
18 posts from August 2011

iPrank = iPad Scam

Do you think that two guys selling a couple Apple iPads in a McDonald's fast-food restaurant is legitimate? Say, they offered each iPad for $300. Would you buy one?

A South Carolina woman did, and when she arrived home she sadly found out that she had bought "a brick in a box." More precisely, the 22-year-old woman, Ashley McDowell, bought a fake Apple iPad made of wood and painted with an Apple logo on it. You can view a photo of this fake iPad at the Smoking Gun website.

Ashley offered and paid the scam artists $180 for the iPad, which was sealed inside a FedEx shipping box:

"But when McDowell drove home and opened the FedEx box containing the iPad, she instead discovered the wood with the Apple logo. The “screen”--which was framed with black tape--included replicas of iPad icons for Safari, mail, photos, and an iPod."

Police are searching for the two scam artists.

A word to the wise: if an offer sounds too good to be true, it usually is. Or, at least inspect the device before you hand over the cash.

How To Recognize Disaster Related Scams

You have just survived a natural disaster. Perhaps you have some damage to your home. Nobody wants to be victimized twice: once by the natural disaster and then by scam artists and identity thieves.

To help consumers and businesses deal with disasters and the scam artists that often follow, the U.S. Federal Trade Commission (FTC) operates the Disaster Recovery website. The website contains a variety of content including emergency preparation tips and advice about scams.

Unfortunately, several types of disaster-related scams target consumers:

  • Debris Removal Scams: The FTC advises consumers to get a written work estimate from any company promising to remove debris from your property. Don’t make the final payment until you have inspected the job and are happy with it. Shop around and compare prices to make sure you are not overcharged.
  • Fake Disaster Officials: Some scam artists claim to be government officials offering assistance to qualify for disaster relief payments. A “processing” fee is often included. Others masquerade as safety inspectors or utility repair workers who claim that immediate repair work is required. Some claim they can get you FEMA funds, for a fee. FEMA does not charge application fees. In fact, no government agency charges application fees. Always ask for identification from any officials who visit your home or your temporary shelter. Call the local agency office to confirm the person's identity.
  • Home Repair Scams: Often the scam artist claims that the work must be done "now or never." Collect phone numbers to verify identities. Demand the time to consider the offer overnight. Before selecting a contractor, get at least two bids, get references, get the contractor's business license, check the Better Business Bureau website, deal with established vendors, don't give out personal financial information (e.g., credit card numbers), and structure payments in installments (e.g., upfront, 50% of work completed, 100% of work completed). The U.S. Federal Emergency Management Agency (FEMA) operates a Disaster Housing Program to help homeowners who have been forced out of their homes by disasters. This includes Disaster Home Repair Assistance, which provides grants to homeowners for minor but necessary disaster-related repairs. Call the FEMA Disaster Helpline at 1-800-621-FEMA. The U.S. Small Business Administration makes low-interest loans of up to $200,000 to homeowners to repair or replace damaged or destroyed real estate.

To learn about more types of scams, visit the FTC Disaster Recovery website. Often, many of these scams lead to identity theft and fraud. The website recommends when you should and should not disclose your sensitive personal information (e.g., bank account numbers, credit card numbers, Social Security number, birth date, mother's maiden name).

Identity Thieves Target Phishing Attack On Users Interested In Cloud Computing

Interested in cloud computing? Want to store your files and documents in the "cloud?" Considering the Apple iCloud service? Identity thieves have adapted a phishing email for cloud computing services.

The good folks over at the Sophos Naked Security blog reported a new email phishing attack which targeted prospective Apple iCloud users:

"The email claims to come from Apple, and appears to have targeted our correspondent because he is a user of Apple's MobileMe service. Apple is planning to shut down its MobileMe service in mid-2012, as it is readying its new iCloud service (which will store music, photos, calendars, documents etc in 'the cloud' and wirelessly push them to all of your devices)."

Many consumers consider Apple products relatively immune to malware and phishing attacks. You have been warned. Be alert for phishing emails about cloud computing.

