8 posts from September 2011

What It Means To Have An Unrequested Security Freeze On Your Credit Report

Recently, an I've Been Mugged reader wrote asking:

"I went to to acquire my [free credit] report. I then get told I have a security freeze on my file that I DID NOT put in place?!?! What does this mean? Does this mean someone is stealing my identity?"

First, this reader went to the right place to get her free credit reports: When using the website, it is important to complete the online forms accurately.

Second, the credit reporting agencies do make mistakes. This is one reason why it is important for consumers to periodically check the accuracy of their credit reports. Mistakes happen because many people have the same name and/or share the same birth date. In 2004, I had a credit report agency list me as deceased when it erroneously co-mingled in my credit report data from both me and from my deceased father. So, while I have not heard before of the problem this reader described, I wouldn't be surprised if a credit reporting agency made a mistake and placed a freeze/lock on the wrong person's credit report.

What this reader must do next requires an understanding of how security freezes work. Identity-theft victims place a security freeze on their credit reports so criminals cannot obtain new credit (e.g., loans, mortgages, etc.) in their name without their consent.

I first suggested that this reader learn more by browsing the Security Freeze section of the Experian website. Perhaps a parent or relative placed a freeze/lock on their credit reports while the reader was a minor. Some parents have proactively signed up for credit monitoring services with coverage for their children due to the increase in identity theft affecting children.

The TransUnion and Equifax websites each have sections that explain the security freeze feature. Perhaps, the reader can use the instructions for "What do I do if I lose my PIN?" to get a new PIN to remove the freeze/lock on their credit reports.

I also suggested that the reader try to determine if a freeze/lock is on all 3 of their credit reports at Experian, Equifax, and TransUnion. I suggested this because of the way a security freeze works: a consumer pays to place (or remove) a freeze/lock on their credit report at each credit reporting agency. The reader may find that the freeze/lock is only on one or two credit reports -- and not on all three. That might decrease the amount of work, time, and fees to remove any freezes/locks on their credit reports.

The fees vary by state, so where this reader lives is important. Each credit reporting agency website includes those state-specific instructions.

This reader might think back as to whether she used a credit monitoring service previously. Perhaps the reader paid for that service to place a freeze/lock on her credit report(s).

I also suggested that she contact the Identity Theft Resource Center (ITRC). The ITRC has resources for consumers, and may have already encountered other consumers with the same situation.

What do you think? Do you have any suggestions for this reader?

Data Breach At Vacationland Vendors Affects About 40K Consumers

Vacationland Vendors, a supplier of arcade equipment and vending machines, announced on its website a major data breach affecting consumers who used their debit or credit cards at the Wilderness Resort locations in Wisconsin or Tennessee during the period from December 12, 2008 to May 25, 2011. The company released very few details in its breach notice:

"Based upon its investigation to date, Vacationland Vendors reasonably believes that a computer hacker improperly acquired credit card and debit information. This incident did not involve an internal security issue within the Wilderness Resort."

While the company did not disclose the number of consumers affected by the data breach, the Credit Union Times reported that an estimated 40,000 consumers were affected. Vacationland Vendors advises affected consumers to closely monitor their bank accounts for fraudulent charges, report any fraudulent charges to their bank, and then place a fraud alert on their credit reports.

Vacationland Vendors needs to do much more to help affected consumers, and explain more about its investigation, why the breach went on for so long -- over two years, and what the company is doing so another hack doesn't happen for so long a period.

Doctor Paid $40K For Illegal Disposal Of Patients' Files

Last week, North Carolina Attorney General Roy Cooper announced that Dr. Ervin Batchelor, owner and operator of the Carolina Center for Development and Rehabilitation (CCDR), has paid $40,000 for the alleged illegal disposal of patients' medical records.

In June of 2010, the CCDR dumped 1,000 patient files at the West Mecklenburg Recycling Center. The files contained names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, insurance account numbers, and health information for 1,600 people. Mecklenburg County officials contacted the Attorney General’s Office, which then launched an investigation into the illegal dumping.

Besides the fine, Dr. Batchelor has agreed to comply with both state and federal data security laws to protect patients' personal financial and medical information. The CCDR has already notified patients of the data breach. North Carolina law requires businesses and local government agencies to notify consumers affected by a data breach.

In North Carolina, organizations must also report data breaches to the Consumer Protection Division. A total of 889 breaches involving information about more than 3.3 million North Carolina consumers have been reported since state laws on security breaches took effect in 2005 and 2006. AG Cooper said:

“Any business you entrust with your information has a duty to keep it safe. Sensitive financial and health information should never be carelessly dumped, putting customers and patients at risk of identity theft.”

