I've Been Mugged Blog

Earlier this year, the MBTA held 25 community meetings to collect feedback from the public about its two proposals; each including different amounts of fare increases, service reductions, and service eliminations. Yesterday, the MBTA release a third proposal, based upon feedback from the public, which includes smaller fare increases and fewer service changes than the first two proposals.

Highlights of the latest proposal:

• Reduces its single year deficit from $185 million to $159 million
• 23% overall fare increase
• 35% fare increase for ferry riders
• Green Line: elimination of E branch weekend service between Brigham Circle and Heath Street
• Commuter Rail: elimination of weekend service on Needham, Kingston/Plymouth, and Greenbush lines
• No reduction in RIDE service, but a $5.00 premium territory fare
• Creation of a "Watch List" for low-performing routes

While the overall, average fare increase reportedly is 23%, the actual fare increases for certain segments are greater. These increases are still painful for many residents who can least afford the increases. Single-fare increases:

• Seniors: local bus: 87.5%
• Seniors: rapid transit: 66.7%
• Student: local bus: 25.0%
• RIDE within ADA territory: 100.0%
• RID outside ADA territory: $5.00 surcharge per trip

Fare increases for selected passes:

• Senior/TAP: 40.0%
• Student 5-Day: 25.0%

Several documents describing the latest proposal are available at the MBTA.com website. The fare increases and service changes will affect everyone, not just MBTA customers. The MBTA Impact Analysis (Adobe PDF; 3.4 M Bytes) states the following about air quality and quality-of-life impacts:

"A reduction in transit trips and addition of automobile trips generally causes increases in the generation of CO, VOC, NOx, CO2, and particulates... as the numbers of automobile trips and vehicle hours increase, the congestion on area roadways also increases. This additional congestion results in lower travel speeds (which are associated with higher emissions of pollutants) for all vehicles, not just those of former transit users... Scenario 3 results in increases in all pollutant emissions and an overall worsening of air quality. VOC emissions increase by the greatest percentage, followed by CO and CO2. Scenario 3 bears out a general rule that usually applies in air quality analyses of this kind: any loss in transit ridership that results in an increase in auto vehicle-miles and vehicle-hours traveled will lead to some level of increase in pollutants."

The fare increases and service changes move the state away from sustainable solutions and towards a greater dependence upon automobiles (and petroleum), with both increased air pollutants and greenhouse gas emissions. This is the wrong direction. Commute times will increase and air quality will worsen for everyone. We cannot drive our way out of this problem.

Transportation systems in several American cities face fiscal issues similar to Boston's system. Several consumer groups are planning a national protest about mass transit for April 4, the 44th anniversary of the assassination of Dr. Martin Luther King.

In a New York Times article titled, "The Bright Side Of Being Hacked," reporter Somini Sengupta described several benefits for corporations of a data breach via hacking. The article concluded:

"Rather, what Anonymous has done, experts said at the big RSA computer security conference here last week, is raise the alarm about the unguarded state of corporate computer systems."

Yes, raised awareness is a good thing, as was recently discussed about unsecured corporate video conferencing systems. Sengupta's articles reminded me of a blog post I wrote in 2010 which listed six benefits for consumers of being an identity theft victim:

"1. Awareness: After an identity thief has stolen your personal data, account credentials, and/or money consumers seem to have a new awareness of of the value of their sensitive personal data.
2. Acceptance and curiosity: after having their identity information and/or money stolen, there is an acceptance that identity theft is a problem. There is a curiosity to learn about other ways identity thieves and criminals might harm them, so they can avoid this painful experience in the future.
3. Willingness to change behaviors: Not knowing how to protect yourself is terrifying to most people. The pain from this terror seems to be sufficient incentive for consumers to change their habits (e.g., practice safe online shopping habits, check their credit reports for accuracy, use strong passwords at online sites, maintain anti-virus software on their home computer, etc.). Of the people I have talked with, after being an identity-theft victim, none want to return to their old ways.
4. Stronger consumer interest: along with this awareness about identity theft is an interest in products, services, processes, and/or laws that address and protect the needs and assets of consumers. Getting good customer service seems to become more important, too.
5. Gratitude and appreciation: before becoming a victim of identity theft and fraud, many consumers perceive warnings by consumer and privacy advocates to be unnecessary and overly cautious. Some have called me paranoid. After experiencing the pain of the theft and fraud, a different attitude emerges which includes a sincere appreciation for identity theft protection advice to help them fix their fraud problem, and a context for listening to future warnings.
6. Participation in our democracy: when the perception is that local or federal laws haven't kept up with business practices, some been motivated to write to their Congressional reps to demand action."

While, identity theft and fraud are painful experiences for consumers, these events can be a huge wake-up call for consumers to change their habits and practice better data security habits at home, at work, at ATM machines, at their doctor's office, at social networking websites, and with their mobile devices.

This story caught my attention for reasons you might find surprising. It did not catch my attention because it involves a celebrity. It caught my attention because it shows how employees and independent contractors can become identity theft and fraud victims via an employer.

The Sports Illustrated article, "How Lenny Dykstra Got Nailed" explains how former Major League Baseball player Lenny Dykstra was jailed on identity theft and fraud charges. To fund a lavish lifestyle, Dykstra allegedly asked his employees to use their credit cards, never repaid them for the purchases, and used without authorization their sensitive personal information (e.g., Social Security Number) to apply for loans.

This story also highlights the importance of filing identity-theft and fraud complaints with both local law enforcement, the FTC, and the CFPB. Filed complaints allow law enforcement to discover patterns they might not discover otherwise.

Wilberto Hernandez, a personal credit repair consultant in Los Angeles had phoned local police after he received a notice from a credit agency that his Social Security number had been presented for credit checks at two car dealerships. Hernandez had helped one of Dykstra's business associates with credit repair services. Local police quickly saw a pattern among police reports filed:

"By Christmas 2010, [the police detective] had spoken with 17 people—personal assistants, drivers, private jet pilots and housekeepers—who claimed that Dykstra did not pay them for services, used their credit cards or got hold of their Social Security numbers and opened credit cards in their names."

