18 posts from October 2012

Massive Data Breach In South Carolina Affects 3.6 Million Consumers

With all of the news and focus on Hurricane Sandy, you may have missed this news item. On Friday October 26, the South Carolina Department of Revenue (DOR) announced a data breach where a hacker accessed and stole information affecting 3.6 million consumers, or about 77% of the state's population. The breach victims include consumers who have filed a state tax return since 1998.

The data stolen included 3.6 million Social Security numbers, and 387,000 debit- and credit-card numbers. All except 16,000 credit card numbers were encrypted. None of the Social Security numbers were encrypted.

On October 10, the state's Division of Information Technology informed the DOR of a "potential cyber attack." With the recommendation of law enforcement, the DOR contracted with Mandiant, an information security company, to help with the breach investigation, secure the computer system, and install new equipment and software for stronger protections.

On October 16, breach investigators discovered two breaches during September and one during August. On October 20, weaknesses in the state's computer systems were closed. The state has arranged for one year of free credit monitoring and fraud resolution services with Experian ProtectMyID. Affected consumers should contact ProtectMyID online or via phone (1-866-578-5422) to see if their personal information was stolen.

By Monday October 29, about 455,000 consumers had called Experian, and about 154,000 had signed up for the ProtectMyID service. However, there have been problems and criticism of the state's response to the data breach. The complaints by consumers trying to call Experian (to see if their information was stolen) included busy phone signals, recordings, no answer, and long waits on hold.

Callers who got through successfully to Experian received a code so they could sign up online for ProtectMyID. At a Monday October 29 press conference, South Carolina Governor Nikki Haley announced the code so breach victims could sign up online for the ProtectMyID service.

If you were affected by the South Carolina data breach, please share your opinions about the state's response or the ProtectMyID service.


Data Breach Raises Questions About Whether Credit Reporting Agencies Can Adequately Protect Consumer Data

If you haven't read it, there is a good news story at Bloomberg about a recent data breach that affected not only the credit union but a broader number of consumers not affiliated with the credit union. The breach highlights the fact that identity criminals are smart and persistent.

In this breach incident, they targeted Abilene Telco Federal Credit Union and stole the credit union's ID and passwords to its Experian account. Those stolen credentials allowed the thieves to access and steal 847 consumers' credit reports. The breach highlighted the fact that instead of attacking the credit reporting agencies directly, identity criminals target the companies and lenders (e.g., banks, credit unions, auto dealers) that often buy consumer credit reports.

In the United States, the three major credit reporting agencies are Experian, Equifax, and TransUnion. However, there are many regional and local credit reporting agencies. All credit reporting agencies make money by selling credit reports to potential lenders: banks, credit unions, auto dealers, clothing stores, and similar retailers that provide credit to consumers. However, the big-three credit unions also make money by operating credit monitoring services both for consumers and for client companies' post-breach response.

Bloomberg reported that this approach by identity thieves:

"... has netted more than 17,000 credit reports taken from the agencies since 2006... The incidents were outlined in correspondence from the credit bureaus to victims in six states — Maine, Maryland, New Hampshire, New Jersey, North Carolina and Vermont. The letters were discovered mostly through public-records requests by a privacy advocate... Experian’s database was breached 80 times for a total of almost 15,500 credit reports, Equifax’s was breached four times for more than 1,200 reports, and TransUnion’s was breached two times for almost 500 reports..."

You can learn about those breaches in this blog. If a credit reporting company can't adequately protect consumers' sensitive personal information, then they don't deserve to be in business. It's that simple. And:

  • Client companies like the Abilene Telco Federal Credit Union, that allegedly fail to adequately protect sensitive data, should pay some (or all) of the post-breach management costs for all affected consumers
  • Credit reporting agencies should include mandatory, yearly data security training for their client users

What's your opinion?


Unclear About Data Brokers But Wanting Control And More Disclosure

While the U.S. Senate probes data brokers and consumer privacy issues, a recent study by Trusted ID provides some insights into how consumers view data brokers:

  • 80% of respondents do not have a good understanding of what a data broker is, what they collect and how they use information
  • About 80% of respondents state that it is important to control their data collected and archived by data brokers
  • 76% of consumers feel that it is important to be notified about information that data brokers collect
  • 80% of respondents want a centralized website to manage their information that is collected and archived by data brokers

The survey was conducted online between August 23 and September 5, 2012, with a national sample of 2,960 Americans.