Hays Apologizes For Email That Caused Breach At Royal Bank of Scotland

An employee at Hays, a global staffing and recruitment company used by the Royal Bank of Scotland (RBS), apparently sent an email which caused a data breach at RBS. According to the Kroll Ontrack Data Recovery blog, the email message:

"... detailed the pay rates of around 3,000 contract employees and was sent to some 800 RBS staff... Research by the Ponemon Institute earlier this year revealed that 19 per cent of data security breaches in the UK were caused by mistakes with emails..."

In 2009, the UK Office of Fair Trade fined Hays 30.4 million pounds for price-fixing violations, allegedly to prevent a competitor from entering the construction industry.

In 2008, a hacker broke into the computer systems of RBS' payment processing unit, RBS WorldPay. About 1.5 million records were stolen, including the Social Security Numbers of about 1.1 million consumers. Several class-action lawsuits resulted from that data breach.

A year ago this month, the UK Financial Services Authority (FSA) fined members of the Royal Bank of Scotland Group (RBSG) 5.6 million pounds (about US $8.9 million) for failing to have adequate processes and controls, when RBS allegedly facilitated money laundering involving companies on the UK financial sanctions list.

Kroll Ontrack provides a variety of services for companies to search, analyze, and recover data, including computer forensic analyses. In 2007, IBM hired Kroll to assist with IBM's February 2007 data breach. Kroll provided credit monitoring services to IBM's data breach victims.

KPMG Survey: A Typical Corporate Fraudster Is...

KPMG recently released its 2011 Who Is A Typical Fraudster? report, describing the profile of a typical corporate fraudster, the impacts and amounts stolen, industries where fraud tends to concentrate, and the conditions which enabled the fraud. The report included 348 events in 69 countries. The fraud events included "white collar" crimes such as:

"... misstatement of financial results, theft of cash and/or other assets, abuses of expenses, and a range of other fraudulent acts."

The report excludes acts of no material value and misconduct. The report does not mention names. The average duration of the fraud was almost three and a half years from the start until its detection. In 74% of the incidents, fraudsters exploited weak internal controls. Companies fail to read and act quickly on the warning signs:

"The number of fraud cases preceded by a red flag rose to 56 percent of cases in 2011, from 45 percent in 2007... Just 6 percent of initial red flags were acted on in the 2011 analysis... Rarely is an act of fraud a one-off... In 2007, 91 percent of fraudsters were repeatedly fraudulent, compared with 96 percent in the 2011 analysis."

The average loss was $1.4 million in Asia Pacific, $1.1 million in the Americas, and $900k in Europe. The report described the following as one of the most interesting cases in the United States:

"At a U.S. financial institution, a larger-than-life chief executive surrounded himself with an inner circle of "yes men." The fraud, which involved subterfuge and complex bundling and unbundling of loans and transactions to make bad loans appear good... The investigation quickly uncovered conflicting stories told by the CEO's inner circle and the people working with the loans and customers. This case illustrates, in particular, how dominant and bullying behavior can coerce others to participate in fraudulent activity."

Corporate fraud also includes identity theft. A case from Switzerland:

"Fraudsters attempt to extract money from dormant accounts or they assume the identity of a customer to trick advisers into making payments or transfers. Often this involves the collusion of an external party with an internal ally..."

I also found the consequences interesting:

  • Disciplinary action: 40% of cases (54% in the Americas; 23% in Asia Pacific)
  • Regulatory, legal enforcement: in 45% of cases
  • Civil recovery: 23% of cases
  • Resignation/voluntary retirement: 17% of cases (25% in Asia Pacific)
  • Out-of-court settlement: 6% of cases
  • No action taken: 3% of cases

The profile of a typical corporate fraudster:

  • Male (87% were men)
  • 36 to 45 years of age (41% were ages 36 to 45; 33% were ages 45 to 55)
  • Committed the fraud against his own employer (90% committed the fraud against their employer)
  • Works in the finance function or in a finance-related role (32% worked in finance; 26% were CEOs; 25% were in operations/sales)
  • Holds a senior management position (29% were in management; 53% were in senior management)
  • Employed by the company for more than 10 years (33% employed more than 10 years; 29% employed 3 to 5 years; 26% employed 6 to 10 years)
  • Committed the fraud in collusion with another employee (61% acted with others)

The report mentioned this about collusion:

"... male perpetrators (64%) are almost twice as likely to collude than women (33%). After taking account of male dominance in the perpetrator group, collusive females account for just 4 percent of activity. Perpetrator groups are most typically all-male or mixed gender."

