13 posts from August 2012

Data Breach At University Of South Carolina Affects 34,000 People

The University of South Carolina experienced a data breach on an Internet-connected computer in its College of Education. The university is notifying 34,000 people, whose sensitive personal information has been exposed. The breach was discovered on June 6.

The University's breach announcement did not list the specific types of sensitive personal information exposed/stolen:

"Files on the server contained confidential, personally identifiable information of approximately 34,000 individuals."

McClatchy news service reported that the sensitive personal information exposed/stolen included the names, addresses and Social Security numbers of staff, researchers, and students at the College of Education since 2005.

The university advised breach victims to check their credit reports at the three major credit reporting agencies (e.g., Experian, Equifax, and TransUnion), and to place a fraud alert on their credit reports. The university did not name the credit monitoring/resolution service it has retained to assist breach victims, nor whether it will provide that service freely to breach victims.

Organizations usually provide a couple years of free credit monitoring services after data breaches like this. This is the sixth breach at the University of South Carolina. Prior breaches:

  • March 2011: 31,000 records exposed/stolen on 8 campuses affecting faculty, staff, retirees, and students
  • June 2008: 7,000 records exposed/stolen during an office theft at the Moore School of Business
  • September 2007: 1,482 students' files, including Social Security numbers, test scores, and grades, were exposed on an Internet-connected computer
  • August 2006: 6,000 current and former students' sensitive information was exposed/stolen
  • April 2006: 1,400 students' sensitive information, including Social Security numbers, was attached to and distributed in an email message by a faculty member

Given this poor history, the university's chief security officer and IT staff need to step up faculty/staff training and data security procedures at the school.


9 Tips To Keep Your Personal Data Stored In The Cloud Secure

Okay. You've decided to use the cloud for storage of your personal data. You've heard reports about cloud data breaches that have wrecked people's lives. So, how do you keep your personal data stored in the cloud safe?

There is a pretty good article at Consumer Research with nine tips to keep your cloud-stored data safe. Beyond the usual advice to use strong passwords, I found these tips helpful:

"Don't log in with social media accounts. More and more sites are enabling users to sign in with Facebook or Twitter. Sure, it's fast and easy, but if your social media account gets compromised, all those other sites do, too."

"Use two-factor authentication. Google, Facebook and others give users the option to use "two-factor authentication," which means you need a special code, in addition to your username and password in order to log in. A text message with the code is sent to your phone when you try to sign in to your account. If you don't have that code, you can't sign in, even if you enter your password correctly..."

"Back up your data! Honan lost a year's worth of data because he assumed it was safe and sound in the cloud... create local backups on DVDs or external hard drives for the really important stuff."

Read the entire list of tips at the Consumer Research web site. What the article doesn't cover is this: if you work as an independent contractor, make sure you have the right to use cloud services in your contracts, or request access to the cloud services your clients use.


Will A Credit Card Or a Debit Card Protect You From Fraud Better?

[Editor's note: today's guest post is by Odysseas Papadimitriou, a personal finance industry expert and CEO of the credit card comparison website Card Hub as well as the new personal finance social network Wallet Hub. I have written previously about CardHub.com, and hope to see the site develop more tools and information to help consumers make informed decisions about financial products. Consumers often ask whether debit cards or credit cards are better. Today, Mr. Papadimitriou answers that question regarding fraud prevention.]

By Odysseas Papadimitriou

We all work hard, pay obscene amounts in taxes, have seemingly endless bills to pay, and certainly don’t want to be handing out money to strangers or serving as the financial backing for common criminals. That’s why I regularly hear from consumers who are terrified of falling victim to fraud and are wondering about the best ways to safeguard their finances, especially whether a credit card or debit card will better protect them.

Spoiler Alert: The combination of federal laws and policies instituted by the major networks limits liability for unauthorized purchases made with either a credit card or a debit card, often to $0.

In other words, even if someone does get ahold of your card or account information, you probably won’t ultimately be out any money. That, combined with the fact that fraud only affects about 0.005% of all credit and debit card transactions, means it isn’t as big of a concern as many people think.

