Now You Have To Worry About Telescopes?

May 19th, 2008

Yahoo! - May 19, 2008

This Yahoo! article reports that attackers could use telescopes to read the tiny reflections of a computer screen in eyeglasses, teapots and even the human eye, recovering what is displayed. Other researchers have found ways to correlate observed keystrokes with the data being typed. This kind of interception, which reads information from physical emanations (reflections, sound, timing) rather than from the data channel itself, is called side-channel research. Do we all need privacy shields on our computer screens? And then type in the dark? Crazy.

How Easy Is It To Spy On Your Friends Online?

May 13th, 2008

WSJ - May 13, 2008 - D1

It’s easier than you might think. Googling someone is so 2007. These days a great deal of personal information is public, free and a few clicks away. You may want to check out these services to see what dirt you can dig up on yourself before someone else finds it.

  • Zabasearch.com - Provides criminal history and birth dates
  • Spock.com and Wink.com - Offers “people” search engines that find personal web pages, such as social networking profiles, buried in the web
  • Spokeo.com - Displays activity of friends on other web sites (including online shopping lists)
  • Zillow.com - Estimates the value of your home
  • Fundrace.huffingtonpost.com - Displays individual campaign donations
  • Jigsaw.com - Shares business card data among users

Many other online sites make some quasi-private information public by default. The list includes your Amazon.com wish list, Pandora.com personal music stations, Flickr.com photos, del.icio.us saved web site links and Google’s street view of your home. Many people opt-in to provide even more information to the public.

Privacy and Internet Cookies

May 5th, 2008

WSJ - May 5, 2008 - A13

The WSJ again raises good questions about how marketers track online behavior via web cookies. According to the author, the key questions remain:

  • How are personal data used?
  • Are our names, addresses, and financial and health records really secret?
  • Is anonymity permanent?

Some advocacy groups contend we should allow surfers to “opt out” of cookie tracking just as we can now opt out of direct marketing phone calls with the National Do Not Call list. Still, the $20 Billion spent on web advertising is the engine that drives the “free” Internet. How many of us would willingly trade free use for enhanced privacy? No more free email or free web searching?

Is better disclosure the answer? One WSJ site offers its own model of full tracking cookie disclosure. Clearly, the tension between usability and privacy continues to frustrate web users and marketers alike.

Once again, the best interim answer seems to be to randomize your critical private financial data and accept the loss of complete anonymity.

Credit Card Security Not Up To Snuff

April 29th, 2008

WSJ - April 29, 2008 - A9

Data breaches occur even at companies that fully comply with the Payment Card Industry Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council. Among other things, the standard requires retailers to encrypt or mask stored cardholder data, keep antivirus software updated, restrict access to card data to authorized personnel with a business need, and protect stored information with firewalls. Clearly, even when retailers do everything they are supposed to do, customer financial information can still be lost or stolen. Some recent examples:

  • Hannaford Bros. (New England supermarket chain) - Data for 4.2 million credit card holders may have been stolen
  • Okemo Mountain Resort (Vermont ski resort) - Lost card data for 50,000 customers

Security experts say that many of these attacks could have been prevented by encrypting card data at the cash register, at the moment the card is read (for less than $100 per terminal), so that it never travels across the store network in the clear; this is not required under PCI DSS. Still, that cost adds up and may be prohibitive for smaller merchants. And even if point-of-sale terminals are shored up, thieves will keep attacking merchants and merchant processors because the stolen data is so valuable.

Presidential Candidates’ Privacy Invaded, And Not By The Media

March 21st, 2008

National Public Radio - March 21, 2008

State Department contractors were caught accessing the passport records of presidential hopefuls Barack Obama, Hillary Clinton and John McCain. Luckily, monitoring software that flags access to high-profile individuals’ files caught the snooping, but, of course, average Americans don’t enjoy the same enhanced protections.

Ira Flatow used this incident to launch an NPR Science Friday Online Privacy discussion. A couple of highlights:

  • Users “pay” for Internet sites with personal information, but it is not clear the value-received matches the privacy cost. Facebook provides a great example of users freely sharing information with friends and not truly understanding the cost of the privacy loss until much later (e.g., when your party photos become public and threaten your Miss America pageant hopes).
  • The social contract between site operators and users is critical to maintaining any web privacy (e.g., Google’s Gmail will use personal information in your email inbox to place targeted advertising, but not re-sell that personal information to third parties).
  • Online privacy could take a significant step forward if web site operators changed from an opt-out to an opt-in policy for using information collected from site users.

Whether information is financial or not, it seems clear that users need to act more proactively to shield information from misuse rather than relying on the social contract and technologies to protect data already collected.

Mathematicians Are Too Darn Smart

January 11th, 2008

Discover Magazine - January 2008 - P. 45

Discover Magazine ran a short article in its January 2008 issue explaining how computer scientists in Switzerland (it just had to be the Swiss, they of ultimate banking privacy and security) are getting closer to factoring the 1,024-bit numbers that underpin the encryption used to secure Internet messages.

I’m no mathematician, but apparently hackers could use this new factorization technique, along with distributing the work across multiple computers, to crack a random 1,024-bit number more quickly.

We’re in no imminent danger of unsecured Internet transactions, but this highlights the need to move beyond relying on technical protocols alone toward more basic data devaluation, i.e., make the data worthless so no one has any incentive to steal it.
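To make concrete why a faster factoring method matters, here is an added example (not from the Discover article, and not the Swiss researchers’ technique) showing that factoring the public modulus of an RSA key is the same thing as recovering the private key. It uses Pollard’s rho, a simple textbook factoring algorithm, on constructed 17-bit primes; the names, the primes and the sample message are all my own. Against a real 1,024-bit modulus Pollard’s rho is hopeless, which is exactly why an improvement to the serious algorithms (the number field sieve) is newsworthy.

```python
import math


def rsa_keygen(p, q, e=65537):
    """Textbook RSA key generation from two primes.

    p and q are assumed to be prime (constructed toy values, far smaller than
    any real key); no primality check is done here.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (n, e), d


def pollard_rho(n):
    """Return a non-trivial factor of the composite n (Pollard's rho, Floyd cycle finding).

    Runs in roughly n**(1/4) steps, so it is fine for a toy modulus and
    useless against a 1,024-bit one.
    """
    if n % 2 == 0:
        return 2
    for c in range(1, 100):  # retry with a new polynomial constant if gcd hits n
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n          # tortoise: one step
            y = (y * y + c) % n          # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ArithmeticError("Pollard's rho failed for this n")


def factor_rsa_modulus(n):
    """Split n = p * q into its two prime factors, smaller first."""
    p = pollard_rho(n)
    q = n // p
    return tuple(sorted((p, q)))


def recover_private_key(n, e):
    """The attacker's step: from the public key alone, factor n and rebuild d."""
    p, q = factor_rsa_modulus(n)
    return pow(e, -1, (p - 1) * (q - 1))


def encrypt(m, pub):
    n, e = pub
    return pow(m, e, n)


def decrypt(c, n, d):
    return pow(c, d, n)


if __name__ == "__main__":
    # Constructed toy primes (the 9,999th and 10,000th primes); a real key
    # would use two primes of about 512 bits each.
    P, Q = 104723, 104729
    pub, d = rsa_keygen(P, Q)
    n, e = pub

    message = 123456789  # constructed sample plaintext, must be < n
    ciphertext = encrypt(message, pub)

    # The attacker sees only (n, e) and the ciphertext.
    d_recovered = recover_private_key(n, e)
    print("factors:", factor_rsa_modulus(n))
    print("private exponent recovered:", d_recovered == d)
    print("plaintext recovered:", decrypt(ciphertext, n, d_recovered) == message)
```

The point of the exercise is the shape of the attack, not the speed: once `n` is factored, rebuilding `d` is a one-line modular inverse, and every message ever encrypted to that key, including recorded traffic, falls with it. That is why the author’s “data devaluation” point stands: a key that becomes factorable later exposes everything that was protected with it earlier.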

Be Careful With Web Pay Alternatives

January 10th, 2008

WSJ - January 10, 2008 - D5

Alternative web payment systems (PayPal, Bill Me Later, eBillMe, etc.) can be useful, but there are some pitfalls:

  • Fraud protection on unauthorized purchases with credit cards is mandated by federal law. Fraud protection with alternative web payment systems is voluntary and limited.
  • Services that extend a new line of credit (and then max out that line) can cause a precipitous drop - up to 100 points - in your credit score.
  • Interest rates can be much higher on pay later services, ~20% annual rate versus ~14% for the average credit card.

Buyer - and payer - beware.

Web Shopping: Good, Bad and Ugly

December 5th, 2007

WSJ - December 5, 2007 - D1, D8

Several WSJ articles cover the good, the bad and the ugly of online holiday shopping.

The Good

Online payment systems are rolling out incentives to capture part of the estimated $28 Billion in online shopping during the 2007 holiday season. These services are becoming widely available so some of these offers could really translate into big savings.

  • PayPal partners with retailers such as Barnes & Noble, eToys, and Blue Nile to offer up to a 20% credit on purchases
  • Bill Me Later subsidizes shipping costs (always a customer pleaser) and defers billing at retailers like eToys Direct and KB Toys
  • Even Google Checkout has gotten into the act with free shipping on orders of $50 or more with some merchant partners and is offering United or Continental Airlines miles for purchases

The Bad

Online shopping increases during the holidays and that provides even more opportunities for criminals to steal data and defraud consumers. With $198.4 Million in fraud losses in 2006, it’s clear that cyber criminals aren’t going away.

The Ugly

It’s 2007 (more than a decade since the rise of e-commerce) and still no widely available online payment system offers real protection against fraud, identity theft and privacy invasion.

  • PayPal offers some anonymity when buying online (which is a good step forward), but they have been notoriously lax in protecting against fraud and truly serving customer interests. (Just Google “PayPal fraud” to get up to speed on some of the problems.)
  • Bill Me Later simply changes the information that’s at risk. Rather than exposing your bank card number, address and name, you share the last four digits of your SSN, your DOB and your name, which are the same fields many institutions use to verify identity, so a leak enables identity theft rather than merely card fraud. Here we see convenience trump security.
  • Regular bank payment cards (debit and credit cards) provide good fraud protection: federal law caps your liability at $50 on credit cards, while debit cards get good but less comprehensive protection (liability depends on how quickly you report the loss and can reach $500 or more if you report late). But these cards clearly don’t protect your privacy and offer no real safety from ID theft.