KPMG is a tax, auditing, and advisory firm operating in 144 countries. A KPMG auditor caused a data breach in May 2010 when the auditor lost a flash drive containing 4,500 unencrypted patient records.

The Frenzied World Of Companies Collecting Consumers' Financial Histories

Many consumers believe that if you pay your bills on time, keep your (Experian, Equifax, and TransUnion) credit reports accurate, and keep your credit scores high, then all is well. Not necessarily. There are many more companies that track and collect data about consumers' financial histories.

Chances are, you haven't heard of their names. The Washington Post reported:

"But little attention has been paid to the firms that target consumers outside the mainstream financial system. Often they are students, immigrants or low-income consumers who do not qualify for traditional loans or choose not to use them... they carry particular weight for the estimated 30 million people who live on the margins of the banking system."

Who are some of the smaller firms? Some of them this blog has covered: ChoicePoint, Innovis, RapLeaf, Quantcast, First Data, Acxiom, Intelius, US Search, and Spokeo. Some are data brokers. Some collect website visitation statistics. Others focus on finance or insurance. Some are technology vendors working with ISPs. A prior blog post discussed the variety of brands of credit scores. Some other firms' names you may not have heard about:

"LexisNexis, whose parent company bought ChoicePoint three years ago, handles background checks, tax assessments and criminal histories. Bounced checks can be tracked through Chex Systems, TeleCheck or SCAN. Payday lenders report to a company called Teletrack. Alliant Data compiles information on so-called “installment payments,” industry jargon for recurring monthly fees such as gym memberships. The National Communications, Telecom and Utilities Exchange collects account information for 63 of that industry’s largest firms..."

The accuracy of the information collected by these firms is suspect:

"Arkansas resident Catherine Taylor didn’t learn about the fourth bureau until she was denied a job at her local Red Cross several years ago. Her rejection letter came with a copy of her file at a firm called ChoicePoint that detailed criminal charges for the intent to sell and manufacture methamphetamines. The information was incorrect... Taylor said she has identified at least 10 companies selling reports with the inaccurate personal and financial information, wrecking her credit history so badly that she says she cannot qualify to purchase a dishwasher at Lowe’s. Taylor must apply for loans under her husband’s name and has retained an attorney to force the firms to correct the record..."

And this list of firms does not even include social networking websites, advertising networks, and mobile device marketers, all of which collect information and profiles about consumers.

Given the long list of companies across several industries collecting consumers' personal information, you could call this a feeding frenzy.

Senator Schumer Asks Cellular Carriers To Deactivate Stolen Cell Phones

When cellular phones are stolen, often the cellular service provider remotely deactivates the SIM card in the stolen phone. While a deactivated SIM card prevents thieves from accessing the victim's contacts and email, thieves can insert a replacement SIM card and then either use or resell the stolen phone. To deter thefts, Senator Charles Schumer (D-New York) believes that phone companies should do more.

Last week, the Senator wrote a letter to several cellular service providers asking them to deactivate stolen cellular phones. That would make it impossible for thieves to use or resell stolen cell phones. CBS New York reported that New York City ranks second behind Miami in the number of stolen cellular phones annually. According to data from the New York Police Department:

"Forty-one percent of all thefts in New York involve a cell phone, meaning the cell phone is stolen alone or the cell phone is stolen with other goods..."

According to the Senator, the technology already exists today to remotely deactivate stolen cellular phones. Reportedly, only Verizon currently deactivates stolen cell phones. AT&T, T-Mobile, Nextel, and other cellular service providers don't.

Yeshiva World reported:

"IMEI numbers, unlike SIM cards, are assigned exclusively to each cell phone and are not replicated. In the United Kingdom, carriers have the ability to disable handsets based on IMEIs, serial numbers, or other unique identifiers. This prevents criminals from swapping SIM cards to activate a stolen cell phone."