Credit vs. Debit

With the above being said, there are differences between credit cards and debit cards when it comes to fraud. First of all, you won’t be liable for any fraudulent credit card transactions, whereas you may or may not be liable for debit card transactions, depending on how quickly you report the fraud and whether or not the transactions in question were completed with a signature or your account’s PIN.

In addition, the decision between a credit card and a debit card will affect how difficult fraud is to deal with from a logistical standpoint. The reason has to do with the fundamental differences between these products.

When you make a purchase with a debit card, funds are automatically removed from your account. On the other hand, the bank initially foots the bill when you pay with credit, and you aren’t required to spend any of your own money for days.

Therefore, you can usually sort out credit card fraud before it affects the rest of your life or requires you to retrieve any money. The same cannot be said for debit card fraud, as you might not notice the fraudulent activity before you are required to cut checks for other monthly obligations; if they bounce, you’ll have even more to sort out.

Other Anti-Fraud Tips

While using a credit card can help simplify fraud fallout, there are a number of free and easy ways that you can proactively safeguard your finances.

  • Check your credit reports: Everyone is entitled to a copy of each of their three major credit reports (i.e. Experian, Equifax, and TransUnion) once every 12 months, and reviewing them is a good way to ensure that no one has opened any financial accounts under your name.
  • Lock your mailbox & shred documents: Thieves have been known to raid people’s mailboxes (especially when they’re out of town) and trash in search of direct mail credit card offers, replacement cards, and financial information they can use to open accounts in other people’s names.
  • Choose secure passwords: You don’t want someone to be able to hack into your e-mail or online banking account just because they know your child or pet’s name. You should ideally use a combination of letters, numbers, and selective capitalization and update your passwords every couple of months.
  • Be wary of giving out financial information: The best policy is to only give sensitive financial information to people you contact, rather than the other way around. This allows you to ensure you know who you’re dealing with and drastically reduces your chances of falling for a scam.

Final Thoughts

You should ultimately take three things from this article: 1) Fraud isn’t as problematic as the local news makes it out to be; 2) Credit cards protect you from fraud better than debit cards; and 3) There are a number of easy ways that you can protect yourself on a daily basis. In other words, you should be vigilant in protecting your money but not let the fear of fraud consume you.

What should be of greater concern is choosing the right financial products and managing them responsibly. Consumers are on pace to incur $50 billion in credit card debt for the second straight year, and not only is budgeting therefore in order, but there are also a number of excellent credit card offers out there that can help lower the financial burden.


California Legislature Approves Location Privacy Act

On Wednesday, the California legislature passed SB 1434, which requires government agencies to obtain a warrant before collecting your location-based information. All that is left is for the Governor to sign the law. The law reads:

"This bill provides that no government entity shall obtain the location information of an electronic device without a valid search warrant issued by a duly authorized magistrate."

"This bill would provide that no search warrant shall issue for the location of an electronic device pursuant to this section for a period of time longer than is necessary to achieve the objective of the authorization, nor in any event longer than 30 days, commencing on the day of the initial obtaining of location information, or 10 days after the issuance of the warrant, whichever comes first."

"This bill, as proposed to be amended, provides that extensions of a warrant may be granted, but only upon a finding of continuing probable cause by the judge or magistrate, and that the extension is necessary to achieve the objective of the authorization. Each extension granted for a warrant pursuant to this subdivision, shall be for no longer than the authorizing judge or magistrate deems necessary to achieve the purposes for which the warrant was originally granted, but in any event, shall be for no longer than 30 days."

Read SB 1434 for other provisions and exceptions. In an announcement, the ACLU emphasized the importance of this legislation:

"We shouldn't have to choose between using our smartphone and protecting our privacy. Unfortunately, outdated laws like the Electronic Communications Privacy Act of 1986 (yes, 1986!) do not provide the clear protection that sensitive information like location history - which can reveal your friends, activities, habits, and more - deserve. As a result, law enforcement agencies in California and elsewhere treat access to location information as a "routine tool" and frequently obtain this sensitive data with little or no judicial oversight."

Earlier this year, 35 ACLU chapters requested information from about 380 police departments in 31 states, and received about 200 replies. You can view the nationwide map, with replies for your town and state, of law enforcement tracking of consumers' smart phone locations.