I agree. This is a good example of why all organizations that archive consumers' personal medical and financial information should have data security procedures in place to prevent data breaches. Unfortunately, several special interest groups have lobbied the U.S. Congress for exemptions to Red Flag Rules, notably physicians and accountants. Special interest groups often claim that the Red Flag Rules are an unnecessary and cumbersome burden.

Well, post data breach responses are a huge burden on organizations. The above fine is one of many costs. And, the improper disposal or theft of consumers' sensitive personal financial and medical information is a huge burden on consumers. Instead of wasting time and resources looking for ways to avoid protecting consumers' information, these groups should be doing the opposite. Protecting consumers' data is in both their and consumers' best interests.

Smartphone Insurance From Asurion: A Good Deal?

Consumers love their smartphones. The convenience is a huge benefit: email, contacts, photos, calendar, travel directions, and plenty of customized, personal data readily available 24/7/365 at your fingertips wherever you go. How should you protect yourself if your smartphone is lost, stolen, or breaks?

Some consumers go it alone and pay out-of-pocket to replace their smartphone when it is lost, stolen, or breaks. Some consumers pay for smartphone insurance from a company named Asurion. The Asurion website presents an impressive description and benefits:

"... 60 million phones are lost, stolen or damaged each year. Without insurance, the average cost of replacing your phone is $300! Our coverage protects you from phone loss, theft and damage (even water damage). We offer fast, easy replacement with overnight shipping to any address you choose... Over 90 million wireless customers around the world just like you are protected by Asurion. Asurion partners with North America’s top 5 nationwide wireless carriers, many regional providers as well as other worldwide wireless companies to help customers get a replacement phone quickly..."

Asurion covers a variety of mobile devices: cellphones, smartphones, and tablets. A Mobile Recovery app allows users to remotely lock and wipe a stolen or lost smartphone.

When Wenner Exius bought his Android 2 smartphone in October 2010 with service from Verizon Wireless, he signed up for the smartphone insurance from Asurion which Verizon had arranged, and paid $6.99 per month premium. I happen to know Wenner personally, as we were coworkers at a digital agency in Boston about six years ago.

This summer, Wenner suffered a broken leg that forced him to work from home during his recovery. As a copywriter at a digital ad agency in Chicago, working from home was an option as he had a laptop and smartphone. While working from home, Wenner's Android 2 smartphone stopped working. Wenner contacted Asurion and received the following email:

From: Asurion - [email protected]
Date: Mon, Aug 15, 2011 at 8:30 AM
Subject: Asurion Confirmation.
To: wenner.exius@...


"Thank you for contacting Asurion and filing your claim with us. Our mission is to help you reconnect with your world quickly, easily, and at a cost far less than paying full price for a new device! For your convenience, simply click on the links to the right to obtain all the information you will need as you move forward with your claims process. You should also receive a separate shipment tracking e-mail within the next 12 hours*.

For security reasons, please click here to retrieve your Claim ID. Once you are redirected to the website, simply enter your wireless number, the security code, and then click the “Forgot Claim ID?” button.

As a reminder, please return your defective device by using the return envelope provided within 15 days to avoid a non-refundable charge to your credit/debit card. Please note that this process does not apply for customers with a lost or stolen device.

If you experience any issues with your shipment you should contact Asurion within 7 days. Additionally your replacement device is under Warranty with Asurion so if you experience any operational problems with your device within the next year, please contact us."

Wenner filled out the appropriate paperwork, paid the $99 deductible, mailed his broken Android 2 smartphone to Asurion in the packaging provided, and waited for Asurion to send a replacement smartphone. When the replacement arrived, he started using it immediately. Like many consumers, Wenner never turns off his smartphone. It stays on for days or weeks at a time. When he did turn off his replacement smartphone, it wouldn't turn back on again.

Wenner contacted Asurion again to return and replace his defective replacement smartphone. Asurion denied this request, stating its policy that he did not contact Asurion within 7 days about a defective replacement smartphone. No credits either.

To get work done at home, Wenner paid $200.00 out-of-pocket for a new smartphone since he couldn't get a working replacement smartphone from Asurion. Wenner is dissatisfied with Asurion's customer service, partly because of the economics. His total payments to Asurion:

$76.89 (11 months X $6.99/month premium)
+ $99.00 deductible
$175.89 total (for a non-working replacement smartphone)

The payments are about the same as what Wenner paid for a new smartphone. He questions the benefits that smartphone insurance with Asurion provides, since he doesn't have a working replacement smartphone from Asurion. He admits that he contacted Asurion about the defective replacement smartphone after the 7-day period, but believes that the company did not adequately explain the 7-day limit. As proof, Wenner cites the above email he received from Asurion.

