Previous month:
December 2011
Next month:
February 2012

17 posts from January 2012

Why You Shouldn't Install Those Entertaining Apps On Facebook

There is an excellent Facecrooks blog post that explains the risks of installing most "fun and entertaining" apps on Facebook. First, you have to understand the extreme limitations of Facebook:

"... there is no formal review process for applications or developers on the Facebook platform. Anyone and everyone (scammers included) can create apps. This is far different from the “Walled Garden” approach taken by Apple. Many unsuspecting users might be under the impression that if it’s on Facebook then it must be legitimate. That is totally not the case."

Second, think long and hard before installing any app that requires you to give it permission to:

  • Access all of the data in your Facebook profile
  • Access all of your Facebook friends list
  • Post as you
  • Just because the app address starts with HTTPS doesn't mean it is safe
  • Doesn't have a privacy policy
  • Has a privacy policy you don't like

Third, it is wise for Facebook members to "like" Facecrooks and follow its posts, so you are aware of emerging threats and scams.


Insider Identity Theft Example: Banc of America Broker

If you wonder what the phrase "insider identity theft" means, this case below is an excellent example. The basic definition of insider identity theft is when an employee (or contractor) at a company accesses personal information they aren't authorized to access. In the case below, it included the contact information of the company's clients. If you are one of those clients, this case illustrates how your contact information can be abused.

The Forbes article described how Dante J. DiFrancesco worked at Banc of America Investment Services (BAIS). When he left BAIS, DiFrancesco attempted to take his clients' contact information with him, only to clumsily discover that he'd take the contact information for 36,000 clients instead of his 180 clients.

The good news in this story is that BAIS discovered DiFrancesco's data access attempts. Companies with good data security have processes in place to detect when employees attempt to access information they aren't authorized to access, as BAIS did.

Like many things in business, the case went to court. The Financial Industry Regulatory Authority (FINRA) investigated, filed charges, and ultimately ruled in favor of BAIS. DiFrancesco appealed the ruling twice; first at FINRA (which affirmed the first ruling) and then at the U.S. Securities & Exchange Commission (SEC). The SEC ruled against DiFrancesco, too.


Slowly, More Consumers Consider Website Privacy Policies Before Buying

PC Pro recently reported the results of a recent Forrester Research study. Forrester surveyed 37,000 consumers in North America, and found that a growing percentage of consumers consider companies' website privacy policies in their decisions about whether to do business with a company:

"Websites need to rethink their privacy policies as consumers ditch those that hide data rules or leak information, according to research from Forrester. The analyst found that a growing number of consumers were reading how companies dealt with their privacy and voting with their feet if they didn’t like what they saw."

More than half of survey respondents over 55 years of age said that they refused to complete an online transaction because of the company’s terms of use or privacy policy. In 2008, 40% answered this question the same way.

The PC Pro article would have been more helpful if it linked directly to the Forrester Research report and included more facts. The Forrester research study found:

"Individuals see different types of data differently -- they're most worried about what we consider individual identity data, and far less concerned about the capture and use of their behavioral data... Most consumers are willing to share their data in exchange for value. But, what they consider "valuable" is very age-dependent..."

If the article had included examples of well-crafted privacy policies, this would help consumers learn about what to look for in privacy policies -- at websites, social networking websites, and with mobile-device apps. In 2011, the European Union Justice Commissioner described four pillars of online data privacy, which is a good start for any corporate privacy policy.

In 2008, a brief review of the privacy policy at Mint.com prompted a huge discussion on this blog -- that still continues today.


Investigate The Banks

Professor, political economist, author and former Secretary of Labor chief Robert Reich called on President Obama to hold big banks fully accountable for their part in the alleged mortgage abuses and housing market crash -- which the President finally addressed, in part, during his SOTU speech last night:

"We'll also establish a Financial Crimes Unit of highly trained investigators to crack down on large-scale fraud and protect people's investments. Some financial firms violate major anti-fraud laws because there's no real penalty for being a repeat offender. That's bad for consumers, and it's bad for the vast majority of bankers and financial service professionals who do the right thing. So pass legislation that makes the penalties for fraud count."

To learn more, visit YesHeCan.org.