So now, at least in California, search warrants are required first. It will be interesting to see how this affects the use by law enforcement of automated license plate readers, which can append GPS location and other meta data (e.g., time, stop duration, nearby stores) to scanned plates.


Companies Lobby As Congress Considers Changes To The Video Privacy Protection Act

On Monday, this blog discussed a recent ruling by a California District Court judge regarding a lawsuit against Hulu.com, KISSmetrics, and several defendants. The suit alleged that the defendant companies tracked consumers without notice and consent. Hulu and others attempted to use the Video Privacy Protection Act (VPPA) as a defense, which the court rejected -- meaning movie/video streaming is covered by the VPPA. That blog post also mentioned lobbying efforts by Netflix and Facebook. Today, I'd like to discuss the lobbying activities related to H.R. 2471, and explore the related privacy issues.

H.R. 2471 was introduced in July 2011 by Representative Robert Goodlatte, and passed by the House of Representatives in December 2011. It amends 18 USC 2710, commonly referred to as the VPPA. The Senate has not yet voted on the proposed legislation. In July 2012, MediaPost reported:

"Sen. Patrick Leahy (D-Vt.) this week proposed amending the federal video privacy law to enable consumers to consent on an ongoing basis to the disclosure of information about their movie rentals. Leahy made the proposal as an amendment to a controversial Cybersecurity Act of 2012 (S. 3414)... even if the cybersecurity bill doesn't go through, Leahy's move indicates that the lawmaker agrees with Netflix that the law should be changed..."

Not everyone agrees that the law should be changed, or needs to be changed:

"University of Minnesota law professor Bill McGeveran testified to a Senate panel in January that Netflix could simply offer Facebook users a “play and share” button. If users click on that button, the company could then spread information about users' movie selections to their friends on a per-occasion basis."

Senator Leahy proposed the original VPPA legislation. Now, he supports changing it. You can read the senator's January 2012 statement about why he supports changing the VPPA. To the senator's credit, he mentioned several cautions:

"My original [VPPA] proposal was also to include library records, but we were unable to sustain that protection as the bill worked its way through Congress. More recently, I have worked to add protections for library and bookseller records to section 215 of the USA PATRIOT Act... I worry that sometimes what is “simpler” for corporate purposes is not better for consumers. It might be “simpler” for some if we had no privacy protections, no antitrust protections and no consumer protections, but that is not better for Americans... A one-time check off that has the effect of an all-time surrender of privacy does not seem to me the best course for consumers."

I think that there may be more going on. Forbes reported in December 2011:

"While Netflix has rolled out frictionless Facebook sharing for its Canada and Latin America customers, it has held off in the U.S. in the hopes that Congress will address the issue... Virginia Rep. Robert Goodlatte introduced an update to the Video Privacy Protection Act in July that will allow a "video tape service provider" to disclose people's activity on an "ongoing bases," and that "consent may be obtained through the Internet" -- meaning clicking a box will suffice... Political money analysis non-profit Maplight notes that "the online computer services industry (e.g., the Digital media Association and Netflix), which supported the bill, gave on average 73% more to House members who voted 'YES' ($2,644) than to House members who voted 'NO' ($1,525)."

A review of Senator Leahy's donors may also provide a clue. Media, entertainment, and film companies seem to dominate his donors who gave the most. As of August 15, the senator's largest donors ranked: Time Warner, 3; Walt Disney, 4; Vivendi, 5; Comcast, 9; and Sony, 14.

EPIC shared its views about the legislation:

"H.R. 2471 weakens the consent provision of the VPPA by diminishing the ability of users to control the use and disclosure of their personal information. Under the Amendment, companies like Netflix would be able to obtain one-time, blanket consent from a user and then continuously disclose on Facebook all of the movies watched by that user. Netflix would automatically post this viewing information regardless of whether users would choose to post such information themselves. In addition to transferring control over the user’s information from the user to the company, the Amendment’s blanket-disclosure provision allows companies to profit from the association between users and products. Currently, users of social networking services such as Facebook must take some affirmative action, such as liking or sharing, in order to associate themselves with the product. Thus, users are able to decide on a case-by-case basis which associations they want Facebook to disclose to their friends. By automatically disclosing everything a user watches, the Amendment would make simply watching a movie the equivalent of “liking” it."

