Security

Are we getting too comfortable with our online information?

In a survey by Webroot Software, 70 percent of online shoppers are quite comfortable with entering their credit card numbers on an Internet site. Is this a trend or simply what it takes to integrate the Internet into our lives?

The kicker is that one in seven respondents to the Webroot survey also say that they have been a victim of some form of online fraud or identity theft.

Read the story from the International Times Herald.

What is this telling us?

This is difficult to write, because I have been a victim of identity theft. I have become incredibly sensitive to the idea that people don’t understand the criticality of safeguarding their personal information. But however sensitive I may be, the reality is that people either don’t know or don’t care how fragile they are online.

Some thoughts from the Herald article:

Be more suspicious than usual about your in-box. Junk e-mail is the usual nesting place of "spyware," hidden little applications that the crooks program to secretly sprout and sniff around your computer for financial data.

Sadly, spyware can be hidden inside of holiday e-cards too, so don't open those from people you don't know. And if your children surf from your personal computer, the spyware may already be lurking.

E-mail is also the source of alerts from financial institutions, lotteries or employers - or so they say - that need you to take some action or disclose some information.

They look genuine, but they are just "phishing" for some sucker to be drawn in. Sloppy typing or spelling are often cues that they are fakes, but in general, skip the sweepstakes and be extra vigilant of eBay and bank look-alikes.

Lastly on e-mail, just be aware that it is not a secure way of communicating. So don't send your credit card information or checking account number by e-mail. Buy from a Web site.

On those Web sites, look in the Internet address in the tool bar of your browser for an "s" at the end of "http" - that last letter indicates that transactions sent from there will be secured, according to ReputationDefender, another privacy company. Look for the padlock symbol in the corner of your browser: another security sign.

This is especially the case if you are shopping the Web using a wireless hot spot. Public networks like those in cafés and airport lounges are notoriously insecure, so don't even think about buying from there. And if you're "borrowing" a neighbor's signal, well, just think about how easy it was for you to hitch a ride.

From a business perspective, there are greater considerations. I may find it necessary to sell some corporate assets on eBay. How do I protect my presence? According to Javelin, I may not need to worry. Read the report (and associated links).

At the end of the day, I think that we have to keep some basic things in the forefront of our thinking when exposing ourselves online.

Assume nothing, check everything. An unsolicited e-mail will not hurt me if I delete it. Ten days ago, it wasn’t in my e-mail and I didn’t miss it. What will hurt me if I delete it today? And while I am thinking of it, why do I have to respond to everything that appears in my mailbox? This has a real social engineering element: we have always believed that we should respond to all queries and all e-mail. Why?

If you are a contractor, there are additional concerns. For example, your online resume may make you a target for a different approach to phishing. Be wary of recruiters that ask for your Social Security Number or date of birth in the first contact e-mail they send. Some companies will ask for the last four digits of your SSN to submit your resume to a client. I just give them a different set of four digits.

How do we learn to protect ourselves? Try these links:

Identity theft and fraud (USDOJ)

Identity Theft and Consumer Fraud - How to protect your identity (Edward Jones)

Protect Yourself From Identity Theft (IdentityTheft.org and The ID Theft Center.org)

I looked for but could not find a list of best practices for corporations.

I can tell you in boring detail what it is like to have to fight your way out of identity theft. What I hope for is a time when that isn’t necessary. Hopefully, you are already taking action to stay safe. How do you protect yourself from identity theft?


86 comments
NickNielsen

This is what I do. So far it's worked.