Earlier this year, the data broker Spokeo paid $800,000 to settle charges by the U.S. Federal Trade Commission (FTC) that it allegedly violated the Fair Credit Reporting Act by operating as a credit reporting agency and by marketing consumers' profiles to companies in several industries without implementing methods to protect consumers as required by the FCRA. The complaint (Adobe PDF) filed by the FTC, in June 2012 in the Central District Court in California, read in part:

"Spokeo assembles consumer information from 'hundreds of online and offline sources,' such as social networking sites, data brokers, and other sources to create consumer... In its marketing and advertising, [Spokeo] has promoted the use of its profiles as a factor in deciding whether to interview a job candidate or whether to hire a candidate after a job interview. Spokeo purchased thousands of online advertising keywords including terms targeting employment background checks, applicant screening, and recruiting. Spokeo ran online advertisements with taglines to attract recruiters and encourage HR professionals to use Spokeo to obtain information about job candidates' online activities. Spokeo has affirmatively targeted companies operating in the human resources, background screening, and recruiting industries... Spokeo profiles are consumer reports because they bear on a consumer's character, general reputation, personal characteristics, or mode of living and/or other attributes listed in section 603(d), and are "used or expected to be used... in whole or in part" as a factor in determining the consumer's eligibility for employment or other purposes specified in section 604."

Consumers can conclude a couple of things from this. First, sloppy data practices by data brokers can abuse consumers' information. Second, what you share online in social networking sites can affect whether or not you get a job, or even get an interview. In the rush to make money and create new revenue streams, social networking sites now use your information in ways you didn't originally intend. The I've Been Mugged blog first reviewed Spokeo in 2010.

Download the Trusted ID survey results in the "Consumer Perspectives - Data Brokers In Review" report (Adobe PDF).


Compete Settles With FTC About Alleged Secret Tracking And Data Security

In a press release, the U.S. Federal Trade Commission (FTC) announced that it had reached a settlement with Compete Inc., a Boston-based Internet analytics firm, about alleged data collection without fully notifying consumers and failures to adequately protect the collected information. According to the FTC:

"... Compete got consumers to download its tracking software in several ways, including by urging them to join a “Consumer Input Panel” that was promoted using ads that pointed consumers to Compete’s website, www.consumerinput.com. Compete told consumers that by joining the “Panel” they could win rewards while sharing their opinions about products and services... The proposed settlement will require that Compete obtain consumers’ express consent before collecting any data from Compete software downloaded onto consumers’ computers, that the company delete or anonymize the use of the consumer data it already has collected, and that it provide directions to consumers for uninstalling its software... the settlement bars misrepresentations about the company’s privacy and data security practices and requires that it implement a comprehensive information security program with independent third-party audits every two years for 20 years."

The proposed settlement is open for comment by the public until November 19, 2012. After that time, the FTC will decide whether or not to make the proposed settlement final.


KISSmetrics To Pay About $500,000 To Settle Class Action Lawsuit

Several news sources reported that KISSmetrics, an online analytics company, agreed to pay about $500,000 to settle a class-action lawsuit, which alleged that the company used a combination of newer Internet technologies, commonly referred to as "Zombie E-tags," to track consumers without notice or consent. Reportedly, terms of the proposed settlement include a $2,500 payment to each plaintiff and $500,000 to the attorneys.

MediaPost reported:

"The proposed settlement calls for an injunction banning KISSmetrics from using ETags (or other hard-to-delete cookies) to "repopulate HTTP cookies or as an alternative method to HTTP cookies for acquiring or storing information about a user’s Web browsing activity and history, without reasonable notice and choice..."

A federal judge must approve the proposed settlement. Congratulations to the attorneys and to the plaintiffs. A second class-action lawsuit is still in play.


Federal Judge Rules Class Action Against Path Can Proceed On Several Counts

On October 17, a federal judge ruled that a class-action lawsuit against Path Inc. can proceed on several counts. Earlier this year, the class-action suit was filed in federal court in northern California for alleged unfair, deceptive, and unlawful business practices that abused consumers' privacy with a mobile device app that collected address book information without notice or consent, and allegedly had also installed tracking software on mobile devices without notice or consent.

In the lawsuit, the plaintiffs had identified three areas of harm by the Path app:

"... (1) diminished mobile device resources, such as storage, battery life, and bandwidth; (2) increased, unexpected, and unreasonable risk to the security of sensitive personal information; and (3) future costs to remove embedded code from media files uploaded through the Path App."

While the court rejected two of these three, it agreed with the plaintiffs who had documented the substantial cost to remove the tracking software from their mobile devices. The court upheld that the plaintiffs had sufficient "standing" to proceed with the class-action. This is good because courts have ruled that some prior class-action suits have failed to show the harm.

Below are the court's rulings on each of the ten (10) claims listed in the original complaint:

Plaintiffs' Claims | Court Ruling On Defendant's Motions To Dismiss
1. Violations of the Electronic Communications Privacy Act 18 U.S.C. 2510 | Granted, but claim can be included in suit if amended
2. Violations of the Stored Communications Act | Granted, but claim can be included in suit if amended
3. Violations of the California Computer Crime Law, California Penal Code § 502 | Denied
4. Violations of California’s Invasion of Privacy Act, California Penal Code 630 | Granted, but claim can be included in suit if amended
5. Violations of the California Unfair Competition Law, California Business and Professions Code 17200 | Denied
6. Invasion of Privacy and Seclusion and Public Disclosure of Private Facts | Granted, but claim can be included in suit if amended
7. Negligence | Denied
8. Conversion | Granted, but claim can be included in suit if amended
9. Trespass to Personal Property | Granted, but claim can be included in suit if amended
10. Unjust Enrichment | Denied

Download the court order (322 K bytes; Adobe PDF) in Hernandez v Path.