The "one-time, blanket consent" that concerns EPIC appears to be the same, "one time check-off" Senator Leahy said he is concerned about. So, I hope that Senator Leahy and the Senate explore improvements to H.R. 2471 that address these concerns. The "one-time, blanket consent" seems tilted too far for the benefits of companies at the expense of consumers.

In my opinion, H.R. 2471 as passed by the House is unacceptable and insufficient. It doesn't go far enough to protect consumers' privacy. How much farther should the legislation go? What might better legislation include?

Below is my list of privacy issues which better legislation, including changes to the VPPA, should include:

  • Keep consumers in control of their privacy. This means that the default privacy setting should be "nothing shared" unless the consumer gives explicit consent. A one-time consent is insufficient and undesirable.
  • Privacy policies need to be accurate and readable. Since the days of VHS tapes, the Internet has grown along with the use by companies of privacy policies at their websites. The legislation needs to ensure that privacy policies (including Netflix.com) are crystal clear about what personal information is shared and to whom. That includes any meta data (e.g., viewing time, device, number of views) delivered with the video/movie titles. Otherwise, consumers have no way to make an informed decision about giving consent.
  • Mobile devices matter. This is critical since social networking web sites support mobile devices, and this support necessitates several corporate partners (e.g., the mobile device manufacturer, the device operating system manufacturers, telecommunications providers, co-marketing firms, advertisers). Given so many partners' privacy policies, it is difficult for consumers to determine which policy applies. The legislation needs to ensure that mobile app privacy policies are consistently accessible both before and after app installs, and are consistent with partners' website policies. Prior studies have documented poor and inconsistent access to mobile app privacy policies.
  • Flexible consent options. For users to maintain control, there should be several sharing opt-in choices. I'd rather see opt-in as device-specific and not global (e.g., across all devices a consumer has). That control may also need to be topic or genre specific. Remember, not all movies are entertainment. Some are closer in content to books (e.g., documentaries) and include sensitive topics (e.g., health care, diseases).
  • Consent has limits. The sharing options must provide consumers with the ability to distinguish between sharing with friends and sharing with advertisers. That control should distinguish between social networking websites. Some video/movie-sharing advocates claim, "... people are more willing to share information about what they're watching now." That doesn't mean all consumers nor all social networking websites. Consumers need the control to pick which social networking sites to share their video/movie choices. A single, one-time blanket consent to share is insufficient.
  • Children matter. None of the articles I have read about proposed VPPA changes discussed privacy for children. The modified legislation must fit with existing privacy legislation for children, since 56% of parents give their children smart phones for safety and security reasons. Changes to VPPA need to reflect this, which H.R. 2471 does not seem to do.
  • Consent can be revoked. Consumers change their minds. People get married, have children, change their consumption habits, experience a data breach, or whatever -- lifestyle changes and experiences impact consumers' privacy choices. The legislation needs to provide consumers with the ability to revoke consent and stop video/movie sharing. H.R. 2471 does not seem to address this.
  • Geography alone is an insufficient reason. Just because frictionless movie sharing is already available in other countries (which H.R. 2471 proponents mention), doesn't mean it should be available in the USA. Plenty of laws vary by country or region.
  • Speed is not the priority. The old saying, "haste makes waste" applies here, too. A speedy update of the VPPA is not wise. The issues need to be thought through and reconciled with other privacy laws.

In the interest of full disclosure, I am a Netflix subscriber.

If you have opinions or concerns about H.R. 2471, I encourage consumers to contact your elected officials in the Senate, as the Senate could vote to approve H.R. 2471, or develop its own version of legislation to amend the VPPA. Of course, if you are a Vermont resident, please contact Senator Leahy's office.

What's your opinion of H.R. 2471?


Latest Email Scam: Promises Not To Kill You If You Pay

Spammers and fraudsters are persistent and creative. The latest email scam involves a threat where the criminal will not kill you if you pay instead. Honest. I am not making this up.

Michael Finney described the scam in his blog. So, if you see an email message in your inbox with the following subject line:

"Somebody you call a friend, wants you dead"

You can assume that it's probably a scam. The scammers are trying to trick you into wiring money to them.


