
11 posts from June 2012

How To Safely Dispose of Your Old Smart Phone

Everybody loves getting the latest smart phone. What to do with your old one? Perhaps, you plan to sell it on eBay or donate it to a charity. Whatever you decide, be sure to remove all sensitive data from it. Otherwise, you could create an identity theft and fraud problem for yourself.

The sensitive data on your smart phone isn't just your list of contacts and their phone numbers. The sensitive data also includes your passwords, email, browser history, calendar, and photos -- the things that document when and where you go both online and in the real world. The sensitivity of both your online passwords and browser history should be obvious. With access to your email, identity criminals could hack into your financial accounts and reset your online passwords. That would be an identity-theft disaster.

How to safely dispose of an old smart phone? Before selling or donating an old smart phone, security experts advise consumers to:

  1. Remove the SIM card
  2. Remove any memory cards
  3. Run a factory reset to delete sensitive data. To do this, check the (print or online) manual for your smart phone.

But that may not be enough. AccessData, a computer forensics firm, performed an analysis last year of several popular smart phones available on the resale market. Almost all had sensitive data from the prior owners. As Dark Reading reported:

"The phones were the iPhone 3G, Sanyo 2300, HTC Wildfire, LG Optimus, and HTC Hero... Even though all of the Android phones had been wiped through a factory reset, four of the five phones also included information that would take someone with forensics tools and knowledge to extract from more hidden storage locations... Some of the details available within those four phones included user account information, Social Security numbers, geolocation tags for where the user had taken pictures using the phone, deleted text messages, and a resume."

In this case, the only secure option is to go old-school: wrap it in cloth and then take a hammer to your old smart phone -- even the older clamshell types. Don't try to resell or donate it. Most consumers don't have access to industrial-strength hard-drive shredding services.

What did you do with your old smart phone? How did you remove any sensitive data from it? Or are your old devices gathering dust in a drawer or closet at home?


Website Exposes Embarrassing Facebook Status Messages

Much has been written about the benefits for Facebook members to properly adjust the privacy settings for their profiles. Still, many people don't. There is a new website, "We Know What You're Doing (WKWYD)," which collects and publishes status messages by Facebook users who make their status messages publicly available to everyone. As the WKWYD website explains in its disclaimer:

"All data is pulled directly from Facebook, it is not censored, and it is publicly accessible via the Graph API... the information is provided "as is" without warranty of any kind..."

So, the website is doing what you could do by searching for members' Facebook profiles that are open to the public. The WKWYD site describes itself as a "social networking privacy experiment" to get people to correctly use the privacy settings on their Facebook profile. The WKWYD site focused upon four types of embarrassing status messages:

  1. People who trash their boss
  2. People who show up at work hungover/drunk/etc.
  3. People who admit to taking drugs (e.g., illegal substances)
  4. People who disclose their (or others') telephone numbers

I read a few of the messages, and they are truly embarrassing -- stuff you might tell close friends, but not publicly to everyone. Some of the messages could get some people fired from their jobs:

[Image: Status messages from the We Know What You're Doing website]

To avoid having your Facebook status messages published on the WKWYD site, sign into your Facebook account, select "Privacy Settings," and under "Control Your Default Privacy" select either the "Friends" or "Custom" option. If you already see your Facebook status messages on WKWYD, to remove them delete the message(s) from your timeline.

To learn more about the WKWYD site, read CNN, or the Sophos Naked Security blog, or the Huffington Post.

A warning to the wise: use the privacy settings on your Facebook profile.


McAfee Study: Risky Online Behaviors And 10 Ways Teens Deceive Their Parents

Today, McAfee released findings from the company's 2012 Teen Internet Behavior study (Adobe PDF). The study investigated the online habits, behaviors, interests, and lifestyles of teens and documented the risky online behaviors of this group. Perhaps more importantly, not only do teens hide their risky online behaviors from their parents, but parents are largely unaware.