National Protect Your Identity Week 2012

Not sure what you can do to protect your sensitive personal information? October 20 - 27, 2012 is "National Protect Your Identity Week" (NPYIW).

The ProtectYourIDNow site contains a wealth of information for consumers, plus local events by state. I visited the website to see what's available this year. There are some interesting statistics about how consumers don't protect themselves or their sensitive personal information:

"68 percent of people with public social media profiles shared their birthday information (with 45 percent sharing month, date and year); 63 percent shared their high school name; 18 percent shared their phone number; and 12 percent shared their pet's name - all are prime examples of personal information a company would use to verify your identity."

While it may feel nice to receive birthday congratulations from your "friends" on social networking websites, the fact is that your birth date is a sensitive and critical piece of personal information that data brokers (and identity thieves) use to distinguish between multiple people with the same name. Experts warn consumers to stop doing these seven things on Facebook and other social networking websites. Some other interesting statistics:

"Seven percent of Smartphone owners were victims of identity fraud... 32 percent of Smartphone owners do not update to a new operating system when it becomes available; 62 percent do not use a password on their home screen... 32 percent save login information on their mobile device... Young adults, aged 18-24, took the longest to detect identity theft - 132 days on average... the average cost ($1,156) was roughly five times more than the amount lost by other age groups... Children may be 51 times more likely than adults to have their identity stolen..."

The NPYIW website includes tips to protect yourself, informative videos, advice about what to do if you are a victim of identity theft and fraud, and an online quiz to test your knowledge about identity theft and fraud. Sponsors of NPYIW include the National Foundation for Credit Counseling, the National Sheriffs Association, the National Association of Triads, the Consumer Federation of America, the Council Of Better Business Bureaus, the U.S. Federal Trade Commission (FTC), the Identity Theft Resource Center, the National Crime Prevention Council, the Credit Union National Association, and many others.

Did you attend an NPYIW event? If so, share your experience below.


California AG Asks United Airlines To Provide A Privacy Policy With Its Mobile Device App

Recently, Kamala Harris, the Attorney General for the State of California, posted the following on her Twitter feed:

"@KamalaHarris Fabulous app, @United Airlines, but where is your app’s #privacy policy? http://1.usa.gov/SWGCTm"

A quick scan of United Airlines' Twitter feed did not find a reply by the airline to the AG's request. Harris' request refers to a 2004 law in California requiring website operators that collect consumers' personal information to post a privacy policy on their websites. While that law predates mobile device apps, Harris' request highlights an important privacy and data security situation. Prior studies have documented privacy abuses by mobile device apps, and either lacking or sporadic access to apps' privacy policies both before and after a user installs an app.

Of course, a privacy policy won't prevent a data breach or prevent abuse of consumers' sensitive personal information, but it is an important disclosure tool, like food labels, to help consumers:

  • Understand what data is collected, archived, and shared with other companies by a product or service,
  • Utilize any opt-out or opt-in service settings,
  • Begin to evaluate whether or not a company complies with its own privacy policy, and
  • Compare data security offerings between competitive products or services

One could argue that given the privacy abuses, privacy policies are even more important for mobile device users. With a traditional desktop or laptop device, there are usually two parties involved: the consumer and the website he/she is visiting. With mobile devices, there are more parties involved: the mobile device manufacturer, the mobile device operating system developer, the app developer, the telecommunications provider, and the app store. It's critical for consumers to know which party's privacy policy applies; and an opportunity to streamline, consolidate, and reduce the number of privacy policies.

Now that Harris has highlighted the issue, it is an opportunity for the California legislature to amend its state's laws to include apps; and for legislatures in other states to do the same.

What's your opinion of Harris' request? What's your view of privacy policies for mobile device apps?


Massive Data Breach At IEEE Affects 100,000 Members

Late last month, the IEEE (Institute of Electrical and Electronics Engineers) experienced a massive data breach affecting 100,000 of its members. The breach left the usernames and passwords of its members exposed in plain text for a month.

An independent security researcher discovered the breach and notified the organization on September 24. On September 25, the IEEE confirmed the breach.

The breach is an embarrassment for the IEEE, which describes itself on its website as:

"... the world’s largest professional association dedicated to advancing technological innovation and excellence for the benefit of humanity."

Basic data security methods include the encryption of sign-in credentials. CSO Online reported:

"Torsten George, vice president of worldwide marketing and products for Agiliance, a security risk management firm, called it 'plain stupid.' Paul Ducklin, writing at Sophos' Naked Security blog, called it, 'a veritable security disaster'... A number of IEEE members were also failing to use basic security... seven of the top-10 most popular passwords were combinations of the number string '1234567890,' in order. Others in the top 20 included 'password' and 'admin'..."