One victim's situation was particularly instructive:

"Christopher Gavanis, then 30, had just moved to Los Angeles from Pennsylvania. Gavanis... couldn't afford a car to help him find work—but he did have a sterling credit rating. According to an interview police conducted with Gavanis on April 14, 2011, Dykstra promised him the car he desperately needed in return for the use of his credit... Dykstra also promised Gavanis a job with Home Free Systems once clients started rolling in..."

[Editor's Note: today's post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. Michelle helps others improve their use of technology in their personal or professional life. Today, she discusses the new trend in cloud computing and storage.]

By R. Michelle Green

I love looking at my books and records. (If that statement dates me, eh, kiss my AARP card.) I’m often a completist. If I really like something or someone, say David McCallum – I gotta check out the music he created as well. I like to display my stuff, share it with like-minded others. A neighbor once asked why I had so many movies, hadn’t I seen them already? My rejoinder: “why do you have so many books, haven’t you read them already?” She smiled broadly in understanding, and never questioned it again. I may not understand why Leno collects cars, but I grok the desire to collect.

With iPods, Kindles and their ilk, you don’t get to “look” at your stuff the same way.

Used to be you got such insight from that first walk into someone’s home. What’s the focal point of the living room? What has the person taken care to organize? A litmus test for me as a young person was a suitor’s library. My first and last date with one person hinged on their statement, “oh I don’t really like to read.”

And what to make of what we choose to display? Some visible books I haven’t read but plan to; others I’ve hidden precisely because I love them so – I won’t share them with just anyone. I chose my thesis advisor in part because his office contained both books I’d read and others I wanted to read. I didn’t even know that would matter, until it did. Were I choosing an advisor now, would I even have access to his digital tastes? And if I did, what would that knowledge tell me? My Kindle today does not represent my tastes well.

I would love the money and time to gloriously display the things I love. I used to have Scrabble tile holders taped to the wall to display album covers. Oh I know, you can still do that: if you purchase a track with artwork, if you configure your preferences correctly, if the artist/distributor provided artwork.... Many e-readers can’t be configured to display book covers (while their tablet apps might... but will they display them well?…).

If your collection is in the Cloud, do you really own it? Can you bequeath it to family? What happens if the Cloud provider goes bankrupt (or even just has an outage)? Don’t get me wrong. I’ll always be a technophile, and a wannabe early adopter. Using the Cloud will mean I can collect a lot more stuff, with vastly improved ability to access it, and with potentially perfect fidelity and backwards (and forwards?) compatibility. The Cloud satisfies my left brain’s pragmatism.

In some future home, a giant digital wall with cover art from my Cloud may replace my book wall. But what’s my analog today for the delight of sharing my library with visitors? My Interests page – oh sorry, interest feeds, on Facebook? Where people I do and don’t know see it at some time when I’m not present, and who may or may not give me feedback? And whose comments (if they comment) I may or may not get to see??

Sorry. My right brain (my heart?) says: doesn’t quite cut it.

[Editor's Note: today's post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. Michelle helps others improve their use of technology in their personal or professional life. Today, Michelle discusses mobile device security.]

By R. Michelle Green

So you’re really tired of everyone encouraging password use. Tens of articles, on this site alone... But (let the rationalizations begin) you need so many PWs! And everyone wants 8+ digits now, with symbols and stuff! And you live in complete and round-the-clock harmony with your significant other/roommate (and their SOs, family and friends). You’ve never left your laptop/smartphone/tablet unattended, right? (Or outright lost it?...) And you secure your phone/tablet when service people are in your home. And those 50 people you had at your house party last week (bitchin’ party, who were the folks who brought the great dessert and the weird Russian soda?) would never pick up your phone when you weren’t looking, right?

All subtlety aside: stop making excuses and secure your digital home. And first thing – put a password on your smartphone and your tablet.

I pick up people’s devices all the time (with their say so, of course), and I am always amazed if I can access one at will. We all like looking. For me it’s partially envy – I still haven’t bought a smartphone (dammit it’s a phone, and I want better than ‘Fair’ call quality as evaluated by Consumer Reports.). For most of us, it’s curiosity. Pretty pictures, cool apps, oh what’s this game? I’ve never looked in anyone’s medicine cabinet, but I hear it happens frequently. Perhaps such actions are innocuous, like picking up a book or magazine in someone’s home. But my magazines don’t have my bank statement in them, and they can’t access 1-click (the devil’s tool if I’ve ever seen one, there’s a reason the default at Amazon is enabled).

Symantec ran tests to study human behavior with lost smartphones. After leaving 50 phones abandoned in NYC, DC, SF, LA, and Ottawa CA, Symantec observed that 9 of 10 finders routinely trolled through the phone’s personal data. Even the 50% who returned the phone typically attempted to access private data on it first. Sure that might have been an effort to find the owner’s contact info, but you can cut down on opportunistic data loss. Part of good common sense is making it hard for people to behave badly (particularly with your stuff). Half the phones were accessed within the first hour.

As your smartphone transubstantiates into your personal computer, sensitive data becomes way easier to lift than Stephen King’s nearly three pound ‘11/22/63’. I could access my godson’s Facebook page for almost 2 months after his recent visit, despite my shutting down daily. How? He had checked “keep me logged in” when he used my computer. Andy Weir says it well: “You can build the world’s strongest lock, only for someone to absentmindedly leave the door wide open…”

Make sure your mobile device has a password on it, and not 1234, or Password1. Don’t leave yourself logged in on websites. And avoid shortcuts to purchasing that bypass authentication of the buyer or the purchased items. Don’t leave yourself wide open for some Mayhem wannabe to wreak havoc with your digital affairs.

The Electronic Frontier Foundation (EFF) issued a statement calling for a bill of rights for wireless users. Because mobile devices are always on and store a vast amount of sensitive personal data (e.g., contacts, Internet usage, social networking website usage, GPS location, calendar, phone calls made and received, online banking, photographs, user-created documents, etc.), the EFF believes firmly that:

"... he stakes are even higher for manufacturers, carriers, app developers, and mobile ad networks to respect user privacy in order to earn and retain the ever-important trust of the public."