The Personal Data Elements Consumers Want To Keep Private Online

At the All Things D blog, Liz Gannes has posted a very interesting inforgraphic about the data elements consumers care about and want to keep private online. The inforgraphic was created from a research report by Forrester Research. Some of the data elements and the percent of consumers that care about each item:

  • 72% - Social Security number
  • 71% - credit card number
  • 62% - driver's license number
  • 57% - credit score
  • 52% - Internet browsing history

This was a good infographic. It would have been even better if it included consumers' GPS location history, since so many mobile phone companies, telecommunications companies, and social networking websites collect this data. When and where you go in the physical world is very valuable and equally sensitive data. It is a way of uniquely defining you.


Learn About Credit Unions. Free Workshops At A Nearby City

While there hasn't been much mentioned lately in the mainstream news media, consumers are still moving their money out of the big banks to local community banks and credit unions. If you want to learn more about what a credit union is and its benefits, the National Credit Union Administration (NCUA) is hosting free workshops in several citys.

The NCUA is the independent federal agency that regulates and supervises federally chartered credit unions. The NCUA operates the National Credit Union Share Insurance Fund (NCUSIF), which insures deposits at federal credit unions and most state-chartered credit unions. Deposits are insured up to $250,000 per account.

Upcoming workshop dates and locations through June 2012:

  • March 3: Phoenix, AZ
  • March 10: Los Angeles
  • March 22: Richmond, VA
  • April 11: Chicago
  • April 12: Portland, ME
  • April 19: Philadelphia, PA
  • May 3: Detroit, MI
  • May 11: Minneapolis, MN
  • May 19: New York, NY
  • May 23: Albuguerque, NM
  • May 30: Baltimore, MD
  • June 2: Denver, CO
  • June 7: Omaha, NE
  • June 9: Dallas, TX

To learn more and register for a workshop, visit the NCUA website. The NCUA operates the MyCreditUnion.gov website for consumers, with plenty of resources, tips, and advice. This prior blog post includes basic information about how to find a credit union near where you live.


Data Breach At City College Of San Francisco Affects Thousands

The San Francisco Chronicle reported that a data breach at the City College of San Francisco (CCSF) could affect tens of thousands of students, employees, faculty, and staff. After the Thanksgiving holiday, computer viruses were found installed on computers in the college's computer labs.

The computer viruses had been installed as long as 10 years ago, and transmitted stolen data to locations in several countries. The data stolen included personal banking and other sensitive personal data. According to the newspaper report:

"Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran... Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected."

The college has posted a page with frequently asked questions to assist its users. the page stated in part:

"Currently there is no evidence that any of the College’s main servers and databases held in trust by the College have been compromised. Our security consultants are still conducting their analysis but it appears at this time that the viruses focused on information taken off individual workstations and computer servers for student labs. Confidential student and employee information is held in trust and stored on District servers. Our network security consultants are continuing their analysis of the servers and we will communicate the results of this work as soon as it is available."

For users that have experienced identity theft or fraud, the college FAQ page directs users to the U.S. Federal Trade Commission (FTC) website for further assistance.

If this FAQ page is the extent of the breach notice by the college, then -- in my opinion -- it is woefully inadequate. It would seem that the data breach caught the school administration unprepared.

The notice should inform users about the results of the breach investigation and actions so this breach doesn't happen again. Since online banking credentials appear to have been stolen, that represents ways for identity criminals to access the bank accounts of breach victims to steal money and/or more personal information: personal data: full names, email addresses, street addresses, Social Security numbers, and mobile phone numbers. With this core personal data stolen, thieves can obtain credit fraudulently.

Given this, the breach notice should also provide contact information and links to the credit reporting agencies. Simply suggesting to users that they change their online passwords is not enough given the personal information exposed. If further fraud happens, the college needs to step in and provide free credit monitoring and resolution services.


Scammers Target American Airlines Customers With Phishing Emails

Earlier this week, a reader wrote about an email message he had received. The email message included a confirmation for tickets purchased through the American Airlines website. The reader was concerned that his bank information had been hacked, because he had not purchased any airline tickets.

The email message:

Subject: Your Order#647842534
Date: 15 Jan 2012 07:14:55 -0000
From: American Airlines ([email protected])
Reply-To: American Airlines ([email protected])
To: [email protected]

Hello
FLIGHT NUMBER AA683
ELECTRONIC 885741402
DATE & TIME / JANUARY 30, 2012, 10:22 PM
ARRIVING / Raleigh
TOTAL PRICE / 395.22 USD

Please find your ticket attached. You can print your ticket. Thank you for your attention.
American Airlines.