How To Lock Down Your iOS Mobile Device

Apple iPhones are very popular, and too many consumers believe that they won't get malware (or risky apps) on their Apple devices. You may not, but your device might be lost or stolen.

For those who value data security and want to protect their sensitive personal information (and that of the friends/colleagues in their address book), below is a tutorial from the security pros at Threatpost about how to lock down your iOS mobile device:


Massive Data Breach At TD Bank Affects 260,000 Consumers

Several news outlets have reported about a massive data breach at TD Bank, affecting about 260,000 persons from Maine to Florida. The affected consumers include 35,000 in Maine, 3,000 in Florida, 73,000 in Massachusetts, and 43,000 in New Hampshire. According to the CBS affiliate in Philadelphia, most breach victims -- about 150,000 -- are in states in the New England region of the USA.

The bank is notifying affected customers via letters. In a breach notice sent to the New Hampshire Attorney General (Adobe PDF), the bank said:

"We have determined that personal information of New Hampshire residents was included on two data backup tapes that we shipped to one of our locations in late March 2012. The tapes have been missing since then, and we have been unable to locate them..."

The sensitive personal information exposed/stolen includes full names, addresses, Social Security numbers, bank account numbers, birth dates, and driver's license numbers. The bank is offering breach victims one year of free credit monitoring services via ITAC Sentinel Plus.

In a statement, Martha Coakley, the Massachusetts Attorney General, said:

"The loss of these tapes potentially puts the personal information of thousands of Massachusetts consumers at risk, and we remind consumers to take appropriate steps to protect themselves... We will be reviewing the circumstances of this breach and the steps that TD Bank is taking to address the loss."

A close review of the bank seems appropriate, since banks are not supposed to lose things, since they are entrusted with valuable items. And, this is not the bank's first data breach:*

  • March 2011: "insider identity theft" involving an employee that sold the account information of about 10 customers causing about $39,000 in fraudulent charges
  • March 2010: a fraud ring, using a former employee, stole and sold the account information of customers to accomplices who then stole about $200,000 from bank accounts

This breach sounds similar to what I experienced in 2007 with IBM, where computer data tapes were lost or stolen during shipment from its headquarters to an off-site storage facility. That breach sounded like theft, as does the recent TD Bank breach. Vendors don't just accidentally lose computer tapes. Misplace them, perhaps. Lose, no.

Things I noticed that the TD Bank breach notice to its affected customers lacked:

  • If a vendor or contractor was involved with transporting the missing/stolen computer data tapes, the corrective actions the bank is taking with this vendor to avoid a repeat of this breach
  • If an employee was involved with transporting the missing/stolen computer data tapes, the internal employee training and data security methods the bank is taking to avoid a repeat of this breach. Sadly, there are numerous breaches where company employees left data tapes unsecured in parked autos.
  • Notice about how results of its breach investigation will be communicated to breach victims
  • Whether or not the data on the tapes was encrypted; and if it wasn't encrypted why not
  • An explanation of why only 12 months of free credit monitoring, when the usability of stolen personal information is far longer

*Note: breach history from Privacy Rights Clearinghouse.


Massive Data Breach At Northwest Florida State College Affects About 300,000 Persons

Last week, officials at Northwest Florida State College (NWFSC) announced a data breach that affected more than 275,000 persons. The affected persons include about 76,500 current and former students, 200,000 Bright Futures scholars, and 3,200 employees.

The breach occurred between May 21 and September 24, 2012, and included the unauthorized access of one of the school's computer servers. The sensitive personal data exposed/stolen includes full names, addresses, birth dates, and Social Security numbers. The Bright Futures persons affected include students during the 2005-06 and 2006-07 academic years. The data exposed/stolen about Bright Futures students includes full names, birth dates, Social Security numbers, ethnicity and gender. NWFSC announced that no student academic files were compromised.

The data exposed/stolen about employees included full names, Social Security numbers, birth dates, banking direct-deposit account numbers, addresses, phone numbers, and college email addresses. A breach investigation is ongoing, where NWFSC has hired an unnamed technology consultant, and is working with local law enforcement. According to a press release:

"The college is coordinating its efforts with the Division of Florida Colleges in the Department of Education to formally notify all students impacted by the data breach."

Northwest Florida State College has contracted with an external consultant, to ensure the college’s data remains safe and secure. Further, the Okaloosa County Sheriff’s Office cybercrimes unit continues to investigate the matter with assistance from the Florida Department of Law Enforcement.

NWFSC advises affected persons:

"... individuals who notice improper use of their Social Security number and believe they may be the victim of identity theft should contact the Federal Trade Commission at www.ftc.gov/idtheft or at 1-877-ID-THEFT (438-4338). Affected persons may also call the local sheriff’s office and file a police report of identity theft, keeping a copy of the police report."