The study included 2,017 online interviews in the U.S. among teens ages 13-17 and parents of teens ages 13-17. Interviews included an even mix by age and gender, with 15% Hispanic and 15% African American respondents. The interviews, conducted May 4th through May 29th, included 1,004 teens and 1,013 parents of teens. Findings from the study:

"Many teens are accessing inappropriate online content, despite 73.5% of parents who trust their teens to not access age-inappropriate content online. Specifically 43% of teens have accessed simulated violence online, 36% have accessed sexual topics online, and 32% have accessed nude content or pornography online... 15% of teens have hacked a social network account, 30.7% access pirated movies and music, and 8.7% have hacked someone's email online... Teens don't think online friends are dangerous strangers. 12% of teens reported meeting someone offline that they only knew through online interactions... Teens don't just witness cruel behavior, they join in. Teens have felt social pressure to participate in cyberbullying, with 9.5% of teens actually bullying, and 24.9% posting mean comments... 93% of teens who have witnessed cruel behavior online say that majority of cruel online behavior took place on Facebook..."

There are clear consequences resulting from these risky online behaviors:

"... over half of teens with a social network account have already experienced negative consequences as a result of being on a social network account, such as arguing with friends (35.4%), getting into trouble at home or school (25.2%), ending friendships (20%), fearing for their safety (6.8%), and physical fights (4.5%)."

The report states that 29% of parents are overwhelmed by technology, and just hope for the best. While many parents believe that their teens honestly tell them what they do online:

"... teens deceiving their parents are on the rise, as over 70% of teens have found ways to avoid parental monitoring, compared to 2010, where 45% of teens have hidden their online behavior from a parent."

The study documented ten ways teens deceive their parents about their online behavior:

  1. Clear the browser history after an online session (53%)
  2. Close/minimize browser when a parent walks nearby (46%)
  3. Hide or delete instant messages (IMs) or videos (34%)
  4. Lie or omit details about online activities (23%)
  5. Use a computer their parents don't check (23%)
  6. Use an internet-enabled mobile device (21%)
  7. Use privacy settings to make certain content viewable only by friends (20%)
  8. Use private browsing modes (20%)
  9. Create private email address unknown to parents (15%)
  10. Create duplicate/fake social network profiles (9%)

Download the McAfee study (Adobe PDF).


Consumers Pay With Methods Other Than Cash

Some statistics about consumers' use of cash versus other payment methods:

"Last year 27 percent of all point-of-sale purchases were made with cash and that number is expected to drop to 23 percent by 2017... plastic cards purchases comprised 66 percent of all in-person sales, with nearly half of them, or 31 percent, made with debit cards, according to Javelin. Last year shoppers used credit cards for 29 percent of point-of-sale purchases; Javelin expects that number to rise to 33 percent by 2017. Shoppers deployed gift cards and prepaid cards for 6 percent of purchases made with plastic last year. A mere 7 percent of transactions involved use of a paper check..."

The Huffington Post article also mentioned a few retail stores that no longer accept cash.


Vermont Updates Its Breach Notification Law

On May 8, 2012, the State of Vermont amended its Security Breach Notice Act. The changes included:

  • The breach can be either a known unauthorized acquisition, or a "reasonable belief of an unauthorized acquisition..."
  • Breach notice must be provided to Vermont residents within 45 days after discovery of the breach
  • Breach notice must be given to the Vermont Attorney General within 14 business days of the date the breach was discovered, or the date affected Vermont residents were notified
  • Breach notice must include the date discovered, a description of the breach, the number of Vermont residents affected, and a copy of the notice sent to affected Vermont residents
  • Textual changes to make the law's description of sensitive personal information consistent with the industry-standard, PII (Personally Identifiable Information)

Breach notice to affected Vermont residents must describe the incident, the date of the breach, the types of personal data lost/stolen, and methods to protect sensitive personal data from further breaches.

Download the amended Vermont Security Breach Notice Act (Adobe PDF).


Canadian Privacy Commissioner Introduces Graphic Novel To Help Youth Safely Use the Internet With Mobile Devices

The Office of the Privacy Commissioner in Canada has introduced a graphic novel designed to help teens and youth use the Internet safely with mobile devices. If you haven't read it, I highly recommend it. It is an easy read and it clearly describes some good, basic data security habits.

The graphic novel (Adobe PDF - 4.5 M Bytes) is good for youth (and their parents) everywhere, and not just in Canada. The skills needed to safely use mobile devices and maintain privacy are universal.

In the United States, the Federal Trade Commission (FTC) offers the "Heads Up: Share With Care" guide (Adobe PDF) for youth at the OnGuard Online website.


Is It Wise To Move Your Money To A Prepaid Card?