The Senator's proposal makes sense to me. When your credit card account is hacked or your credit card is stolen, your bank will issue you a replacement account and/or credit card. Cellular service providers can do the same.

What do you think of the Senator's proposal?

Data Breach At A Retailer Has Affected BofA and Citi Customers

A data breach at a retailer has affected cardholders at both Bank of America and CitiBank. Both banks have deactivated some credit cards. According to American Banker, the banks have not disclosed the name of the retailer. According to Bloomberg, Bank of America sent several debit card customers new cards as a precaution after a possible breach.

From my view, the two events are related and the retailer's breach is significant. A reader wrote to me yesterday:

"Wow. This morning BOA contacted me about suspicious activity on my debit card...3 transactions at some international art market. On the 3rd transaction, BOA caught it and declined the card. The rep said she thinks they had a fake card made. But wow! What the hell? Do you think this is a coincidence or could it be related?"

It's probable that this reader's debit card information was skimmed and cloned. It's great that BofA acted proactively and notified the reader of these suspect transactions, but the fraud has already happened. This reader's bank account information is out there among identity theft and fraud criminals. Now, this reader needs to get a new bank account and replacement debit card, plus update all of her online bill payment settings.

I encouraged this reader to use credit cards instead of her debit card when shopping at online and brick-and-mortar retail stores. Sure, debit cards are convenient, but the risk is just too high. When breached, it gives criminals direct access to your bank checking account.

Think of it this way: every time you shop with your debit card at a retail store, you are trusting that retail store and its employees to:

  1. Protect your sensitive bank account information,
  2. Protect their customer databases from hacks,
  3. Protect its point-of-sale terminals from skimming devices,
  4. Encrypt wireless transmissions of purchase transactions between it and its banks,
  5. Implement a "red flag" program to control access to sensitive customer data and to discover insider identity theft,
  6. Comply with state laws to protect and delete certain transaction information within the appropriate deadline, and
  7. Comply with merchant guidelines (e.g., from Visa International, MasterCard)

So, the next time you enter a brick-and-mortar store, look around and ask yourself if you feel comfortable that that particular establishment has the resources, skills, and commitment to do #1 through #7 to protect your sensitive bank account and payment data. If the answer is "no," then use cash or a credit card. At gas stations, use your card inside and not at the pump. Learn how to avoid being a victim of skimming. Learn more about whether to shop with cash, debit, credit, or a charge card.

Me? I use my debit cards only at my bank's ATM machines.

If you are a Citi or Bank of America customer, were you affected by this latest breach? Did you receive replacement debit/credit cards, or did you have to demand them? If so, please share your experience below.

Living Life Online: New FTC Guide For Teens And Tweens

The U.S. Federal Trade Commission (FTC) has launched the Living Life Online website to help teens and tweens stay safe online, make good choices online, and understand the consequences of their online choices. A companion print guide (PDF, 3.4 MBytes) explains the website. Both include short articles, activities, quizzes, and an ask-the-expert column, all to help kids learn how to think critically:

"As you live your life online and off, some behaviors can help you be more successful: asking questions to help you figure out what’s real and what’s hype; thinking about things to do – or not – that can help you keep safe; figuring out ways to act that can help you treat others the same way you’d like to be

The guide addresses topics including sexting, cyber-bullying, online manners, the personal information you should protect, photo-sharing, how to avoid cell-phone bill shock, and much more:

"What you post could have a bigger "audience" than you think. Even if you use privacy settings, it’s impossible to completely control who sees your social networking profile, pictures, videos, or texts. Before you click send, think about how you will feel if your family, teachers, coach, or neighbors find it. Once you post information online, you can’t take it back. You may think that you’ve deleted information from a site – or that you will delete it later. Know that older versions may exist on other people’s computers... Get someone’s okay before you share photos or videos they’re in."

The print guide includes resources (e.g., worksheets and information) for parents to encourage discussion with their kids. I found the Living Life Online website thin on interactivity and not nearly as robust as it could (should) be to fully engage kids. The website is more a single webpage. A better implementation could have presented separate website sections for children and parents. Hopefully, this is the draft version of the website and enhancements will be released soon.