In an Oct. 8, 2012 memo to employees (Adobe PDF), NWFSC said:

"... one or more hackers accessed one folder on our main server. This folder had multiple files on it. No one file had a complete set of personal information regarding individuals. However, by working between files, the hacker(s) have been able to piece together enough information to be able to engage in the theft of identity of at least 50 employees..."

The memo to employees outlined three specific identity theft and fraud actions by the thieves:

"The first is to use PayDayMax, Inc. as a conduit for taking out a personal loan which is repaid by debiting your bank account. The second is the same process using Discount Advance Loans. The third is to apply for a Home Depot Credit Card in an employee’s name and then use that card..."

Given this active identity fraud, both students and employees should take the threat seriously, and take immediate actions to check their credit reports at the three major credit-reporting agencies; and place a Fraud Alert or Security Freeze if appropriate. Plus, NWFSC should offer breach victims free credit monitoring and resolution services for at least two years.


Equifax And Its Customers To Pay $1.6 Million In FTC Settlement About Alleged Improper List Sales

This morning, the U.S. Federal Trade Commission (FTC) announced that Equifax Information Services LLC, the credit reporting agency, and some of its customers, had agreed to pay $1.6 million to settle allegations about the improper sales of customer lists between January 2008 and early 2010. In a lawsuit (Adobe PDF) filed in U.S. District Court in Southern California, the FTC alleged that the sales of customer lists violated the Fair Credit Reporting Act (FCRA):

"Defendants buy and sell “prescreened lists,” which are lists of consumers that meet certain pre-selected credit criteria. For example, in this case, Defendants bought and sold “prescreened lists” of consumers who were, among other things, 30, 60, or 90 days late on their mortgage payments... Information such as whether a consumer is 30, 60, or 90 days late on their mortgage bears on, among other things, a consumer’s credit worthiness and credit standing and is used or expected to be used as a factor in determining a consumer’s eligibility for credit. Section 604(f) of the FCRA, 15 U.S.C. §1681b(f), prohibits persons from using or obtaining consumer reports in the absence of a “permissible purpose.” In addition, Section 607(e) of the FCRA, 15 U.S.C. § 1681e(e), requires persons who procure consumer reports for resale to establish and comply with reasonable procedures designed to ensure that the consumer reports are only resold for a permissible purpose. The only permissible purpose for using a prescreened list is to make a firm offer of credit or insurance..."

The following companies and individuals were named as defendants in the complaint:

  • Equifax Information Services
  • Direct Lending Source, Inc., based in Key Largo, Florida
  • Bailey & Associates Advertising, Inc., based in Florida and with in El Paso, Texas and San Diego, California
  • Virtual Lending Source, LLC, based in San Diego, California
  • Robert M. Bailey, Jr., the Executive Vice President of Direct Lending, Bailey & Associates, and Virtual Lending
  • Linda Giordano, President of Direct Lending, Bailey & Associates, and Virtual Lending and an owner of Bailey & Associates and Virtual Lending

Terms of the settlements require Equifax to pay $393,000 for alleged inadequate procedures that led to the sale of lists of consumer information to companies that it should not have sold the information to. According to the FTC, Equifax sold more than 17,000 prescreened lists of consumers to companies including Direct Lending Source, Inc., which subsequently resold some lists to third parties, who used their data to pitch loan modification and debt relief services to people in financial distress. Direct Lending Source will pay a $1.2 million civil penalty, and will be barred from using or selling prescreened lists.


States' Attorneys General Urge Congress To Reject Payday Lender Bill

On Friday, several states' Attorneys General announced that they had sent a letter to Congressional leaders urging them to oppose HR 6139, known as the Consumer Credit, Access, Innovation, and Modernization Act. The letter read in part:

"Most states have enacted laws and rules to regulate short term lending, including payday loans. Many of these states have chosen to strike a regulatory balance that preserves access to alternative forms of credit while protecting consumers from repeated debt cycles and other pitfalls associated with such products. H.R. 6139 would turn back existing consumer protections... H.R. 6139 would give nonbank financial services providers – including payday lenders, installment lenders, car-title lenders, prepaid-card issuers, check cashers, and others – access to a federal charter issued by the Office of the Comptroller of the Currency. The bill would totally preempt state licensing laws for nonbank financial services providers... In place of state safeguards, the bill would establish only minimal consumer protections... the bill establishes no standards for determining a consumer’s ability to repay. Moreover, the bill would exempt loans with terms of one year or less from the disclosure requirements of the Truth in Lending Act – the universal standard for measuring the true cost of credit – and substitute a cost metric that is confusing and misleading..."

The letter was sent on Friday October 5, 2012 to House Speaker John Boehner, House Minority Leader Nancy Pelosi, Senate Majority Leader Harry Reid, and Senate Minority Leader Mitch McConnell. 41 states' Attorneys General signed the letter, including Guam and Puerto Rico.

