Not cool: freezing my credit after yet another data breach

The text message I was especially uninterested in receiving hit my phone Sunday morning. “T-Mobile has determined that unauthorized access to some business and/ or personal information related to your T-Mobile business account has occurred,” it read. “This may include SSN, names, addresses, phone numbers and dates of birth.”

T-Mobile’s texted non-apology for a data breach affecting tens of millions of subscribers went on to note that “we have NO information that indicates your business or personal financial/ payment information were accessed,” as if those data points were the ones I couldn’t reset with a phone call or three.

Instead, I got to spend part of an evening at the sites of the three major credit bureaus to freeze my credit, just in case any recipient of the stolen T-Mobile data was going to try to go to town on my data. In the exceedingly-likely event that you, too, will have to clean up after a corporation’s carelessness with your data, here’s how that went down.

At Experian, at least I didn’t have to clutter my password manager with another saved login. After providing my name, address, complete Social Security Number, birth date and e-mail, the site asked me to verify my identity by answering a personal-data pop quiz (for example, picking previous cities of residence or a cost range for my monthly mortgage payment). After passing that test and starting the credit freeze, Experian generated a 10-digit PIN I could use for subsequent access.

Things were not quite as easy at TransUnion. I had to create an account and provide almost as much personal information as Experian demanded, except that TransUnion only required the last four digits of my SSN. On the other hand, the sign-up workflow included a tacky invitation to sign up for marketing spam: “Please send me helpful tips & news about my service, including special offers from TransUnion and trusted partners!” The site asked me to pick a security question from a preset menu, none of which would have been too difficult for a stranger to research had I answered them truthfully, and then verify my identity in another personal-data quiz.

The company that had itself lost my data before, Equifax, offered the easiest on-ramp. After coughing up another mouthful of personal data–including my full SSN as well as a mobile number–I was able to create an account and, after clicking through a link sent in an account-confirmation e-mail, put a freeze in place. I did not have to vouch for my identity by picking a ballpark figure for my mortgage payment or identifying a phone number I’d used before… and I’m not sure that’s a good thing.

I do know it’s not a good thing that T-Mobile kept information like Social Security Numbers that it could not have needed after checking my credit–a failure its apologies have yet to acknowledge. Firing them for that data hoarding, compounded by weak security, might offer a certain emotional closure. But I have no reason to think that switching to AT&T or Verizon and then handing over the same personal data wouldn’t open me to the same risk, because I’m struggling to see anybody at the giant telcos who gives a shit about data minimization.

Credit-card fraud doesn’t care how much you obsess about security

Once again, I have a credit card cut into pieces and dumped in a trash can, thanks to somebody trying to treat themselves to a spending spree on our account.

This time, the card was a Citi Double Cash MasterCard, and the transaction that got my attention was a $969.90 Lenovo purchase. Neither my wife nor I had any recollection of making that–and neither Citi nor Intuit’s Mint personal-finance app had flagged it as suspicious.

After spotting that in our account, I saw two other, sub-$10 transactions with “OTC Brands” that also didn’t match up with anybody’s memory. A 14-minute call later, Citi had canceled our cards and ordered up replacements–I can already shop online with the new number–and pledged to investigate these three sketchy purchases.

So overall, we got off easy. But the experience has been a useful reminder that sometimes security is entirely out of your hands. There’s nothing we could have done to stop this from happening; at best, Citi’s security would have flagged the Lenovo purchase and asked me to approve or deny it, as it did when an unknown party tried using our card in March of 2016 at a Ukrainian site.

And no, having an EMV chip on this card did not enhance its security for card-not-present transactions. Even if this card had required me to key in a PIN instead of sign for in-person purchases, that also would have likely made no difference online.

Sometimes you just have to hope that the system works–and when it doesn’t, hope that you don’t wait too long for the system to get your money back. Having gotten Equifaxed last year, I can confirm that things could be worse.

Weekly output: Facebook privacy, social media vs. disinformation, mobile-app privacy, data breaches

The Facebook-privacy news cycle doesn’t seem to be letting up, with every other day bringing some ugly new revelation about the social network’s stewardship of our data. I feel like I’m getting the tiniest taste of life as a White House correspondent these days.

4/2/2018: How Facebook should fix its privacy problem, Yahoo Finance

My key suggestions: collect less data, don’t try so hard to maximize engagement, and give U.S. users the same privacy controls that European users will get in May as required by the EU’s General Data Protection Regulation. On Tuesday, Facebook CEO Mark Zuckerberg wouldn’t commit to extending GDPR controls to the U.S.; on Wednesday, he said he would do just that.

4/2/2018: How Facebook should fight fake news, Yahoo Finance

Headline notwithstanding, this column is as much about Twitter as it is about Facebook–and a lot of it covers how large social networks like those two can’t necessarily adopt the strategies that have helped Wikipedia deter disinformation.

4/3/2018: After you delete old Facebook apps, take a hard look at Uber and Snapchat settings, USA Today

I would have written this piece faster if I hadn’t had the chance to see how the Samsung-ified Settings app on a Galaxy S7 buried a crucial app-permissions interface. Then I spent more journalistic processor cycles rewriting an explanation of how old versions of Facebook’s Android apps collected call and SMS logs.

4/4/2018: We need a federal law protecting consumers from data leaks, Yahoo Finance

This column inspired by Panera Bread’s data breach started in my head with the tweet I used to promote it. Reporting it involved an intersection of my college and professional lives: Stephanie Martz, the National Retail Federation lawyer I interviewed, is a fellow Georgetown Voice alum who graduated two years before me.