Court Rules Online Video Streaming Is Protected By VPPA

If you have a broadband Internet connection at home, you probably download or stream videos and movies. What you may not know is that several companies are working and lobbying to roll back privacy protections for consumers regarding your video and movie usage.

Fierce Online Video reported (links added):

"A Northern California court has ruled that the Video Privacy Protection Act (VPPA), a 1998 law enacted during the era of movie rental stores, applies to online video service providers as the modern-day extensions of those old brick-and-mortar structures... Hulu, which is owned by News Corp., Comcast's NBCUniversal, Providence Equity Partners and Walt Disney Co. had claimed that VPPA was not relevant because it covered only information about consumers who obtained physical objects from physical stores."

The ruling occurred in the Northern District Court of California (San Francisco). The suit (Garvey et al v KISSmetrics) included Hulu as a co-defendant, and was the consolidation of several class-action lawsuits, one of which was Couch et al. v KISSmetrics et al. (PDF - 6.3 MBytes). The plaintiffs in that complaint were represented by a familiar name: the Law Office of Joseph Malley. The Privacy Crusader strikes again!

Some news outlets reported that Hulu.com was sued because of the VPPA. That isn't accurate. Hulu.com, and several other companies, were sued because they allegedly used "Zombie E-Tags" to track consumers without notice and without consent. This blog reported about that suit back in October, 2011. Hulu.com (and several defendant companies) attempted to use the VPPA as a defense, which the court rejected.

So, for better (or worse) the actions of these defendant companies have brought attention to the VPPA, which some lawmakers in Congress believe needs to be modified. Later during 2011, Hulu stopped using KISSmetrics to track subscribers' online usage after researchers documented that consumers could not avoid nor opt out of it. Fierce Online Video also reported (links added):

"... other streaming video services are watching intently. Netflix, for instance, wants to create a similar link between its video service and Facebook."

So, it will be very interesting to watch how various online video/movie distribution outlets respond, given the court's rejection of the VPPA as a defense. Earlier this year, Netflix paid $9 million to settle a class-action lawsuit which alleged that the company illegally retained and shared subscribers' video habits.

Providence Equity Partners is a global private equity firm (similar to Bain & Company) with $23 billion under management. It invests in media, entertainment, and education companies. The Providence, Rhode Island-based firm has offices in Beijing, Hong Kong, London, New Delhi, and New York. Rumors suggest that the firm wants to invest in Electronic Arts, a video game company. In its website, the firm describes itself:

"We partner with companies across different stages in their development, from growth capital and complex recapitalizations of family-owned businesses to large buyouts and take-privates. We can employ a variety of financing structures and target equity investments of $150 million to $800 million. We prefer to lead our investments, serve on company boards, and work collaboratively with company management. From broadband to broadcast, music to film, wireline to wireless, publishing to Internet, we bring unparalleled industry, financial and operational expertise to each of our portfolio companies."

News Corporation owns several newspaper and media companies, including the Wall Street Journal, Fox News, and several British newspapers recently involved in the bribery and mobile phone hacking scandals. The scandals resulted in numerous arrests, several lawsuits, and have cost the company about $224 million. Comcast delivers cable television services throughout most of the United States.

To learn more about the VPPA, visit the EPIC site. Several states have enacted similar legislation to provide consumers with greater protections. You can also read the full text of the VPPA, which is also available here.

Consumer privacy protections will become increasingly more important as video content migrates from older distribution channels to newer ones. Companies would love to profit by selling your movie-viewing habits to marketers and other third-party companies. (And, it's probably easier to profit when there are fewer laws protecting consumers' privacy.) What you watch says a lot about you, your values, your health, and your lifestyle. Fortunately, the judge ruled that when it comes to movies, video is video no matter how it is delivered.

Astute readers noticed that I mentioned the word "lobbying" in the opening paragraph. This blog will discuss that later this week.


The Risks Of Buying Drugs Online

Everyone loves a good deal. And the Internet provides several sources of deals and discounts. If you seek deals on prescription drugs, there are several things you should know so you don't get "mugged" by a rogue online pharmacy website.