The print guide is a good resource for kids and parents to start the process of learning and discussing good decision-making online. Kids living in the USA must ultimately learn who the FTC is and how to use its resources -- chiefly to recognize phishing, to protect their sensitive personal information, and to file identity theft and fraud complaints.

With a variety of topics, the Living Life Online print guide is a good first step to help kids learn to make good decisions online. What do you think of the guide?

Browser Plugin Tracks And Shares Your Online Activity

Wondering how much time you spend on Facebook? Curious about which social networking website you spend the most time at? Well, Voyurl is a new browser plugin that tracks (and shares) your online usage. According to Mashable:

"Voyurl's private beta version was a recommendation engine based on friends' and the general community's online activity, as collected by a plugin they installed. When you added a friend, you could see what new sites he or she was visiting. You could also see what sites the community visited most often... A curated list of recommendations is created based on what sites you visit and how you behave on them. Factors like scrolling and mouse hovering are taken into account to decide what you like."

In my opinion, this product sounds like something for the brainless and clueless. I don't need to know every website my friends visit. They'll often tell me what they like and how they use it. Based on that and my own needs and assessment, I can determine if the site is important or relevant enough to use.

If you want to follow the herd and make decisions based on which sites your friends use most, then go ahead and use Voyurl. Me? I prefer to make decisions about which websites I register at based on:

  • The website's terms of use and privacy policies
  • The website's features and options for me to maintain my privacy and control my profile data
  • The website's data security and history of data breaches
  • My content and information needs
  • The website's added value (an evaluation of its price and benefits)
  • The website's alert and news features (e.g., RSS feeds, e-mail, posts within the social networking sites of my choice)

Consumer Receives Email Inquiry From Calgary Police About Stolen Credit Card

What would you do if you received an e-mail from a police department in another country claiming that your personal and financial information had been stolen? This happened last week to my friend, Beth (her name has been changed upon request). Beth, who lives in Boston, received the e-mail message below:

From: Calgary Police Service
Date: Wed, Aug 3, 2011 at 4:31 PM
Subject: Police Inquiry - Identity information recovered

[Beth's personal information removed for security reasons.]

I am a constable with the Calgary Police Service (CPS) in Calgary, Alberta, Canada. The CPS recently executed a search warrant at a Calgary residence and one of the items seized was a sheet of paper bearing the personal information of 144 people; this information included credit cards, expiry dates, full names and addresses. The above information, accompanied by your e-mail address was listed. It is my intention to charge the suspect with unlawfully possessing credit card and identity information. In order to prosecute, I require confirmation that the above information is (or was) correct.

Your personal information appears to have been compromised. Therefore, I am recommending that you notify the bank that issued your credit card to have it cancelled immediately. I would also encourage you to contact your local credit reporting bureau and check to ensure that your personal information has not been used to obtain any other banking services or products.

This is a legitimate law enforcement inquiry and my credentials can be verified via the Calgary Police Service website at If you are unsure of the legitimacy of this e-mail, please present it to your local law enforcement agency, so they might assist in this investigation.

Cst. K Grier #4572
District 3 GIU
Break and Enter Detail
Calgary Police Service

First, I would like to thank Constable Grier and the CPS for catching and prosecuting identity-theft criminals. It is always good to see local law enforcement in action.

I spoke with Constable Grier about her e-mail. Since most of the identity-theft victims in this case were from other countries outside Canada, CPS notified banks and took the added step of notifying theft victims directly, when possible. Constable Grier suspected that the credit card information was either stolen from a website or accounts were hacked. Like all law enforcement, CPS appreciates the assistance the public and breach victims can provide.

This case has several implications. First, it highlights the fact that identity-theft criminals often commit other types of crimes -- in this case, burglary. While pursuing a burglary suspect, CPS discovered the credit card thefts. So prosecuting and jailing identity-theft criminals can also stop other crimes.

Second, this case highlights potential gaps in cross-border breach notification laws. While local law enforcement in another country may promptly notify breach victims' banks, my understanding is that there is no guarantee of data breach notice to U.S. citizens across country borders. I did some light reading and the current Red Flag Rules do not apply to breaches at bank branches located outside the USA (PDF document). Perhaps some legal scholars can expand and clarify on international laws regarding cross-border breach notification.