The email included a ZIP file attachment. Clearly, this was a phishing email scam since it included an incomplete itinerary and the ZIP file attachment. A real airline wouldn't do either. Like most phishing emails, this one tries to trick consumers to open the ZIP file attachment which installs a computer virus on the victim's computer to collect password data, directs the victim's web browser to a fake American Airlines website to collect personal data, or both.

If you receive a phishing message like this, or from any other airline, experts advise consumers to:

  • Don't click on any links within the email message,
  • Don't open any files attached to the email message,
  • Don't send a reply email message to the sender,
  • Manually enter the website address into your web browser to visit the airline's official website to verify the email message, and
  • Check your credit card or bank statement for any fraudulent charges

The official American Airlines website has a page devoted to phishing email scams. It provides examples of various email scam messages, and advises consumers:

"American Airlines will never ask you to perform security-related changes to your account in this fashion or send emails to collect user names, passwords, email addresses or other personal information. If you receive an email claiming to be from American Airlines, that asks for account information, it should be considered fraudulent... do not click on any links, open any attachments, call any phone numbers listed or follow any instructions in the email. Instead, forward a copy of the email, including the header to [email protected] so that we can investigate further."

The Snopes.com website also contains information verifying email phishing scams, including the above scam.


Several Websites Are Dark Today To Protest SOPA And PIPA

To protest the proposed SOPA and PIPA legislation in the U.S. Congress, several websites have gone dark for the day. Critics of the legislation are concerned about the legislation's negative impacts on jobs and on free speech on the Internet. You could call the proposed legislation an online mugging.

Some of the websites that have promised to go dark on Wednesday:

  • Free Press
  • iSchool at Syracuse University
  • MoveOn.org
  • Mozilla
  • Reddit
  • TwitPic
  • Wikipedia
  • WordPress
  • XDA Developers

Other websites, like Google, support the protest by remaining available but with anti-SOPA and anti-PIPA messaging:

"End Piracy, Not Liberty"

In December, GoDaddy reversed its support of SOPA after many users protested by moving their websites to competitors' hosting services.

If you want to learn more about the online protest, read this. If you want to learn more about SOPA and PIPA, read the analysis by EFF. The text of the SOPA legislation is here. ABC News has a basic summary.


Zappos Data Breach Affects 24 Million Consumers

Several news organizations and USA Today reported about the data breach at Zappos.com, an online shoe and clothing retailer. Identity thieves hacked into the Zappos website and stole the names, street addresses, email addresses, telephone numbers, the last 4 digits of credit card numbers, and the online passwords of 24 million customers.

The Zappos CEO advised his employees via email that affected customers would receive the following notice, which read in part:

"... there may have been illegal and unauthorized access to some of your customer account information on Zappos.com... The secure database that stores your critical credit card and other payment data was NOT affected or accessed. For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password. We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail... We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there..."

While the company has reset online passwords and notified affected customers about how to create stronger passwords, the types of personal data stolen are sufficient for identity thieves to create plenty of damage. The damage can include spam using stolen email addresses, spam to/from linked mobile phone numbers, and further hacking into consumers online accounts.

How might further hacking happen? Too many consumers still use the same password for all of their online accounts. Simply, identity theives could access your debit/credit card numbers at other online retailer or bank accounts where you use the same password.

It is important for consumers to remember that identity criminals are persistent and re-sell stolen personal information. So, the thieves that attempt to hack into your online accounts probably won't be the same thieves that stole your personal information. Re-sold stolen personal information creates a situation where many thieves can ultimately create further damage.

Experts advise:

Addendum - January 18: After further consideration, I found the above breach notice and response by Zappos far from satisfactory for consumers. Their response assumes breach victims won't experience any identity fraud, since their message does not include any instructions about what consumers should do if they do experience identity fraud. And, the Zappos breach notice does not seek to explain to their customers the final results of their breach investigation, including why a breach like this won't happen again. The whole event can be summed up as "ooops, we lost a few passwords. reset them and everything will be okay." Not necessarily so.

Addendum - January 19: At least one lawsuit has been filed again Zappos and its parent company, Amazon.com.


Thoughts For Today

While writing this blog, I have tried to consistently argue for the rights of consumers... of individuals. Given today's holiday and threats such as Internet blacklist legislation, these quotes seem as relevant today as when they were originally said:

"Nothing in all the world is more dangerous than sincere ignorance and conscientious stupidity."
-- Martin Luther King, Jr.