Earlier this year, the National Association of Boards of Pharmacy (NABP), which accredits online drugstores, released the results of a study where it reviewed more than 9,600 online pharmacies. Key results:

  • Most are rogue sites: 96.6% (or 9,349 of 9,677 online pharmacies reviewed) operated out of compliance with existing laws and standards
  • Only 2.7% (259 online pharmacies) were found to be legitimate websites, and 0.7% (69 sites) were accredited through an NABP verification program
  • Of these 9,349 online pharmacies, 8,122 don't require a valid physician's prescription
  • 4,648 offer foreign drugs or drugs not approved by the U.S. FDA
  • 3,363 have internet servers outside the USA
  • 1,523 don't have secure web sites

The problem is intensified by drugs that are in short supply. Fraudsters know this and try to take advantage of the situation:

"The most critical shortages involve cancer, antibiotic, nutrition, and electrolyte-imbalance medicines, according to the FDA. For many community pharmacies, health-system pharmacies, and patients the lack of availability of needed -- and often life-saving -- medications through official, authorized supply channels means resorting to unconventional and more dangerous means of obtaining the medications, sometimes turning to unknown sellers online. The unfulfilled demand for these medications has created a lucrative market for counterfeiters..."

The results: several risks to consumers. One risk is that you may not get what you paid for:

"... health care facilities and patients have no assurance that the substances they receive are what they are purported to be. Many of the replacement drugs purchased online are unregulated, meaning there are no safeguards in place to ensure their identity, safety, efficacy, where and under what conditions they were made, or how they were handled."

A second risk is to your health. Counterfeit drugs can fail to address your medical conditions, make you sicker, or kill you:

"... two-thirds of the online drug sellers discovered in this study are represented on the NABP list of Not Recommended sites. These illegal online drug sellers pose serious risks to patient health. The risk is especially high with vaccines..."

A third risk is identity theft or fraud at those online pharmacies that operate unsecured sites.

Earlier this year, the U.S. Congress House Committee on Oversight and Government Reform investigated "gray market" companies that operate outside of authorized drug distribution networks to provide short-supply drugs at hugely inflated prices. In July 2012, the committee released its report (Adobe PDF), which found:

"... a growing number of prescription drugs sold in the United States have experienced supply shortages. Because these shortages have been most severe among a group of injectable drugs used to treat patients with cancer and other serious illnesses, they have had a particularly serious impact on hospitals... During drug shortages, hospitals are sometimes unable to buy drugs from their normal trading partners, usually one of the three large national “primary” distributors... some short-supply injectable drugs do not reach health care providers through the manufacturer-wholesaler distributor-dispenser chain that policymakers and industry stakeholders present as the typical model for drug distribution. Instead, these drugs “leak” into longer gray market distribution networks, in which a number of different companies – some doing business as pharmacies and some as distributors – buy and resell the drugs to each other before one of them finally sells the drugs to a hospital or other health care facility. In more than two-thirds (69%) of the 300 drug distribution chains reviewed in this investigation, prescription drugs leaked into the gray market through pharmacies. Instead of dispensing the drugs in accordance with their professional duties, state laws, and the expectations of their trading partners, these pharmacies re-sold the drugs to gray market wholesalers..."

The investigation also found:

"... a number of businesses holding pharmacy licenses that do not dispense drugs, but instead appear to operate for the sole purpose of acquiring short-supply drugs that can be sold into the gray market.... Some gray market wholesalers gain access to shortage drugs by recruiting pharmacies to act as their purchasing agents..."

The impact is far higher drug prices than otherwise for health care facilities, hospitals, and consumers.

The NABP operates several online pharmacy accreditation programs, including the Verified Internet Pharmacy Practice Sites (VIPPS), the Veterinary-Verified Internet Pharmacy Practices Sites (Vet-VIPPS), and the e-Advertiser Approval Program. The NABP has applied to the Internet Corporation For Assigned Names and Numbers (ICANN) for a specific domain-name to help consumers recognize accredited online pharmacies.

To protect yourself online, experts advise consumers to:

  1. Buy drugs online from reputable stores you already know
  2. Look for NABP VIPPS and Vet-VIPPS symbols when shopping
  3. Visit AwareRX.org, which maintains lists of both NABP-recommended and not-recommended online pharmacy websites
  4. Visit SafeMedicines.org operated by the Center for Safe Internet Pharmacies (CSIP), which contains a tool for patients to check if doctors in their state purchased counterfeit cancer medications
  5. Watch this public service announcement produced by the CSIP

Download the full NABP report: "Internet Drug Outlet Identification Program Progress Report for State and Federal Regulators: April 2012" (Adobe PDF).


