or theft of your sensitive personal and bank information through a data breach at an employer, former employer, bank, or retail store.
  9. Advance Fee Loan Scams – Fraudsters promise consumers and business owners, who are struggling financially, that they qualify for large loans, but must pay large upfront fees first. The victims wire the money and never receive their loans.
  10. Over-Payment Scams - Fraudsters target people selling items online or perpetuate rental scams by submitting checks that overpay the amount requested, and ask you to wire the difference. The check bounces and victims are out the money wired back to the scammers.

How to protect yourself: there are entries in this blog that cover most of the above scams. Follow the above links to learn more. Attend National Protect Your Identity Week events that are in your area. Visit the BBB website to research a company before doing business with it.

St. Petersburg Times Interview: Heartland's Chief Information Officer

Recently, the St. Petersburg Times interviewed Steven Elefant, the Chief Information Officer Heartland Payment Systems hired after its disastrous data breach in 2009. With 130 million debit/credit card numbers stolen, that data breach was the largest corporate data breach in history. Consumers at banks and credit unions were affected. Several class-action lawsuits resulted and Heartland paid numerous fines, as banks had to reissue debit/credit cards to affected breach victims.

Prior to joining Heartland, Elefant held positions within the U.S. Secret Service and the F.B.I. crimes tasks forces. I found some of Elefant's comments very interesting, as it highlights the global nature of identity theft and fraud. About the person caught and convicted of the breach:

"... Gonzalez was not the mastermind. He was working with organized criminal rings in Eastern Europe, Ukraine and Russia. They will sell your stolen credit card numbers today over the Internet for $5 to $20 apiece. U.S. law enforcement knows exactly who they are but cannot get them extradited. Some of these countries have no cyber crime laws, so they cannot arrest them there..."

Thieves make money with stolen debit/credit card account information when they:

"... sell the numbers to other bad guys who obtain blank cards and an imprinter — used ones are available on eBay or Craigslist — and print their own credit cards or make counterfeit gift cards. They use the cards to buy big-ticket items like a $1,000 TV they sell for $500 to people who don't realize it's stolen merchandise."

About how Heartland's retail clients have responded after the breach:

"We lost very few clients and have been flat since then. So far about 10,000 of our 250,000 merchants have adopted end-to-end encryption."

If you want to learn more about Elefant, there is a good article at BankInfo Security.

Identity Thieves Modify Their Bank ATM Skimming Approach

Since I started writing this blog in 2007, I have learned that identity thieves are creative and persistent. The news story below is another example.

The Krebs on Security blog reported a few instances where identity thieves have installed skimming devices that are no longer attached to the ATM machine. How is this possible? The thieves installed the debit card skimming device inside the door-reader entry mechanism.

Many ATM machines are inside a small booth behind a locked door. This requires bank customers to insert their debit card in the door-reader to open the locked door to the booth. So the thieves installed the skimming device inside the door-reader mechanism, instead of over the card slot of the ATM machine. The camera to record your PIN number is installed on a wall outside the ATM booth.

At the Krebs on Security blog, you can view pictures of an opened door-reader mechanism with the skimming device attached. This skimming device installation is impossible for consumers to detect, just like skimming devices thieves installed inside gas-station pumps.

Why are identity thieves so persistent at hacking bank ATM machines? That's where the money is. Experts estimate that consumers withdraw $1 trillion dollars annually from bank ATM machines, and fraudulent withdrawals from ATM machines are about one-half of one percent. Do the math. That is still a lot of money stolen.

What should bank customers do? First, use your bank ATM machine during office hours when the door is already unlocked. Second, when using a bank ATM machine off hours, use a different card with a magnetic strip to open the door to the ATM machine lobby.

The Digital Divide: It -- Just -- Won't -- DIE

[Editor's Note: Today's blog post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. She has studied what makes some individuals embrace or avoid information technology. (She’s definitely one of the former.) Michelle helps others improve their use of technology in their personal or professional life. Today, Michelle tackles Internet usage in the USA.]

By R. Michelle Green

When I began studying technology and social policy, I wanted to know how the willingness to embrace technology affected people’s lives, personally and professionally. I worried that the digital divide that I observed in 1999 (when many of my friends didn’t even have email addresses, and I had for years) would disproportionately affect the social, economic and career outcomes for minorities, for the disadvantaged, and for low income Americans. I wasn’t the only one concerned. “Speed of technological diffusion is selective, both socially and functionally... [it] is a critical source of inequality in our society,” said Manuel Castells, quoted in a Consumers Union article published in 2000.

Well, it’s a decade later, and those worries were silly, right? Computers are everywhere, access to broadband is as easy as carrying your laptop or tablet to the local coffee shop. And for many of us, the internet is ever with us, courtesy of our smartphones. In fact, a January 2011, the Pew Internet & American Life project reported on their English language survey of American mobile device usage. The report said that English-speaking Latinos and blacks (87% of each group) have mobile phones, a greater (and statistically significant) percentage than whites (80%). Moreover, these minorities use more phone applications, with greater frequency, than whites: 70% of non-whites text, for example, versus 50% of whites. Only a third of whites use their phones to access the internet; 46% of blacks and 51% of English-speaking Latinos do. Over a third of non-whites access social networking sites online, compared to less than 20% of white mobile users. Nearly 50% of minorities have used their phone to record a video, compared to only 29% of whites. The list goes on. Hey, People of Color, you’re finally ahead! Woo Hoo!

Not so fast.