In Congressional testimony during July 2012, the Office of the Comptroller of the Currency (OCC) stated its concerns:

"The effective result of H.R. 6139 would be to create a class of federally chartered companies (National Consumer Credit Corporations, hereinafter referred to as “NCCCs” or “companies”) focused on consumer credit products of the very nature and character that the OCC has found unacceptable based on consumer protection and safety and soundness concerns. In particular, it is our experience that the profitability of many of the types of small dollar, short-term loans that NCCCs would likely seek to offer is dependent on effectively trapping consumers into a cycle of repeat credit transactions, high fees, and unsustainable debt... The bill will result in a decrease in protections for categories of consumers that may be the most vulnerable. We have ample evidence from the recent financial crisis that the goal of enhanced access to financial products and services must be coupled with assurances that those consumers are subject to meaningful consumer protections and that the firms offering those products and services must do so on a prudent, safe, and sound basis. In this regard, the Consumer Financial Protection Bureau (CFPB) has been provided the authority to issue rigorous, uniform, and nationally-applicable consumer protection standards for financial products and services. It is important that the types of products envisioned for NCCCs not be carved out of coverage of CFPB-administered lending standards..."

There are plenty of examples of this cycle of repeat credit transactions, high fees, and unsustainable debt. In February 2009, CBS News reported on the payday lending industry:

"They've now grown into a $59 billion industry. But six states - Arkansas, Georgia, New Hampshire, North Carolina, Ohio and Oregon as well as the District of Columbia - have now effectively banned these loans... there are 24,000 payday lending stores in America - more than Starbucks and McDonald's combined. They provide 19 million American households a quick way to make ends meet... A typical customer takes out about eight payday loans a year..."

CBS News reported in April 2009:

"The payday loan industry, threatened by Congress with extinction, has deployed well-connected lobbyists and hefty sums of campaign cash to key lawmakers to save itself. The strategy has paid off."

This 2011 news report explained how many payday lenders charge unbelievably high interest rates. Last month, the City of San Francisco negotiated a settlement with payday lender Money Mart (a/k/a Loan Mart), which agreed to pay $7.5 million to reimburse consumers for alleged illegal lending activities and interest rates as high as 400 percent. Consumers eligible to receive reimbursements may receive payments ranging from $20 to $1,800.

The letter caught my interest for three reasons. First, it seems to unnecessarily avoid the CFPB. Second, it mentioned prepaid-card issuers, which this blog has covered extensively. Banks and non-bank prepaid-card issuers have targeted the same market as payday lenders: consumers who have a checking or savings account but not both (e.g., underbanked), or who have neither (e.g., unbanked). About 8 percent of U.S. households are unbanked, and 20 percent are underbanked. Unbanked and underbanked households are typically non-Asian minorities, low-income, young, and unemployed.

Third, anytime a proposed Congressional bill mentions both "modernization" and financial services, a closer inspection is usually wise. (The Gramm-Leach-Bliley Act, which repealed Glass-Steagall, comes to my mind.) Things often get modernized for some, not for others who really needed it, and there are always unintended consequences. One of the OCC's concerns is money-laundering, which is connected to a host of other global ills. Legislation that creates a new class of financial institutions needs to be well constructed, closely reviewed, and adequately discussed publicly.

The Attorneys General's letter to Congress is available at the Illinois Attorney General website (Adobe PDF). Download H.R. 6139 (Adobe PDF) and see page 24, lines 3 through 8. That's a deal breaker. And, I suggest that you read the full testimony about H.R. 6139 by the OCC Deputy Comptroller of Compliance Policy (Adobe PDF).

You've Been 'Mugged' In An Auto Accident Insurance Scam. What To Do Next?

Recently, an I've Been Mugged reader wrote asking what to do. She had been the innocent victim in an auto insurance scam:

"Two days ago, I was surprised to find myself in a situation that I believe is a clever scam. It involves auto insurance and a trumped up claim. Although the situation is still unfolding, and my carrier may not pay once they investigate, I am shaken at being on the business end of such a scheme. I'm afraid to drive. I feel unsafe because this person has my address and who knows what else such a person might do."

While I had heard about these scams, I have never been involved in an auto accident insurance scam. And, I had not thought about an insurance claim scam as also being a potential identity theft risk. It stands to reason that if some criminals are willing to stage a bogus accident, intentionally cause a collision, and/or submit bogus medical claims after an accident, then they are also willing to abuse the other driver's personal data.

So, what should consumers do to protect themselves? What can consumers do to protect themselves after a staged accident?

First, I did some online research to learn about the types of auto insurance scams. My thinking is that by understanding them, it would be easier to recognize them and not get tricked. The Allstate Insurance page lists the types of auto insurance scams and fraud schemes:

  • Swoop & Squat
  • Sideswipe
  • Shady Helpers

I am not going to repeat the scam descriptions here. You can visit the site and read them for yourself. Some are intentional collisions. Sadly, criminals will stage bogus accidents or cause intentional collisions. In 2010, Florida led the nation in the number of complaints about insurance fraud related to staged accidents.