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy."
-- Martin Luther King, Jr.

"Never forget that everything Hitler did in Germany was legal."
-- Martin Luther King, Jr.

"That old law about 'an eye for an eye' leaves everybody blind. The time is always right to do the right thing."
-- Martin Luther King, Jr.

"Injustice anywhere is a threat to justice everywhere."
-- Martin Luther King Jr.


Debit Cards: A New I've Been Mugged Topic

Since many consumers have shifted their purchases from cash and credit cards to debit cards, I have added a new topic in the tag cloud in the near right column. With recent events in the banking industry, new offerings allows employers to perform direct deposits to employees payroll cards, a customized version of debit cards. The "Debit Cards" topic includes this content of interest to consumers and residential banking customers. I hope that you like the new category.


Plenty Of Collateral Damage From a Credit Card Theft

There is a good article in PC Magazine that describes the scope of damages from identity theft when credit cards, smart phones, and spammers intersect. Jacqueline, a sales manager, had her credit card stolen and cloned, which resulted in over $2,000 in fraudulent charges. (Damages #1.) Her bank cancelled the exisitng credit card account and issued her a new credit card account. You would assume that was the end of the story, but sadly it wasn't.

Then, the credit card theft and card cloning happened with the replacement credit card -- which suggests an insider identity-theft problem at the bank Jacqueline uses.  Her bank cancelled the replacement credit card account, and issued her a second replacement credit card. End of the story, right?

Wrong. Next, Jacqueline and her contacts began to receive a flood of text message and phone call spam from unknown phone numbers. Apparently, the identity criminals had also stolen Jacqueline's mobile phone number (Damages #2.) along with her credit card information. Jacqueline's company-issued Blackberry-brand smart phone had been spamming people and phishing for consumers' Sovereign Bank sign-in credentials.

Jacqueline doesn't work at Sovereign Bank. After more investigations by the IT department at Jacqueline's employer, her mobile carrier, Verizon, informed them that the text message spam wasn't coming from its network, but from a computer pretending to be Jacqueline. Apparently, the credit card thieves re-sold Jacqueline's personal data and mobile phone number to other identity criminals, which included a spammer (Damages #3.):

"Someone had gotten a hold of her mobile number and was spoofing other phones using her digits. It turns out there's software designed specifically for businesses to send bulk SMS to lists of phone numbers from a computer."

Wow! What a mess. This saga highlights several issues, including the:

  • Creativity and persistence of identity thieves,
  • Efficiency of online forums where consumers' stolen personal data is resold and traded,
  • Value of consumers' (digital) personal information, and
  • Duration of damages from identity theft and fraud.

The average consumer doesn't think about how valuable the various bits of their personal information are. But, identity criminals think about it deeply.

The good news in this story was that the IT department at Jacqueline's employer was able to rule out any leaky smart phone apps that could have compromised her data security.

Today, there's not much more Jacqueline or her employer's IT department can do. Her personal identity information is out there in the thieves' domain. As I see it, all she can do is file police reports to document the trail of theft, and lock down her credit reports to keep the damage from spreading to her financial accounts. If the thieves also have her Social Security number, then they can obain fraudulent identification cards and drivers licenses. And, there's nothing to restrict the thieves' action with the USA borders.


BBB: Top 10 Scams Of 2011

Earlier today, the Better Business Bureau (BBB) announced the top ten scams of 2011. With these scams, consumers can lose their money, personal identity and bank information, or both. The leading scams were:

