Credit card data breaches cost big bucks

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

Javelin Strategy & Research "estimates that credit and debit card issuers spent $252.7 million in 2009 replacing more than 70 million cards compromised by data breaches."

In 2009, "an estimated 39 million debit cards and 33.3 million credit cards were reissued due to data breaches, for a total of 72.2 million. An estimated 20% of those affected by the breaches had more than one card replaced." I had my MasterCard replaced twice.

Javelin's survey shows that "26%, or one out of four U.S. consumers received a data breach notification last year from a company or agency holding their personal data, including credit and debit card or checking account information."

What is very interesting is "of those notified (which is required by law in most states), 11.5% were victims of identity fraud compared with only 2.4% who weren’t notified."

I’ll say this again and then explain what I think this means. They say "a consumer who has been notified that his credit or debit card number was compromised is five times more likely to become a victim of identity fraud than a person who doesn’t get such a notice."

The report's reasoning behind this is that data breaches lead to fraud. Okay, yes, I’ll agree that data breaches do lead to fraud, and my belief is that the people who were notified simply took a closer look at their statements and recognized unauthorized charges. If they weren’t notified they are no less susceptible to fraud, they are just blissfully unaware they are paying for an identity thief's Las Vegas bender, and the fraud goes undetected.

DigitalTransactions explains, “Data breaches are one obvious pathway to fraud, but a breach alone doesn’t mean an affected consumer will become an identity-fraud victim. Banks often give free credit-report monitoring services to customers whose data may have been compromised.”

The flaw here is that credit monitoring only makes the consumer aware of new account fraud, when a Social Security number is used to open a new account. Credit monitoring has nothing to do with credit card fraud in which an existing account is compromised. Furthermore, in my experience credit monitoring is hardly ever provided when a credit card number has been compromised. Credit monitoring doesn’t help when an existing account is taken over.

“There’s a disconnect,” Javelin tells Digital Transactions News. He tells consumers to “pay attention to your credit reports after you’re notified, because you’re more vulnerable.”

Yes, it's true that if your Social Security number has been compromised, you are more vulnerable to fraud from a new unauthorized credit card taken out in your name. You are not more vulnerable to fraudulent charges on an existing credit card since your credit card number is not your social security number. Banks cancel compromised credit cards, so there shouldn't be any risk of account takeover there. And monitoring a credit report does nothing to prevent credit card takeover fraud.

The only way to combat credit card account takeover fraud is to pay close attention to credit card statements, while credit reports and credit monitoring are essential to prevent or detect new account fraud. Click here to read reviews of credit monitoring services.

I recommend checking your credit card and bank statements every day, or at least once a week, from a secure PC.

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with McAfee to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses credit and debit card fraud on MSNBC. (Disclosures)

• Tweet

Replacing stolen passports and credit cards

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

Travel season is upon us. Summertime is all about exploring new and exciting places. It’s the season of planes, trains, automobiles and… criminals. When you are out of your element and unsure of your surroundings, you are at a higher degree of risk. Travelers need to be on high alert for property crimes and identity theft.

Years ago, before my wife was my wife, she was traveling in Spain. She got off the plane, headed for the rental car terminal, rented her car, and drove off the lot. At the first stop sign, a man knocked on her passenger window and pointed, saying, “Tire, tire.” She put the car in park and walked over to the passenger side. The tire was fine and the man was gone. So she got back in the car and found that her purse had disappeared from the front seat. Her driver’s license, passport, cash, and credit cards were all gone. What a nightmare! When she went to the police, they asked, “Were you a victim of the flat tire scam?"

You’d think the rental car agency could have warned her. But the lesson here is that you cannot rely on others to protect you. You are ultimately responsible for your personal security.

Fortunately, she is a resourceful person and was able to handle the crisis quickly and efficiently. If your passport is ever lost or stolen in a foreign country, you can apply for an emergency replacement at the nearest embassy. Generally you'll need to show up in person, and it helps to have a traveling companion to vouch for you. The embassy will need to see some type of verification of your identity, and they'll likely request a copy of the police report.

When traveling, consider carrying your essential documents in a money belt or one that hangs from a lanyard around your neck, hidden under your shirt. You should always carry photocopies of your identification, but they won't do you any good if they're stored in the same purse that was just snatched from your rental car. One smart option is to scan all your pertinent documents in full color and upload them to a secure web-based encrypted digital vault. Some of these services are free, while others charge a small fee. In a pinch, you can download the necessary document from any computer with Internet access, and print a new copy.

For more information on coping with a lost or stolen password, see this list of frequently asked questions.

A lost or stolen credit card requires a different course of action, and its effectiveness largely depends on your preparation. Before traveling, call your card issuer and inquire about their policy for replacing a card. Pack a copy of your credit card that includes the front and back impression. If your credit card is lost or stolen, call the issuer and cancel the card as quickly as possible to mitigate any losses. In the best case scenario, the company should issue a replacement card and ship it overnight at no charge. Most card issuers will accommodate you, and if you find out ahead of time they won’t, find another card issuer.