To learn more about Asurion, I visited the company's website and was frankly underwhelmed. First, the only policy readily available online was the privacy policy. The terms and conditions policies for its various insurance products seem to be available only behind the log-in function. Why the secrecy? Users should be able to easily and quickly access the policies and terms for their insurance products. Across providers, consumers should receive similar or the same insurance coverage.

Second, the Asurion website is all about claims and not for prospective customers. Links about claims dominate the home page. It does not appear that an individual consumer can sign up for an insurance product directly at the Asurion website. Consumers must sign up through their mobile service provider. So, I visited Verizon's website, selected "Illinois" and searched the website for information about Asurion. The Verizon website returned this search result:

[Image: Search results page at the Verizon Wireless Illinois website]

I selected the "Total Equipment Coverage" link above, and the Verizon Wireless website displayed a detail page about the smartphone insurance plan Wenner purchased:

"Total Equipment Coverage offers combines the benefits of Asurion’s Wireless Phone Protection with the Verizon Wireless Extended Warranty program and is now enhanced with Asurion’s Mobile Recovery on compatible devices. If your device or covered accessories are lost, stolen, damaged or experience a mechanical or electrical defect after the manufacturer’s warranty expires, you are protected.

Advanced Devices
- $6.99 per month per covered device.
- $99 non-refundable deductible per approved claim.
- 2 replacements in a 12-month period with an equipment maximum of $1500 per claim (in New York, 2 claims per policy year)

Replacement devices may be remanufactured equipment. If the same model is not available, a comparable model will be provided. You may cancel at any time and receive a prorated refund of your monthly fee. For a list of equipment in the Phones, Advanced Device and Tablet programs, please visit Asurion's website or call Asurion at (888) 881-2622."

This page was somewhat helpful, but it didn't mention anything about the 7-day limit by Asurion. A document at the Asurion-Verizon website seems to include the smartphone insurance plan terms and conditions (1.9 MBytes, PDF) for the plan Wenner purchased. Section 2H mentions a 60-day period for late claims. I did not see anything in this document about the 7-day period deadline for notifying Asurion about defective replacement smartphones.

I tried to contact Asurion about the 7-day notice policy and to get the company's point-of-view on the situation, but emails to the company went unanswered.

I re-read the above email and the last paragraph in it does not seem to clearly convey Asurion's position about what happens when users do not contact Asurion within the 7-day period. There also seems to be some ambiguity in the email about exactly when the 7-day period starts. Does it start from the date of the above email message, or when Wenner received the replacement smartphone? Regardless, that is not much time for a consumer to fully inspect and test a complicated device such as a smartphone; especially when the replacement is a different brand and/or model.

Wenner wants his $99 deductible back since he never got a working smartphone from Asurion. He plans to cancel his smartphone insurance with Asurion.

I began to wonder if Wenner's experience with Asurion was unique. A quick search of the Internet discovered stories from many other consumers who experienced customer service problems with Asurion. While the company has an A+ rating by the BBB, actual reviews and experiences by customers tell a different story. The Consumer Affairs website lists numerous complaints about refurbished replacement equipment, damaged replacement equipment, and incorrect billing issues. Many of the stories are similar to Wenner's.

You can read more experiences reported by customers at Ripoff Report. In November 2010, BusinessWeek reviewed Asurion and reported:

"Some accident-prone owners—and parents of phone-toting kids—praise the sense of security Asurion provides. Consumer advocates, though, almost uniformly say the insurance isn't worth the extra expense... Those refurbished phones may not even work that well. Robert Nissenbaum, owner of Blue Ridge Wireless Cell Phone Repair Center in Tucson, Ariz., sees many used phones from Asurion and other, smaller insurers..."

Is this smartphone insurance plan from Asurion a good deal? You'll have to decide for yourself as your mobile usage habits probably vary. Some people are harder on the equipment than others. In my opinion, this insurance plan coverage is weak for the following reasons:

  • Asurion doesn't guarantee new equipment and delivers re-manufactured equipment
  • Asurion doesn't guarantee that the same make and model smartphone will be available as a replacement
  • Consumers are limited to two replacements per 12-month period. A smartphone is a high-use mobile device prone to abuse (e.g., drops, weather, liquid spills) and theft
  • Full disclosure seems spotty. Neither company's website provides easy access to the full insurance plan terms and conditions for prospective customers. The above Verizon copy directs users to the Asurion website and the Asurion website requires customers to log in to view the terms and conditions
  • As Wenner's experience showed, the amount he paid in insurance premiums just about equaled what he paid for a new smartphone
  • Based on the Asurion website pages and documents I have seen, the disclosure of terms and conditions seems sloppy
  • The experiences reported by Asurion customers describe questionable customer service quality

What do you think? Is smartphone and mobile device insurance from Asurion a good deal? If you signed up for smartphone or tablet insurance from Asurion, please share your experiences.

