Friday, July 03, 2009

Have A Safe, Enjoyable July 4th Holiday Weekend

I'm taking a break. Posts will resume sometime next week. Meanwhile, feel free to read some of my favorite I've Been Mugged posts:

Or, browse the ID-Theft Humor section.

Thursday, July 02, 2009

Too Big To Fail

This blog has covered the abuses by banks of consumers. Banks and companies that are too big to fail are simply too big. Enjoy the music video below from the Austin (Texas) Lounge Lizards:

Wednesday, July 01, 2009

Celebrating Two Years Online!

Two years ago today, I started the I've Been Mugged blog. Since then, I've learned a lot about identity theft, fraud, privacy, and data breaches. This blog has been a good tool to organize my thoughts, learnings, and the online resources I've found. During the past year, a new Twitter feed and Facebook page have helped I've Been Mugged reach new readers.

Some thank-you messages are definitely called for. First, I'd like to thank I've Been Mugged readers. Weekdays, the I've Been Mugged blog gets about 350 - 400 hits daily. I am grateful for our readership and for the comments you have submitted. We have explored together many interesting topics, and I look forward to more exploration.

Second, I'd like to thank the bloggers and the consumer advocates I've met online. Without their suggestions and encouragement, the quality of I've Been Mugged posts wouldn't be as high as it has been. Some bloggers I'd like to thank by name: John Taylor, Lori Magno, Diane Danielson, Michael Krigsman, Chris Ott, Drew McLelland, Ryan Barrett, Ronni Bennett (who leads by example far more than she realizes), and Jonathan Feeley.

Third, I'd like to thank my guest author, Bill Seebeck, for his insightful and controversial posts.

Fourth, I'd like to thank the Privacy Crusaders. If you know who they are, then you know the good they've done.

Fifth, I'd like to thank IBM for losing my sensitive personal data during their February 2007 data breach. That incident caused me to start blogging. The more I learned about data breaches and the way companies assist (or don't) their data-breach victims, the more I realized that I had to do something. Rather than be angry, blogging seemed like a healthy and appropriate response.

If you haven't noticed yet, I named this blog in honor of IBM's data breach = I've Been Mugged.

And, I especially want to thank my wife, Alison. Without her support and flexibility, I couldn't write I've Been Mugged.

What's next for the coming year? We'll continue to write about identity theft topics, data breaches, and areas where corporate responsibility is lagging. Of course, we'll follow hot topics such as medical identity theft and fraud, behavioral advertising, and identity-theft legislation.

We'll continue to report on emerging issues that affect consumers, like our February 2009 blog posts about higher credit card interest rates by banks in March and April that affected consumers. And, we'll sprinkle this blog with plenty of ID-theft humor, since it's never all doom and gloom.

When it comes to identity theft, data breaches and corporate responsibility, there seems to be plenty to write about.

Tuesday, June 30, 2009

Effort Vs. Security

Time, effort, and money spent protecting consumers' sensitive personal data

Monday, June 29, 2009

How To Protect Yourself Against A Rental Scam

You've probably heard about it on the news. It is a variation of the Craig's List check scam I wrote about previously, but this scam affects both landlords and renters. I encourage you to watch this ABC News video (an advertisement plays first):

To avoid getting "mugged" via a rental scam, the FTC advises consumers to look for these signs:

"They want you to wire money... There’s never a good reason to wire money to pay a security deposit, application fee, or first month’s rent. Wiring money is the same as sending cash — once you send it, you have no way to get it back."

"They want a security deposit or first month’s rent before you’ve met or signed a lease. It’s never a good idea to send money to someone you’ve never met in person for an apartment you haven’t seen... do a search on the landlord and listing. If you find the same ad listed under a different name, that’s a clue it may be a scam."

"They say they’re out of the country. But they have a plan to get the keys into your hands. It might involve a lawyer or “agent” working on their behalf. Some scammers even create fake keys. Be skeptical, and don’t send money overseas."

Sunday, June 28, 2009

Log-in Credentials Breach At Several Corporations

Who said banks' web sites are bullet-proof? SC Magazine reported:

"A trojan has reportedly been uncovered that is harvesting FTP login data of major corporations, including the Bank of America, BBC, Amazon, Cisco, Monster.com, Symantec and McAfee. According to a report in the Friday edition of The Register, Jacques Erasmus, CTO at Prevx, an internet security vendor headquartered in the U.K., discovered a site where a trojan is uploading FTP login credentials from more than 68,000 websites. Once an individual's PC is infected with the trojan, that user's stored FTP login credentials are harvested. An attacker can then login to the FTP site..."