1. Never click on a link in an email. Never, never, never. H3ll, if it's in the spam folder in three of my four email accounts, I don't even open it before I empty the folder.
2. No pre-screened offers!!! I have notified the credit bureaus that I do not want pre-screened offers. This not only greatly reduces the chances that somebody will open a card in my name (using one of those offers snagged from my mailbox), it had the added effect of cutting junk mail by almost 90%.
3. Daily checks. I use on-line banking to verify transactions daily.
4. Normal User mode. All primary user accounts on my home PC and corporate laptop are normal user accounts. I RUNAS or SU when I have to and actually log in as admin only when absolutely necessary.
5. Credit protection. The last time I went on vacation, I got a call on my cell phone that somebody was using my card in "so-and-so" (where I was). When I said it was me, they asked me to provide a number with a [u]local[/u] area code so they could call me back to verify. When they called back, I had to answer a security question to verify. Neat! $9.95/month to the card issuer and worth every dime.
6. Last, but not least, a bad credit rating. Completely unintentional on my part, but it actually helps right now. Not even a total n00b to credit theft is going to open a card with a fully-secured $500 limit. :D

Edit: runaway [u]underscore[/u]

The Scummy One

to my users. Of course it looks better in Word than plain text, and parts are highlighted in red.

Online Shopping Protection

A few tips for Online Shopping for the upcoming holiday season. These tips can/should be used year round while shopping online, but are especially critical during the "shopping season". Crackers (hackers with malicious intent) are out to steal your money and/or identity, so please BE SAFE and follow these instructions to reduce your risk.

1. Shop ONLY at trusted websites. If you are uncertain about a company/site, you should investigate before entering your credit card or personal information.
2. Obtain a credit card specifically for online shopping. This should have a low limit to it, be a card that needs to be paid into before using, or have several proxy account numbers that only work for 1 transaction.
3. When in the checkout area, before entering any information, be sure to look at the Secure Status in your browser. If a lock icon appears in the status pane (in Internet Explorer), highlight it and make sure that it reads SSL Secured (128 bit). The status pane is outside of the web page, the lowest bar in Internet Explorer (on the bottom). Also the URL should read HTTPS:// instead of HTTP://
4. Always use Antivirus and Anti-spyware. Keep these current. One of the biggest problems with online identity theft is with keystroke loggers. A program that captures your keystrokes (passwords) and sends them to a remote computer.
5. Keep a Firewall on your system, a good free one is Zone Alarm http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp
6. If you feel that you might not be on a safe site, or if you have accidentally navigated to a questionable site, Close Your Browser completely. If it will not close, or if many windows open, Unplug the LAN cable immediately, then select Ctrl-Alt-Del, open Task Manager - go to the Processes tab and end task any and all instances of IEXPLORE.EXE or shutdown your system. Upon reboot, Spend the Time to run an Antivirus and an Anti-Spyware scan before restoring your Internet connection.

Use of Usernames and Passwords

If you need to store personal information such as usernames and passwords or other information, keep it in a file on a cd/flash drive, or other EXTERNAL media. Only insert this media when it is needed to be accessed, and remove it as soon as possible after use. The reason that this may be a better solution than just writing it down and putting it in a safe place, is due to the amount of key-loggers (programs that register your keystrokes and send it to a server) that have been popping up over the last couple of years. Many of these ARE NOT detected from many anti-virus or anti-spyware utilities fast enough to be effective. During the shopping season, new ones are created very rapidly as well. However, there is good news. They do not register passwords/usernames that are copy/pasted into logon boxes. This can provide a safer way to enter usernames/passwords/and other personal content. Please note, that many websites DO NOT allow pasting by right clicking and selecting the Paste function, however pressing the hotkeys Ctrl + v will normally work.

Hot Spots or Wireless access

Hot spots (generally wireless) are insecure. This is the same for hotel and other public networks. These are generally setup for ease of access/use and not for security. As an example, there was (a few years ago) an IT Security convention at a hotel, where one of the speakers used a free cracker (hacker with malicious intent) program to prove how insecure these IT professionals actually were. During 1 hour, walking the floor he pulled up 112 username/passwords and over 20 credit card numbers. Although wireless security has advanced a lot since then, most hot spots DO NOT USE ANY security, or use the minimum available. This puts you and your data at risk. Anyone in the area can "sniff out" your information across the air and capture it for later use. If a hot spot is needed to be used, then please use a VPN tunnel which will encrypt your data and help to safeguard you.

