Geoffrey Fowler reviews tech issues for The Washington Post ( I regularly read his columns because he provides insightful expertise. He’s written a column about the Amazon Key that I urge everyone to read (“Amazon wants a key to your house. I did it. I regretted it”; Sunday, December 10; page 1, Business).

Mr. Fowler’s first-hand  assessment is very objective notwithstanding that Jeff Bezos owns The Washington Post and is also Amazon’s Chief Executive.

His cautionary tale is important for anyone considering buying the $250.00 Amazon Key that allows Amazon delivery personnel access, via an Internet-connected lock, to Amazon Key users. Sounds like a good anti-theft device, right? As Mr. Fowler writes, that initial appeal pales in comparison to the reality that using the Amazon Key means giving Amazon  the ability to become the operating system for the user’s entire house.

Mr. Fowler provides details about using the Amazon Key, his reactions and those of his family and — ultimately — their decision to stop using Amazon Key.

Uber not only sustained a breach of 57 million accounts but it hid that information for over a year — outrageous!! The accounts hacked included payment information, names and other personal and financial information. The hacked data comes from accounts of Uber customers and drivers.

In announcing this massive breach, Uber said — as if this would be great news — that no Social Security Numbers were included in the data that was stolen.

Seriously, that’s cold comfort to the millions of people whose accounts were breached.

Uber customers and drivers must pay especially close attention to your financial accounts to see if your data’s being used by the hackers. That is particularly important with all the holidays during which so much spending with credit and debit cards happens.

Over the last week or so, there have been articles (i.e., New York Times) about disturbing and inappropriate YouTube videos aimed at young children. Sarah Buhr has published a very informative article summarizing the situation in TechCrunch (“YouTube implements new policy to flag inappropriate videos targeted at children”;; November 10).

As Ms. Buhr writes, YouTube is now implementing a new process that will — hopefully — stop young children from being able to access in the main YouTube app these types of videos. The videos have ranged from just being odd or strange to truly disturbing. As she writes, the videos have been targeted at young children using key words as well as children’s characters that are popular with them.

Parents with young children will need to double-check any YouTube videos being accessed by their children to make sure the new policy/process is in place — and more importantly, that’s it’s working.

As I’ve written in prior blogs, the EU General Data Protection Regulation (GDPR) is going to impose significant privacy and security requirements on U.S. companies that might fall within its reach. I was recently interviewed by Allison Proffitt, an editor and reporter for several health related publications.

One of the significant implications that I raised with her is the GDPR’s impact on U.S. based clinical trials. She quoted me at length in her recent article about this very issue. Her October 24th article is titled “What Europe’s New Privacy Regulations Mean for US Trials” and can be found at

This will come as no surprise given the way Yahoo has handled the 2013 data breach.

Yahoo announced yesterday (October 3rd) that all –yes ALL — 3 billion of its 2013 user accounts were breached. Originally, Yahoo had announced that it was only (!!) 1 billion user accounts that had been hacked.

Yahoo keeps saying that no credit card information or unencrypted passwords for these hacked accounts “appear” to have been stolen by the hackers. Okay, so let’s hope the next Yahoo announcement isn’t one that changes their hedging their liability language of “appear to have been stolen” to “uh, sorry folks but this information was stolen.”

As much as I dislike raising the specter of worse potential news to come, Yahoo’s assertions about this breach doesn’t engender much trust.

The Better Business Bureau (BBB) is warning consumers to be aware of scammers trying to make things even worse for victims of the Equifax data breach (; “Scam Alert: Con Artists Bank on Equifax Breach”).

How does the scam work? BBB warns consumers that scammers are sending out robo calls with a message that the call’s from Equifax which needs to verify the consumer’s account information. Asked to stay on the line, the call’s then connected to a “representative” who will try to get the consumer to reveal her personal financial information.

Don’t do it! Hang up the call ASAP! Yes, consumers getting these scam calls could be among the 143 million people whose information was hacked. But, per BBB, Equifax won’t (we hope) be calling consumers to confirm account information.

In addition to hanging up, BBB alerts consumers not to trust “caller ID”. Scammers know how to “spoof” phone numbers so their calls appear to be from a legitimate company or government organization.

Be alert for these phishing phone calls. Unfortunately, more scams are likely to keep emerging as scammers create more ways to use the massive Equifax breach for their criminal ends.