I agree with this position, and this blog has covered numerous instances where mobile device manufacturers, telecommunications providers, advertising networks, apps-store operators, and/or app developers working singularly or together have abused consumers' privacy. The EFF's proposed Mobile User Bill of Rights contains six items:

1. Individual control: Users have a right to exercise control over what personal data applications collect about them and how they use it. Although some access control exists at the operating system level in smart phones, developers should seek to empower users even when it's not technically or legally required by the platform. The right to individual control also includes the ability to remove consent and withdraw that data from application servers. The White House white paper puts it well: "Companies should provide means of with drawing consent that are on equal footing with ways they obtain consent. For example, if consumers grant consent through a single action on their computers, they should be able to withdraw consent in a similar fashion."

2. Focused data collection: In addition to standard best practices for online service providers, app developers need to be especially careful about concerns unique to mobile devices. Address book information and photo collections have already been the subject of major privacy stories and user backlash. Other especially sensitive areas include location data, and the contents and metadata from phone calls and text messages. Developers of mobile applications should only collect the minimum amount required to provide the service, with an eye towards ways to archive the functionality while anonymizing personal information.

3. Transparency: Users need to know what data an app is accessing, how long the data is kept, and with whom it will be shared. Users should be able to access human-readable privacy and security policies, both before and after installation. Transparency is particularly critical in instances where the user doesn’t directly interact with the application (as with, for example, Carrier IQ).

4. Respect for context: Applications that collect data should only use or share that data in a manner consistent with the context in which the information was provided. If contact data is collected for a "find friends" feature, for example, it should not be released to third parties or used to e-mail those contacts directly. When the developer wants to make a secondary use of the data, it must obtain explicit opt-in permission from the user.

5. Security: Developers are responsible for the security of the personal data they collect and store. That means, for example, that it should be encrypted wherever possible, and data moving between a phone and a server should always be encrypted at the transport layer.

6. Accountability: Ultimately, all actors in the mobile industry are responsible for the behavior of the hardware and software they create and deploy. Users have a right to demand accountability from them.

The industry would be well advised to comply now with this bill of rights, rather than wait, deflect, and avoid. It can simply look at the airline industry as an example of what happens when an industry abuses it customers, loses the public's trust, and is then forced to comply with a airline passengers bill of rights.

While this blog has covered a variety of banking issues, one of the more important issues is that consumers need to know about the three types of "plastic" in your wallet or purse. Otherwise, you are likely to be "mugged" by your bank or card issuer.

As part of National Consumer Protection Week, the U.S. Federal Deposit Insurance Corporation (FDIC) listed the differences between credit, debit and prepaid cards. There are important differences about how interest rates, fees, and your liability apply. Your rights vary greatly with the type of "plastic" you choose to use.

What protections do consumers have with prepaid cards? How are prepaid cards different? The first thing you need to know is that there are several types of prepaid cards:

• "General purpose reloadable" (GPR) cards: these carry a brand of a card network (e.g., Visa, MasterCard) and can be used wherever that brand is accepted
• Payroll cards
• Gift cards

Prior blog posts have discussed payroll cards from Bank of America and the Walmart MoneyCard. How prepaid cards work:

"... allow consumers to spend only the money deposited onto them, can have a number of different features. For instance, some gift cards may be used only at a single merchant; most GPR cards may be used to pay for purchases and access cash at ATMs."

When using a prepaid card, your liability is different from a credit or debit card:

"Liability depends on the type of funds on the card. If the card is a payroll card, then the liability rules are the same as for debit cards. But if the card is a general purpose reloadable card or a gift card, then there are no protections to limit your liability under federal law."

What prepaid card issuers (e.g., retail store, employer, bank) must tell you in the prepaid card agreement varies:

"Disclosures depend on the type of card. For example, payroll cards must disclose any fees and the error resolution process, but a GPR card does not have any disclosure requirements. In addition, gift cards must disclose the terms of dormancy fees, whether there is an expiration date, and any other associated fees."

Similarly, your rights and access to statements are different with prepaid cards:

"Payroll cards must provide either a periodic statement or account balance by telephone as well as electronic transaction history. GPR cards and gift cards do not have periodic statement requirements under federal law."

When terms change for a prepaid card, your rights about advance notice of changes are different, too. With prepaid cards, you generally don't get as much advance notice as with credit cards (45 days):

"Payroll cards must provide 21 days notice before making changes to fees charged or the liability limits for unauthorized transactions. GPR cards and gift cards are not required to do so under federal law."

Some people like prepaid cards because they can avoid interest rates. It is wise for consumers to fully understand the types of fees that apply to prepaid cards:

"GPR cards and gift cards have certain restrictions on dormancy fees charged. There are no specific requirements related to payroll cards under federal law."

So, you are probably wondering if prepaid cards are a good deal, or not. That answer depends upon your financial situation and the type of prepaid card you expect to use.

Since I already have checking and savings accounts at a bank, prepaid payroll cards are of no value to me. I find extremely troublesome the lack of restrictions on payroll cards, which means the banks can change terms, fees, and interest rates whenever they want; and as high as they want.

If you don't have a checking account, then a payroll card may benefit you. (Given the fee schedules and lack of restrictions, payroll cards will definitely benefit the banks but not necessarily consumers.) However, closely read the card agreement and fee schedule first. You may be better off (e.g., fewer fees, lower rates) opening a checking account instead at a community bank or credit union.

I still find retailers' prepaid gift cards (e.g., Dunkin' Donuts, Stop 'n Shop, Cheesecake Factory) useful for some holiday or birthday gifts, but the lack of agreements with many prepaid gift cards is troublesome. The lack of an agreement means the card issuer can change things whenever they want and not notify you. I will likely reduce my use of prepaid gift cards to only those that have card agreements.

What's your opinion? Do you use prepaid cards? If so, which types? If not, why not?

Last week, the National Credit Union Administration (NCUA) announced a settlement agreement with HSBC. HSBC hs agreed to pay $5.25 million to the NCUA for a complaint about its sale of residential mortgage-backed securities to five failed credit unions. The settlement agreement does not require HSBC to admit fault.