[Update: Sept. 15: Wenner reports that Asurion has contacted him and now claims that they never received the original defective Android he sent to them.]

[Update: Sept. 20: I received the following email from a representative at Weber Shandwick, the public relations agency representing Asurion:

From: Kokoruz, Aaron (DAL-WSW)
Sent: Tuesday, September 20, 2011 12:35 PM
To: [email protected]
Subject: Asurion Sept. 14th Blog Post

"Dear Mr. Jenkins,
I am emailing in regard to your September 14th blog post about Mr. Exius’ experience with Asurion. First and foremost, allow me to extend my sincere apologies for the frustrations that Mr. Exius felt. We understand that losing or breaking a mobile device is a stressful situation for anyone, even more so for Mr. Exius coping with a broken leg and the need to work from home. We always work hard to ensure our customers have a positive experience and we’d like to do what we can for Mr. Exius.

Every year we provide millions of customers with replacement phones so that they can reconnect with family and friends as quickly as possible. We ask every customer with whom we interact to rate their experience. Any customer expressing dissatisfaction is contacted by Asurion for more information. Happily, most customers are pleased with our service and value. However, we realize in this case we didn’t meet the customer’s expectations.

We carefully review the feedback we receive online and appreciate the details that you provided in your blog. We take your comments seriously and will use the opportunity to speak with Mr. Exius directly to further discuss his experience and see how we might provide better service going forward.

Thank you for bringing this to our attention.

Kind Regards,

Aaron Kokoruz on behalf of Asurion
Account Supervisor
Weber Shandwick
1717 Main Street, Suite 1600
Dallas, TX 75201"]

FTC Testifies Before Congress About Identity Theft And Fraud Affecting Children

On September 1, the U.S. Federal Trade Commission (FTC) testified before a subcommittee of the House Committee on Ways and Means about identity theft and children. At the hearing in Plano, Texas, Deanya Kueckelhan, Director of the FTC’s Southwest Regional Office, delivered the FTC testimony.

Theft and fraud involving children's Social Security numbers is a growing problem. Identity thieves can access and steal Social Security numbers from children’s records in schools, doctors' offices, social services agencies, and other sources. Sometimes, family members who have fallen on hard economic times use the identities of their children to obtain credit they couldn't obtain otherwise. Experts explored the problem recently in the Stolen Futures forum, hosted jointly by the FTC and the Department of Justice’s Office for Victims of Crime.

For adult identity theft, the Bureau of Justice Statistics reported in its National Crime Victimization Survey Supplement that about 11.7 million persons, about 5% of all Americans ages 16 or older, were identity-theft victims during a two-year period ending December 2008. The financial cost of that theft was $17.3 billion.

For child identity theft, a study by ID Analytics found 142,000 instances of identity fraud each year in the United States where children are the victims. Another study by the Carnegie Mellon CyLab of 40,000 children who had been enrolled in an identity protection service found that 4,311 of those children -- about 10.2 percent -- had loans, property, utility, and other accounts associated with their Social Security numbers.

In her testimony, the FTC's Kueckelhan described another aspect of child identity theft:

"... a child’s unused SSN is uniquely valuable to a thief because it typically lacks a previous credit history and can be paired with any name and birth date. In effect, a child’s identity is a blank slate that can be used to obtain goods and services over a long time period because parents typically do not monitor their children’s credit..."

Kueckelhan also described the identity protection problem:

"... fraud alerts, a key tool used by adult victims of identity theft to warn potential creditors of possible identity theft, are premised on the existence of a credit file. Parents ordinarily cannot place a fraud alert on their child’s credit file if the child has no such file. Further, remedies available under federal law such as extended fraud alerts, access to documents underlying the theft, and blocking of erroneous debts typically require a victim to obtain a police report to document the crime... children victimized by parents or guardians are often reluctant to file a police report naming a loved one or a source of financial support as the perpetrator."

Read the FTC testimony (PDF).

What is a parent to do? First, concerned parents should understand the available credit file protection tools: fraud alert, credit-file freeze, and the differences between the two tools. Second, investigate a credit monitoring and identity protection service to cover both parents and children in your family. Several services exist, which I will explore in future blog posts. Shop around because monthly prices and features vary.