  1. Job Scams: included secret shopper schemes, work-from-home scams, and phony job offers. Typically, the scammers seek to trick victims to reveal bank account information.
  2. Sweepstakes and lottery scams: supposedly you've won a lot of money. The pitch often includes a bogus celebrity participation.
  3. Social networking and online dating scams: scammers may pretend to be on of your "friends" or have hacked the online accoount of one of your "friends." Typically, the pitch is to get you to click on a link -- sometimes a racey video-- which downloads a computer virus that invades your computer and steal sign-in credentials for several social networking accounts.
  4. Home Improvement scams: contractors visiting your neighborhood offer a low price for the work, accept your deposit, and then never complete the job -- leaving your home in worse condition than before. Sometimes, the pitches come after a natural disaster.
  5. Check cashing scams: scammers use legitimate companies (e.g., Craig’s List, Western Union) offering to buy something you are selling online. The scammer's check is larger than the price of the item you are selling. The victim sends the scammer a valid check for the difference, and the victim deposits the scammer's bogus check in their bank account. Of course, the scammer flees with money from cashing the valid check, the bogus check bounces, the victim still hasn't sold their item, and the victim's bank charges bounced check fees.
  6. Phishing scams: these can be offers via phone, email, or a fake website. The typical pitch is to trick victims into revealing sensitive personal and bank account information. When you visit the bogus website to "verify" your account information, the website installs a software virus on your computer to steal more information.
  7. Financial scams: these target consumers in tough situations, and include bogus offers about debt reduction and home mortgage modifications. The promised services are never delivered.
  8. Sales scams: these include "penny auctions" or ways to supposedly pay far less than standard retail prices. Usually, there is a fee to bid. The BBB states clearly that not all penny auctions are scams, so consumers should treat these as a gamble and inspect closely the website policy and terms before entering.
  9. BBB scams: a bogus email that looks like it's from the BBB, claims that a complaint has been filed against your business. To reply to the complaint, the email includes a link which instead downloads a document that spawns a software virus that can steal banking information, passwords and other sensitive personal information.

Last month, I received one of these fake-BBB phishing emails, with the telltale bad grammar and other clues. So you are aware, here is the text of the phishing message:

Subject: Your customer complained to BBB
From: "Better Business Bureau"
Date: Tue, 20 Dec 2011 08:47:19 +0000

Good afternoon,
Here with the Better Business Bureau notifies you that we have been filed a complaint (ID 37975886) from a customer of yours in regard to their dealership with you. Please open the COMPLAINT REPORT below to find the details on this issue and inform us about your opinion as soon as possible. We are looking forward to your prompt reply.

Faithfully,
Fernando Grodhaus
Dispute Counselor
Better Business Bureau Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277


Timeline Security Hoax Circulates On Facebook

If you use Facebook.com, perhaps you have seen the following status message:

"With the new 'FB timeline' on its way for EVERYONE, please do both of us a favor: Hover over my name above. In a few seconds you'll see a box that says "Subscribed." Hover over that, then go to "Comments and Likes" and uncheck it. That will stop my posts -- and yours to me -- from showing up on the side bar (ticker) for everyone to see, but MOST IMPORTANTLY it LIMITS HACKERS from invading our profiles. If you re-post this I will do the same for you. Thanks! (Click like on this post so I will know you unchecked.)"

Beware. This status message is a hoax -- an effective one too, since it trades on consumers' security fears. To learn more about why it is a hoax, visit Snopes and Facecrooks.

I can share this from personal experience. A couple Facebook friends sent this status message to me, and this hoax tricked me, too. The whole experience is reminder:

  • Don't believe everything you read on social networking sites, and
  • Verify claims before forwarding them as status messages to your friends.

Traveling Outside The Country? Before You Leave, Notify Your Credit Card Issuer So Your Purchases Aren't Denied

With the increase in identity theft and fraud during the past few years, many banks have increased their security efforts to fight identify fraud. This includes proactively flagging or automatically denying credit card purchases in another country. This increased security has both good and bad news.

The good news: consumers are better protected against fraud. The bad news: valid purchases by cardholders traveling outside the the country may be denied. The last thing anyone wants to experience is a denied credit card purchase when you are in a different country and low on cash in the local currency.

To avoid this, I notified my credit card issuers before my recent vacation travel. Credit card issuers will want to know your card number, travel destinations, travel start/stop dates, and cardholders traveling.

The letter I used, which you are welcome to adapt for your upcoming trip:

"This regards the [insert Visa/Discover/MasterCard/Amex/etc.] account ending XXXX. I am the cardholder for the above account. This letter is to inform you that I will be traveling on vacation from November 22, 2011 to December 9, 2011, and visiting the following locations: Mexico, Guatemala, Panama, and Colombia (Cartagena). Hence, you will see purchases on my [insert Visa/Discover/MasterCard/Amex/etc.] card at these locations, and from the XXXXXXXXX cruise line."

With some credit card issuers, you can report upcoming travel via a toll-free phone number. I prefer a written letter which documents the communication. The address to use is on your monthly statement. Check the website for your bank or credit card issuer about how to report upcoming travel.