Similar to FDIC and the banks it oversees, the NCUA charges the credit unions it oversees with fees to cover failed credit unions and to protect depositors' assets. The NCUA uses the Temporary Corporate Credit Union Stabilization Fund (TCCUSF) to cover failed corporate credit unions. In this instance, the true risk of the mortgage-backed securities sold to corporate credit unions allegedly wasn't disclosed and led to the failed credit unions. Any payments the NCUA collects is used to offset future fees the NCUA charges for the TCCUSF.

The NCUA had filed five lawsuits against various securities firms, and had negotiated settlements with Deutsche Bank Securities ($145 million) and Citigroup ($20.5 million).

Corporate credit unions provide various services (e.g., short-term loans, check clearing, electronic funds transfers, ATM networks) to the consumer credit unions they serve. Consumer credit unions are the credit unions which we consumers join. Corporate credit unions are chartered by the NCUA or states.

In its 2010 annual report, the NCUA listed the following corporate credit unions:

The U.S. Federal Trade Commission (FTC) released the results of its survey of consumers who had reported to the FTC that they were identity-theft victims. The survey assesses consumers experiences with recovering from identity theft and contacting the national consumer reporting agencies (CRAs). The survey also assesses how consumers exercise their rights under the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transactions Act (FACTA - 2003).

Overall findings:

• 68% of survey respondents were somewhat or very satisfied with their overall experiences with the national consumer reporting agencies (e.g., Equifax, Experian, and TransUnion), but many consumers said it was difficult to reach a live person.
• Less than half of the respondents were aware of most of their rights under FACTA before they contacted the consumer reporting agencies.
• Few consumers exercise their right to block selected information in their credit reports from identity theft and fraud, since most consumers (78%) don't know about this right
• Some respondents complained about feeling pressured to buy additional identity theft monitoring products when they called the consumer reporting agencies.

FACTA gave consumers the right to:

• Pace Fraud Alerts on their credit file with the nationwide CRAs,
• Request a free credit report from each of the three national CRAs when placing a fraud alert,
• Block fraudulent information from appearing in their credit reports,
• Receive a notice of these and other rights from the CRAs

When placing a fraud alert, consumer only need to contact one of the three national CRAs. After successfully placing a Fraud Alert on their credit file with one CRA, most of the time the other two CRAs will automatically add Fraud Alerts to the consumer's file on their systems. When requesting a Fraud Alert, consumers can also request a free copy of their credit report. Survey results about Fraud Alert and free credit report requests:

• 44% of survey respondents were not aware before contacting a CRA of their right to place a Fraud Alert on their credit file. Despite this, 85% of respondents ultimately requested a Fraud Alert on their file.
• When requesting a Fraud Alert, 58% of survey respondents reported that all three national CRAs placed alerts when requested. 36% of respondents were unsure what happened, and 6% reported that at least one CRA didn't place a Fraud Alert.
• 44% of respondents who requested a Fraud Alert said they were very satisfied with the process, 32% said they were somewhat satisfied, and 17% said there were either somewhat or very dissatisfied with the process.
• Most survey respondents (56%) requested their free credit report (when placing a Fraud Alert) by telephone, compared to the website (33%), and postal mail form (14%).
• Most (51%) said that they received their free credit report from all CRAs they contacted, while 33% stated that they received it from only some of the CRAs they contacted. 11% said that they did not receive any credit reports.
• 43% of respondents said that they were very satisfied with the process of requesting free credit reports after placing a fraud alert. 32% said that they were somewhat satisfied. 22% said that they were either somewhat or very dissatisfied.

Errors occur in credit reports, either from identity fraud or from honest mistakes by the CRA or lender. Consumers can dispute this erroneous data and demand that it be removed or corrected. Survey results about credit report accuracy:

• Most survey respondents (60%) were aware before contacting a CRA that they had the right to challenge the accuracy of information on their credit report.
• 36% of respondents who contacted a CRA disputed the accuracy of information on their credit report in connection with the identity theft that led to the contact. Of those who disputed information, 72% filed disputes with a CRA and while 46% contacted the creditor that provided the information to the CRA.
• The types of credit report information disputed: 47% challenged identification and employment (47%), payments (48%) about a specific debt, and unauthorized lenders who obtained their credit report (40%).
• Of survey respondents who disputed information in their credit reports, 52% said that the information was corrected or removed, 22% said that the information was not corrected, and 18% said that they were not sure what happened.
• Of survey respondents who had information corrected by the CRA, 42% said that the error was corrected after a single contact. 27% said the error was corrected after two contacts. 24% said the correction required three to five contacts, and 4% said they contacted the CRA six or more times.
• Of survey respondents who disputed information in their credit reports, most (57%) said that they were either very or somewhat satisfied with the process. 17% said that they were somewhat dissatisfied, and 21% said that they were very dissatisfied.

Consumers can block certain information within their credit reports that resulted from identity theft and fraud. Blocks are different from disputes. CRAs must respond within four (4) days after receiving a valid request to block certain data in a credit report. Survey results about blocking fraudulent information:

• Of survey respondents who contacted a credit reporting agency, 78% were not aware of the right to block information in the credit file. Few survey respondents (21%) exercised this right to block the reporting of information resulting from identity theft.
• Of those who requested that information be blocked, 46% said that all CRAs blocked the information. 18% said that some of the CRAs blocked the information, and 9% said that none of the agencies blocked the information.

The FTC concluded in its report (bold emphasis added):

"Despite the 68% general satisfaction rate with the CRAs, the survey reveals three areas where respondents faced difficulties in exercising their FACTA rights. First, one prominent complaint was the difficulty in reaching a representative at a CRA with whom to speak about identity theft. Many respondents said that it was difficult or impossible to move past the automated response system... Second, the survey results suggest that a relatively small number of identity theft victims are aware of their FACTA rights. Less than half of the respondents were aware of most of their rights prior to contacting the CRAs. Even for the most well-understood right – disputing inaccurate information – only 60% of respondents who contacted a CRA were aware of this right prior to contacting the CRA... Third, both the survey respondents and the focus groups raised concerns about the CRAs using consumer contacts about identity theft as an opportunity to sell identity theft protection products. Several respondents and focus group participants complained that they felt pressured to buy one or more products and that, in some cases, they received services that they did not want or need."