Third, it highlights the need for breach victims to take action. I am sure many readers want to know what to do should you receive an e-mail like the one above. Beth found this situation scary as she had never visited Calgary. She wondered if the above email was real or a scam.

Since there are so many online scams and phishing e-mail messages, I advise consumers to first verify the e-mail via an alternate method. By "alternate method" I mean an independent, different method than the format of the suspect message. Don't disclose any more personal information until you have verified that the message is real. Example: If the suspect message is an e-mail, don't press the "Reply" button. Instead, independently verify it via the phone (or an in-person visit to your local law enforcement). Example: if the suspect message is a phone call, independently verify it via e-mail or the Internet. Or, ask your local police department for help with verification of an inquiry from another police department.

In this case, verification was easy. I performed a Google search to independently find the CPS website, since I didn't want to rely on the contact information in the e-mail. At the CPS website, I found the main phone number for District 3, and called to verify that Grier is a Constable there.

I shared all of this with Beth, who started to feel better. Later she contacted Grier. The thief had stolen credit-card information for an account Beth had already closed a long time ago. While consumers may ignore the situation because credit-card theft liability is small and often limited to US $50, helping law enforcement is important. As this case highlighted, identity thieves often commit other types of crimes. So, prosecution for identity theft can stop other types of crimes, too.

The Calgary Police Service Identity-theft page has advice for consumers to both avoid becoming identity-theft victims, and for identity-theft victims. If you are an identity-theft victim, CPS advises:

  • File a report with your local police department and obtain a case number.
  • Notify all creditors by phone and in writing about the crime.
  • Keep a log of all your contacts.
  • Use a credit bureau sample dispute letter.
  • Look at the crime before & after the event to learn how it happened. This will often help to lead investigators to multiple crimes.
  • Prepare to complete an ID Theft Affidavit.
  • Learn as much as you can!!

Several Internet Service Providers Hijack And Replace Consumers' Search Results

When you use a search engine like Google, Yahoo, or Bing you expect it to reliably deliver the search results the search engine was built to deliver, and not a replacement set of links from an intermediary -- without notice and without your consent. New Scientist reported that several internet service providers (ISPs) have modified and redirected these search results:

"The hijacking seems to target searches for certain well-known brand names only. Users entering the term "apple" into their browser's search bar, for example, would normally get a page of results from their search engine of choice. The ISPs involved in the scheme intercept such requests before they reach a search engine, however. They pass the search to an online marketing company, which directs the user straight to Apple's online retail website."

Last week, the New York-based law firm of Reese Richman filed a class-action lawsuit against one of the ISPs, its marketing firms, and Paxfire, the technology company which reportedly provides the equipment used to redirect and replace searches. Experts believe that the redirect process violates several statutes, including wiretapping laws. One of the marketing firms identified with the alleged search redirection is Commission Junction. The ISP identified in the lawsuit is RCN.

Researchers at the International Computer Science Institute in Berkeley, California discovered the redirection and have monitored it for several months. Reportedly, a total of ten (10) ISPs were found to perform search results hijacking and replacement.

"The redirection can also produce unwanted results. A user wanting to read an article in The Wall Street Journal, for instance, might search for "wsj"; the redirection system would take them to a page offering subscription deals for the paper..."

If you want to learn more, there is a good article at the Electronic Frontier Foundation website:

"Major users of the Paxfire system include Cavalier, Cogent, Frontier, Fuse, DirecPC, RCN, and Wide Open West. Charter also used Paxfire in the past, but appears to have discontinued this practice."

It would seem that once again greed trumps common sense. The search results hijacking and replacement alters a basic function of how the Internet operates. You could say that users were "mugged" for their searches.

About three years ago, in an attempt to increase their revenues, several ISPs installed deep-packet inspection software on their servers to display targeted ads while tracking, without notice or consent, all of their subscribers' Internet activity (e.g., e-mail, text, searches, web browsing). Consumers and privacy advocates protested strongly, both in the United States and in Europe.

