Showing posts with label Privacy. Show all posts

Sunday, July 31, 2011

Legitimate Credit Monitoring Offer or ...?

Breaches in consumer account data are prevalent. Unless you're a child or live on the street and use only cash for everything, you probably received a notice from a lien holder that its data was broken into. Your notice might include a free offer of credit monitoring. All you have to do to accept this free offer is to navigate to a website and enter every last bit of personal information you have.

"Yeah right," you think to yourself, or you should.

Certainly I knew that Countrywide bank, with whom I had a mortgage, had data stolen several months ago. But how could I ascertain whether the offer of free credit monitoring was just another scam, a bit of clever social engineering? I called the phone number, which was answered by a pleasant-sounding female voice recording. She identified ConsumerInfo as an Experian company. But anyone could take out a toll-free number and find a pleasant-sounding female to record.

I decided to go directly to the Experian website instead. I was familiar with them, since I occasionally get a free credit report from them every three months or so. I searched the site and found this reassuring FAQ result¹:
Dear Experian,

I received a letter about an incident with an archive tape being lost with critical data. The letter offers a free subscription to Triple Alert. The site does ask for a Social Security number, birth date, etc. The letter provides a number to verify the issue, but how can I verify it separate from the letter?

- BAR

Dear BAR,

-snip-

Your question is a very good one. Here are a few tips for verifying the information for contacting Experian is legitimate:

* Look closely at the Web address provided in your notification letter. Experian owns and operates several different Web sites that provide consumers with credit monitoring products. The following Web addresses are legitimate Experian Web sites:
  * partner.consumerinfo.com
  * partner.experiandirect.com

Please note that there may be other information after the “.com” part of the address. This other information also is legitimate and is no cause for concern.

And so I signed up for the service rather than let the offer lapse as I've done two other times.

Perhaps this will help you figure out whether to accept your offers.
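
The address check the FAQ describes, as an added example (not code from this post or from Experian): it compares the host of a URL by exact match against the two listed names, because extra text is harmless only after the first "/" that follows ".com"; extra labels before that slash, or text before an "@", name a different host. The HTTPS requirement and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Hostnames the Experian FAQ quoted above lists as legitimate.
LEGITIMATE_HOSTS = {"partner.consumerinfo.com", "partner.experiandirect.com"}

def check_notice_url(url):
    """Return (ok, reason) for a URL printed in a breach-notification letter."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "not a parseable URL"
    # Assumption added here: a form asking for an SSN must be served over HTTPS.
    if parts.scheme != "https":
        return False, "not HTTPS; personal data would be sent in the clear"
    # "https://trusted-name@other-host/" connects to other-host, not trusted-name.
    if parts.username is not None or parts.password is not None:
        return False, "text before '@' is not the host"
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, "internationalized name; possible lookalike characters"
    if host in LEGITIMATE_HOSTS:
        return True, "host matches the published list exactly"
    for good in LEGITIMATE_HOSTS:
        if host.startswith(good + "."):
            return False, f"'{good}' is only a prefix of the real host '{host}'"
    return False, f"host '{host}' is not on the published list"

# Constructed sample URLs (the paths and the .example hosts are made up).
SAMPLES = [
    "https://partner.consumerinfo.com/offer?code=ABC123",
    "https://partner.consumerinfo.com.signup.example/offer",
    "https://partner.consumerinfo.com@signup.example/offer",
    "http://partner.experiandirect.com/offer",
    "https://partner-consumerinfo.com/offer",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_notice_url(sample)
        print("OK    " if ok else "REJECT", sample, "->", reason)
```

Only the first sample passes; the second and third contain a listed name in full yet resolve to a different host.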



¹ http://www.experian.com/ask-experian/20080709-ensuring-security-breach-notices-are-legitimate.html

Monday, September 14, 2009

Are They Nucking Futs?

When someone joins Facebook, it presents a list of members the person might know. The idea is that anyone can start out right away with a network of friends.

I discovered this about one month ago, when I first joined. My new account hadn't even been confirmed when I saw the names of a couple of dozen Facebook members to invite as friends.

I joined Facebook only because my daughter joined. Why my daughter joined Facebook is interesting.

She received an e-mail from a family friend, my wife's adult friend, "AS". The e-mail invited my daughter to view some photos that AS posted on her Facebook account. However, AS's account is not public. So when my daughter, my impressionable 11 year old daughter, clicked through to view those photos, she was directed to join Facebook. Which she did because she assumed AS wanted her to, and that it was okay.

But Facebook does not allow minors to join without some extra effort. So she lied about her year of birth. (That's regrettably something I actually told her that I did when I created an account for her on DeviantArt.) She chose 1981 as the year of her birth, making her 28, and she got on. She quickly befriended a few adult folks whom we know. I wasn't too upset about that, because she didn't use her real name or photo, and I maximized the privacy options.

Facebook's advertisements appear on the right sidebar. But they're designed to blend in nicely with the site so as to appear to be regular content. You can clearly see the word "Sponsors" above the ads and ignore them, unless you're an impressionable 11 year old.

Now for some conjecture. I assume that what happened next is that an ad for MyYearbook appeared on Facebook. It invited my daughter to join and meet her friends online. What I do know is that her e-mail account had messages from the MyYearbook accounts of sleazy, leering, shirtless 16 year old boys. And when I went onto MyYearbook (logged into the computer as my daughter), I saw that her profile page had her first and last name, plus our town and state. And it said that she was 17 years old. I nearly blew a gasket.

But I managed to calmly ask my daughter what MyYearbook was. (Had I been even calmer, I'd've said, "Hey, I heard about this neat website called MyYearbook," and she might've talked freely about it.) Anyway, she was upset when I showed her that her name and town were out there. And she asked me if I could delete it, which made me feel better. Because it's quite possible that she was upset about being caught, not about her violation of privacy. She also decided that she didn't need to belong to Facebook, either, so we closed that account, as well. An interesting side effect of all this is that she spends a lot less time on the computer.

Now back to the subject of the post. It used to be that when folks got e-mail accounts, they were very careful not to give their e-mail addresses out lest they get inundated with spam. When I created my Yahoo ID back in 1997, I used the account only as a throwaway e-mail address. I wouldn't dare send anything to a friend or put friends' e-mail addresses into my Yahoo address book for fear that Yahoo would spam them. But today, incredibly, some folks see nothing wrong with giving to Facebook their login credentials and permission to access their e-mail accounts.

Thanks to brilliant Facebook marketing, the idea seems innocent enough. Facebook offers to find your friends, which it can do most easily if you let it log onto your online accounts and comb through your address books or contacts lists. What you might not realize is that Facebook saves that data in case someone like me joins a few years later. I know. I got presented with invitations to the Facebook accounts of everyone who surrendered control of their e-mail accounts to Facebook. How else would Facebook know whom to suggest as friends?

Even scarier is when you combine the seamless advertising with this idea of gaining e-mail account credentials. That's nearly as priceless as getting credit card account information directly. If an advertisement can masquerade as a legitimate networking site and get folks to provide e-mail account credentials, it can do the following:
  • Log on to the e-mail account.
  • Search through all the messages in all the folders, including Sent Items.
  • Send out impostor e-mails based on messages in Sent Items to attract "new members."
  • Locate e-mails from financial institutions and attempt to log on to those accounts using the e-mail account credentials.

That last one is a killer. If even a tiny percentage of folks who respond to the ad use the same username and password for all their accounts, they're going to get wiped out. Is that you? Do you always use the same username and password for all your online accounts? Don't. At least use a unique password. You can use a password manager¹ to generate random passwords and store them.

So I wonder about these folks who give out their e-mail username and password. Are they completely out of their minds? There's some low fruit, ripe for picking.



¹ Two free password managers for Windows are KeePass and PasswordPrompter.