The FTC sent survey invitations to about 3,000 consumers who had previously reported to the FTC hotline that they were identity-theft victims. The survey questions were based on six focus groups conducted in 2009. 634 consumers responded. The FTC maintains the anonymity of all survey respondents. Download the FTC, Using FACTA Remedies Report (Adobe PDF - 4.9 M Bytes), which is also available here.

Want to learn more? Suggested readings about credit and CRAs:

• Fraud Alert Renewal: Easy And Fast
• Placing a Freeze (Or Lock) On Your Credit Files
• Fraud Alert or Credit Freeze: What's The Difference?
• Are Fraud Alerts Useless?
• Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms (Part One)?
• Have You Heard About Credit Reports From Innovis?
• Directory Of Credit Reporting Agencies
• What It Means To Have An Unrequested Security Freeze On Your Credit Report
• A Primer On Credit Scores
• FTC Testifies Before Congress About Identity Theft And Fraud
• FTC Changes Disclosure Rules For Sites Offering "Free" Credit Reports
• FTC Releases Report Of Top Complaints Submitted By Consumers During 2011

William, an I've Been Mugged reader, received the below email message from Upromise.com:

"From: Upromise ([email protected])
Subject: Important information regarding Personalized Offers
Date: March 10, 2012 12:14:23 AM EST
To: ***********@************

Dear William,
Our records show that you had the TurboSaver® toolbar installed with the optional Personalized Offers feature enabled at some point through January 21, 2010. Through that date, because of an issue with vendor-supplied software, the use of this feature resulted in the unintended collection and transmission of certain categories of your personal information to Upromise or our vendor. Depending on how a particular web page was configured, this could have included information you entered into forms such as usernames, passwords, search terms, credit card numbers or financial account numbers. Our members' privacy is extremely important to us, and we took immediate action when we learned of this issue in January 2010 by directing the software vendor to disable the Personalized Offers functionality. As a result of this change, the toolbar is not collecting or transmitting Personalized Offers data, even if your toolbar indicates that the feature is enabled.

As always, if you would like to uninstall the TurboSaver toolbar, simply access the toolbar menu by clicking the Upromise logo on the left hand side of the toolbar, select "Uninstall" and follow the prompts. If you have any questions, or need additional information, we welcome you to contact us at 1-800-877-6647 or email [email protected].

Sincerely,

The Upromise Customer Care Team
www.upromise.com"

William doesn't remember receiving a prior breach notice from Upromise, and says he is diligent about opening both email and postal mail from companies he does business with. William wants to know what is happening at Upromise, and why he received an email that looks like a breach notice two years after the data breach.

William does not appear to be the only concerned Upromise member. You can read posts by a couple customers in the Upromise community forum.

A review of the Upromise Facebook page and Upromise Insider blog did not find any posts during 2012 about a breach notice. I contacted Upromise and a representative, Deborah Hohler replied:

"When the matter came to our attention two years ago, we immediately addressed it and saw no evidence anyone’s data was misused. The protection of personal information is extremely important to us. This email communication was in connection with a proposed consent order from the FTC, and we worked with them on actual content and timing of the message."

At this point, a little history might help. In January 2010, PC Magazine reported about the Upromise breach involving the Upromise Toolbar:

"Privacy researcher and Harvard Business School Professor Ben Edelman has written a report on the practices of the Upromise Toolbar, called TurboSaver by the company. Upromise is a membership system through which you can earn money for college savings by buying items from certain vendors through Upromise. The toolbar facilitates this in your browser and tracks user behavior."

Another breach at a Sallie Mae company seems to have been the result of insider identity theft. In July 2011, WTHR Channel 13 in Indiana reported:

"The suspect is an employee at another Sallie Mae spin-off in Massachusetts - College Choice... In a letter sent to more than 300 parents, College Choice admitted an employee with its program manager, UPromise Investments, accessed names, social security numbers, birthdays and other contact information for seven months while on the job."

Also during July 2011, Upromise filed a breach notice (Adobe PDF) with the State of New Hampshire Department of Justice. The notice did not disclose how many customers were affected, but confirmed the WTHR news report and that letters were mailed to breach victims on June 23, 2011 -- about six months after the toolbar breach was discovered. I also checked Maryland, Vermont, and Wisconsin. None contained any Upromise breach notices, but Maryland hasn't yet uploaded breach notices received during 2011.

William lives in a state that does not post online the breach notices it receives.

The January 18, 2012 U.S. Federal Register (Adobe PDF) mentioned a proposed settlement agreement between the U.S. Federal Trade Commission (FTC) and Upromise, which alleged that:

"... Upromise engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for the personal information it collected and maintained. Among other things, Upromise: (1) Transmitted sensitive information from secure web pages, such as financial account numbers and security codes, in clear readable text; (2) did not use readily available, low-cost measures to assess and address the risks to consumer information; (3) failed to ensure that employees responsible for the information collection program received adequate guidance and training; (4) failed to take adequate measures to ensure that its service provider employed reasonable and appropriate measures to protect consumer information."

The proposed settlement agreement includes six parts describing the actions Upromise must take to improve its data security and notices to its members (bold emphasis added):

"Part I of the proposed order requires Upromise to disclose to consumers—before the download or installation of software that records or transmits information about any activity occurring on a computer involving the computer’s interactions with Web sites, services, applications, or forms—the types of information collected and how the information will be used. The disclosure must be clear and prominent and separate from other notices. The company must also obtain consumers’ express affirmative consent before the consumer downloads, installs, or otherwise activates such software. In addition, the company must provide this clear and prominent notice, and obtain express affirmative consent, before enabling data collection through any previously installed TurboSaver Toolbar and before making any material change from stated practices about collection or sharing of personal information through the Toolbar.

Part II of the proposed order requires Upromise to provide notice to consumers who, prior to the issuance of the order, had the Personalized Offers feature enabled. The notice must inform consumers about the categories of personal information that were, or could have been, transmitted by the feature, and how to disable the Personalized Offers feature and uninstall the Toolbar. Part III of the proposed order requires the company to destroy data it collected during the years covered by the complaint unless otherwise directed by the Commission.