And we all know that your log-in credentials (e.g., username and password) are just as valuable to identity thieves and criminals as the money in your bank accounts. And companies like McAfee, a provider of anti-virus software, should know better, too.

Saturday, June 27, 2009

Michael Jackson: A Life of Great Creativity & Very Human Challenges

[Editor's Note: today's blog post is by guest author William Seebeck. During the 1980's, Bill and I worked together at Lexis-Nexis in Dayton, Ohio. Bill has a wealth of experience in online systems, banking, publishing, and public relations. Bill also blogs at Seebeck's View.]

By Bill Seebeck

I can still remember watching 40 years ago as Michael Jackson and his brothers went on the stage of the Ed Sullivan show, with Diana Ross, who discovered them, sitting in the audience.

What startled me that night was how Michael took the microphone, as if he had been doing it for a thousand years and with a voice that from the moment you heard it, knew it was special, began singing and dancing about the stage. He stopped you. You had to watch. You instantly fell in love with him and for quite some time afterward, he became known as "Little Michael Jackson".

Well, Michael Jackson and his brothers became famous overnight and they never looked back, everything was before them and we, the audiences throughout the world, were the beneficiaries of his amazing creativity.

I was in college when Michael first hit the scene and only saw him once in person, it was during the 1993 Super Bowl in Pasadena, California where he was the half-time show. Watching the video again today of that performance reminded me of his extraordinary gifts as one of the most exciting entertainers of all time.

We will always listen to Michael's music. We will also remember the songs he wrote for the world, including Black or White, Heal the World and We Are The World, the last, a song written for African relief and performed as a group by just about every major talent in the music business at the time.

Unless you have traveled the world, it is hard to appreciate the enormous impact American music has had on so many cultures. I remember sitting in a Fuddrucker's restaurant in Jeddah, Saudi Arabia 10 years ago and watching as a group of Saudi high school boys entered the restaurant dressed not in their traditional garb but in cargo pants, Abercrombie & Fitch t-shirts, LA Laker hats worn backward and listening to the most popular radio station in the Kingdom back then -- U.S. Armed Forces radio. What were they listening to? Yes, American music and they all knew Michael Jackson.

However, the type of overnight success that fell upon Michael was both a great joy and a great burden. In our times, when you gain "your 15 minutes in the sun" as Andy Warhol used to say, your life is taken from you by the public. You're watched and followed twenty-four hours a day and someone always wants something from you for themselves. Now sometimes what they want is legitimate, yet more times than not, it is not. It feels at times that they are sucking the very marrow out of you and one of the things that you lose is the ability to trust others. It is a difficult life. You try very hard to create a life that you can trust, withdrawing into a type of cocoon. That space becomes your safety zone, the place you can always run to and survive the latest hurt or betrayal. That space became where Michael, despite all of his world fame, lived. It is no surprise then that this is where he was tempted by his demons, the same ones that tempt each of us in our lives of non-perfection.

So today, I remember Michael Jackson, the boy I first saw and heard, the man we all came to experience, the incredible entertainer that graced our lives and with whom he shared his truly extraordinary God given gifts. We are forever grateful.

May God's peace be upon you Michael.

Copyright 2009 WBSeebeck. Reprinted with permission.

Friday, June 26, 2009

Identity Theft Humor

The identity theft and data breach topics I write about can be scary at times. It is not all doom and gloom though:
cCats - identity theft humor

Thursday, June 25, 2009

Are Defaults On Student Loans The Next Financial Bubble to Burst?

There are several posts in this blog about how banks are "mugging" consumers with higher credit card interest rates, lower card limits, increased minimums, and other fees. There is a debate about whether these changes, the high cost of college, and the recession will push many consumers to default on their student loans, or if the problem is poor financial planning and an attempt to avoid personal responsibility. At about the 13-minute mark are hints that the problem may be caused in part by predatory lending and collections policies:

Wednesday, June 24, 2009

Are Facebook And Twitter Really Changing Data Privacy Rules?