Earlier this year, Pew Health Group released the results of focus group research about how consumers view and use prepaid cards. Key findings:

  1. Consumers view prepaid cards as a way to avoid hidden bank fees
  2. Consumers use prepaid cards to budget and control spending
  3. Some prepaid card users like the privacy of prepaid cards, since they don't have to register with their personal information
  4. Consumers dislike fees on prepaid cards
  5. Prepaid card users want neither overdraft protection nor credit lines on prepaid cards
  6. Prepaid card users want direct deposit, a savings option, and credit building tools
  7. Consumers incorrectly assume federal government oversight of prepaid cards

Findings #1 and #2 together suggest that some consumers view prepaid cards as an easy way to avoid spending money they don't have and to avoid the overdraft fees banks charge. For these consumers, moving their money from a checking account to prepaid cards seems attractive. But what are the "costs" or consequences of using prepaid cards instead?

Life has taught me that there are always consequences; some unintentional. Read on.

The overdraft fees banks charge have been so large and frequent, that some consumers seem conditioned to view prepaid cards as a cheaper alternative. We've all heard stories about the $35.00 cup of coffee. Nobody wants to pay that.

CNN Money reported that the average prepaid card charges $300 a year in fees. That $300 in annual prepaid fees may seem cheap if you incur overdraft fees (at $35 each) more than 9 or 10 times a year. This seems to be the case with some of the Pew focus group participants. Pew shared one participant's comments:

"I don’t like the fees on prepaid debit cards... It costs to load (them). It costs $3.95. I don’t like that I pay the $3.95... I’m good with my checking account. Nobody wants to pay extra fees. If we had to, I’d take the $3.95 any day over the $35 overdrafting or for some other fees."

If only the load fee were the only fee on prepaid cards. Both CNN Money and Consumer Reports found a wide variety of fees when they investigated prepaid cards: activation fees, monthly fees, reload fees, cash withdrawal fees, inactivity fees, online payment fees, paper statement fees, customer service phone call fees, and more.

That same $300 in annual prepaid fees seems expensive when compared to a $5 - $10 monthly checking fee many banks charge (assuming good budgeting with no overdraft fees incurred). That $300 seems ridiculous and avoidable when compared to far lower fees or free checking available at some banks and credit unions.

Are consumers confused? Probably. Banks charge both overdraft fees and fees for overdraft protection. Wise consumers know the difference. And, to avoid overdraft fees, it may be better or simpler for you to decline auto-enrollment of overdraft protection.

I found it disheartening that the focus group participants didn't seem to understand the banking practice to reorder debit purchases to maximize overdraft fees. In early 2009, this blog reported about this banking practice, which increases the frequency of overdraft fees. The CFPB is tackling the overdraft fees issue, and seeks comments from consumers by June 29.

I find particularly troublesome finding #7 above. When deciding to use a checking account or a prepaid card, consumers need to consider:

  • The fees on prepaid cards (see the above list and related articles), and which will apply given your usage
  • The limits, if any, on fees and interest rates
  • Prepaid cards don't build your credit history
  • Your rights to receive periodic statements, disclosures of fees, error resolution process, and changes in terms
  • Your liabilities when your card is lost, stolen, cloned, includes unauthorized transactions, or includes transactions in error

There are huge differences between credit cards, debit cards, and prepaid cards. There are different types of prepaid cards: gift cards, general purpose, health care spending, and payroll. This blog discussed payroll cards from Bank of America and the Walmart MoneyCard.

Wise consumers know that not all prepaid cards are the same:

  • Consumer's liability (e.g., loss, theft, unauthorized transactions) is different for payroll prepaid cards versus gift/general purpose prepaid cards
  • Statements and disclosure requirements are different for payroll prepaid cards versus gift/general purpose prepaid cards
  • Employer-provided health care flexible spending prepaid cards often have an entirely different set of rules

To learn more and be a smart shopper:

  1. Ask the retailer/bank/employer for a copy of their terms and conditions policy for the prepaid card you are considering,
  2. Read that policy,
  3. Read this FDIC comparison of debit cards, credit cards, and prepaid cards, and
  4. Browse related articles in the "Prepaid Cards" section of this blog.

What's your opinion? Do you think it is wise to move your money from a checking account to a prepaid card?