For more about Wireless Home Security, I have created a separate document.

gadgetgirl

can I hijack this, too? We're getting a new intranet at work, and this is the sort of stuff I want to put on a new Home User section I'm making. I'll have to "de-geek" it too - I cover all staff from CEO to porters and cooks! I realised how much this was needed the week before Christmas; one of the staff called for help when she realised she'd been scammed in a hoax/bogus "Second chance to buy" on eBay for a car - and lost £5200..... GG

JCitizen

the manuals and help guides sold here on TechRepublic. Unless you already do! I hadn't noticed as well organized thought as yours in some of those publications though!

boxfiddler

I'm going to add it to my Blackboard for Internet Fundamentals class so my students can read it. I may edit a tad? :)

boxfiddler

but I will peer you the copy of any changes I make.

The Scummy One

But if you edit, please let me know in case I want to change mine up a bit... :)

JustinF

I had a call from my bank recently saying that a debit card in my name had been compromised in the UK, (I occasionally buy from an online bike shop based in the UK), and that it was going to be canceled. After a little digging I found out it was a card that had been supposed to have been canceled a couple of months before because when they issued a replacement they spelled my name wrong. It disturbs me that this card was still usable a couple of months after it was supposed to have been canceled. They wouldn't give me any details of how it was compromised or what retailer had been affected. The card had last been used in an online transaction about 6 months before it was canceled. My credit card company calls my mobile as soon as a transaction is made overseas or over a certain amount at home. If they can't get in touch with me the card is put on hold.

rmbabu

Generate Virtual Credit card every time. Hi, I use citicards & they have a small program installed in my PC & whenever I go to any site for purchase this program pops up & I login to my account and create a virtual card. I can set the amount & the expiry date. I can create as many virtual cards. And these cards can be used only by that merchant.. it is cool

JCitizen

A previous post here at this discussion mentions that.

ITSecurityGuy

but I mentioned, early on, that Discover and Bank of America offer the same product - called DeskShop and ShopSafe, respectively.

ITSecurityGuy

Doing something about phishing emails is their raison d'être, so I'm fairly confident that they are taking action if anyone is. After all, it is formed by the financial institutions which ultimately bear the heaviest losses as a result of phishing scams. Why not check out their site: http://www.antiphishing.org/ and learn more about them yourself?

JCitizen

that did one time credit transfers; I assume like your instruments. But I haven't investigated it because IE 7 has enough troubles with BHO's. Thanks for the references on online card setup! What is your confidence level that reportphishing@antiphishing.org is actually doing something about the files it receives? I got to say, I'm not too impressed with the others out there.

HighTechAngel

Many people here are recommending to use prepaid cards and then my question is, are we talking about "online" shopping? How do you replenish a prepaid card? Do you go to the bank every single time you want more money in your prepaid card? The first thing - and probably the most important one - is to check that the protocol at the time of the transaction is "https", not "http". The second one, check carefully who you do business with. The third one, do not use automatic login processes or keep valuable information anywhere in your PC. The fourth one, ... just pray for not becoming targeted in any way.

boxfiddler

I agree with all three of your statements, well actually all four. I would add a couple of things. Don't let your credit card information be held by the company with which you are shopping. My bet is that those are the card numbers most prone to theft. Big deal if it takes a little longer to log in and then to enter the information. Better safe than sorry. Another good thing is to keep a credit card specifically for online shopping, with a small maximum. This risks only 1 credit card online, and should it be compromised risks only a small amount of money to boot. And don't keep personal banking information in your PC. It may be a minor pain in the wazoo to have to fill in your checkbook register yourself after completing your online transactions, but it is better than losing all your information to whatever/whoever manages to compromise your PC. Finally, if you do your taxes via software or the interactive .pdf's that many governments offer these days and then keep a copy on your PC, stop that! Backup that tax return and then remove it from your PC. I have followed the above for many years now without compromise. I set my 'online' credit card policy after a credit card number was stolen from a company that kept that information (without my knowledge). It was 3 years before that stolen credit card number was used! So these guys are smart. We have to be smarter.