There's a pretty good commentary by Michael Fitzgerald in ComputerWorld Norway:

"'CIOs generally don't care about privacy,' says Peter Milla, former CIO and chief privacy officer at Survey Sampling International (SSI). Milla says most CIOs either focus on technology, or regard privacy as outside their domain, the province of a chief privacy or chief security officer. He finds both attitudes wrongheaded."

I agree with Milla. It seems stupid for a CIO to focus on information and ignore data security. They go hand-in-hand. One is wholly dependent upon the other.

"Milla says he recently worked to modify a request from a big-box retailer who wanted information about the people surveyed by his company on their behalf. 'They were bewildered and frustrated that we wouldn't give it to them,' says Milla. The retailer already collects plenty of data on its customers and didn't see what the problem was with a bit more. But Milla saw a breach of privacy, a contractual violation. If it leaked out that SSI shared personal data about its panelists, it could devastate its business. Milla says the big-box retailer's attitude is endemic. Companies think the data they gather belongs to them."

To me, this episode demonstrates an arrogance and entitlement about the consumer and customer data their company archives. Without customers, their company wouldn't exist. Fitzgerald points to one historical example of this arrogance:

"Ten years ago, then-Sun Microsystems CEO Scott McNealy told us, 'You have zero privacy anyway. Get over it.' "

Given the recent rise in use of social networking sites by consumers, Fitzgerald listed some of the companies, behavioral advertising efforts, and lawsuits about bungled consumer privacy. Fitzgerald highlighted one episode:

"In the wake of its privacy faux pas with Beacon, Facebook has moved to asking its users their opinions on its privacy policies. It has also created more ways for its users to control who sees their data. To Fenwick's CTO, Matt Kesner, this creates an expectation about control over data that will ripple through the IT world."

Yes, Facebook has made some changes. In my opinion, more changes by Facebook are needed. The site still doesn't disclose how and with whom customers' personal data is shared by those popular Facebook applications. And, browsers still don't provide options for consumers to block Web beacons.

Yes indeed. I, the consumer, have an expectation about control over my personal data -- all of it, not just some of it. Fitzgerald highlighted a behavioral advertising example:

"one of the British ISPs, BT, acknowledged piloting the program using actual consumer data, without asking for permission. That has landed BT in hot water. The European Commission has initiated legal action against the United Kingdom over its refusal to stop companies like BT from using live customer data without permission. Meanwhile, Amazon and Wikimedia have said they will block Phorm from accessing traffic on their sites, and in late April, the U.S. Congress began holding hearings on deep-packet inspection."

While some executives (and some consumers) maintain the myopic position that there is no privacy for consumers, these folks entirely miss the point.

First, it is about choice. Consumers choose whether or not to disclose their personal data when doing business with these companies. Second, control matters. Just because consumers choose to disclose their personal data (at the cash register or at the company's web site) doesn't mean that consumers give up all rights to control their personal data. Third, legal compliance matters. In the USA there are existing laws that require companies to protect certain types of sensitive consumer personal data (e.g., financial data, medical data, etc.). Fourth, it's about notice. Consumers expect opt-in mechanisms and to be notified about when and how their personal data is used. Opt-out mechanisms are not enough.

For me, my awareness as a consumer has been raised about privacy and various Internet technologies. It is no longer acceptable for a company:

  • Not to disclose in its online privacy policy how it uses browser cookies and web beacons,
  • Not to disclose in its online privacy policy the exact names of vendors, advertising networks, and third-parties it shares consumer and customer data with, and the circumstances when consumer data is shared with these companies,
  • To perform a behavioral advertising program without first notifying consumers and getting consumers' explicit permission via opt-in,
  • Not to disclose in its web site policies the offshore outsource vendors it works with and which circumstances and when it shares consumer data with those offshore vendors,
  • Not to disclose data breaches by the offshore vendors the company does business with,
  • Not to provide a mechanism for customers to communicate directly and immediately to a company representative via the company's web site using e-mail, reply forms, or similar methods.

Company executives that don't understand this and the shifting landscape are setting up their companies to go out of business, and suffer class action lawsuits.

Tuesday, June 23, 2009

10 Things You Should Know To Protect Yourself From Identity Theft

Over at WalletPop, there's a good list of tips for consumers about how to avoid identity theft and fraud:

1. Thieves don't need your credit card number in order to steal it. Conversely, they don't need your credit card in order to steal your identity.