Part IV of the proposed order prohibits the company from making any misrepresentations about the extent to which it maintains and protects the security, privacy, confidentiality, or integrity of any information collected from or about consumers. Part V of the proposed complaint requires Upromise to maintain a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of such information (whether in paper or electronic format) about consumers. The security program must contain administrative, technical, and physical safeguards appropriate to Upromise’s size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers and employees. Specifically, the proposed order requires Upromise to:
- Designate an employee or employees to coordinate and be accountable for the information security program;
- Identify material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks;
- Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures; - Develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Upromise or obtain on behalf of Upromise, and require service providers by contract to implement and maintain appropriate safeguards; and
- Evaluate and adjust its information security programs in light of the results of testing and monitoring, any material changes to operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.

Part VI of the proposed order requires Upromise to obtain within the first one hundred eighty (180) days after service of the order, and on a biennial basis thereafter for a period of twenty (20) years, an assessment and report from a qualified, objective, independent third party professional, certifying, among other things, that: (1) It has in place a security program that provides protections that meet or exceed the protections required by the proposed order; and (2) its security program is operating with sufficient effectiveness to provide reasonable assurance that the security, confidentiality, and integrity of sensitive consumer, employee, and job applicant information has been protected."

Upromise is a rewards program where members save towards college by making everyday purchases with Upromise partners: brick-and-mortar and online stores, restaurants, grocery stores, drug stores, and similar retailers. Upromise members include parents, grandparents, and other family members saving for college for a child, grandchild, or family member. Upromise members can invest their savings in a high-yield savings account or tax-deferred 529 plan, and then use that to pay down student loan, or request a check to pay for college expenses.

What might all of this mean?

According to Hohler at Upromise, the email message William received was part of the above proposed settlement agreement with the FTC (probably Part 2). Given this, the email is in my opinion confusing and unnecessarily vague. It raises more questions than it answers.

A better email update would have reminded Upromise members that this email was follow-up to a prior breach notice, and that it was prompted in part by the settlement agreement with the FTC. The email update didn't mention the settlement agreement at all.

A better email update would also explain why Upromise left a toolbar installed in customers' web browsers that might display inaccurate messaging which might confuse users:

"As a result of this change, the toolbar is not collecting or transmitting Personalized Offers data, even if your toolbar indicates that the feature is enabled."

This seems to conflict with Upromise's reply that, "... we immediately addressed it..." about the toolbar data breach. A defective browser toolbar still operating two years after the breach would make anyone wonder.

A better email update would instruct users how to upgrade the defective toolbar. A better email update would have mentioned the proposed settlement agreement with the FTC, and then outlined everything Upromise is doing, or has already done, to comply.

The comprehensive and detailed scope of the proposed consent agreement suggests to me that there were more data security problems at Upromise than a toolbar breach. It seems to me that most of the six parts of the proposed settlement agreement are data security methods a company would implement anyway to protect sensitive assets and customer information.

Having received a breach notice via postal mail after IBM's 2007 breach, I can definitely tell you that a breach letter is not something you would easily forget nor misplace. So, I believe William 100% when he said that the above email is his first notice from Upromise about its 2010 data breach.

In the 4+ years I have written this blog, I have encountered situations where companies experiencing data breaches have created a website about its breach investigation. IBM created such a web site after its 2007 data breach. I searched for such a site at Urpomise and didn't find one. Perhaps its exists and is behind a secure log-in available only to customers. Then again, William would have mentioned it if it exists. A better email update would summarize its breach investigation(s) and explain the proposed consent agreement.

As it stands, users like William are unsure and left wondering exactly what is happening. Transparent communication promotes trust.

If you were affected by the Upromise breach, what has been your experience? What do you think of Upromise's post-breach response? What are your opinions of the proposed settlement agreement?

[Editor's Note: today's post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. Michelle helps others improve their use of technology in their personal or professional life. Today's post is a follow-up to an earlier post about prepaid-card payments for health-care expenses; a new payment method that seems more complicated than the previous system it replaced.]

By R. Michelle Green

You may recall Caren, the subject of my last post. Her employer provided United Healthcare Consumer Account Card for Flexible Spending Account purchases failed to function as expected, and she lost money. She has taken advice from our blog host and many of his readers. (My thanks, BTW, to all those who responded!) Unexpected news: Caren may not have lost money after all. Yay for her, right?

Patience, Gentle Reader.

I wrote that United Healthcare believed she had been paid. They produced as proof comparison of her failed charges and a list of completed transactions, approximately 70% identical and clearing 1-2 business days later. Turns out both she and United Healthcare were right. Her credit card statements disagreed with her receipts, differing by the amount of the disputed transactions.

Allow me to illustrate. She goes to the pharmacy, offering her consumer accounts card to pay for a $20 prescription. It fails to take. She offers instead a credit card to pay for the prescription, some groceries and newspapers, for a total of $50, so marked on her receipt. Her credit card statement, however, shows she was charged only $30. And $20 was deducted from her FSA account. Somehow, the transaction that failed to take is magically clarified at a later date. Why didn’t all the transactions match? Some were cash transactions – the other 70% were credit card transactions. (To paraphrase Jimmy Fallon, nobody’s giving back cash.)

Software fairies! They took those transactions that were eligible, and attributed them to the most economic pathway, her pre-tax flexible spending account.

Arthur C. Clarke just texted me, reminding me that it’s likely technology, not magic. I infer a process, I allege a policy. Can we reverse engineer this?

Caren has a unique bar code that gives her discounts as a frequent drugstore customer. The transactions (one failed, one successful) are likely sequential, and thus easily paired in the day’s logged transactions, implying clear intent on the user’s part. Items eligible for FSA reimbursement are indicated on the receipt, care of their own bar codes. Big Brother, Benevolent at last! So: Caren did get the benefit of her Flexible Spending Account. What corporation was thoughtful enough, integrated enough, Jobs-ian enough, to make this happen? No one’s claiming the credit (oops, so much for the Jobs analogy…).

The most likely candidate, the drugstore, steadfastly insists that their retail accounting software cannot and does not do this.