The Consequences When Your Data Stored In The Cloud Gets Hacked

It seems that almost everywhere you read, companies and technologists advise consumers to use the "cloud" for data storage: your data is stored remotely in Internet-connected computers hosted by third-party companies. That data can be a variety of files (e.g., music, spreadsheets, text), calendar appointments, and contact information (e.g., work email, home email, address, mobile phone, work phone). Your data can then be synced across, and easily accessed by, multiple devices: laptops, tablets, and smart phones.

What happens when there is a security breach, and your data stored in the cloud gets hacked?

This happened to Matt Honan, a former technology writer at Gizmodo, and his story can serve as a cautionary tale for all of us.

Matt uses Apple-branded products and services (e.g., MacBook Air notebook, iPad, iPhone, iCloud) and Google Mail. When his smart phone stopped working, he first thought it was a software glitch. When he tried to connect his laptop to restore from a backup, he found he couldn't log in. Then he knew it was bad:

"At 5:00 PM, they remote wiped my iPhone. At 5:01 PM, they remote wiped my iPad. At 5:05, they remote wiped my MacBook Air. A few minutes after that, they took over my Twitter... When I opened my laptop, an iCal message popped up telling me that my Gmail account information was wrong. Then the screen went gray, and asked for a four digit pin. I didn’t have a four digit pin."

The hacker had accessed his accounts and then reset his passwords. The hacker was able to access his iCloud account, remotely wipe all data from his mobile devices, delete his Gmail account, and delete his archived data. How did this happen? IT World concluded:

"... as Honan would learn during his investigation, how was the hacker able to obtain Honan's iCloud account by calling Apple support and social engineering that information from Apple? If true, this is a huge hole in Apple's security procedures, and one that puts Apple iCloud users at serious risk... Laying this all on Apple's feet would be easy to do, and there's no getting around the fact that Apple has a problem that needs to be solved. But beyond Apple, this incident also points out potential problems with the growing dependency consumers have with cloud data storage..."

Some technologists argue that what happened to Honan was a best-case scenario, because the hacker disabled Honan's devices, making it easy to determine that his devices had been hacked. More likely, hackers or spammers would not disable your devices, making it more difficult to determine whether your devices had been hacked. Instead, they would likely install malware on your computer and then use it to send spam, or use keylogging software to capture your sign-in credentials for your bank and financial accounts.

If you use the cloud for data storage, experts advise consumers:


How To Evaluate Prepaid Card Options

Perhaps you have already noticed: banks now offer a variety of prepaid cards. They are popular, too. According to a 2012 report by CardHub.com:

"Consumers loaded $57 billion onto prepaid cards in 2011, a nearly 33% increase from 2010, and that number is expected to rise by 44% to $82 billion in 2012, according to the Mercator Advisory Group. By 2013, the group predicts consumers will load $117 billion onto prepaid cards, which would mark a 200% usage increase in just three years."

With so many prepaid card options, how can a consumer pick the best card? It all depends upon your financial situation. Of course, if you have the money, opening traditional checking and savings accounts at a bank or credit union is probably the best route. There are several articles in this blog to help you decide if moving your money to a prepaid card is a wise choice.

If you are determined to use a prepaid card instead, the best card for you probably depends upon your specific financial situation: how often you are paid, how much you are paid, the format of your pay, your spending and shopping patterns, and if you perform online banking.

In its 2012 report about prepaid cards, CardHub.com presented three scenarios to help consumers evaluate and find the best prepaid card. The three scenarios:

  • Scenario 1: a person paid $2,000.00 monthly, whose employer offers direct deposit, visits an ATM once per week, expects to make five purchases per week with their prepaid card, and pays two bills per month by check.
  • Scenario 2: a person gives their teenager a $100.00 monthly allowance. The teenager visits an ATM twice per month and expects to make two purchases per week with the prepaid card. In this scenario, money is loaded onto the prepaid card from the parent's bank or PayPal account.
  • Scenario 3: a person paid weekly and earns $1,600.00 monthly, does not have the direct deposit option, and expects to make three purchases per week with the prepaid card. In this scenario, the person must load money to their prepaid card and make ATM withdrawals each week.