2. The non-financial personal information you reveal online is often enough for a thief. Beware of seemingly innocent personal facts that a thief could use to steal your identity. For example, never list your full birthdate on Facebook or any other social-networking Web sites.

5. If an ATM or store terminal looks funny, don't use it. "Make sure there is no device attached to any ATM card slot... As a general rule, the mouth of a card receptacle on an ATM machine should be flush with the machine or have only a very slight lip."

8. Pay attention at the checkout line. If a cashier or salesperson takes your card and either turns away from you or takes too long to conduct what is usually a normal transaction, she may be scanning your card into a handheld skimming terminal to harvest the information. But they... can take a picture of the front and back of your card with a cell phone or merely swap out cards.

One protection tip that hadn't occurred to me when traveling on vacation or on business:

"... cut up your used hotel key cards when you check out... since these keys contain important information about you and your finances, including your name, address, phone, and the credit card you used to pay for your room. When you toss them out or leave them lying in the hotel room, anyone can pick them up and use them to steal your identity,"

To read the entire list, visit the WalletPop site.

Monday, June 22, 2009

The NAI Behavioral Advertising Opt-out Mechanism: Good or Bad?

Thanks to rcalo for alerting me to this site. If you have read this blog over the past year, then you know that I have written a lot about behavioral advertising (BA). My interest in BA is partly because some Internet Service Providers (ISPs) have attempted to use a form of BA with the Deep Packet Inspection (DPI) technology, which goes far beyond the older tracking technologies, like Web browser cookies, which advertisers have traditionally used.

Congress and consumers are right to take a long, hard look at firms using DPI. And, however favorable the FTC's proposed behavioral advertising guidelines are for corporations, those guidelines are not finalized. My interest in BA is not just the consumer privacy concerns, but the data security concerns due to the fact that company data breaches soared in 2008 compared to prior years. Too many companies don't take data security seriously enough. DPI allows companies to collect a lot of information more quickly -- and lose it later in a data breach, regardless of their claims about anonymizing the data.

Plus, ISPs play a key role in providing consumers with trustworthy access to the Internet. Even though NebuAd closed last month, Phorm is part of a larger situation where ISPs rush for advertising revenues and abuse consumer privacy.

With all of that as a backdrop, I have mixed feelings about the Network Advertising Initiative (NAI) opt-out site below, since it is predicated on a business model where all consumers are, by default, included. This places the burden on consumers to become BA experts and track which of the sites they visit use BA, in order to opt-out effectively. And, opting out is no guarantee since companies can easily include users back in BA with a change in web site privacy and terms of use policies. The whole model should be based on a default where consumers aren't included until they opt-in.

When you use the NAI site to opt-out of BA, it provides a status of the advertiser networks that have already placed a BA Web browser cookie on your computer. For me, I learned that I had active BA cookies from:

  • Advertising.com
  • Atlas
  • AudienceScience
  • BlueLithium
  • Burst Media
  • Collective Media
  • Mindset Media
  • Undertone Networks
  • Yahoo Ad Network, and
  • TACODA Audience Networks

That was far more BA cookies than I thought I had. A thorough check would be to see if any of the sites I have visited regularly mentioned any of these advertiser networks in their privacy and terms policies. I doubt it.

The NAI's BA opt-out mechanism has limitations. First, it won't protect a consumer against DPI. Second, consumers will have to use the BA opt-out mechanism again if they delete the cookies on their computer, change Web browsers, or get a new computer. Given this, the NAI's BA opt-out mechanism is not a true opt-out. Too much burden is still on the consumer, and it is too easy for a consumer to get sucked back into BA again.

If you have used the NAI site below to opt-out of BA, I'd love to hear your experiences. How did you tell if the opt-out worked? Did you see a change in the online ads displayed at the sites you visited?

When I opted out of pre-screened credit offers and telemarketing calls, it was easy to see the change. The number of pre-screened credit card and loan offers I received via postal surface mail stopped -- period. So too for telemarketing calls; those dropped to zero, too.

So, it's easy for consumers to see and evaluate the effectiveness of opting out of postal surface mail offers. But what about BA? How can a consumer tell if this BA opt-out mechanism works?

Anyway, here's the NAI video:


  • © 2007 - 2009. I've Been Mugged and George Jenkins. All Rights Reserved.