PhilippeV

There's now a problem with HTTPS. It depends on Root CA for signing the security certificates used in HTTPS. But WHO is certifying that the Root CA are reliable? Currently, there's nobody that can give a reliable list of trustable Root CA, and governments/polices are not helping here by not inspecting how they perform. Who is certifying that the Root CA that comes bundled and preinstalled with some browsers are really trustable? Why can't we inspect these certificates without using the very complicated methods currently used to inspect their content before we accept to install them? We know a few Root CAs by their branding name, but none of these agencies are helping users by giving advice about how to manage their portfolio of certificates, to see if they are correctly scoped.

HTTPS is just a protocol, it is solid, but it highly depends on the quality of Root CAs for delivering their job. However Root CAs are NOT providing any help for downstream users of their certificates that get finally used in a weak chain of "trust" where some service may get some subdelegation and reuse their signed certificate out of scope and without even having to identify themselves correctly with something else than just a domain name. What will happen when a "trusted" certificate gets identified by a domain name that gets abandoned, and immediately bought by a cybersquatter? Remember this: as soon as a domain name is about to expire, during the first day of the grace period, ALL domain names are immediately preempted by cybersquatters, that will get the domain immediately after the end of the grace period, whoever they are. But they will immediately get also access to the certificates previously emitted. But how is it possible that these certificates continue to be usable when they are no longer in control by the signatory party? The dates don't coincide, Root CAs always deliver certificates that exhaust the time of validity or reservation of domain names. They expose users to huge risks.

In fact nobody is correctly inspecting those certificates to see if they are really valid (or still valid). Note also that most browsers are preinstalled without enabling the support for CRLs (certification revocation lists): if some certificate gets compromised, almost nobody will know that, the compromised site will still appear valid for HTTPS! We need HTTPS, but this is not enough, we also need reliable revocation systems that will help users managing their certificates, wherever they are used: in browsers, or in VMs (don't forget the list of certificates in .Net and Java). Please note that there are tons of browser extensions that implement their own repository of accepted certificates, and the integration of those multiple repositories is not very advanced, especially in Windows where it is simply impossible for any average user (including some more educated ones) to see what is currently stored in their local repositories. The most dangerous certificates are those associated to a domain name, without other way to identify the source, and these certificates frequently contain identification data that is unverifiable (no equivalent in the WHOIS database, so no way to inspect if a domain name has expired and been seized by someone else, simply because the WHOIS database is also insufficient... it also frequently happens that the WHOIS database contradicts the info stored in the certificate, notably the country or organization name of the emitter that is different from the registered domain name owner!)

Why don't domain names have public histories of their past use and delegation in the WHOIS database? If maintaining this history would mean higher costs for managing it, then one way to limit the proliferation of cybersquatted expired domains would be to give extra costs for those reusing a past expired domain with its history: anyone reusing the domain should be able and required to provide this history, at least for the past 10 years before its own registration (10 years is the time needed for most commercial legal actions). It's simply not acceptable that registries "forget" (delete) this past information. We then need some other external reputation system to monitor past all actions against some service provider. And we need a way to verify the information stored in certificates to see if they are still valid, because online merchants are also wanting us to review our online account regularly (at least each year, sometimes more frequently by requiring us to connect every month or 3 months to maintain an account active; and this requirement made by online merchants is one of the main sources of private data theft).

JCitizen

If you're a concerned international internet user such as yourself and I; who does one complain to? IEEE? What lobbying power does one have to affect international causes such as this?

Tig2

I would add only one thing. You should always have a record of your expiration dates. That goes for every single card you have. Fraud prevention will tell you that the time that a stolen card or number is most vulnerable is within a month of expiration.

boxfiddler

I hadn't thought of that before, but will now add it to my 'arsenal'. Thanks Tigs!

JCitizen

to lock out credit accounts that the card company refused to completely shut down. A thief could open any inactive account that was supposedly closed for years later.

JohnMcGrew

Most of my bills are paid on-line via credit card as well. Using a credit card, my liability exposure is zero. If my credit card # gets loose, (and it has at least once) then I get a new # and life goes on. Other than the inconvenience of having to eventually change all of my automatic charges, there is no cost to me. Now, I think using debit cards or other cash instruments on-line is simply insane. In that case, you have to fight to get your money back. But I think the risk of using credit cards on the web to users is minimal. It's the banks and vendors who are taking the big risks.