In an emergency, you can always ask a friend or family member to wire you money. When a U.S. citizen encounters an emergency financial situation abroad, the Department of State’s Office of Overseas Citizens Services (OCS) can establish a trust account in the citizen's name to forward funds overseas. Upon receipt of funds, OCS will transfer the money to the appropriate U.S. embassy or consulate for disbursement to the recipient. The State Department's travel website offers more details on emergency money transfers.

And always be sure to carry some spare cash. Tuck it in that money belt so even if your purse or wallet is stolen, you'll be in good shape.

You can protect yourself at home an abroad by investing in identity theft protection. That way, if your documents go missing you can limit the potential damage the criminal can do to your credit and reputation.

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with McAfee to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses travel security on Fox News. (Disclosures)

• Tweet

#vuvuzelabanned seems like a scam

The vuvuzela: it's annoying at soccer games, but it's also becoming a nuisance online. First, Webroot reported that a company was selling a bogus anti-Vuvuzela MP3 file that would reportedly cancel out the noise (it's a waste of money, and possibly malware to boot). Today, we found something new. There's a suspicious retweet claiming that "OMG! Vuvuzela Banned!" The tweet is spreading through bots and seemingly real twitter users alike. We're not sure if "OMG! Vuvuzela Banned" is a worm, virus, or bot, but the shortened urls that accompany the posts lead to a suspicious looking .php url at an unknown Russian domain. Even among seemingly legitimate users there seems to be some odd and consistent pairings of tweets, either offering free iPhones or links to "hot" or "sexy" content accompanied by an emoticon:

We didn't blur out any of the shortened urls in the above images, but needless to say, we don't recommend visiting them. It's reminding me a bit of the cari-weightloss Twitter spam we reported on a while back. If you see the "OMG! Vuvuzela Banned!" come up in your Twitter feed, just stay away. Really, what you end up with may be worse than a buzzing plastic horn. And so far there's no news reporting that it's been banned in the World Cup.

As always, surf smart, use a URL lengthener before clicking on a shortened url, and use Internet security software and keep it up to date. If you do click on the wrong link, it just might save your computer. You can check out our Internet security software reviews to find the Internet security software that's best for you.

• Tweet

Laptop theft: It happens all the time

A friend of mine had his laptop stolen this weekend. He was using it in a public place. Laptop theft is a common crime. In the neighborhood I live in, criminals make a habit of scanning coffee shops for unattended laptops. When people get up to grab a packet of sugar, go to the bathroom, or take a phone call outside, the thieves strike. Unfortunately, what a lot of us assume is that someone at a nearby table will 'know' that the laptop doesn't belong to the thief. We think our neighbor, deeply engrossed in their own work, will stop and say, "pardon me sir, that unattended laptop is not yours." Most people, however just aren't paying attention. And many, even if they are, don't want to get involved.

Laptop theft happens from places other than coffee shops too. It happens at offices. We think offices are secure, but a thief knows how to look like he or she belongs. The thief acts like a maintenance worker, a delivery person, or someone just waiting for a friend. And we like to think that our coworkers would ask a stranger what they're doing. But generally people assume the best of others, or they're too busy, polite, or scared to get involved. Laptop theft: it happens.

You can buy a lockdown cable for your laptop. This is a good idea, but not fool proof. The best thing to do is act a bit like you know it's going to get stolen. Yes, just assume that someone will walk off with it. Heck, even if you keep an eye on your laptop in a cafe, someone may be keeping an eye on you when you exit. And it's just not worth your life to defend your laptop.

If you assume your laptop is going to get stolen, you'll do two things:

1) Set a password on your laptop. Make it a good password and be sure your system requires a password to wake the computer from sleep. Do the same for the screen saver.

2) Get online backup. Let's face it: the most valuable thing on your laptop is the data (see point 1, above). Not only do you want to keep others from accessing it, you want to be able to rescue it. Backing up to an external drive is a good practice, but for those on the go, online backup is the only option that makes sense for keeping up-to-date backups. To find a good online backup provider, checkout NextAdvisor's online backup reviews.

• Tweet

What contingency plans do online backup services have in case their servers crash or are destroyed?

The following is an actual user-submitted question:

Q: What contingency plans do online backup services have in case their servers crash or are destroyed?

A: For an answer to this question, we looked at a blog post written on Carbonite's blog:

Carbonite uses RAID-6 redundant arrays which spread copies of the data across multiple hard drives. Each array has 16 drives. Three of the 16 would have to fail simultaneously and the user’s PC would have to crash at the same time before any data would be lost. These RAID-6 arrays are 36,000,000 times more reliable than the hard drive in your computer. We have redundant power, redundant Internet connections, redundant Web servers and so forth. The data center is guarded 24 hours a day, seven days a week; and admission is controlled by fingerprint ID locks.

The blog post further describes the data center as "bomb proof." So, short of a meteorite smashing into Carbonite's data center (at the very moment when your hard drive fails), you're pretty safe. Of course, meteorites and coincidences  do happen, which is probably why backup provider, SugarSync backs up your data at "two geo-redundant, carrier-grade data centers." That way, if something should happen to one data center, your data is also backed up at another. Really this is probably the safest option, though the chances of such a catastrophic failure are incredibly slim.