Second, I found that auto insurance company websites often provide advice for their policyholders about how to protect themselves, and what to do if they suspect fraud. The State Farm site lists the types of auto insurance frauds and provides instructions for its policyholders:

"To report suspected insurance fraud, call State Farm or the National Insurance Crime Bureau (NICB) hotline: 1-800-TEL-NICB / 1-800-835-6422"

So, if you suspect fraud, you should inform both your auto insurance company and the NICB. I visited the NICB website to learn more.

The NICB, based in Des Plaines, Illinois, is a non-profit organization dedicated to preventing, detecting, and defeating insurance fraud and vehicle theft. The NICB works with more than 1,100 property and casualty insurance companies. The NICB offers an Apple iPhone app for consumers to report suspected insurance fraud.

According to the NICB, staged accidents occur in every state in the nation. In 2010, the top five cities with the most staged accidents and related auto insurance fraud schemes were:

  1. New York, New York
  2. Tampa, Florida
  3. Miami, Florida
  4. Orlando, Florida
  5. Houston, Texas

And, the top five states were:

  1. Florida
  2. New York
  3. California
  4. Texas
  5. Illinois

The NICB also describes the types of auto insurance scams:

  • Swoop & Squat
  • Sideswipe
  • Panic Stop
  • Drive Down

While at the site, I downloaded the NICB Staged Automobile Accident Fraud brochure (Adobe PDF) to learn more. It sounded to me like the I've Been Mugged reader had experienced a "Drive Down" scam.

The NICB also offers a really good flyer for consumers about what to do after an auto accident. Download the Accident Checklist (Adobe PDF). The NICB advises consumers to:

  • Tend to the injured. Call emergency and/or ambulance personnel if needed
  • Keep a disposable camera in your auto. Take photos of the entire accident scene, and damage to your car, the other car(s), and any buildings affected. Take photos of all cars' license plates and Vehicle Identification Numbers.
  • Notify the police immediately, and call them to the scene
  • Get the information (e.g., name, address, phone, insurance certificates) of all other drivers involved, and of any witnesses. Either write down the information, or take photos of any documents, especially if the driver is not the registered owner of the other car
  • Notify your insurance company immediately
  • Don't disclose your Social Security Number or bank account information

If you suspect that others involved in the (staged) accident have abused your personal information or committed identity fraud, file a report with local police and get a copy of that police report. I have used the Identity Theft Resource Center (ITRC) website before, and highly recommend it. The site provides plenty of information and advice for a variety of identity theft and fraud situations. If you suspect other drivers in the (staged) accident are abusing your personal information, then Fact Sheet 110 seems to apply. It makes sense to file fraud complaints with your insurance company and with the U.S. Federal Trade Commission (FTC).

If you are feeling particularly vulnerable, you might arrange a consultation with an attorney to get advice about what to do next. Get an attorney referral from somebody you trust and know. I also visited the websites for several states' Attorney General offices, as these websites often contain advice and resources for consumers. For example, the New York State Attorney General website provides advice for consumers about how to fight auto insurance fraud.

I am sure that some I've Been Mugged readers have opinions or experience with auto insurance claim scams. If you were a victim in a staged-accident auto insurance scam, what did you do to protect yourself? What resources did you find most helpful?


PlaceRaider: Part Of The New Class Of 'Visual Malware'

You may remember news stories during past years where thieves used the Google Earth service to find buildings with valuables on the outside -- roofs made with precious metals, so they could return at night to steal the metal and resell the stolen goods for a profit. Now, imagine a scenario where thieves take over the camera in your smart phone (or tablet) to find valuable items inside homes, to return later when you are away or at work to steal the items they remotely recorded on video.

This sounds like science fiction, eh? Or maybe a fictional episode of NCIS?

Well, it's not science fiction. It's science fact, and the software is available today.

A reader alerted me to an article in Technology Review about PlaceRaider, an Android app created to secretly record victims' personal spaces through their mobile devices. With the secretly recorded video, the user can create a three-dimensional virtual model of the recorded space:

"... Robert Templeman at the Naval Surface Warfare Center in Crane, Indiana, and a few pals at Indiana University reveal an entirely new class of 'visual malware' capable of recording and reconstructing a user's environment in 3D. This then allows the theft of virtual objects such as financial information, data on computer screens and identity-related information... the malware would be embedded in a camera app that the [victim] would download and run..."

The military applications of this are obvious. It's a stealth method to gather intelligence by recording the battlefield (or urban landscape) before the battle by using malware installed in the enemy's mobile devices. An accurate 3-D virtual model, complete with tools and papers lying about, would enable military officials to plan a more effective and efficient attack -- and know ahead of time what documents to look for and to capture.

An app like this in the hands of identity criminals would be equally devastating. It could secretly record a victim's home office, small business office, doctor's medical records storage area, or similar sensitive interior space. Did you leave credit- or debit cards lying about on your desk or bedroom dresser? PlaceRaider could record the account numbers lying exposed. Did you leave your online banking screen open on your desktop computer monitor? PlaceRaider could record that, too.