Equifax announced yesterday a breach of historic proportions — up to 143 million consumers whose most sensitive data has been breached. This includes SSNs, dates of birth, addresses and whatever other data Equifax — a credit reporting agency — has on millions and millions of individuals.

Everyone needs to go ASAP to the website they’ve created to see if they are among the millions whose information has been hacked. That website is: The first step on that site is the “Check Potential Impact” tab where you enter your last name and the last 6 digits of your SSN. Doing so brings up a message of either “no impact” or “thanks” with a date on which to enroll in TrustedIDPremier — meaning that you’re among the millions whose information has been hacked.

The public will likely never know how this happened. Consumers have to be pro-active — go to the Equifax site; go to the Federal Trade Commission website ( to learn about additional protective steps to take; and of course, keep a very close eye on credit card statements and bank accounts.


Phishing scams continue to proliferate. As Graham Cluley wrote in a recent article, one of the main reasons for this ongoing problem is that users keep clicking on links and/or attachments in emails and other documents. But Mr. Cluley also noted in that same blog that Google is taking a pro-active step to help Gmail users avoid links and attachments meant to capture and/or infect the users’ iPhones and other devices (; “Gmail now warns iOS users about suspicious links in fight against phishing threats”; August 14).

As Mr. Cluley wrote, Google just announced this new anti-phishing security check for Gmail. Now when a Gmail user clicks on a link that’s been detected to be suspicious on an iPhone or iPad, an alert reading “Suspicious link” will pop up on the screen. The user will be advised to confirm whether the link or attachment is valid. The very useful steps Gmail users should take when seeing such an alert are outlined in both Mr Cluley’s blog and the Google announcement (

Gmail users should read Mr. Cluley’s blog and the Google announcement to familiarize themselves with these steps ahead of time. That way, they’ll be ready in case they ever see the “Suspicious link” alert.

The FBI’s Internet Crime Complaint Center (IC3) issued an alert about a music application gift card scam (ONLINE SCAMMERS REQUIRE PAYMENT VIA MUSIC APPLICATION GIFT CARDS;;August 1, 2017). IC3 has been receiving consumer complaints about this scam which is part of multiple fraud schemes.

This is such a complex web of scams that I am including the following description from the IC3 alert:

“[t]hese schemes include auction frauds, employment/opportunity scams, grandparent scams, loan frauds, romance scams, ransomware, tax frauds, and various other online schemes. In this scam involving music application gift cards, the perpetrator directs the victim to a specific retailer to obtain music application gift cards of varying amounts. Once the victim has purchased the gift cards, the perpetrator directs the victim to reveal the numbers on the back of the cards and provide them to the perpetrator via telephone, email, text, or a designated website. Once the perpetrator obtains the music application gift card data, the perpetrator either continues to request additional funds through more gift card purchases or ceases all communication with the victim. The financial impact to victims can range from hundreds to thousands of dollars. IC3 victim complaint data from January through June 2017 involving music application gift cards indicate that these scams have impacted hundreds of victims with reported losses exceeding $6 million. This scam is also associated with other fraud scams involving victims having won a prize, needing to pay a tax debt, having qualified for a loan, or that a friend or relative is in trouble and needs a payment via music application or other prepaid gift card to assist.”

I encourage everyone to read the complete IC3 alert. It includes steps to try and avoid becoming a victim of an online scams and/or to take if a consumer believes she is or might be, a scam victim. Consumers can file a complaint about online scam at As IC3 notes in all of its online scam alerts, there is no dollar requirement for filing such a complaint; the IC3 does request that the filer provide as much information about the scam as possible.

Scammers are using LinkedIn to get consumers’ money and/or personal information. The Better Business Bureau (BBB) has published an alert about this latest scam (; “Scammers Use Bogus Connection Requests on LinkedIn”).

How does this work? Per the BBB blog, there are several variations with all of them coming via a LinkedIn message that looks and sounds as if it’s from a legitimate recruiter. The scammer might have even created a legitimate looking LinkedIn profile. In one version, the scam message asks the recipient to fill out an online job application that could even ask for an uploaded resume or other personal information (e.g., SSN, address). Another version asks the recipient to respond with an instantaneous “you’re hired” message popping up and asking the recipient to pay first for training and/or other expenses before the “official” job offer is sent.

These types of overtures are appealing, particularly in a tough job market. But don’t fall for it or the only result could be lost money and potential identity theft.