Several ISPs testified in hearings before the U.S. Congress, and at least one ISP admitted to the secret spying on its subscribers. In their rush to make money, ISPs abused their subscribers' privacy and trust. Several technology companies, like Adzilla and Phorm, were sued and either settled class-action suits against them or went out of business.

It would seem that we are about to repeat another round of privacy abuses by ISPs with their technology and marketing partners. Executives at these companies are either ignorant of, or hope that consumers have forgotten, the lessons of three years ago. Well, we have not forgotten. Privacy, disclosure, and consent still matter.

I predict several more class-action lawsuits will emerge, plus an updated list of ISPs to avoid doing business with because of privacy abuses. No matter how they might spin it, it is not right to replace the standard search results from search engines with garbage so an ISP can build its revenues. Consumers' needs matter.

Bank Of America To Settle Class-Action Lawsuit With Overdraft Fee Rebate Program

Back in 2009, this blog warned about how banks can manipulate their computers to charge consumers excessive fees. This month, Bank Of America started notifying customers about its proposed rebate program to settle a class-action lawsuit about overdraft fee abuses.

The bank has set up a $410 million fund to provide rebates to customers charged excessive overdraft fees as a result of the bank's alleged practice of processing debit card transactions by size (largest first) rather than chronologically, and of not declining transactions once an account was already overdrawn. You are automatically included in the rebate program if you had both a Bank of America consumer checking and/or savings account and a debit card between January 1, 2001 and May 24, 2011, and were charged one or more overdraft fees.

There is an important deadline of October 3, 2011 if you want to exclude yourself from the settlement and retain the right to individually sue Bank of America about this issue. To learn more, visit or call 1-800-372-2390. If you disagree with the proposed settlement agreement, then you (or your attorney) must provide your objection about it to the court by the same October 3 deadline. The court will have a hearing on November 7 to consider approving the proposed settlement agreement.

I saw a legal notice about the proposed settlement in the August 8, 2011 print edition of Sports Illustrated magazine (page 67). Frankly, the print legal notice is clearer and easier to understand:

"The lawsuit claims that Bank of America processed debit card transactions in order of highest to lowest dollar amount to maximize the number of overdraft fees assessed to its customers. Specifically, the lawsuit claims that, instead of declining transactions when an account had insufficient funds to cover a purchase, Bank of America authorized the transactions and then processed them in highest to lowest dollar amount order..."

Bank of America has had several data breaches in 2005 through 2008. You can find in this blog a review of the Bank of America PrivacySource credit monitoring service.

Despite legislation by Congress, the problem of excessive overdraft fees continues. According to the Miami Herald:

"A survey released Wednesday by the Consumer Federation of America found that the median overdraft fee is $35, the same as it was last year. The highest fees also remain $33 to $37 per overdraft. The fees can be triggered if customers overdraw their checking accounts by as little as $5. In addition, the survey found that two-thirds of banks continue piling on fees if customers fail to balance their accounts within a set time. For example, JPMorgan Chase charges an "extended overdraft" fee of $15 after each five-day period that an account stays in the red."

So, the legislation may have somewhat improved how banks process your debit card transactions, with more frequent disclosures, but when you overdraw your account the fee you pay remains as high as before. And there are lots of new fees.

What's a consumer to do? Move your money to a local bank or credit union.

Belmont Savings Bank Settles With Massachusetts Attorney General Office For Data Breach

The Massachusetts Attorney General Office announced that it had reached a settlement agreement with Belmont Savings Bank after the bank failed to protect consumers' information during a May 2011 data breach. The terms of the settlement include a $7,500 fine and:

"... Belmont Savings Bank must ensure the proper transfer and inventory of backup computer tapes containing personal information; store backup computer tapes containing personal information in a secure location; and effectively train the members of its workforce on the policies and procedures with respect to maintaining the security of personal information."

The bank lost an unencrypted backup computer tape containing the names, Social Security numbers, and account numbers of more than 13,000 Massachusetts residents after a bank employee failed to follow the bank's data security policies and procedures. The employee left the computer tape on a desk instead of storing it in a vault overnight. Note the word "unencrypted": the data on an encrypted backup tape is unreadable without the key, so encrypting backup media is the safeguard that turns a misplaced tape into a lost piece of plastic rather than a breach.