So let’s pick this new conundrum apart, shall we? Let’s leave aside the fact that Caren benefits – ends often do not justify means. Let’s assume that it’s not magic, that there’s conscious programming in play. Let’s also not dwell on how long it took Caren to confirm this (the last time I took OCD joy in checking off each receipt against my credit card bill and stapling the checked receipts to the reconciled statement, I could still ask friends to help me move for the price of pizza and soda).

What’s my beef with the alleged process?

• Accuracy: have you been offered someone else’s loyalty card at a store so you could benefit from a discount? Is my credit card number now associated with that person’s account? Implied intent does not cut it here.
• Communication: Caren was totally in the dark. The pharmacy’s employees (including local management) vehemently deny it exists.
• Policy Transparency: there is none here. How many of you read or saw Terms of Agreement when you signed up for your own frequent customer user card? The average American family is enrolled in at least 14 loyalty programs, and actively engaged in six of them.
• Privacy: is there a privacy violation in play in the association of two sequentially used payment cards?
• Legality: can a corporation associate your credit card number with your frequent user number without your knowledge/consent/authorization? I would hope not… What if one card were not hers but her spouse’s? Would this ‘benefit’ have created a fraud in her name?

I have a CVS Extra Care card, and just for giggles, tried to find its terms of use online. I have never linked it to online use, I just flash it at purchases. I found no terms online, albeit short of registering the account.

I have always found conspiracy theories entertaining, while clucking softly to myself about how carried away their creators are, how inappropriately suspicious they are. Yet here I am, waving my own baby Oliver Stone flag. Is this how it begins? Is it paranoia if they’re really chasing you?

Gotta go, I got a ton of credit card statements to check.

By now, you have probably heard about the new Consumer Financial Protection Bureau (CFPB), a federal agency designed to ensure that financial products and services for consumers are beneficial for consumers. Previously, the CFPB accepted complaints about credit cards and mortgages. Consumers can now submit complaints about checking and savings accounts to the CFPB. The website has a different form for consumers to share their stories about experiences with financial products.

Also, the CFPB is investigating how checking account overdraft programs affect consumers. Part of this investigation the CFPB seeks feedback from the public about a proposed “penalty fee box” disclosure on a consumers’ checking account statements to clarify the amount overdrawn and total overdraft fees charged.

Reportedly, the average overdraft fee ranged from $30 to $35 in 2011. A 2008 study (Adobe PDF) by the Federal Deposit Insurance Corporation (FDIC) found several alarming trends and statistics about overdraft programs.The CFPB has four concerns about overdraft fees:

1. Transaction Re-ordering that Increases Consumer Costs: the way that overdraft fees are applied by some banks increase costs to consumers. One practice is the co-mingling of all checks, bill payments, debit card transactions, and ATM withdrawals each day and processing the largest transactions first -- rather than in the order received. This maximizes the number of transactions that will trigger overdraft fees.
2. Missing or Confusing Information: the CFPB is analyzing how consumers anticipate and avoid overdraft fees given current banking disclosures -- and if there is a better way.
3. Misleading Marketing Materials: the CFPB is investigating reports that consumers have received misleading marketing materials about overdraft fees, since opt-in rates to overdraft programs vary widely by bank.
4. Disproportionate Impact on Low-Income and Young Consumers: The CFPB is concerned that overdraft programs disproportionately affect certain groups. The same 2008 FDIC study found several alarming statistics, including that 9 percent of checking account customers pay about 84 percent of overdraft fees.

You can view a prototype of this "penalty fee box" at the CFPB website (Adobe PDF). To submit feedback about overdraft fees, include the Docket No. CFPB-2012-0007 with your submission by:

• Online instructions: www.regulations.gov,
• Email: [email protected]
• Postal Mail: send letters to Monica Jackson, Office of the Executive Secretary, Bureau of Consumer Financial Protection Bureau, 1500 Pennsylvania Ave, NW, (Attn: 1801 L Street, NW), Washington, DC 20220.

The CFPB began operation on July 21, 2011. In its annual report (Adobe PDF) to the U.S. Congress, the CFPB reported that by December 31, 2011, it had received 13,210 complaints from consumers, including 9,307 credit card complaints and 2,326 mortgage complaints. 44% of all complaints were submitted through the CFPB website, and about 15% via telephone calls.

The FTC advises consumers who experience identity theft or fraud with financial products to both submit a complaint to the CFPB and submit a complaint to the FTC.

In its annual report, the new Consumer Financial Protection Bureau (CFPB), a federal agency designed to ensure that financial products and services for consumers are beneficial for consumers, listed the leading complaints submitted by consumers. The CFPB accepts complaints about credit cards and mortgages.

The CFPB began operation on July 21, 2011. In its annual report (Adobe PDF) to the U.S. Congress, the CFPB reported that by December 31, 2011, it had received 13,210 complaints from consumers, including 9,307 credit card complaints and 2,326 mortgage complaints. 44% of all complaints were submitted through the CFPB website, and about 15% via telephone calls. The leading types of credit-card complaints received:

The types of mortgage complaints received:

The FTC advises consumers who experience identity theft or fraud with financial products to both submit a complaint to the CFPB and submit a complaint to the FTC.

I like the CFPB's mission and its website. The agency's consumer response mechanisms are still new and in their infancy. They will become more beneficial as the agency identifies and resolves problems. What is your opinion of the CFPB?

On Monday, the PHI Project released a report about the state of data security within health care organizations titled, "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security." Key findings:

• Weak Data Security: health care organizations are entrusted with safeguarding patient privacy, but their security efforts are not keeping pace with the growing risks of lost/stolen protected health information (PHI),
• Data Breach Activity: the number and size of data breaches including PHI are increasing. The negative impacts are financial, legal, clinical, and reputational for the organizations experiencing data breaches,
• The PHI Project recommends that health care organizations implement a five-step method – PHI Value Estimator (PHIve) -- to evaluate the risks of a breach of PHI data, and implement preventative measures.

According to Rick Kam, president and co-founder of ID Experts and chair of the PHI Project:

“No organization can afford to ignore the potential consequences of a data breach... We assembled this working group to drive a meaningful dialogue on appropriate levels of investment to better protect healthcare organizations and PHI.”