JCitizen

protection as a credit card. The bottom line is the cost in fees and huge interest that credit card companies charge. Also if you have too many credit checks on your credit report from getting a lot of cards, it can affect your credit score for three years. Besides the fact that some of those companies don't disable the account like you tell them to. I've caught a lot of them doing that when I check my credit report. I always make them correct that at the reporting agency.

JohnMcGrew

This week, two airlines closed shop: Aloha and ATA. If you had bought your ticket with a credit card, you are out nothing; you will get a full credit for the price of your ticket. However, if you bought it with a debit card, you are SOL. Of course, you could file a claim with the bankruptcy court and get a few cents back, but good luck with that.

JCitizen

I was checking my credit on Equifax the other day and it said one could pay ten dollars to put some kind of watch on one's credit file. But I didn't have the patience to read how often they charge. If this was once a year it might be worth doing at all three agencies. I've never checked the commercial companies doing this, and how much it costs, but most of those outfits are untrustworthy if you ask me.

JohnMcGrew

...which is pretty much owned by the bank and credit reporting industries. The one thing that would eliminate much of the ID theft problem would be allowing people to freeze their credit. (many states are now doing this on their own) Sarbanes/Oxley, by the way, had nothing to do with consumer protection. It was a rash response to the Enron/MCI/Global Crossing fiascoes. In hindsight, it's done little to solve the securities fraud issue (the marketplace pretty much did that) and has in fact only served to increase costs and drive more corporations overseas.

JCitizen

One can't get a handle on these problems without some vigorous discussion on the matter. Sounds like you use the best practices a person should. I still feel like congress could have gone farther in the Sarbanes/Oxley act to protect consumers; but that day is coming - I'm sure!

JohnMcGrew

If I had used my credit card at TJMaxx, all they'd have on me would be my card #, which would quickly be replaced. After that, there's nothing the thieves could possibly do to me.

JCitizen

My argument should have been focused on the personal information. This is not card or financial type specific. If the criminal gets your personal information it isn't going to matter if it is a credit or debit card; they can re-acquire you quickly with that information that doesn't change. Of course it helps motivate when you're a lucrative target; but today's thieves operate on volume. They don't mind ripping off people in the marginal income range.

JohnMcGrew

Again, if your credit card information got hijacked in the TJMaxx data theft, then the damage to yourself would be pretty much limited to having to change your credit card #. However, if it was your debit card info that got loose, then you'd have much bigger problems, like those I've already described; overdraft fees, waiting to get your money back from the bank, etc. No, the TJMaxx episode was actually an argument for credit cards and against debit cards.

JohnMcGrew

Acquiring a merchant account is hardly a practical alternative to an individual who is occasionally conducting a garage sale on ebay. I certainly don't sell enough junk on ebay to justify it.

JCitizen

I am learning from this discussion that this is now possible; as I've been lucky enough not to have a problem yet; I hadn't checked on the present capability. Ten years ago I had no luck inquiring on this method. Checking one's credit report for free at least three times a year with the big three agencies is still prudent. I need to get into that habit.

ITSecurityGuy

on your credit report just to have a new number issued by the same bank, as a replacement for a compromised number.

JCitizen

because of the way I felt they burned me; but it is really the system that is faulty. At least John, you admitted to doing the same thing I just related in the previous post. I quote you: "Personally, I minimize my exposure to PayPal by only having it draw from a credit card. When I get a payment from Paypal, I dump that money into what I call the "suicide" checking account, where I keep very little money. My exposure on PayPal is rarely more than a couple of hundred dollars." I'm sure your practices with credit cards will prevent you from suffering an incident similar to this: http://www.news.com/T.J.-Maxx-parent-company-sued-in-credit-card-hack-probe/2100-7348_3-6169450.html That is why discussion of this is important and I hope many readers of the title story read this as well; because it needs to be brought to the forefront. Another reason I like Paypal is precisely because there are too many newbie merchants who practice poor methods of handling our credit card information and Paypal takes this out of their control by making the actual transaction thru their system. Of course we don't really know how the money transfer from Paypal to the merchant is handled, so a large assumption is made that it is at least better than the poor security practiced by so many online merchants. Nick is right - one doesn't have to use paypal to use credit cards on ebay but I trust ebay less than Paypal with my credit cards. I try to balance the risk; if I trust the merchant I might use my credit card; if I don't, I MIGHT use Paypal. If I don't need to do business with the merchant I won't even consider either. Some of them I just call because I don't trust the site at all. My AV suite won't let me go to totally untrusted sites so that isn't always the problem.