Based on additional analyses from Pew, this greater use of mobile devices is largely instead of, not concomitant with, laptop and desktop use. Many professional uses of computers (resume building, spreadsheet analysis, database use, or some forms of content creation come to my mind) are more difficult on a phone. One could infer from the data that minorities use their phones more for entertainment than economic or career advancement. To be fair: non-white users (60% for blacks, for example) also reported more positive attitudes toward civic engagement and political connection than whites (41%). Minority Americans reported a greater willingness to use social networks for neighborhood and community connection than whites. And for readers of this blog – it also means that these populations are more prone to inappropriate use of their private information than whites – they use mobile devices more, more exclusively, and with more intrusive sites.


Many Black Americans celebrate a little known holiday called Juneteenth. On the nineteenth of June, 1865, Black Texan slaves learned that they were free, 2 years after the Emancipation Proclamation in 1863. Essentially, lack of information kept them in chains. This incident is particularly poignant today. We’ve got an incalculable amount of information at our fingertips, but is it knowledge? Is the problem no longer access, but evaluating and using all that data to advantage? Do demographic differences in adoption and use of smartphones matter? Will ubiquitous mobile-adapted access to the internet reproduce, improve, or worsen current social inequalities? (somebody stop me, I’m running out of question marks.) Looking forward to your thoughts on the subject.

27-Person Identity Theft Ring Busted in New York City

In case you hadn't heard, the Manhattan District Attorney in New York City, Cyrus R. Vance, announced on Wednesday the indictment of 27 persons for operating a "credit card forgery and identity theft ring" based in Brooklyn. The theft ring had allegedly stolen personal information from hundreds of bank accounts, created fake credit cards, and fraudulently purchased Apple products from stores around the country to resell for profit.

The theft ring operated between June 2008 and December 2010, and were investigated by the New York County District Attorney’s Office’s Cybercrime and Identity Theft Bureau and the United States Secret Service. What gave this story visibility was the theft ring's purchases of Apple brand computer products: iPods, MacBooks, iPads, and gift cards. The theft ring bought products from Apple retail stores in Alabama, Connecticut, Florida, Indiana, Georgia, Nevada, New Jersey, New York, Oregon, Pennsylvania, Virginia, Wisconsin, and the District of Columbia.

The theft ring called itself “S3,” and allegedly purchased stolen bank account information (e.g., names and credit card account numbers of identity-theft victims) online from data traffickers. After purchasing the stolen information, the theft ring:

"... would store the stolen credit card information in shared email accounts, allowing several defendants to begin creating counterfeit credit cards. The defendants then recruited individuals to act as “shoppers,” who entered stores armed with these manufactured cards containing the shoppers’ real names paired with stolen account information. The counterfeit credit cards were used to purchase goods for S3’s own use, or to resell for profit."

Prosecutors produced documents showing that the theft ring was a family affair. Its leader, Shaheed Bilal, managed the operation for a time while in jail on Rikers Island. Bilal allegedly used his girlfriend, Ophelia Alleyne, to manage the daily operations of the theft ring. Bilal allegedly provided Alleyne with instructions about how to purchase stolen credit card numbers, manage shoppers, and create fake credit cards. Bilal's brothers -- Ali Bilal, Isaac Bilal, and Rahim Bilal -- allegedly participated.

One of the theft ring's "shoppers," Anthony Harper, allegedly left the theft ring to start his own operation, which operated using similar methods. When I read the DA's press release, I found it interesting that most of the defendants were in their mid- to late-twenties.

Congrats to the Manhattan DA and various investigators on this theft-ring bust.

Do You Trust CEOs and Company Breach Notification Letters?

Recently, Fast Company published a news item about the public's trust in various institutions. The main point: from 2009 to 2010 trust in CEOs was greater than trust in "persons like yourself" for the first time. The key graphic:

Comparison of trust measures from 2009 to 2010

I found this hard to believe after the Madoff scandal, the BP oil spill, the recession, the public's anger towards banks, the huge credit card interest rate increases, the bailouts, and huge bank executive compensation. If we believe this Edelman study, then we consumers still trust CEOs, including those at banks, more than we just people who are similar to ourselves.

I'll ask the question a little bit differently. When you receive a breach notificaiton letter via snail mail:

  • Do you really trust that the company (and its CEO) did everything possible to protect your sensitive personal information, which it has since lost or had stolen?
  • Do you trust that the breach notification fully explained what happened and the risks to you?
  • Do you that the company will openly, honestly, and directly tell you the results of its breach investigation?
  • Do you trust that the company has taken all appropriate steps to implement data security methods to prevent another data breach?

For those readers who are social networking and smartphone users:

  • Do you trust the the social networking site will adequately protect your personal information?
  • Do you trust the social networking site fully disclosed all of the other company it sold your personal information to?
  • Do you trust the social networking site to adhere to its privacy policy?
  • Do you trust the apps at the social networking site to protect your personal information?
  • What about the apps on your smartphone or tablet?

Health Net: The Cost of a Data Breach

You may recall, in 2009 a data breach at Health Net exposed the personal and medical information of 1.5 million patients in several states: Arizona, Connecticut, New Jersey, New York, and Vermont. Some updates:

  • The Hartford Courant reported that the State of Connecticut fined the insurer $375,000, as the breach affected 446,000 Connecticut residents
  • The insurer will pay a $55,000 fine to the State of Vermont for failing to notify affected Vermont residents of the breach
  • In July 2010, the insurer had settled with the State of Connecticut for a $250,000 fine and a "Corrective Action Plan" to prevent future breaches

The actual costs to the insurer are far more, including the cost of security investigations, internal process and data security changes, two years of paid credit monitoring service for breach victims, and legal fees.