According to Attorney General Coakley:

“Consumers expect businesses to not only develop policies and procedures to safeguard their sensitive personal information, but to follow these procedures as well... Our office will continue to take action against companies that fail to follow protocol to protect the information entrusted to them by consumers.”

Good. We'll be watching.

The Dangers of Public WiFi Hotspots

[Editor's note: this is not an endorsement. This video is presented for informational purposes. Always shop around and compare before purchasing a product or service.]

If you are unfamiliar with wireless or WiFi technology, then you will likely find this video informative. If you seek a solution for a secure connection at public WiFi hotspots, this is one of several solutions available.

Attorneys General Increase Enforcement Of State Data Breach Laws; WellPoint To Settle Class Action Lawsuit

One way to understand what organizations and executives should know about data security and data breach laws is to read about the advice their law firms provide. The law firm of Dickstein Shapiro advises its corporate clients on several topics including dispute resolution, corporate finance, energy, government law, government contracts, public policy, and intellectual property.

In an alert to its clients, the firm discussed the recent settlement agreement between WellPoint and the State of Indiana Attorney General Office:

"... the AG settled with WellPoint for violations of the State's data breach notification law (although, notably, not for violations of federal health care data protection rules under HIPAA)... Wellpoint notified affected customers three months after it had corrected the problem. Additionally, WellPoint did not notify the AG of the breach. Under the settlement, WellPoint was required to: (1) pay a $100,000 fine to a state fund providing restitution to defrauded consumers; (2) provide up to two years of credit monitoring and identity theft protection to each person exposed; and (3) provide up to $50,000 to address further losses each person exposed might experience."

About the proposed Federal data breach legislation, the alert said:

"Until there is a comprehensive data protection and notice law at the federal level applicable to businesses generally, AGs will continue to be aggressive in enforcing their States' data breach notification and data privacy laws. At present, 46 States have data loss notification laws, and the majority of States also have laws requiring that businesses protect customer and employee data. AGs have used these laws to obtain substantial settlements, protect consumers, and change business practices."

About medical records data security, the alert said:

"State AGs also have the authority to enforce federal data breach notification laws governing protected health information. The HITECH Act, Title XIII of the 2009 stimulus bill (the American Recovery and Reinvestment Act) imposes notice obligations on entities covered by HIPAA when they experience a breach affecting protected heath information and allows for enforcement of the Act by State AGs using their parens patriae authority. AGs may bring a civil action in federal court for injunctive relief or monetary penalties... AGs also may seek to recover costs and reasonable attorneys fees incurred in prosecuting a successful action."

According to American Medical News, WellPoint has agreed to settle the class-action lawsuit filed in California. The terms of the reported settlement agreement seem similar to the terms of the agreement with the Indiana AG. The class-action settlement includes:

  • Two years of credit monitoring service for all breach victims,
  • Reimbursement to class-action participants for identity theft losses of up to $50,000 per incident,
  • Extended time to file identity theft claims, until May 31, 2016,
  • An additional five years of credit monitoring for class-action participants who file claims, and
  • A donation by WellPoint of $250,000 total to two nonprofit organizations involved with consumers' online privacy.

10 Dangerous Habits Consumers Still Do Online

Based on a recent Symantec survey, the ZDNet Security blog posted a list of ten dangerous habits consumers still do online. The list can be summarized into two broad behaviors:

  • Consumers trade convenience for security
  • Consumers ignore online risks they are aware of

The list of detailed dangerous habits:

  1. Sharing too much information in social networking websites
  2. Trusting company websites to protect their information
  3. Assuming the links in email, text messages, and social networking posts are safe to click on
  4. Not educating themselves enough about the threats and ways to protect themselves
  5. Not updating the anti-virus and malware software on their computers and mobile devices

My pet peeve is number four. Regarding number three, every Facebook user should follow the alerts from websites like Facecrooks, which greatly help you learn which links to avoid. To view the complete list of dangerous habits, visit the ZDNet Security blog.