Credit Reporting Agency Wants Access To Your Facebook, LinkedIn, And Twitter Information

The leading credit reporting agency in Germany wants access to your personal data at popular social networking websites. Spiegel Online reported that business documents leaked to the news media describe Schufa's interest in accessing and data-mining consumers' profiles, messages/posts, and connections information at Facebook.com, LinkedIn.com, and Twitter.com to evaluate consumers' creditworthiness.

Schufa's interest seems to focus on the relationships between consumers (e.g., who you know), residential addresses, and address changes. Reportedly, there are about 20 million Facebook users in Germany, and Schufa has credit files on about 66 million consumers.


Mintz Levin: Breach Notification Laws In The United States

The law firm of Mintz Levin has produced a report listing data breach notification laws in the United States as of June 1, 2012. The report includes details by state, and includes the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. Typically, breach notification laws include a:

  • Description of the personal information that must be protected
  • List of the businesses, organizations, and state/local agencies that must comply with the state's breach notification law
  • Process for the timing, content, and distribution of a breach notification
  • Any exceptions to the law (e.g., encrypted files)
  • Other provisions and applicable state laws
  • Penalties for violations
  • Whether breach victims (e.g., state residents) can sue, and if so against whom

Four states do not have any breach notification laws:

  • Alabama
  • Kentucky
  • New Mexico
  • South Dakota

If you live in one of these states, contact your elected officials and demand that your state pass a breach notification law. When companies or government agencies have consumers' sensitive personal information lost or stolen, you need to know to protect yourself.

The report is also available here (Adobe PDF, 469 k bytes).


Data Breach At LinkedIn.com Exposes Passwords of 6.5 Million Users

Several news sources have reported a data breach at LinkedIn.com, which affected as many as 6.54 million users' passwords. According to The Next Web:

"Norwegian IT website Dagens IT reported the breach, with 6.5 million encrypted passwords posted to a Russian hacker site. Security researcher Per Thorsheim has also confirmed reports..."

Even though the passwords were encrypted, about 300,000 had already been cracked. At press time, LinkedIn had not issued an announcement. LinkedIn is a popular social networking website for professionals to find jobs and establish business contacts.

Experts advise LinkedIn.com users to change their passwords. And, if you use the same password at other websites, you should change those, too. That means, you will need to change the passwords for any mobile apps, too.

This potential breach is in addition to other bad news. Earlier today, researchers at Skycure Security discovered that the LinkedIn.com apps for iPhones and iPads leak sensitive, complete meeting details without notice to users, a potential violation of Apple's privacy policy. Plus, the apps don't really need the full meeting details collected and transmitted.

Read more about this breach at the New York Times.

I already changed my LinkedIn.com password, and I am glad that I don't use the same password everywhere. I look forward to hearing from the LinkedIn.com management about their breach investigation and data security fixes.

Update [2:30 PM EST]: The LinkedIn blog advises its users to change their passwords.

Update [8:00 PM EST]: After several news sources reported that the hackers had stolen passwords from both LinkedIn.com and the eHarmony.com dating website, eHarmony also advises its users to change their passwords.

Update [10:00 PM EST]: Forbes correctly warns that if LinkedIn doesn't fix its data breach and detect ongoing threats, then users changing passwords may not be enough.

Update [11:30 PM EST]: LinkedIn confirms breach.


Photo of Cash Posted On Facebook Leads to Home Robbery

There are some things you should never post photographs of online. The BBC reported that two armed thieves robbed a home after an Australian teenager posted photographs on Facebook of a large amount of cash. The teenager had helped her grandmother count the cash, which was saved for retirement.

It was unclear how the thieves obtained the home address. The teenager no longer lives at the address.

What can consumers learn from this?

  • Be careful about posting online messages or photos with cash, jewelry, or similar valuables
  • Adjust the settings on your mobile device or smart phone to remove geo-tags from photographs and video you post online
  • Avoid announcing online when you will be away from home
  • Make sure that your profile and post/video/photo sharing settings are set to "friends only"
  • Don't accept friend requests from people you don't know. Verify their identity via a separate method (e.g., phone, email)
  • Delete from your list of friends names you don't know or recognize
  • Don't assume all of your friends practice good data security and privacy habits. Too many don't.
  • Be careful about the apps you install on your smart phone or the apps you accept on Facebook
  • Parents should discuss experiences like this, and how to safely use social networking websites