In short, we think you're safe with any of our picks for online backup services.

• Tweet

Feel the love, Apple-style

The launch of a new online dating site only for Apple enthusiasts has the online community aflutter.  Cupidtino caters specifically to Apply fanboys and fangirls who can't get enough of their Mac/iBook/iPhone 4 and thinks their mate should feel the same way.  The site launched it's beta version this month and already has 16,000 members.

Have a PC?  You're outta luck.  Cupidtino recognizes the operating system and browser you're trying to access the site through and will only let those using an Apple device (Mac or iBook) sign up.  PC folk are redirected to a parody of the PC/Mac ads that have been so prevalent the last couple of years.

Don't worry if "you're a PC" though, you can still sign up for one of the more popular (20 million members and counting) online dating sites we've reviewed.

• Tweet

I went to annualcreditreport.com to get my credit report, and it is saying I've already used another website to my credit reports – but the last time I used that website was 2009. Can I still get my credit reports mailed to me, or do I have to wait until next year to get them?

Q:  I went to annualcreditreport.com to get my credit  report, and it is saying I've already used another website to get my credit reports – but the last time I used that website was 2009.   Can I still get my credit reports mailed to me, or do I have to wait until next year to get them?

A: I'm not clear about what type of error message you received at annualcreditreport.com, but it seems you may have already received your free credit reports from another website.  This can happen if you have already requested your free credit reports from the 3 credit bureaus (Experian, Transunion and Equifax).

Basically, annualcreditreport.com is directly accessing each of the 3 credit bureaus to retrieve your free credit report.  In fact, they literally send you to each of the 3 credit bureaus' websites.  The credit bureau then accesses your records, and can see if you've already received your free report.  If you've gotten one in the last 12 months you won't be able to get another until that 12 month period is up.

We actually strongly recommend that you sign up for one of our top reviewed credit report monitoring services.  This is because your credit report is just a snapshot in time of your credit history.  It can change 5 minutes after you get your free copy, and you wouldn't know about it until you got your next free one in a year.

Credit report monitoring services will actively and constantly monitor your credit history, and update you if there are any changes.  This is the easiest and least expensive way to know exactly what's going on, and to be alerted if there are any potentially negative changes.

• Tweet

AT&T's iPhone security breach

No, this is not a rerun. But with AT&T it's déjà vu all over again. Less than a week after it was revealed that a (relatively minor) AT&T security breach leaked 144,000 email addresses, the company has allegedly had a serious security meltdown that granted AT&T subscribers access to other AT&T subscribers' accounts. It seems that AT&T was not prepared for the onslaught of iPhone upgrades.

The iPhone will get its fourth major release on June 24th. Those looking to upgrade through AT&T at the stores met with crashed computers. Those at Apple stores didn't have much better luck. Those trying the same thing from home may have found themselves logging into accounts that weren't their own.

According to Gawker, whose love-hate relationship with Apple is approaching an obsession, "An AT&T customer logged in to his wireless account to attempt to pre-order the forthcoming iPhone 4. The next thing he knew, he was staring at a stranger's account screen." They have photos to prove it, though it's kind of a hard thing to prove with photos. The Wall Street Journal is also reporting it, though it's not apparent they have corroborating evidence. AT&T and Apple have yet to say anything either.

This was not seemingly the result of a hack, and one would think that those simply looking to be early iPhone adopters would not take advantage of a security snafu to do whatever one could possibly due with access to an AT&T account. Still, AT&T customers have to be thinking more and more about leaving the network. If you're an AT&T customer thinking of upgrading to the newest iPhone, you might want to think about identity theft protection instead.

• Tweet

Do you have a diet containing no wheat, barley or rye for celiac patients?

Q: Do you have a diet containing no wheat, barley or rye for celiac patients?

A: That's a tough one.  The majority of meal delivery plans do include gluten, so they wouldn't be appropriate for those with celiac disease.  However, we were able to find some potential options.

Medifast offers products that have been certified "gluten free" by the Gluten Free Certification Organization.   These include eggs, shakes, soups and puddings.  However, Medifast does require that you provide one meal a day to supplement the meals they ship you.

eDiets has a wheat-free meal delivery plan, but their plan may include products that contain gluten, such as rye, barley or oats.  Bistro MD has some gluten-free meals in their plan, but not a full menu.

• Tweet

Can online backup be used as a primary storage device as you would use your computer?

The following is an actual user-submitted question:

Q: Can online backup be used as a primary storage device as you would use your computer?

A: This is an interesting idea, but it's not really what online backup is meant to do. Online backup works by mirroring the irreplaceable portions of your computer's hard drive: i.e. the documents folder. But your computer's hard drive does much more than just storing documents. It also stores the necessary applications and system software which allow your computer to function, something you could never use these online backup services to do.

Some devices, such as netbooks, use pure cloud-based storage, and online apps (such as Google apps). It's something which just hasn't caught on withe majority of users, mostly because it's just a little too virtual. Using a local drive with off-site backup gives you the most security and flexibility because you can access and save documents even if your Internet connection is down.

• Tweet