JohnMcGrew

There's a big difference between someone getting and using your credit card # and someone fully taking over your ID. In fact, I think the risk of ID theft is another argument against debit cards in favor of credit cards. Like I've said before, the collateral damage to you when someone steals your credit card # is practically nothing. I tell the bank which charges were not mine, I'm sent a new card, and I go on my way. But when someone gets access to your bank account, that can be another matter entirely. Of course, neither of these compare to full-blown ID theft, when someone gets your SS# and takes over your ID. As for PayPal, what alternative would you suggest? Personally, I minimize my exposure to PayPal by only having it draw from a credit card. When I get a payment from Paypal, I dump that money into what I call the "suicide" checking account, where I keep very little money. My exposure on PayPal is rarely more than a couple of hundred dollars.

JCitizen

that I can't live without it, unfortunately. I will try alternatives anytime someone with any reputation at all provides them; but they always die on the vine. I just make sure that Paypal is connected to a junk account; and takes my chances. If they ever get busted for letting out my information or getting hacked, I won't have any choice and it will be too late - Oh!Well! I've done business with credit card companies that have the same or worse public profile. I dropped them, but I had choices there. So far I don't see a practical alternative to Paypal. I do however have a huge lobbyist who knocks on congress's door keeping pressure on the banking, credit, and privacy issues - that would be Consumer's Union. Anyone can become a political activist with them, even if you are not a member and don't take the magazine/ezine.

NickNielsen

This is what I've found on Paypal data leaks: http://news.zdnet.com/2100-1009_22-5550046.html

I don't like Paypal. Not for that reason, but because too many friends and family have had problems. (How can an account be frozen for fraudulent activity within 5 minutes of creating it and depositing $1000?) Additionally, there are too many documented cases of Paypal arbitrarily freezing accounts with no notification and no apparent reason. http://www.aboutpaypal.org/ http://www.paypalwarning.com/

To top it off, they seem to believe they do not need to comply with federal law. These excerpts from the 2004 Class Action settlement (http://www.scambusters.org/urban-legends/paypal.html) say it all:

[i]...The lawsuit alleges that PayPal violated the federal Electronic Fund Transfer Act ("EFTA"), 15 U.S.C. §§ 1693 et seq., including provisions requiring PayPal to supply customers with information about dispute resolution procedures and to follow certain procedures when investigating complaints of unauthorized or incorrect electronic fund transfers. For example, the lawsuit claims that PayPal did not provide account statements in the manner required by the EFTA.[/i]

[i]...PayPal does not believe that it did anything wrong. In fact, PayPal disputes that the EFTA, originally passed in 1978, applies to its business. PayPal denies any and all liability for the claims alleged in the lawsuit. [/i]

Some of that is obligatory lawyer-speak and can be ignored. To me, the most telling thing is their belief that, even though they provide an electronic funds transfer service, they are not subject to the laws governing such. The EFTA defines a financial institution as "a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, [b]or any other person who, directly or indirectly, holds an account belonging to a consumer;[/b]" 15USC 1693a(8) (my emphasis)

Sorry, but if a merchant only accepts Paypal, I'll take my business elsewhere.