Meanwhile, what's a consumer to do? All of the usual steps:

  • Be careful about the apps you download. Look for trustworthy apps with privacy policies that they comply with
  • Install and maintain anti-virus apps on your mobile device(s)
  • Password protect your mobile device(s)
  • Be careful about which WiFi hotspots you use your mobile device at, just as you would with any other computing device
  • Use a mobile VPN connection when appropriate
  • Use strong passwords, and change them every 90 or 120 days
  • Don't use the same password for all of your online accounts and devices
  • Place masking tape over your mobile device's camera lens when not using it for long periods.

Maybe some time soon, mobile device manufacturers will get smart and build lens covers into their mobile devices.


American Express Centurion Bank To Pay $112 Million To Settle Deceptive Credit Card Marketing And Debt Collection Practices

American Express Centurion Bank has agreed to pay $112 million to settle allegations of deceptive credit card marketing and debt collection practices. The Consumer Financial Protection Bureau (CFPB) and the Federal Deposit Insurance Corporation (FDIC) announced the settlement this week.

The FDIC, the Utah Department of Financial Institutions (UDFI), the CFPB, the Office of the Comptroller of the Currency (OCC), and the Board of Governors of the Federal Reserve System had all taken separate actions against the bank. The settlement agreement requires the bank to pay $85 million to reimburse more than 250,000 affected consumers, and to pay $27 million in civil penalties.

The investigations found violations between 2003 and the spring of 2012. The affected consumers included people who had signed up for the American Express "Blue Sky" credit card program. The bank promised them $300 in bonus points that were never provided. According to the CFPB:

"... American Express Centurion Bank and American Express Bank, FSB billed late fees on certain cards based on a percentage of the debt in violation of the Credit CARD Act... American Express Centurion Bank used a credit scoring system that treated charge card applicants differently on the basis of age. For a period of time, the bank did not fully implement the system for applicants over the age of 35. This violated the Equal Credit Opportunity Act because it requires credit scoring systems that take age into account to be properly designed and implemented... American Express Centurion Bank and American Express Bank, FSB failed to report the existence of certain customer disputes to credit bureaus, which is a violation of the Fair Credit Reporting Act... All three of the American Express subsidiaries deceived consumers into believing there were certain benefits to paying off old debt. Consumers were wrongly told that if they paid off the old debt, the payment would be reported to credit bureaus and could improve their credit scores. In fact, American Express was not reporting the payments and the debts were so old that even if they had tried to report them, many of the payments would not have appeared on these consumers’ credit reports or affected their credit scores..."

American Express Centurion Bank, a subsidiary of American Express Travel Related Services Inc., is based in Salt Lake City, Utah. In a press release, the CFPB emphasized that affected consumers do not need to do anything to receive payments:

"...If the consumer no longer holds the American Express card, American Express will mail a check or credit any outstanding balance. Customers who were promised $300 for signing up for a Blue Sky Credit Card will get the $300. Consumers who paid an illegal late fee will be reimbursed, with interest. Consumers who paid old debt in response to deceptive promises to report payment to credit bureaus will be reimbursed the money they paid plus interest. Consumers who were promised their debt would be forgiven but were denied new American Express cards because the debt was not really forgiven, will receive $100 and a pre-approved offer for a new card with terms we and the FDIC find acceptable. If the consumer already paid the waived or forgiven amount in order to get a new card, they will be refunded that amount plus interest."

[Correction: an earlier version mentioned $102 million. The correct amount of reimbursements and penalties equals $112 million.]


Anthem Blue Cross Settles With California Attorney General Over Data Breach

Everyone who is security conscious knows that a business should never print consumers' Social Security numbers on health care identification cards, statements, and letters. Doing so facilitates identity theft, fraud, and medical identity theft -- a big help for identity thieves.

Yesterday, the California Attorney General announced both a lawsuit and settlement involving Blue Cross of California, which operates under the name Anthem Blue Cross. The lawsuit, filed in Los Angeles Superior Court today along with the settlement, alleged that Anthem printed Social Security numbers on letters it mailed to more than 33,000 subscribers between April 2011 and March 2012. The lawsuit claimed that this violated state law prohibiting the disclosure of Social Security numbers. After the breach, Anthem offered those subscribers one year of free credit monitoring.

This blog has discussed repeatedly how the risk of identity theft doesn't end after a year or two - typically the period businesses offer breach victims free credit monitoring services. Identity criminals will use stolen credentials until they know the credentials are no longer usable.

Terms of the settlement include a $150,000 payment and:

"... requires Anthem to implement new technical safeguards for its data management system, restrict employee access to members’ Social Security numbers and provide enhanced data security training for all of its associates."

The fine seems light since this is not the first breach involving Anthem. A breach of the company's website in June 2010 affected about 470,000 subscribers nationwide.