The PHI Project is a partnership including the American National Standards Institute (ANSI) via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA) -- with assistance from ID Experts.

A Better City (ABC), a nonprofit transportation advocacy organization, has released a position paper about the fare increases and services cuts proposed by the MBTA. ABC analyzed both proposals by the MBTA to close a $161 million budget deficit forecast for the fiscal year beginning July 1, 2012. In its paper, ABC concluded:

"... the T should seek to close part of its budget gap with a more reasonable fare hike and limited service cuts. The T should then work with MassDOT, Massport, the Patrick administration and the legislature to address the remaining budget shortfall for FY 2013, and to begin work on a long-term, comprehensive finance plan for the Commonwealth’s entire transportation system."

The MBTA had proposed service cuts including the termination of late night and weekend commuter rail service, weekend "E" Green Line service, Mattapan Line, many bus routes, and all ferry service. About these cuts, ABC stated:

"... The T should not cut Commuter Rail service after 10pm and on weekends, nor should it cut weekend service on the E Branch of the Green Line or the Mattapan Trolley. Commuter boat service should be preserved, with a lower public subsidy and operated under the auspices of Massport. Due to the severe impact on riders, bus route service eliminations or reductions should be limited to the ten least efficient routes in the system. Going forward, the T should adopt more stringent and rational service planning criteria across all modes and commit to adjusting service accordingly."

According to ABC, everyday the Boston's population doubles as people commute to work. 55% of those work trips, and 45% of all MBTA trips, include commuting to work. The service cuts proposed by the MBTA would make it difficult for employees to get to work, employers to staff positions, patients to visit doctors and hospitals, and customers to visit entertainment venues:

"Across all sectors, ABC member businesses told us they are concerned about the impact that fare hikes and service cuts would have on their employees’ ability to get to work. Some of our members in the hospitality industry noted that the T’s current service hours are not adequate for employees working odd shifts... The viability of T service, then, has a direct impact on the size of this industry’s job shed, and particularly on the job prospects of low-skilled workers... The health care industry operates 24 hours a day, 7 days a week, and the hospitals of the Longwood Medical Area would be particularly impacted by the proposed service cuts to the Green Line E Branch and the Commuter Rail. These cuts would impact the ability not only of doctors, nurses and support staff to get to their jobs, but also of patients to make their appointments... These businesses have also deployed flexible scheduling and staggered shifts to best utilize their real estate and cope with our already-congested transportation network."

The service cuts would force more autos onto already congested roads, resulting in:

"... 55,000 and 92,000 more cars on the road daily... if there were no public transportation in the Boston area, the additional traffic congestion would cost the regional economy $663 million annually. Based on this estimate, if one-tenth of the T’s current ridership elect to abandon the T and drive their commutes... the additional congestion could cost Massachusetts $66 million a year."

Parking around the city, already a problem, would become worse as more people drive and many parking lots are replaced by office buildings:

"ABC members located in the South Boston Waterfront were particularly concerned that changes at the T would increase demand for parking at a time when large lots currently used by commuters to the Waterfront and to the Financial District are slated to be developed over the next decade. South Boston, East Boston and Downtown are all subject to Parking Freezes. The City of Cambridge also enforces a Parking and Transportation Demand Management ordinance. These policies, implemented to curb air pollution, have made both cities heavily reliant on transit to support future economic growth..."

The higher education industry would be similarly affected:

"... increased demand for parking is at odds with their plans to expand. UMass Boston is a commuter school with a 45% transit share. It’s attempting to increase that number to 60% so that it can utilize its surface parking lots for staging construction of new campus buildings. Boston University, which purchases $2.1 million in T passes for faculty, staff and students, and spends $1.6 million operating its shuttle service, is also planning to reduce its parking spaces in order to make room for new construction. T fare hikes and service cuts will make it harder for both these institutions to grow..."

The entertainment and tourism industries would be similarly affected:

"The proposed cuts to evening and weekend Commuter Rail service would have a significant impact on fans’ and patrons’ ability to get into and out of the city for games, concerts and other cultural events."

ABC suggests that the MBTA:

• Limit its fare increase to 25% and pursue smaller, more frequent increases,
• Maintain commuter rail, trolley, and ferry services,
• Cut only the "10 worst" bus lines,
• Better match resources (e.g., buses and trains) to demand

ounded in 1989 as the Artery Business Committee, A Better City is a nonprofit association representing Greater Boston’s business and institutional community on transportation, land development and environmental sustainability. Download the ABC position paper (Adobe PDF, 1.9M Bytes), which is also available here (Adobe PDF, 1.9M Bytes).

After consumer backlash last fall forced it to abandon plans to add fees for consumer debit card accouns, the Bank of America is now testing new fees for checking accounts in three states: Arizona, Georgia, and Massachusetts. Reportedly, the new monthly fees apply only to new accounts and range from $9 to $25 depending upon the consumer's account balance.

Meanwhile, the Massachusetts Secretary of State Galvin seeks legislation for national banks operating within the state to offer free checking accounts for young adults under 19 years of age and elders ages 65 and older. Galvin wants to prohibit these banks from holding state and local government deposits unless they offer free checking for these two groups. State-chartered banks in Massachusetts are already required by law to offer free checking to these two groups.

To learn more, visit the banking authority for your state.

March 4 - 10, 2012 is national Consumer Protection Week (NCPW). About 30 federal agencies and the U.S. Federal Trade Commission (FTC), plus consumer groups, state, county, and local government agencies are participating with the goal to:

"... focus attention on the importance of consumer information and provide people with free resources explaining their rights in the marketplace."

During the week, various groups will share information and tips about how to:

• Avoid identity theft, and scams,
• Protect your privacy, and
• Manage your money

NCPW began 14 years ago. The website has materials in both English and Spanish. David Vladeck, Director of the FTC's Bureau of Consumer Protection, said:

"The information on NCPW.gov can help consumers understand their rights, protect their privacy online and off, manage credit and debt, avoid identity theft, recognize foreclosure rescue scams, and report fraud... Visitors can download and print materials to share with friends and neighbors, or use the toolkit to plan a larger community event."

To learn more, visit NCPW.gov.