Weekly output: New laptops, IFA gadgets, online-video subscribers, wireless plans, Equifax

Technically speaking, I didn’t wrap up my IFA coverage until Sunday night, when I posted an album of photos from the show. Monday afternoon, I’m off to San Francisco for Mobile World Congress Americas, a successor to the CTIA wireless-industry show that I skipped last year.

9/5/2017: Why you might not want a laptop with a 4K display, Yahoo Finance

I liked most of what I saw in Windows laptops at IFA, but the idea of cramming Ultra High Definition resolution into a 13- or 14-inch screen seems idiotic to me.

9/6/2017: 4 amazing new gadgets you can’t get in the US, Yahoo Finance

Going to a gadget show overseas means you’ll see some hardware that you won’t be able to buy back home in the States.

9/7/2017: Best Cell Phone Plans, The Wirecutter

If I’d filed this on time, I would have had to rewrite the update to factor in Verizon’s downgrade of its most-advertised “unlimited” wireless plan. Instead, I had a hurried few days of revising the text I’d last updated in March to reflect that and many other pivots among wireless services.

9/7/2017: Measuring the OTT Subscriber, FierceCable

This piece–you’ll have to cough up an e-mail address to read it–covers how some online video services try to get a sense of their customer metrics.

9/8/2017: Why Equifax needs to give up some details about how it got hacked, Yahoo Finance

Equifax’s massive data breach–yes, I seem to be included among the victims–made me mad. Then it made me think about other posts I’ve written to denounce the reflexive silence of too many tech companies after they realize a third party has broken in and stolen customer data.

Weekly output: Chris Vickery, post-phishing advice, hyperloop competition

It was a back-to-work week after the previous week’s time off. In addition to what you see here, I filed a USA Today column that should go up tomorrow morning and a thousand-word feature that won’t run for a few more weeks.

8/15/2017: How companies leave your data online without your knowledge, Yahoo Finance

This post was the product of my one work appointment while on vacation in the Bay Area, a conversation with data-breach detective Chris Vickery.

8/17/2017: These college students are vying to build Elon Musk’s hyperloop, Yahoo Finance

I drove up to College Park Tuesday morning to see the test hyperloop pod that this UMD team is taking to a SpaceX-hosted hyperloop competition at the end of this month, then used part of my resulting writeup to discuss the overall feasibility of the hyperloop concept for transporting people. In the process, I got to employ a quote that I’ve had sitting in Evernote since last November.

8/18/2017: You got phished. Now what?, USA Today

This ran about a week after I filed it, thanks to my original e-mail not being addressed to the right editor and the right editor a) missing my re-send of that e-mail and b) being really busy. Fortunately, phishing and e-mail security in general are both evergreen topics, so this summary of the advice I gave to a friend’s dad was at no real risk of getting scooped.

 

Weekly output: e-mail hijacking, orphaned apps

Thursday’s delightful snowfall took a chunk out of my productivity this week, like that bothered me all that much. Except it kind of does–Saturday evening, I start my journey to Barcelona for Mobile World Congress. Which means Monday can’t be much of a holiday for me.

2/10/2014: Why the Bad Guys Want Your Email, Yahoo Tech

This was originally going to explain the business models behind e-mail hijacking (I felt vaguely insulted to be told that in most cases, a hijacked e-mail gets used for nothing more ambitious than sending spam) and then critique the Computer Fraud and Abuse Act. But my editor said the CFAA parts read like a separate column, and I had to admit he was right. I’ll get back to that, but not next week: There’s a certain gigantic proposed cable merger that calls for my attention first.

2/16/2014: How to hang on to an orphaned app, USA Today

This was a somewhat shameless case of my taking advantage of the fuss over Flappy Bird (sorry, I don’t care about that game) to address a reader query I’d received months earlier about a different app. But Apple’s decision to boot a Bitcoin-wallet app from the App Store also factored into the timing here. The tip here about how developers keep less of the price of an app sold at the Mac App Store revisits a topic I’d last addressed in a January 2011 Post blog post.

At Sulia, I shared two sets of quotes from a great panel discussion among teenage social-media users led by my Yahoo Tech colleague Dan Tynan, recounted a tech startup’s testimony about its experience beating a patent troll in court, listed two questions left up in the air about Comcast’s proposed purchase of Time Warner Cable, complained about NBC Washington’s reportedly strong but now-unwatchable over-the-air signal, and provided an update about the fake Facebook account I’d set up when writing a privacy cheat sheet about the social network for Yahoo.

Weekly output: data breaches, triple-play bills

I hear there’s some sort of football game scheduled for this evening that many Americans will watch to the exclusion of other things, so I’d better post this while it still has a potential audience.

1/27/2014: Weak Data-Breach Laws Leave Us All In A Compromised Position, Yahoo Tech

This critique of Congressional inaction and ill-thought action on data-breach issues wound up running on Data Privacy Day, basically due to dumb luck. In another bit of unintentional timing, three days later Yahoo reported a breach of some Yahoo Mail credentials from “a third-party database compromise.”

2/2/2014: Q&A: How can I lower my cable, Internet, phone bills?, USA Today

To judge from the number of times this post has been shared on Facebook and Twitter–not to mention the 43 comments it’s racked up as of this writing–I should cover telecom costs every week.

On Sulia, I decried a ridiculous argument against cities launching their own municipally-owned broadband networks, shared a recipe for looking up service costs at telecom sites that insist you cough up a street address before they’ll display a price, shared my first impressions of Cove’s low-cost co-working space in Logan Circle, denounced the way Patch sacked most of its underpaid and overworked local-news journalists while leaving its sites up as if nothing had happened, and wondered when enough phone thieves will realize that iOS 7’s Activation Lock reduces the resale value of stolen iPhones to zero.