
16 posts from January 2014

Consumer Confidence In Online Privacy Falls Again

TRUSTe, a global data privacy firm, released this week the results of its 2014 U.S. Consumer Confidence Index. Key findings:

  • Trust continues to fall: 55 percent of U.S. Internet users trust companies with their personal information online, compared with 57 percent in January 2013 and 59 percent in January 2012
  • Business impact remains high: 89 percent of U.S. Internet users say they avoid companies that do not protect their privacy, compared with 89 percent in January 2013 and 88 percent in January 2012
  • Consumers' concerns about online privacy remain high: 92 percent of U.S. Internet users say they worry about their privacy, compared to 89 percent in January 2013 and 90 percent in January 2012
  • 76 percent of users are more likely to check Web sites and apps for privacy certifications and seals

Harris Interactive conducted the online survey of 2,019 adults for TRUSTe during December 2013. Chris Babel, CEO of TRUSTe, said:

"Even with all the media coverage of government surveillance programs such as the NSA’s PRISM, more consumers remain concerned about businesses collecting their information with only 55 percent regularly willing to share their personal data online. These findings send a clear signal that business data collection, not government activity, is the main driver for increased privacy concerns... While some businesses are taking steps today to address privacy concerns, many are not, and the bar is rising."

Good. A raised bar is a good thing.

In its press release, TRUSTe announced:

"74 percent of U.S. internet users are more concerned about privacy than a year ago and more users cite business data collection, than government surveillance programs, as the reason for the increase in their concerns."

So, consumers are afraid for their privacy with both, and more afraid for their privacy with companies. Both company and government executives would be wise to heed this advice about collecting consumers' sensitive personal information:

If you collect it, tell consumers and protect it. If you can't (or won't) tell consumers nor protect it, then don't collect it.

View results from the 2014 TRUSTe Consumer Confidence Index. View results from the 2013 TRUSTe Consumer Confidence Index.

How To View The Many Companies That Track You On Facebook, And Stop The Tracking

If you use Facebook, then you probably use the apps the social networking service offers. If you don't use Facebook apps, then your friends probably do. Those apps collect your sensitive personal information and track your online usage across the Internet, both at the Facebook site and elsewhere. So, it's important to know which apps, and which companies behind them, are tracking you.

You can control how much of your sensitive personal information is shared with Facebook apps, and disable the Facebook software that allows apps to work with your profile and personal data.

Visit the Facebook page about Web site and mobile ad cookies that track your online usage. There is a button on this page to opt out of the tracking. However, Facebook made the opt-out needlessly difficult. Why? First, it is not a global opt-out: you have to opt out in every different Web browser you use Facebook with. Second, the opt-out is itself stored in a browser cookie, so you undo it whenever you delete your Web browser cookies. Facebook's approach is Facebook being Facebook: doing whatever it can to keep its users sharing as much personal information as possible. That's in Facebook's best interests, and not necessarily yours.

There are several software products and browser add-ons to help consumers delete Web browser cookies and the other types of tracking files (often called Locally Shared Objects, super cookies, Flash cookies, or "zombie cookies") that Web sites store on your computer, smart phone, or tablet. Many people delete these files daily to maintain as much privacy as possible on the Internet. If you do, remember that the deletion also wipes out a cookie-based opt-out like Facebook's, so you have to set the opt-out again afterward.

Read this article and this blog post to learn about how Facebook tracks your online usage across the Internet and away from the Facebook site. This extensive tracking is one reason why I didn't enable the Facebook Comments Plugin for comments on this blog.

This Business Insider article includes instructions to view and edit your Facebook apps privacy settings.

The 'Mobile Surge' With Angry Birds And Your Mobile Devices

You probably love your smart phones. Spy agencies do, too. Yesterday, the Guardian UK reported on surveillance programs targeting mobile video games, including "Angry Birds." Both the National Security Agency (NSA) and Britain's Government Communications Headquarters (GCHQ) spy agencies operate such programs. The New York Times reported the two spy agencies:

"... were working together on how to collect and store data from dozens of smartphone apps by 2007, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor. Since then, the agencies have traded recipes for grabbing location and planning data when a target uses Google Maps, and for vacuuming up address books, buddy lists, phone logs and the geographic data embedded in photos when someone sends a post to the mobile versions of Facebook, Flickr, LinkedIn, Twitter and other services... The efforts were part of an initiative called “the mobile surge,” according to a 2011 British document, an analogy to the troop surges in Iraq and Afghanistan..."

Read this blog post to learn about the metadata embedded in your photographs. So, it's not just people who play Angry Birds. In this extensive government spying, we are all targets.

You are probably thinking to yourself, "That's no big deal. I'm only playing a video game on my smart phone (or tablet). No way would mobile game playing interest a spy agency." Well, they are interested. Big time.

The Guardian UK explained why spy agencies have targeted mobile device usage for data collection:

"Exploiting phone information and location is a high-priority effort for the intelligence agencies, as terrorists and other intelligence targets make substantial use of phones in planning and carrying out their activities, for example by using phones as triggering devices in conflict zones. The NSA has cumulatively spent more than $1bn in its phone targeting efforts."

The two spy agencies have targeted "leaky apps" that collect plenty of your personal information. Why? It's an efficient way to collect a lot of information about a lot of people, without having to target specific individuals' mobile devices. Plus, most consumers are blissfully unaware that their mobile devices collect and report back to the app developers sensitive data about them. And, some apps are more leaky than others. The spy agencies collect users' sensitive personal data in transit, as the mobile game apps transmit the information over the wireless telecommunications networks.

The sensitive data your mobile game collects and reports can cover your geolocation (e.g., where you are physically), the time, and descriptive information about your mobile device (e.g., brand, model, screen size, operating system, etc.). If the mobile game accesses your address book, then it collects and transmits information about your contacts (e.g., the people you communicate with regularly) and friends you play the game with. Think of this as metadata about your mobile game playing.
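It helps to see once what "geographic data embedded in photos" and "descriptive information about your mobile device" look like at the byte level. The following Python is an added example, not code from this blog, the Guardian, or the leaked documents. It constructs a minimal Exif (TIFF) blob of the kind a camera app writes into a JPEG's APP1 segment, containing the Make and Model tags and a GPS sub-IFD, then reads the coordinates back and rebuilds the blob without them. The camera make, model and coordinates are made up, and only the little-endian layout with the three tag types used here is handled; a real photo carries dozens more tags.

```python
import struct

# TIFF field types and the Exif/GPS tags used in this constructed example.
ASCII, LONG, RATIONAL = 2, 4, 5
TYPE_SIZE = {ASCII: 1, LONG: 4, RATIONAL: 8}
TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _ifd(entries, base):
    """Serialize one IFD placed at absolute offset `base`.
    entries: [(tag, type, payload_bytes)]. Payloads of 4 bytes or less are stored
    inline in the 12-byte entry; longer ones go in a data area after the IFD."""
    header_len = 2 + 12 * len(entries) + 4          # count + entries + next-IFD offset
    out, data = struct.pack("<H", len(entries)), b""
    for tag, typ, payload in sorted(entries):        # TIFF requires ascending tag order
        count = len(payload) // TYPE_SIZE[typ]
        if len(payload) <= 4:
            out += struct.pack("<HHI", tag, typ, count) + payload.ljust(4, b"\0")
        else:
            out += struct.pack("<HHII", tag, typ, count, base + header_len + len(data))
            data += payload
    return out + struct.pack("<I", 0) + data


def _dms(deg):
    """Decimal degrees -> three RATIONALs (deg/1, min/1, sec*1000/1000), as cameras write them."""
    d = int(deg)
    m = int((deg - d) * 60)
    s = round(((deg - d) * 60 - m) * 60 * 1000)
    return struct.pack("<IIIIII", d, 1, m, 1, s, 1000)


def build_exif(make, model, lat=None, lon=None):
    """Little-endian TIFF header, IFD0 with Make/Model, optional GPS sub-IFD."""
    tiff = b"II" + struct.pack("<HI", 42, 8)          # byte order, magic 42, IFD0 at offset 8
    ifd0 = [(TAG_MAKE, ASCII, make.encode() + b"\0"),
            (TAG_MODEL, ASCII, model.encode() + b"\0")]
    if lat is None:
        return tiff + _ifd(ifd0, 8)
    # The GPS IFD follows IFD0; size IFD0 with a placeholder pointer to find its offset.
    gps_off = 8 + len(_ifd(ifd0 + [(TAG_GPS_IFD, LONG, b"\0\0\0\0")], 8))
    ifd0.append((TAG_GPS_IFD, LONG, struct.pack("<I", gps_off)))
    gps = [(GPS_LAT_REF, ASCII, (b"N" if lat >= 0 else b"S") + b"\0"),
           (GPS_LAT, RATIONAL, _dms(abs(lat))),
           (GPS_LON_REF, ASCII, (b"E" if lon >= 0 else b"W") + b"\0"),
           (GPS_LON, RATIONAL, _dms(abs(lon)))]
    return tiff + _ifd(ifd0, 8) + _ifd(gps, gps_off)


def _read_ifd(blob, off):
    """Return {tag: (type, payload_bytes)} for the IFD at `off`."""
    (n,) = struct.unpack_from("<H", blob, off)
    tags = {}
    for i in range(n):
        entry = off + 2 + 12 * i
        tag, typ, count, raw = struct.unpack_from("<HHII", blob, entry)
        size = count * TYPE_SIZE[typ]
        start = entry + 8 if size <= 4 else raw       # inline value or offset into data area
        tags[tag] = (typ, blob[start:start + size])
    return tags


def _to_deg(payload, ref):
    d, dd, m, md, s, sd = struct.unpack("<IIIIII", payload)
    deg = d / dd + m / md / 60 + s / sd / 3600
    return -deg if ref in (b"S", b"W") else deg


def read_exif(blob):
    """Extract make, model and, if present, decimal (lat, lon) from the blob."""
    assert blob[:4] == b"II\x2a\x00", "this example handles little-endian TIFF only"
    ifd0 = _read_ifd(blob, struct.unpack_from("<I", blob, 4)[0])
    info = {"make": ifd0[TAG_MAKE][1].rstrip(b"\0").decode(),
            "model": ifd0[TAG_MODEL][1].rstrip(b"\0").decode(),
            "gps": None}
    if TAG_GPS_IFD in ifd0:
        gps = _read_ifd(blob, struct.unpack("<I", ifd0[TAG_GPS_IFD][1])[0])
        lat = _to_deg(gps[GPS_LAT][1], gps[GPS_LAT_REF][1][:1])
        lon = _to_deg(gps[GPS_LON][1], gps[GPS_LON_REF][1][:1])
        info["gps"] = (round(lat, 4), round(lon, 4))
    return info


def strip_gps(blob):
    """Rebuild the blob without the GPS IFD: the 'scrub before upload' step."""
    info = read_exif(blob)
    return build_exif(info["make"], info["model"])


if __name__ == "__main__":
    # Constructed sample: made-up camera and coordinates, not taken from a real photo.
    photo = build_exif("ExampleCam", "Model X", 42.3601, -71.0589)
    print(read_exif(photo))              # make, model and the coordinates the app leaked
    print(read_exif(strip_gps(photo)))   # same device info, gps is None
```

The check a consumer or a DLP filter wants is simply `read_exif(blob)["gps"] is None` before a photo leaves the device; note that the Make and Model tags, which the Guardian's documents also list as collected, survive the scrub and have to be removed separately if device fingerprinting is the concern.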

Your mobile device is a goldmine of information which spy agencies are happy to collect from leaky mobile apps:

"The data pouring onto communication networks from the new generation of iPhone and Android apps ranges from phone model and screen size to personal details such as age, gender and location. Some apps, the documents state, can share users' most sensitive information such as sexual orientation – and one app recorded in the material even sends specific sexual preferences such as whether or not the user may be a swinger."

The spy agencies have targeted mobile devices because the data consumers have entered into phone and app profiles is very valuable:

"Depending on what profile information a user had supplied, the documents suggested, the agency would be able to collect almost every key detail of a user's life: including home country, current location (through geolocation), age, gender, zip code, marital status – options included "single", "married", "divorced", "swinger" and more – income, ethnicity, sexual orientation, education level, and number of children."

One government document emphasized the success of such data collection:

"... [i]t effectively means that anyone using Google Maps on a smartphone is working in support of a GCHQ system."

Should spy agencies collect data from mobile game apps and developers? Is this where you want your government spending your hard-earned taxes?

It is a debate that needs to happen, because the spying threatens the revenues of U.S. mobile gaming firms. Experts have already estimated that the massive NSA government spying program could cost U.S.-based cloud-services vendors $35 billion in lost revenues. In simpler terms:

Lost revenues by U.S. high-tech companies = lost American jobs = lost tax revenues to U.S. federal, state, and local governments

Would you use mobile games knowing that spy agencies secretly collect this information? Can you trust these agencies to keep such sensitive personal information private, and not share it with other government agencies? Can you trust these agencies when they've been secretive so far? Other agencies (e.g., CIA, DHS, FBI, IRS) already want access to the data collected, and some have gotten it. The potential for abuse is massive.

Freedom includes the choice about what personal information to share, with whom, and when. It is a huge loss of freedoms for consumers to not have control over what personal information is shared, with whom, and when.

Many people would say no to mobile game data collection. If you are not suspected of a crime and the agency doesn't have a search warrant, then it's a privacy violation. What do you think? If this troubles you, contact your elected officials.

Michaels Stores Says It Experienced a Potential Data Breach

On Saturday, Chuck Rubin, the CEO of Michaels Stores, released a statement to its customers that the retailer may have experienced a data breach:

"... We recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting we may have experienced a data security attack. We are working closely with federal law enforcement and are conducting an investigation with the help of third-party data security experts to establish the facts. Although the investigation is ongoing, based on the information we have received and in light of the widely-reported criminal efforts to penetrate the data systems of U.S. retailers, we believe it is appropriate to notify our customers that a potential issue may have occurred..."

The "recently learned" portion of the statement probably refers to a Krebs On Security blog post, in which sources at four different banks reported fraudulent charges affecting hundreds of customers that traced back to Michaels stores.

As with the massive Target stores data breach, the U.S. Secret Service is involved. Michaels is the third retailer to have disclosed a data breach during the past two months or so. While Neiman Marcus confirmed earlier this month that it had experienced a data breach, the retailer announced few details.

In May 2011, criminals tampered with point-of-sale PIN pads at Michaels stores in Chicago. A subsequent investigation found tampered terminals in stores in at least 20 states, and the retailer replaced 7,200 PIN pads in its stores that year. In March 2013, this blog reported about a questionable and restrictive return policy by Michaels stores.

Michaels customers should read the full January 25 statement (Adobe PDF). It advises shoppers to be vigilant (e.g., check your bank accounts and credit/debit-card bills for fraudulent charges). Michaels will provide updates at its Web site. Shoppers with questions about the data breach can also call the retailer toll-free at 1-877-412-7145 from Monday through Saturday from 8:00 am to 11:00 pm CST, and Sundays from 8:00 am to 8:00 pm CST.

Obviously, there will be a lot more news coming about this data breach.

Net Neutrality: What It Is, the Recent Court Decision, And What It Means For Consumers

On January 14, the U.S. Court of Appeals for the District of Columbia Circuit ruled (Adobe PDF) in favor of Verizon in its lawsuit against the Federal Communications Commission (FCC) about "Net neutrality." Verizon had challenged the FCC's rules, and the appeals court combined the Verizon suit with other related suits (e.g., MetroPCS Communications). The court ruled that, because the FCC classifies Internet Service Providers as information services rather than as utilities (common carriers), the FCC cannot impose its anti-blocking and anti-discrimination rules on them.

You're probably wondering what the fuss is about, what "Net neutrality" is, and what the impact of the recent court ruling might be.

"Net neutrality" is the concept that when you, consumers, pay for access to the Internet you get access to the entire Internet. No filters. Not portions of the Internet. No blocked sites. No payment tiers. You choose where you want to go online, which search engine to use, and visit the Web sites you want to visit. Nobody chooses or decides for you. You are in control. You are free to roam about the Internet as you choose.

This eCommerce Times article described the "Net neutrality" concept and how it protects consumers:

"... is short for "network neutrality" or "Internet neutrality." The concept addresses user access to the Internet, and the debate around Net neutrality centers on whether ISPs (Internet service providers) can limit, tier, block or otherwise affect Internet performance. Without Net neutrality, ISPs can even charge higher fees for more bandwidth and higher-speed access to one vendor and not others, thus establishing tiers of service... Or, if an ISP preferred (e.g. had a financial interest in) one search engine over another, that ISP could force its customers to the preferred search engine by charging customers more each time they used any other search engine..."

The FCC set up some initial rules in 2011, which Verizon challenged. The eCommerce Times article described the FCC's rules, which require transparency, prohibit blocking, treat mobile access differently, and prohibit "unreasonable discrimination." CNet provides good explanations of the net neutrality issues and history.

Of course, the ISPs want to make more money. They see how important the Internet has become. Their first forays were into behavioral targeting: tracking your online usage and serving up custom ads based upon it. Privacy advocates fought this early battle and largely won, but ISPs have not given up.

As I see it, ISPs have already proven with their actions that they cannot be trusted. They will abuse consumers if left unchecked. During the past seven years, this blog has documented instances where ISPs worked with advertising networks and technology companies to spy on consumers without notice and with failed opt-out mechanisms:

The Electronic Frontier Foundation (EFF) said this years ago about the FCC:

"... how far can the FCC be trusted? Historically the FCC has sometimes shown more concern for the demands of corporate lobbyists and "public decency" advocates than it has for individual civil liberties..."

The Huffington Post reported what might happen next:

"Though the FCC could try to rewrite its rule or appeal the decision, in the meantime ISPs like Comcast, Verizon, AT&T and Time Warner Cable are free to make deals with companies promising quicker content delivery in exchange for payment -- essentially creating Internet "fast lanes" for wealthy companies and making their websites easier to access than those of nonprofits, activist groups and smaller competitors."

What might the impact be without net neutrality? I look at cable television as a preview.

If you pay for cable TV, then you know what I mean about cable TV pricing schemes. It's expensive and you can't choose the cable stations you want. You pay a monthly fee for "basic" service and pay extra for each extra package of cable stations. For example, Comcast's cable TV packages: Basic, Expanded Basic, Family, Digital Economy, Digital Starter, Digital Preferred, Digital Premium, Sports Entertainment, Music Choice, Pay-Per-View, Sports Pay-Per-View, International, and MultiLatino. The cable TV provider chooses which stations are in each package. You can only choose packages and not individual stations. Highly profitable for the cable TV provider; expensive for consumers. Plus, the customer service is often horrendous.

The United States, where the Internet was invented, ranks 35th of 148 countries on Internet bandwidth. We pay a lot and don't get the speed nor value citizens get in higher ranked countries. Verizon happily filmed a commercial in Boston about FiOS, its fiber broadband service, even though the service isn't available in Boston.

So much for innovation and competition.

Consumers have little real choice and few freedoms while the companies make huge profits. And, it hurts the country since consumers don't get the value we deserve. The United States

Do you want your Internet service set up the same way as cable TV service? I don't, and I bet you feel the same way as I do. I don't want my Internet access mucked up like cable TV service.

What is at stake? To me, the first thing at stake is our democracy. A healthy democracy is based upon citizens having access to information, unfiltered by corporations that have their own interests. The second thing at stake is your freedom to access the whole Internet and not the pieces somebody else decides on. If "Net Neutrality" is lost, then we consumers will likely pay a lot more.

Ideally, the FCC should classify ISPs as utilities, but lobbying in Congress may prevent that. The Congress has failed to act on this several times before. The New York Times reported:

"... Tom Wheeler, the agency’s new chairman, said the agency might appeal the decision, but had previously voiced support for allowing Internet companies to experiment with new delivery methods and products... In a statement, Mr. Wheeler said he was “committed to maintaining our networks as engines for economic growth, test beds for innovative services and products, and channels for all forms of speech protected by the First Amendment.”

So, the FCC will likely not act. Corporate cash has infected both political parties under the cloak of free speech for companies and vague promises of innovation. There was trickle-down economics. Now we have trickle-down Internet innovation. Maybe the benefits and cost savings will trickle down to consumers.

Maybe... but I highly doubt it.

Contact your elected officials today and demand action.

Study: Princeton Researchers Predict Facebook Will Lose Millions of Users Within Three Years

In an attempt to predict the changing popularity of existing social networking websites, researchers from the Department of Mechanical and Aerospace Engineering at Princeton University predicted that Facebook will undergo a massive decline during the next few years. The researchers, John Cannarella and Joshua Spechler, analyzed the popularity of specific "online social networks" (OSNs) by using mathematical models of the spread of infectious diseases:

"The application of disease-like dynamics to OSN adoption follows intuitively, since users typically join OSNs because their friends have already joined. The precedent for applying epidemiological models to non-disease applications has previously been set by research focused on modeling the spread of less-tangible applications such as ideas..."

With about 1.19 billion users worldwide, Facebook definitely qualifies as a large social networking website. Anyone active on the Internet knows that social networking websites (who remembers Friendster?) come and go:

"Despite the recent success of Facebook and Twitter, the last decade also provides numerous examples of OSNs that have risen and fallen in popularity, most notably MySpace. MySpace, founded in 2003, reached its peak in 2008 with 75.9 million unique monthly visits in the US before subsequently decaying to obscurity by 2011."

Accurate predictions of changes in the popularity of specific social networking websites can help investors with financial decisions. The researchers used Google search data for specific social networking websites:

"The epidemiological models presented in this study are used to analyze publicly available Google search query data for different OSNs, which can be obtained from Google’s "Google Trends” service. Google search query data has been used in a range of studies, including the monitoring of disease outbreak, economic forecasting, and the prediction of financial trading behavior..."

The researchers adapted and validated their mathematical model using the adoption and decline data from the Myspace OSN. The researchers concluded:

"Extrapolating the best fit model into the future suggests that Facebook will undergo a rapid decline in the coming years, losing 80% of its peak user base between 2015 and 2017."

The Los Angeles Times reported:

"... Myspace is not the best social network with which to compare Facebook. At its peak, Myspace had 75.9 million monthly active users. Facebook, meanwhile, said it had 1.19 billion active members in September. Facebook has reached levels Myspace never hit... Although search queries -- not active users -- for Facebook did decline in 2013, the company has only seen its monthly active user base grow since it launched in 2004. Seeing a drop as big as the one the researchers predict would be more than surprising -- it'd be the first time Facebook sees a decline in users."

The Motley Fool reported that teens are leaving Facebook in substantial numbers, but it may not matter:

"... Facebook's teen base had fallen 25% in the past three years. Facebook CFO David Ebersman confirmed that the issue is real during a recent earnings call... the iStrategy Labs study draws from Facebook's Social Advertising platform... Facebook has 4,292,080 fewer high-school aged users and 6,948,848 college-aged users than it did in 2011... it definitely shows that Facebook is not as hot with teens as it once was... According to the same iStrategy Labs Study, the number of users 55+ has exploded with 80.4% growth in the past three years. These older users may not be as desirable as teenagers, but they are more stable and less likely to leave..."

While the researchers analyzed search data, there are more metrics that describe social networking website popularity. Some metrics that come to mind include:

  • Active users
  • Average time and $ on site per user by demographics (e.g., age, country, income, etc.)
  • Average time and $ spent on site by platform (e.g., smart phone, tablets, etc.) by user
  • Average profile completion percentage per user (e.g., work history, residential history,  education history, basic information, relationship and family information, etc.)
  • Average number of connection types (e.g., groups, fan pages, pages Liked, events, etc.) per user
  • Average data usage per user (e.g., megabytes of photos, videos uploaded)
  • Gaming $ spent per user
  • Advertising $ spent per user

Then, you would want to see which of those metrics most accurately predict account terminations.

The OSN study has not been peer reviewed. Download the Princeton study: "Epidemiological Modeling of Online Social Network Dynamics" report (Adobe PDF). It is also available here (Adobe PDF, 436.3K bytes).

Slowly Details Emerge About The Hacking Techniques In The Massive Target Data Breach

Slowly, details emerge about the techniques hackers used in the massive Target data breach, where debit- and credit-card payment information about tens of millions of shoppers was stolen.

NBC News reported that the hackers infected the retailer's point-of-sale (PoS) computers and cash registers with malware designed to steal shoppers' payment information at the one point in the purchase process where that data sits in memory unencrypted:

"The data breach was caused by a type of malware, similar to a computer virus, placed in a store's point-of-sale systems... The insidious file triggers a "hook" and starts to suck up information on transactions in the memory of the cash register system or the server that controls it. Since the data on credit cards is encrypted, the system works by getting it in the authorization stage while it is in the memory of the PoS system, unencrypted."

According to ComputerWorld, the specific malware is a Trojan called POSRAM:

"... the POSRAM Trojan as a customized version of BlackPOS, a piece of malware that has been available in the cyber underground since at least last February. Like BlackPOS, the POSRAM Trojan is designed to steal a card's magnetic stripe data while it is stored momentarily in a POS system's memory... the malware monitors the memory address spaces on the device for specific information. When it finds something of interest, the software saves the data to a local file and then transfers it to the attackers at preset times. It then is coded to delete the local file to cover its tracks..."

The hacking tactic was described in a report by the security firm iSight Partners, which was submitted to the U.S. Secret Service.
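The step where the malware "monitors the memory address spaces on the device for specific information" is less mysterious than it sounds. At authorization time the card's Track 1 and Track 2 data sit in the register's memory as plain ASCII in a fixed format, so a pattern match plus the card number's Luhn checksum is enough to tell card data from everything else. The Python below is an added example, not the POSRAM/BlackPOS code or iSIGHT's analysis. The memory buffer it scans is constructed here using the standard Visa test number 4111111111111111 with a made-up name and expiry. The same logic, run over a memory dump or a network capture, is the check a retailer or forensic examiner would use to confirm whether a PoS system exposes unencrypted track data at all.

```python
import re

# Constructed sample of process memory as a RAM scraper would see it:
# a Track 1 record, a Track 2 record, and a decoy that matches the Track 2
# shape but is not a valid card number. 4111111111111111 is the standard
# Visa test PAN; the cardholder name and expiry (YYMM = 2512) are invented.
SAMPLE_MEMORY = (
    b"\x00\x00auth-req id=7731 \x00"
    b"%B4111111111111111^DOE/JANE^25121011234500000?"   # Track 1: %B PAN ^ NAME ^ YYMM SVC ...?
    b"\x00\x00\x00"
    b";4111111111111111=25121011234500000?"              # Track 2: ; PAN = YYMM SVC ...?
    b"\x00garbage ;1234567890123=2512101? more\x00"      # decoy: right shape, fails Luhn
    b"\xff\xfe"
)

# Track formats as laid down in the ISO/IEC 7813 magnetic-stripe standard.
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; the cheap filter that separates PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_memory(buf: bytes) -> list:
    """Return one dict per track record found in `buf` whose PAN passes Luhn."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": pan,
                         "name": m.group(2).decode(), "expiry": m.group(3).decode(),
                         "service": m.group(4).decode()})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": pan,
                         "expiry": m.group(2).decode(), "service": m.group(3).decode()})
    return hits


def mask_pan(pan: str) -> str:
    """First six and last four digits only, the form PCI DSS allows in logs and reports."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def report(buf: bytes) -> list:
    """Findings with the PAN masked, suitable for an incident report."""
    return [f"track{h['track']} @0x{h['offset']:x} pan={mask_pan(h['pan'])} exp={h['expiry']}"
            for h in scan_memory(buf)]


if __name__ == "__main__":
    for line in report(SAMPLE_MEMORY):
        print(line)
```

If a scan of a register's live memory returns any hits, the card data is exposed at that point regardless of how the network link or the database is encrypted, which is exactly the window the NBC quote describes; point-to-point encryption at the reader or chip cards are what close it.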

InfoWorld reported that the stolen debit/credit card information was sent to a server in Russia. And, the hackers have more stolen data than they can use, which means they are reselling it to other criminals.

It seems that this hacking tactic poses little risk to the criminals and a big risk to the PoS systems used by many retailers in the United States, because the card data must pass through the register's memory unencrypted during authorization.

U.S. Department of Labor Recovers Money In Several Employer-Operated Retirement Plans

The Employee Benefits Security Administration (EBSA), a division of the U.S. Department of Labor (DOL), announced the results of several court cases involving employer-operated 401(K) retirement plans. Unfortunately, company executives fail to deposit contributions into employees' retirement accounts more often than you might think.

The EBSA announced last week in a news release that a judge in the U.S. District Court for the Northern District of Illinois ruled on a lawsuit the agency filed in February 2013 against the Hico Flex Brass Company. The EBSA complaint sought $79,104.11 for employees participating in the company's 401(K) retirement plan. The EBSA lawsuit alleged:

"... the company, Hico Flex Brass Co. Inc., as well as former vice presidents and Plan trustees Mark Isaacs and Neil Isaacs, violated the Employee Retirement Income Security Act by withdrawing $702,153.99 in Plan assets and thereafter failing to distribute the full amount of Plan assets to participants."

The judge ruled on the case and issued a Consent Order:

"Pursuant to the Consent Order and Judgment, Mark Isaacs and Neil Isaacs agreed to restore $79,104.11 in undistributed Plan assets to the Plan and are permanently enjoined from serving as fiduciaries or service providers to any employee benefit plan subject to the Employee Retirement Income Security Act."

A prior Consent Order, dated June 4, 2013, by the Court:

"... held Hico Flex Brass Co., Inc. liable for failing to distribute plan assets to participants and enjoined Hico Flex Brass Co., Inc. from serving as a fiduciary or service provider to any employee benefit plan subject to the Employee Retirement Income Security Act."

Also last week, the EBSA announced the recovery of money for employees of a failed Rhode Island day care service. The Rumford Day Nursery Inc. (RDN) of Rumford, Rhode Island operated a Simple IRA plan for its employees. The business stopped operations in December 2009. According to the EBSA news release, the business:

"... operated day care centers in Barrington, Coventry, East Providence, North Kingston and Westerly, R.I. and in Seekonk, Mass... RDN was the plan's administrator and Deborah Very-King, the company's owner and chief operating officer, was the sole decision maker for the plan."

The EBSA filed a lawsuit alleging:

"Beginning in 2007, the defendants failed to forward about $23,506.98, plus lost opportunity costs, in withheld employee contributions to the plan and failed to collect about $20,947.14 in employer contributions, plus lost opportunity costs, due to the plan."

The ruling included:

"... a consent judgment orders the defendants to pay $52,945.96 in principal and pre-judgment opportunity costs to the plan in monthly installments... The judgment also permanently prohibits Very-King from serving as a fiduciary to any ERISA-covered benefit plan."

Opportunity cost here is the interest or investment return the plan participants would have earned had the contributions been deposited on time. When employers fail to deposit contributions into employees' retirement plan accounts, the employees lose that growth as well as the contributions themselves.

Within the U.S. Department of Labor (DOL), the Employee Benefits Security Administration (EBSA) oversees employee benefits programs, including about 684,000 retirement plans, 2.4 million health plans, and related employer-sponsored benefits plans (e.g., stock plans, IRA plans). All of these plans cover about 141 million individuals (e.g., employees and their dependents), with assets of about $7.6 trillion.

During December 2013 and January 2014, the EBSA announced the filing of several lawsuits against employers and executives to recover benefits for employees in retirement, stock, profit sharing, and health plans. The companies named in these lawsuits:

  • Western Steel Erection, Inc.
  • F.V. Zanetti Inc.
  • Kephart Trucking Company
  • Double D Excavating LLC
  • Miller's Health Systems
  • Sunstrand Electric Company
  • Home Valu Inc.
  • Central Pennsylvania Pulmonary Associates LLC

I congratulate the DOL for these actions. It is important to recognize both their hard work and the benefits recovered for employees. When employers and executives fail to follow wage laws and fail to deposit contributions into employees' retirement accounts, there have to be substantial consequences.

Target Data Breach: The Math Says That Crime Pays Well

If you haven't read it, there is an excellent article at Finextra Research about the Target breach, specifically the value of the stolen shoppers' information. The article explains how location information makes consumers' stolen payment information more valuable to thieves:

"... Target hackers have undertaken to selling location usage data alongside the card data, and can charge a premium for such data. Value added service to the fraudsters and clearly a strategy that is paying off. Fraudsters are paying anything between $20 and $100+ for a skimmed Target payment card – location data has added a premium to what the fraudsters charge. That puts the "value" on the 40 million+ payment cards stolen from Target at between $800 million and $4 billion! If we assume that their ROI is a minimum of 10 times their "investment" then we are looking at a fraud value of between $8bn and $40bn."

Plus, the numbers are probably much worse. Why? First, Target has since disclosed that personal information about up to 70 million individuals was also taken, on top of the 40 million payment cards. Second, this math is based upon what we know so far, and the breach news is far from over. Third, news reports have mentioned three other retailers impacted besides the Target and Neiman Marcus breaches.

This math is important because the fraud-detection systems used by retailers (and banks) rely on data elements (e.g., location) that the thieves have now stolen, and will continue to steal, so a fraudulent purchase made near the cardholder's home looks ordinary. The thieves are upping their game, and industry needs to respond. It is long past time for the U.S. retail and banking industries to upgrade from obsolete magnetic-stripe credit/debit cards to chip-based smart payment cards (EMV).

The math is important to consumers. Why? You now know how valuable your location information is for thieves. Don't be so quick to give up your location data to social networking websites, banks, and retailers without getting something substantial in return.

Neiman Marcus Confirms Data Breach Affecting Its Shoppers, But Says Little Else

During the weekend, several news sources reported a data breach that affected shoppers at Neiman Marcus stores. Fraudulent credit and debit card charges have occurred for consumers who shopped at the retailer's stores.

The retailer confirmed the data breach, but didn't say whether other retail stores (e.g., Bergdorf Goodman, Horchow) the company owns were affected. The Washington Post reported:

"... Neiman Marcus said it was informed of the breach in mid-December by its credit card processor and subsequently informed law enforcement officials, including the Secret Service. The company is taking steps to contain the breach... The company apologized to its customers for the breach through messages on its Twitter feed and said that it is working to notify those whose cards were used fraudulently after visits to Neiman Marcus stores."

A TechCrunch article explored reports that the Target and Neiman Marcus data breaches were part of a larger, coordinated holiday attack that included data breaches at three other unnamed U.S. retailers.

Obviously, this breach story is just beginning.

Target Increases Number of Shoppers Affected By Data Breach. BBB Warns Shoppers To Expect More Spam

On Friday, Target updated details about the retailer's recent data breach. More people were affected and more data was stolen than first announced. The updated total is 70 million persons affected, up from 40 million. More data was stolen, including names, mailing addresses, phone numbers, and e-mail addresses:

"As part of Target’s ongoing forensic investigation, it has been determined that certain guest information—separate from the payment card data previously disclosed—was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals."

The retailer also announced the closing of eight stores in the United States. The following stores will close on May 3, 2014:

  • West Dundee, Illinois
  • Las Vegas
  • North Las Vegas
  • Duluth, Georgia
  • Memphis, Tennessee
  • Orange Park, Florida
  • Middletown, Ohio
  • Trotwood, Ohio

The additional data stolen makes the information taken during the breach more valuable. The stolen data is simply more useful to identity thieves, spammers, and fraudsters. It also means that breach victims will probably experience spam and phishing attacks via e-mail and/or telephone. I've reported in this blog about many types of phishing attacks, including the fake Microsoft affiliate phone scam.

Also on Friday, the Better Business Bureau (BBB) warned consumers and Target breach victims to be alert for scams:

"Be on the lookout for scammers pretending to be Target or your banking institution. Prepare to get fake phone calls, emails and letters in the mail. They may ask for your personal information and direct you to click on links. The correspondence may look official, but do not respond. If you receive a phone call from someone claiming to be from your bank stating you've been affected by the Target hack, hang up. Then call the bank number on your credit card to confirm if you are actually a victim. If you receive an email claiming to be from Target, do not reply back. Instead go to You can also contact Target’s victim hotline at 866-852-8680."

A fake Target data breach notification is already circulating on the Internet.

The New York State Attorney General, Eric T. Schneiderman, offered several tips for shoppers affected by the Target breach. Those tips include advice for shoppers considering Target's free credit monitoring offer, and how breach victims can protect themselves and their personal information.

In related news, several banks in Alaska are scrambling to reissue credit and debit cards to cardholders affected by the Target breach:

"Denali Alaskan Federal Credit Union said more than 2,200 debit and credit cards it issued were affected by the breach. About 2,000 cardholders were affected at First National Bank Alaska, and almost 1,100 customers of Alaska-based Northrim Bank were affected."

I expect we'll hear a lot more news in the coming weeks about banks reissuing cards for their cardholders. Somebody will pay for this, as T.J. Maxx learned.

As I warned in a prior blog post, no retailer or company can know the scope and extent of a data breach until after its breach investigation is completed. I am not surprised at all that the retailer increased both the number of shoppers affected and the data elements stolen. With this latest breach update and with Target offering free credit monitoring to breach victims, the retailer's tagline applies in several ways: "Expect more. Pay less."

This story is far from over.

The Best Blog Posts Of 2013

For new and infrequent readers, below are links to the best blog posts from 2013.

What makes a post one of the best? Topics that cover critical, far-reaching, and often controversial issues that affect consumers -- the products and services you use or are considering using. Reading these posts will also get you caught up on the latest privacy, identity theft, banking, and corporate-responsibility issues:

  1. Amazon's Plan For Drones To Deliver Packages To Customers, And A Primer About Drones
  2. How To Opt Out Of Tracking Programs And Keep As Much Privacy As Possible
  3. Police Body Cameras. What They Are And The Privacy Issues
  4. What Is Metadata? Why Is It Important?
  5. 83% Of The Leading Mobile Apps Put Your Sensitive Personal Information At Risk
  6. Study: Employees Face Huge Difficulties Collecting Unpaid Wages From Employers
  7. Geo-Location Data. What They Know And Collect About You Via Your Mobile Devices
  8. 8 Questions That Highlight The Issues About Government Surveillance
  9. July 1: New Online Privacy Rules For Children Went Into Effect
  10. Google Glass And Wearable Mobile Devices. Several Privacy Issues Emerge
  11. Five Ways Retail Stores Spy On Their Shoppers
  12. The Top 5 Places You Should Never Use Your Smart Phone
  13. The Mugshot Industry. Accurate Information That Is Beneficial For Consumers?
  14. Report: It Takes Months For Organizations To Detect And Resolve Data Breaches
  15. For Consumers Who Believe Their Apple Products Are Immune From Malware
  16. Publishers Consider Ways To Further Use Data Collected By E-Readers
  17. Six States Now Ban Employers From Snooping On Your Social Networking Accounts

And, read the best I've Been Mugged blog posts about Facebook.

Did Target Executives Know Their Systems Were Vulnerable And A Breach Was Likely?

The National Association of Convenience Stores (NACS) reported this week:

"The Star Tribune reports that several years before Target incurred its massive loss of credit card data last month, it was well aware that a theft risk existed and it had unsuccessfully pursued “innovative solutions” to counter such threats... In the early 2000s, Target had installed “smart card” technology at all of its U.S. stores, an effort to thwart the very theft that the retailer suffered. The company said it abandoned the three-year pilot because few other retailers adopted the technology, which put Target at a disadvantage because the emerging technology slowed checkout times..."

The breach has jeopardized Target's REDcard program. The Star Tribune reported:

"In fiscal 2012, REDcard purchases made up 13.6 percent of Target’s sales, compared to 5.9 percent two years before... Target’s REDcard program, which offers 5 percent off each purchase and free Internet shipping, is a crucial component to the retailer’s strategy of getting consumers to frequently shop at Target stores and buy more stuff. It also collects enormous amounts of consumer data..."

So, consumers are to believe that a retailer followed the herd and rejected a newer, safer technology only because it wanted to avoid long checkout lines. Are you willing to trade security for shorter checkout lines? Target shoppers: were you even asked about this?

It seems to me that Target executives failed to recognize security as a benefit for consumers. Consumers already choose between regular and express checkout lanes in supermarkets nationwide. It's not a stretch to offer checkout lanes dedicated to shoppers with smart REDcards; at least market test or survey the concept. My point is: give shoppers the choice. Given the large number of data breaches during the past decade, I'll bet that many shoppers will pick security. Breach victims experiencing the hassles of fraud, changed PINs, changed bank accounts, and related damage would gladly move to a smart REDcard.

Ironically, the data breach has forced Target to now pitch security as a benefit. The retailer's REDcard page:

"It is safe for you to use your REDcard debit and credit card. If you would like additional peace of mind, you can always change your PIN number on your Target Debit Card and set up alerts for your REDcard through Manage My REDcard..."

Europe has already moved to smart credit/debit cards with EMV chips. Why does the United States lag in this area? Why would banks and retailers in the United States continue to use credit/debit cards with antiquated magnetic-stripe technology? Read this blog post to learn a few reasons why.

Why The U.S. Justice Department Has Not Prosecuted Bank Executives For Fraud

You may have missed this news story while preparing for the holidays. Jed S. Rakoff, a Federal Judge, wrote an article which appeared in the New York Review of Books: The Financial Crisis; Why Have No High-Level Executives Been Prosecuted? If you haven't read it, I strongly encourage you to do so.

In his article, Rakoff put forth three reasons why the U.S. Justice Department has not prosecuted bank executives for fraud, even though the government has successfully prosecuted individual bankers before:

"But if, by contrast, the Great Recession was in material part the product of intentional fraud, the failure to prosecute those responsible must be judged one of the more egregious failures of the criminal justice system in many years. Indeed, it would stand in striking contrast to the increased success that federal prosecutors have had over the past fifty years or so in bringing to justice even the highest-level figures..."

Some of the history of successful prosecution of high-level bank executives:

"... in the 1970s, in the aftermath of the “junk bond” bubble that, in many ways, was a precursor of the more recent bubble in mortgage-backed securities, the progenitors of the fraud were all successfully prosecuted, right up to Michael Milken... in the 1980s, the so-called savings-and-loan crisis, which again had some eerie parallels to more recent events, resulted in the successful criminal prosecution of more than eight hundred individuals, right up to Charles Keating... the widespread accounting frauds of the 1990s, most vividly represented by Enron and WorldCom, led directly to the successful prosecution of such previously respected CEOs as Jeffrey Skilling and Bernie Ebbers."

While banks have been prosecuted and fined for fraud recently, no executives have been prosecuted. This blog covered several instances, including fines levied upon and paid by JPMorgan bank. I found these comments by Rakoff informative:

"... before 2001, the FBI had more than one thousand agents assigned to investigating financial frauds, but after September 11 many of these agents were shifted to antiterrorism work. Who can argue with that? Yet the result was that, by 2007 or so, there were only 120 agents reviewing the more than 50,000 reports of mortgage fraud filed by the banks..."

About oversight failures by the U.S. Securities and Exchange Commission (SEC):

"... at the very time the financial crisis was breaking, the SEC was trying to deflect criticism from its failure to detect the Madoff fraud, and this led it to concentrate on other Ponzi-like schemes... as Professor John Coffee of Columbia Law School has repeatedly documented, Ponzi schemes and misallocation-of-asset cases have been the primary focus of the SEC since 2009, while cases involving fraud in the sale of mortgage-backed securities have been much less frequent... moreover, the SEC has been hard hit by budget limitations..."

About the role of the U.S. government:

"... had a part in creating the conditions that encouraged the approval of dubious mortgages. Even before the start of the housing boom, it was the government, in the form of Congress, that repealed the Glass-Steagall Act, thus allowing certain banks that had previously viewed mortgages as a source of interest income to become instead deeply involved in securitizing pools of mortgages in order to obtain the much greater profits available from trading. It was the government, in the form of both the executive and the legislature, that encouraged deregulation, thus weakening the power and oversight not only of the SEC but also of such diverse banking overseers as the Office of Thrift Supervision and the Office of the Comptroller of the Currency, both in the Treasury Department..."

When I hear politicians say they, a) want smaller government, b) want less regulation, and c) oppose reinstatement of Glass-Steagall, it makes me wonder if these politicians are happy with a marketplace of continual banking fraud, and whether they implicitly authorize more of it. The Volcker Rule would correct much of this, but the banks oppose it.

In an interview published by Real News, William K. Black, an economics and law professor at the University of Missouri Kansas City, discussed Rakoff's statements. Black said:

"... Judge Rakoff is a judge that hears many cases involving sophisticated financial frauds and has a background in prosecuting. And he excoriates the Department of Justice for the failure to prosecute the elite individuals that the Department of Justice says drove the frauds that drove much of the crisis. And he goes through the excuses that the Justice Department has offered for failing to prosecute, and he says that each of them makes no sense... this is an extraordinary thing for a judge to do. He hasn't violated any of the judicial canons. He hasn't talked about any pending cases. He's made sure to keep it in policy terms. But he points out that these cases can be prosecuted and that they should be prosecuted as a matter of justice if the Department of Justice believes what it says in its complaints, and that you will not get effective deterrence unless and until you prosecute the elite individuals..."

CNBC reported this about why Rakoff wrote the article:

"... Rakoff said he wrote the article because he was puzzled by what he called "seeming inconsistencies," with some parts of the government—such as the independent Financial Crisis Inquiry Commission—concluding that there was fraud, while the Justice Department has so far declined to prosecute top Wall Street executives."

I applaud Rakoff for sharing his views. It needed to be said. It needs to be discussed. Bank executives must be prosecuted. About the effectiveness of fines to prevent banking abuses, former Secretary of Labor Robert Reich said in September 2013 on

"Fines effective only if risk of being caught x probability of being prosecuted x amount of fine > profits to be made."

14 Things Facebook Users Need To Know

If you already use Facebook, or are considering it, we have compiled in this blog post the information and privacy tips you need to know:

  1. Study: Facebook Saves And Analyzes Your Unpublished Posts And Comments
  2. How To Lock Down Your Facebook Privacy Now That Old Posts Are Searchable
  3. Criminals Use Your Posts On Social Networking Sites. More Facebook Being Facebook
  4. What You Post Online Could Be Used To Determine Your Mental State
  5. Why You Shouldn't Install Those Entertaining Apps On Facebook
  6. Consumer Reports Reviews Facebook And How To Use It Safely
  7. Credit Reporting Agency Wants Access To Your Facebook, LinkedIn, And Twitter Information
  8. Website Exposes Embarrassing Facebook Status Messages
  9. I’ve Got The Facebook Social Plug-In Blues…
  10. Facebook Decides To Continue And Make Public More Of Your Private Data
  11. Facebook Photo Tagging With New Facial Recognition Software: What You Need To Do About Your Privacy
  12. Facebook Newbie? Read This First
  13. Just How Helpful Can Facebook Be?
  14. 7 Things You Should Stop Doing On Facebook

ID Experts Introduces Medical Identity Theft Service To Detect And Lower Health Care Fraud

Just before the holidays, ID Experts Corporation introduced Medical Identity Alert System (MIDAS), a new service to help health care plan providers, employers, and consumers prevent and reduce medical identity theft and fraud. The F.B.I. estimated health care fraud at $80 billion each year. The 2013 Survey on Medical Identity Theft by Ponemon found:

"... most cases of identity theft result not from a data breach but from the sharing of personal identification credentials with family and friends. Or, family members take the victim’s credentials without permission."

About 1.84 million people in the USA are currently affected by medical identity theft and fraud. This can lead to misdiagnoses, mistreatments, delayed treatments, and wrong prescription medications. Only 54 percent of patients review the Explanation of Benefits (EOB) statements from their health care providers.

MIDAS uses real-time text messages and emails to alert users when a healthcare transaction is submitted to their health plan. The alert links to a secure website where the member can validate the transaction, or flag it as “suspicious.” Then, MIDAS resolution experts follow up on the flagged transactions.

The MIDAS website lists several benefits:

  • Lowers health care costs
  • Detects health care fraud and medical identity theft
  • Engages patients for Affordable Care Act (ACA) compliance
  • Uses proven fraud reduction strategies
  • Simple yet powerful
  • Accessible from anywhere with an Internet connection
  • Service is backed by experienced identity protection experts

Bob Gregg, CEO of ID Experts said:

“Consumers have easy access to their personal financial data yet their medical care transactions are a closed door... MIDAS will change this by bringing transparency to healthcare transactions, engaging members as the first line of defense in protecting their identities and uniting health plans with their members to combat fraud.”

PHIprivacy investigated the service, and reported that ID Experts does not share MIDAS users' information with other companies.

This service appeals for three reasons:

  1. Lowering health care fraud should translate into lower health care costs and premiums for consumers,
  2. Most credit-monitoring solutions focus only upon financial transactions, and do not cover nor monitor for medical identity theft and fraud, and
  3. MIDAS can help more patients review their medical transactions; something experts advise patients to do, just as financial institutions and credit reporting agencies advise consumers to review their accounts and credit reports for fraud.

Note: this is not an endorsement. It is simply a news article to inform readers of a new service. I do not have any arrangements or relationship with ID Experts. If you subscribe to MIDAS, please share your opinions and experience below.