I’ve written before about the ways in which some stores are using shoppers’ WiFi enabled smartphones to track their movements through aisles and departments. Nordstrom was doing so last year but stopped after receiving countless complaints to the signs posted in stores alerting customers about this practice.
But Nordstrom’s response hasn’t stopped other brick-and-mortar stores from starting to track customers’ movements in their stores. So what can consumers do? Well, the obvious step is turning off the WiFi on their smartphones. But it’s easy for consumers to forget to do so, and some consumers don’t want to disconnect WiFi.
Moreover, many customers aren’t even aware that their smartphones are being used as tracking devices. One Maryland legislator is trying to address this issue. Amrita Jayakumar recently reported that Delegate Sam Arora has introduced a bill that, if enacted, would require stores to post very visible and prominent signs alerting customers that their physical movements are being tracked (“Privacy advocates push back on stores’ tracking”; The Washington Post; A12; March 8th). Delegate Arora’s proposed bill is just beginning its legislative journey so may or may not become law anytime soon.
There’s another option for consumers who don’t want to be tracked via their smartphones. That option is provided by the Future of Privacy Forum (FPF). FPF has created a registry allowing consumers to opt out from having their smartphones monitored. The FPF registry is a Do Not Track-type registry. FPF’s website homepage has detailed information about the registry, the stores involved and the steps for signing up. All of this information is posted under the title of “Mobile Location Analytics” (www.futureofprivacy.org).
An email went out last week over the name of Mike Perlis, Chief Executive Officer of Forbes to the million plus people whose Forbes.com accounts and passwords were hacked. Mine arrived on February 24th and outlined the steps for changing my password.
Here are the steps that were outlined in case you haven’t gotten the email yet, or just want to start a Forbes.com account:
- Go to http://www.forbes.com;
- Go to the login which will be on the top right hand corner;
- Click on the red “Need to reset your password?” “Click here” link;
- In that “reset your password” window, enter your email; the security characters that will be displayed; and then click “Submit”;
- Check your email inbox for a message from Forbes with instructions on how to proceed;
- Click on the link in the email to launch “Reset Your Password” web browser window;
- Create and enter a new password that should be a minimum of 8 characters including 1 Capital letter, 1 small letter and 1 number; and
- Click “Done” on the “Your Password Has Been Changed” screen.
I’m going to create a new Forbes.com password but haven’t done so yet. I just want to let some time pass and make sure there aren’t reports of problems and/or new issues before doing so.
Microsoft will soon be issuing updates for its Windows Phone 8. One of the interesting updates will be Cortana, a personal digital assistant that will replace the built-in Bing search feature. Tom Warren wrote about Cortana recently and described the Cortana Notebook which, he said, Microsoft is highlighting as providing users with privacy protections for their information (www.theverge.com; “Apple has Siri, and Microsoft is about to get Cortana”; February 20).
Mr. Warren writes about the Cortana Notebook feature that is intended to provide users with control over the specific information that gets shared with the personal digital assistant. Via the Notebook feature, the Cortana digital assistant will be able to access user information including location data, reminders, personal information and contact information. However, he was informed that Cortana won’t be able to “freely access information without a level of user control.”
The information that Cortana learns about its user won’t be stored in Notebook without asking for the user’s permission — and information that does get stored can be edited or deleted. Cortana will perform voice or text search requests using the stored information; it will also make suggestions based on the search requests and information.
In his article, Mr. Warren lists the other personal assistant functions that Cortana will be able to perform (e.g., asking if the user wants calendar reminders; managing notifications and phone calls during hours when the user wants these notifications muted).
All of the personal digital assistant features could certainly be useful. However, providing users with more control over their personal information through Cortana Notebook could well be one of the key updates for Windows Phone 8.1.
I couldn’t access any of the links on Forbes.com in order to change my password. I decided to see if I’d have any success by directly contacting a Forbes.com official. So I did so on February 18th and was very pleased that a Senior Vice President responded very quickly to me and provided an update as well as a copy of the email being sent out over the name of Mike Perlis, the Forbes Chief Executive Officer. I also then got Mr. Perlis’ email that was sent out to everyone whose Forbes.com password had been hacked.
Here’s the latest news from Mr. Perlis’ email:
- His email is going out to all of the readers with a Forbes.com account since all of the passwords were exposed;
- In his email, Mr. Perlis said that “…no credit card information or subscription details were revealed”;
- The log-in functionality has been disabled and all of the passwords have been invalidated;
- Forbes.com readers won’t be able to access their accounts or add comments to the site while the log-in functionality is disabled;
- Readers will be getting a follow-up email when the log-in functionality is reopened; that email will contain instructions about how readers can reset their passwords to a different one.
Mr. Perlis’ email closed with the same warning that others have expressed. He wrote “…be cautious about interacting with email, especially from senders that are unknown to you, as the list of email addresses may be used in phishing attacks or scams.”
Do you read Forbes.com? Have you created an account so you automatically get access to that site along with blogs? If so, you might be among the over 1 million readers of that website whose account was hacked and personal information stolen on February 14th. Credit for this attack has been claimed by the Syrian Electronic Army (SEA). There are excellent articles since the 14th providing the details about the attack; the defacing of the Forbes.com home page; and the “secure” website the SEA looked for and then found in order to post the names, email addresses and passwords that they had stolen.
Graham Cluley found his name among the millions posted and warns people who have Forbes.com accounts to be on the lookout for emails or links that might appear to be from Forbes. He says these could really be phishing attacks and spam campaigns by the SEA or by groups who bought some or all of the information (graham.cluley.com; “Details of over one million Forbes readers leaked online (including mine)”). Paul Ducklin also alerts Forbes.com readers that, through his own examination of the leaked data, he discovered that Forbes readers’ passwords were hashed, not encrypted, despite the security message posted by Forbes telling readers their passwords had been encrypted (nakedsecurity.sophos.com; “Syrian Electronic Army hacks Forbes, spills 1M user records – here’s what you need to know”).
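To make the “hashed, not encrypted” point concrete, here is an added example (not Forbes’ code and not from either article) of what a site actually stores when it hashes passwords, and why an unsalted, fast hash is much weaker than a salted, slow one when the list leaks. The record format, the iteration count and the sample passwords are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example: the site stores a random salt plus a slow PBKDF2-HMAC-SHA256
# digest. There is no key that turns the digest back into the password, which is
# the difference between hashing and encryption. Iteration count is an assumption.
ITERATIONS = 100_000


def make_record(password, salt=None):
    """Return what a site should store for one user: salt and salted, slow digest."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": ITERATIONS}


def verify(record, candidate):
    """Check a login attempt by recomputing the digest with the stored salt."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, record["iterations"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["digest"])


def unsalted_record(password):
    """The weak way to 'hash': one fast, unsalted SHA-1 digest per password."""
    return {"digest": hashlib.sha1(password.encode()).hexdigest()}


def leak_reveals_shared_passwords(records):
    """If two stored digests are identical, a leaked list shows those users share a
    password and one guess cracks both; salting makes identical passwords differ."""
    digests = [r["digest"] for r in records]
    return len(digests) != len(set(digests))


if __name__ == "__main__":
    # Constructed sample users; two of them chose the same (bad) password.
    weak = [unsalted_record(p) for p in ("Password1", "Password1", "Forbes2014")]
    strong = [make_record(p) for p in ("Password1", "Password1", "Forbes2014")]
    print("unsalted leak exposes shared passwords:", leak_reveals_shared_passwords(weak))
    print("salted leak exposes shared passwords:  ", leak_reveals_shared_passwords(strong))
    print("correct password verifies:", verify(strong[0], "Password1"))
    print("wrong password verifies:  ", verify(strong[0], "password1"))
```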
Here are the top 3 tips from Mr. Cluley and Mr. Ducklin:
- Change your password on Forbes.com and on any other site where you used the same password;
- Be on the alert for suspicious emails and links since the SEA made the list publicly available for sale; and
- Forbes didn’t send out emails alerting readers but other bloggers alerted them; Forbes.com now has an alert on its home page.
Here’s my key “heads up”:
- I tried changing my password on Forbes.com and couldn’t gain access to the “Log in” or “Help” links through either Safari or Chrome. I got messages on both saying the web page wasn’t available.
- This is likely due to the caveat in Forbes’ security message saying that people should change their Forbes account password “once we make sign-on available again.” As of Monday, February 17th, that sign-on wasn’t available.
This means that Forbes readers who need to change their passwords also have to be patient and diligent. Keep checking the Forbes.com website to see when sign-on becomes available and then change your password ASAP!
Consumers may wonder how it is that they get ads, emails and other information from companies with whom they have had no interaction on or off-line. Maybe they’re particularly confused if they’ve set their privacy settings to block cookies and other tracking devices.
The reality is that data brokers gather, compile and then sell lists of personal information to companies. So what can consumers do if they want to try and protect their information from being compiled and sold by data brokers? The answer is “it’s not easy” especially given the numbers of data brokers and the range of information they collect.
Julia Angwin has written a newly published book, Dragnet Nation, that focuses, in part, on her efforts to identify data brokers and then get the information that brokers have about her. I plan on reading her book as I heard her discuss it recently and have just read her January 30th article, “Privacy Tools: Opting Out from Data Brokers” posted on ProPublica (www.propublica.org).
Her ProPublica article summarizes the steps required by some of the data brokers in order for her to opt out of information collection. As Ms. Angwin writes, there’s no law requiring data brokers to offer consumers that option. She very helpfully attaches two spreadsheets to her article with the names of companies tracking information along with links to their privacy pages and, for those data brokers offering an opt-out, the instructions for doing so. As she writes, many of the data brokers require consumers who want to opt out to provide personal information and identification (e.g., a driver’s license).
Ms. Angwin’s spreadsheets of 212 data brokers provide consumers with a very useful resource. She is also very candid in describing the difficulties in finding her own information and what she calls “some minor successes” in finding data brokers who had her information and opting out.
Brian Krebs has investigated the latest in a long line of scams (krebsonsecurity.com; “Deconstructing the $9.84 Credit Card Hustle”). The Better Business Bureau (BBB) issued a “scam alert” based on Mr. Krebs’s investigation (bbb.org; “Watch Out for $9.84 Credit Card Charges”).
As outlined by Mr. Krebs and the BBB, the latest scam involves the relatively small amount of $9.84 being charged to victims’ credit cards. While the amount might be small, the impact on consumers is huge, as it means their credit card numbers have been stolen and are now compromised. Why would the scammers pick $9.84? Because they’re counting on consumers being too busy to check their credit card statements closely and overlooking a charge this small.
The $9.84 charge will look as if it’s from a website — but one that the consumer won’t necessarily recognize. Consumers who try to find out more by going to the web address will learn that it’s not the business website. Instead, as BBB and Mr. Krebs report, it’s a generic page allegedly offering “Customer Support.” That generic page instructs consumers that they can get a full refund by using either the listed phone number or email address. The BBB article states that some consumers did call and were told they would get a full refund. But BBB urges consumers not to assume the scammers are really going to do that.
What should consumers do if they find this charge on their credit card statement? Immediately follow the BBB’s advice as follows:
- Call your bank or credit card company and immediately contest the charge; and
- Cancel the credit card that was used and get a new one.
And, of course, the key starting advice is to read credit card statements carefully.
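Since the scam relies on a small charge from an unfamiliar merchant slipping past a quick glance at the statement, here is an added example (not from Mr. Krebs’s or the BBB’s articles) of the kind of check a careful reader would do by hand: scan a statement export for charges from merchants you have never dealt with, flagging small ones in particular. The CSV layout, the list of known merchants and the statement lines are all constructed for illustration.

```python
import csv
import io
from decimal import Decimal

# Constructed statement export (not real data): date, merchant descriptor, amount.
SAMPLE_STATEMENT = """\
date,merchant,amount
2014-01-12,GROCERY MART #112,54.20
2014-01-14,SOMEWEBSITE.COM,9.84
2014-01-15,CITY PARKING,3.00
2014-01-18,ONLINE SUPPORT SITE,9.84
2014-01-20,GROCERY MART #112,61.75
"""

# Merchants the cardholder recognises; anything else deserves a second look.
KNOWN_MERCHANTS = {"GROCERY MART #112", "CITY PARKING"}

# Small charges are the ones people skip over; $9.84 is the amount in the article.
SMALL_AMOUNT = Decimal("10.00")


def parse_statement(text):
    """Turn the CSV export into a list of dicts with Decimal amounts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"date": row["date"], "merchant": row["merchant"].strip().upper(),
                     "amount": Decimal(row["amount"])})
    return rows


def flag_suspicious(rows, known_merchants, small_amount=SMALL_AMOUNT):
    """Return charges from unknown merchants, with a note when the amount is small.
    Recurring small amounts from several unknown merchants are called out as well,
    since that pattern is what the $9.84 hustle looks like across a statement."""
    unknown = [r for r in rows if r["merchant"] not in known_merchants]
    amounts_seen = {}
    for r in unknown:
        amounts_seen.setdefault(r["amount"], []).append(r["merchant"])
    flagged = []
    for r in unknown:
        reasons = ["unknown merchant"]
        if r["amount"] < small_amount:
            reasons.append("small amount")
        if len(set(amounts_seen[r["amount"]])) > 1:
            reasons.append("same amount from multiple unknown merchants")
        flagged.append({**r, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious(parse_statement(SAMPLE_STATEMENT), KNOWN_MERCHANTS):
        print(hit["date"], hit["merchant"], hit["amount"], "->", ", ".join(hit["reasons"]))
```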
I’ve previously written about Facebook’s ‘Sponsored Stories’ and the controversy surrounding it. Very briefly, this was the Facebook product which turned Facebook users’ “Likes” about, for example, a place or a product, into ‘Sponsored Stories’. What were these? Turns out they were ads using the Facebook user’s profile photo. The ads then went to the feeds of the user’s Facebook friends.
A class action lawsuit was filed alleging that ‘Sponsored Stories’ violated Facebook users’ privacy rights since the ads were created without asking for permission (and allowing the user to say “no”) and without paying the Facebook user whose “Likes” were being used. A $20 million settlement was reached in August 2013. As Drew Guarini wrote, the settlement works out to about 2 cents per Facebook user (www.huffingtonpost.com; “Facebook Finally Axes Controversial ‘Sponsored Stories’ Ads”; January 10th).
But the biggest news is what’s captured in the title of Mr. Guarini’s article. Facebook just announced that it will no longer be using ‘Sponsored Stories’ starting on April 9th. This change was detailed in Facebook’s January 9th blog post for developers; there’s a link to the developer blog in Mr. Guarini’s article if you want to read the technical terms of the change.
This is good news for Facebook users. But they should also keep alert to see whether their “Likes” start being used in other ways for which they didn’t give permission.
It hasn’t taken scammers long to create more havoc for consumers following the breach of the Target point-of-sale system. What’s the latest? Phony emails, text messages and phone calls pretending to be from companies wanting to help consumers whose credit and debit cards were compromised.
How does the scam work? As outlined recently by the Better Business Bureau (BBB), the scam comes in multiple versions (www.bbb.org; “Watch for Scams Following Target Data Breach”, January 3, 2014).
In the text message version, the consumer gets a text alleging it’s from the consumer’s credit card company. The message says the consumer’s credit card’s been blocked in response to fraudulent transactions that were spotted following the Target breach. A phone number’s included in the text and the consumer’s supposed to call that number to verify his account information. The text might seem legitimate but it’s not; consumers should not call the number as it’s a ploy to get card as well as other personal information.
BBB describes the call version as follows: the consumer gets a call from the scammer who’s claiming to represent Target. The scammer asks for the consumer’s name, address, SSN and other personal information in order to supposedly see if the consumer’s credit or debit card is on the list of cards compromised in the breach.
What can consumers do to protect themselves against post-Target breach scams? In addition to the steps I’ve recommended in prior blogs, read the BBB guidance (“BBB’s Suggestions for Target Customers”; http://www.bbb.org) which offers very good advice. I’ve added some additional ideas to the following BBB advice:
- Go to the official Target website: here’s where consumers can find the official information and communications from Target (Target.com/paymentcardresponse);
- Don’t be fooled by appearances: scammers are using increasingly sophisticated technology to make their scam messages look very close to those from the legitimate, reputable company or source; I suggest that consumers always look at the incoming URL, since the scam message will often (but not always) have one that’s different from the URL of the legitimate company;
- Don’t open the links or attachments: check the Target website to see if they’re sending emails to affected consumers; otherwise, as I’ve noted in prior blogs, consumers opening links or attachments in unexpected emails could be unwittingly downloading malware; and
- Read the message carefully: typos and poor or incorrect grammar are “red flags” and absolute giveaways that the message is from a scammer and not a corporation.
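The advice above to compare the incoming URL with the legitimate company’s URL is easy to get wrong by eye, so here is an added example (mine, not the BBB’s) of doing that comparison properly: only the host part of the link counts, and it must be the company’s domain or a subdomain of it, not a domain that merely contains the company’s name somewhere. The set of legitimate domains and the sample links are assumptions for illustration; the one real address is the Target.com/paymentcardresponse page mentioned above.

```python
from urllib.parse import urlparse

# Domains the cardholder trusts for Target communications (assumption for the example).
LEGIT_DOMAINS = {"target.com"}


def host_of(url):
    """Extract the lowercase hostname from a link, treating scheme-less text as http.
    urlparse drops any 'user@' prefix and port, so 'target.com@evil.example' is evil.example."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname
    return host.rstrip(".") if host else None


def is_legitimate(url, legit_domains=LEGIT_DOMAINS):
    """True only when the link's host is a legitimate domain or a subdomain of one.
    Matching on the host's right-hand labels defeats look-alikes such as
    'target.com.example.net' (prefix trick) and 'example.net/target.com' (path trick)."""
    host = host_of(url)
    if not host:
        return False
    for domain in legit_domains:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample links of the kind a post-breach email might carry.
    samples = [
        "Target.com/paymentcardresponse",              # the real page, no scheme
        "https://www.target.com/paymentcardresponse",  # real page, with subdomain
        "http://target.com.example.net/verify",        # company name as a prefix
        "http://example.net/target.com/verify",        # company name in the path
        "http://target.com@example.net/verify",        # company name as userinfo
        "http://targe7.com/verify",                    # look-alike spelling
    ]
    for link in samples:
        print(("OK      " if is_legitimate(link) else "SUSPECT ") + link)
```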
Consumers whose cards were compromised cannot, unfortunately, relax just yet. They need to stay alert for more scammers trying to take advantage of the Target data breach.