Third, teach your children, tweens, and teens about money, credit, the sensitive personal information they must protect, and their responsibility when they become adults to monitor their credit files produced by the major credit-reporting agencies: Equifax, Experian, and TransUnion. You can find plenty of information in this blog.

In my opinion, a broader solution to the problem would be for credit reporting agencies to automatically place a free Security Freeze on the credit reports of all children. This freeze would automatically be lifted (for free) when the child turns 18. Parents could temporarily lift the freeze for children younger than 18, for instance, to apply for education loans for that child.

What do you think of child identity theft?

Login Notification Security Feature via Email

I have written several posts in this blog about features I don't like. Today's post is about one feature I do like: e-mail notifications about log-ins.

When I change my Facebook password every 90 days (don't you too?) at the Facebook website, I have to log out and log back in with my smartphone to enable my Facebook apps. Like many other people, I configured my smartphone to allow me to automatically post photos to Facebook. Facebook sends me the following email message for this smartphone activity:

"Hi George Jenkins,

It looks like someone used your Facebook account to log into Facebook for Windows Phone (Friday, September 2, 2011 at 12:23pm).

Was this you? If so, you can disregard the rest of this email.

If this wasn't you, please follow the link below to protect your Facebook account information:
[Facebook login link redacted]

To learn how login notifications like this one can help you to protect your account information, visit the Help Center: Please note: Facebook will never request your login information through email.

The Facebook Team"

What I like about this email:

  • It confirms login activity I know about
  • It's a good security alert feature. If an identity thief stole my password and logged in with his/her smartphone, I would be notified -- and can change my passwords
  • It contains a link to relevant help information that's useful for Facebook members who aren't sure about these alerts
  • The alert uses a different method (e.g., email) rather than simply relying on traditional in-page website confirmation messages

I wish more websites used a similar security alert feature.

Want to learn more? Some tips about how to use Facebook securely:

France Issues New Breach Notification Law for ISPs And Telecommunications Companies

Information Age reported that Internet service providers and telecommunications companies operating in France must report data breaches to both the affected consumers and government regulators. The French legislation defines a data breach as:

"... any security breach that accidentally or unlawfully results in the destruction, loss, alteration, disclosure or unauthorised access to personal data."

ISPs operating in France must report data breaches to their regulator, the Commission nationale de l'informatique et des libertés (CNIL). Violators face both prison time and a Euro 300,000 fine. Germany and Spain have similar breach notification laws, but the fines are far lower -- less than one percent of the fine in France.

California Amends Its Breach Notification Law

California was the first state in the nation to enact a breach notification law. The 2002 law required organizations that store records with consumer information -- both companies and government agencies -- to notify consumers when their sensitive personal information was lost or stolen. Last week, California Governor Brown signed into law SB 24. What's new about SB 24:

"Specifically, SB 24 establishes standard, core content for data breach notifications including a general description of the incident, the type of information breached, the time of the breach, and toll-free telephone numbers and addresses of the major credit reporting agencies in California.... In addition, SB 24 also requires data holders to send an electronic copy of the notification to the Attorney General, if a single breach affects more than 500 Californians."

SB 24 (Adobe PDF) goes into effect January 1, 2012.

This is good news for consumers, as other states' breach notification laws have followed California's lead. I believe it is also good because too often, consumers have no idea what to do next when they receive a breach notification letter. Too many don't know about the credit reporting agencies: Experian, Equifax, and TransUnion; nor the consumer's responsibility to keep their credit reports accurate; and the need to monitor their credit reports after a breach/theft.

Since writing this blog I have talked with many consumers. A breach notification letter is often a wake-up call for a consumer that he/she needs to take action to protect their sensitive personal and financial information.

Moreover, the InfoLaw Group appropriately emphasized that SB 24:

"... adds California to the list of states and other jurisdictions that require some type of regulator notice in the event of certain types of data security breaches... Other states that require some form of regulator notice in some circumstances for certain kinds of entities (sometimes for a breach, and sometimes to explain why an entity has determined there was no breach) include Alaska, Arkansas, Connecticut, Hawaii, Indiana, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, Puerto Rico, South Carolina, Vermont, and Virginia."

Don't see your state on this list? Write to your elected officials and demand an improved breach notification law for your state.

Sadly, only four states' governments post online the breach notifications they receive: Maryland, New Hampshire, Vermont and Wisconsin. Online postings are a good way for consumers to verify the breach notifications they receive.