Of course, you can pick the scenario that matches or is closest to your financial situation. It might be that none of these scenarios adequately describe your financial situation. Maybe you have more children, earn a vastly different amount, or shop more often (e.g., groceries, lunches while at work).

Of course, you have the option to give your teenage child an allowance in cash and let him or her learn by deciding whether or not to transfer their cash to a prepaid card. Regardless, it is important for both parents and youth to learn the differences between credit cards, debit cards, and prepaid cards. Banks can charge a variety of fees on prepaid cards. Some employers offer banking services, pay their employees via prepaid cards, and administer health care spending accounts via prepaid cards.

In its 2012 report about prepaid cards, CardHub.com listed the monthly costs for various banks' prepaid cards for the above three scenarios, and which prepaid cards are not suitable. Some of the monthly costs exceed $26.00, which is a lot to pay for any banking option. So, it is wise to shop around and do your homework first. Know your pay and spending patterns, then compare prepaid cards based on your banking habits.

Whatever you decide, it is wise to revisit your decision after a few months to see if your banking habits changed. A change in pay, ATM withdrawals, out-of-network ATM withdrawals, and/or spending may make a prior decision no longer best for you:

"... every card has different fees based on the specific usage of each card. How often a person uses an ATM and how much money they load onto the card each month are the most important drivers in the cost of each card..."

If you use a prepaid card, what do you use it for? And what factors influenced your prepaid card choice?


Global Payments Takes $84 Million Charge For Its Data Breach

The Wall Street Journal reported that Global Payments' data breach will cost the company $84.4 million. Earlier this year, the Atlanta-based company experienced a data breach where payment information for about 1.5 million credit and debit cards was stolen. The breach could cost the company an additional $25 to $30 million in 2013.

There definitely are consequences when companies fail to protect sensitive consumer information.


Yahoo! Inc. Faces Lawsuit Over Its Data Breach

You may remember that earlier this year, Yahoo! suffered a data breach in which about 450,000 users' passwords were stolen. Bloomberg.com reported that Yahoo! was slapped with a lawsuit claiming negligence that led to its data breach. Allan v. Yahoo! Inc. was filed on July 31 in U.S. District Court in Northern California. Jeff Allan, the lead plaintiff in the class-action suit, reportedly received a fraud alert when hackers attempted to break into his eBay account, which had the same sign-in credentials.

 


Data Breach At EPA Affects About 8,000

The Environmental Protection Agency (EPA) announced last week a March 2012 data breach which affected about 8,000 persons. In a statement to the Washington Business Journal, the EPA said that it had notified about 5,100 current employees and about 2,000 "other individuals." The EPA did not state whether contractors were involved.

The information lost or stolen included Social Security numbers, bank account routing numbers and home addresses. The EPA has offered one year of free credit-monitoring services to breach victims.

Several news sources reported that a computer virus, possibly delivered via an e-mail attachment, caused the breach. The affected computers were reportedly hazardous-waste program servers frequently used by contractors.

It is unclear exactly why the agency took two four months to notify breach victims. The agency stated that it had performed a risk analysis about the breach, and like most other breach notices concluded that the exposed data had not yet been used fraudulently. In 2008, the EPA published its breach notification guidelines (Adobe PDF), which stated:

"... all notification for Category I PII incident should take place within (48) business hours of the completion of the risk evaluation and score determination. The time between discovery and reporting is one (1) hour. The time between reporting and risk evaluation should not exceed (48) hours... Each Category within its provided constraints should also consider legitimate time requirements of law enforcement and national security entities... the delay should not exacerbate risk or harm to the individual, Agency or related investigations..."

When it is your bank account information lost or stolen, early notification seems best so consumers can check for any fraudulent charges.

In testimony before the U.S. Senate this year, the Government Accountability Office (GAO) reported some troubling statistics about data security at federal agencies. There were 15,500 breaches during 2011, up 19.2% from 13,000 breaches during 2010.