Edit: grammar

JCitizen

Sounds like a winner John!...and like you say, it is the Banks who should worry about our personal information. But maybe... With today's threats I worry about what I do with it too; as it is so easy to drop one's guard and let slip one more item that makes it easier for the ID thieves. The loss of that can be worse than any credit transaction. I have met people who have spent 10 years to get their ID straightened out only to have the perpetrator get out of jail and start the process all over again. I am also living with a victim of some recent electronic Bank heists and he can't even touch his money because of the freeze the FBI put on his assets. Probably 40,000 in assets, and his last business adventure went to pot, so he is just out of luck. These court cases can go on for years; meanwhile he has to pray he is eligible for unemployment, or go on welfare until he can start a new business or get employed before he ends up in a soup line. Loss of identity can be a nightmare with/or without a credit card. Now this incident was a brute force attack; but what if the same crooks simply got your logon from your computer? That can be done easier than a direct attack on the bank, if you don't keep up with the latest threats. These thieves make use of every piece of information they can get to build a plan to ruin one's financial standing, for their own gain. One of the reasons people like PayPal is that the personal AND account information is separated from the transaction; so if there is a man in the middle or one of the new attacks they at least don't know enough to make an end run for your assets. People criticise PayPal but I haven't seen one incident in the news of compromised account information like I have vendors that use other methods. Are we getting too comfortable with our online information? YES! We should be AFRAID - VERY AFRAID!!!

JohnMcGrew

In fact, I actually make money. I'm always amused by the assumption that the use of credit cards automatically implies that one is paying interest. It's not true. It's easy to see why people make that assumption, since so many people are using credit to subsidize their lifestyles, which is a very stupid, costly, and frequently financially suicidal mistake. However, the reality is that using a credit card doesn't have to cost anything. Just don't spend more than you have and pay the damn bill every month. That's it. If you can manage to do that (and if you can't then you probably shouldn't be using one) then it's a great advantage. I alternate between two cards on two different billing cycles, and as a result, I often get 45+ days float on my money; this means that I am actually making interest, not paying it. Considering that I frequently purchase high-ticket items for clients (computers, servers, and what-not) that can really add up. (And that's not counting the "points" that I earn as well, which go to pay for our vacations.)

JCitizen

Fortunately the contractor usually pays for the rental in my instance.

NickNielsen

The only extreme disadvantage I found was car rentals. Most agencies that accept debit cards treat them as cash transactions. So, just like with cash, your debit account coughs up the $150 (or more!) deposit that your credit card bill never sees. They refund the deposit when you return the car, but if you aren't ready for it, it can be an unpleasant surprise.

JCitizen

online or business transactions. It doesn't happen to me anymore; there was a time when debit cards weren't taken at all; now with the VISA or other logo cards I never have a problem. Or at least not for many years I haven't. It is just a preference of mine because I refuse to pay any more interest than I have to. I keep one credit card and it is always paid off; so my credit rating stays maximized. I agree with you that you have to use credit; because if you don't that will lower your credit rating also. I just make sure they have no or low fees and, as you said, low interest rate: (credit card interest is calculated way different than debit credit loans done through overdraft protection; personal loans are calculated like regular car loans, for example) Personal loans are easier to pay off - way easier than revolving credit loans like credit cards. Banks don't like to tell customers things like that, because they want to sell credit cards. Credit Unions are more honest to their customers in my experience; probably because we own the credit union - not the bank. Sorry to keep hammering on this; I just hate credit cards! I guess they are just a necessary evil!

JohnMcGrew

...that you and your vendors are inconvenienced, and their banks charge them fees when your account bounces your checks. Yes, you eventually get your money back. But the damage has been done. And it's really fun when it happens in the middle of a trip when you're suddenly out of money, and dealing with vendors & banks is less than convenient.

JCitizen

your bank. If my debit account has no money in it, and I don't have overdraft protection on it; they simply don't approve the transaction and it doesn't happen. Vendors always contact me on these problems, and it is easily remedied (doesn't happen very often). This costs me nothing. I don't use checks - I use plastic with the VISA logo with a regular VISA account number system on it. I have had credit card companies suddenly "approve" higher credit limits without my permission. I don't know if this is legal anymore, but it is just one of the reasons I don't use them anymore. My credit union treats transactions on my Visa debit card just like a regular credit card with protections. It depends on the transaction - if I do it on a machine and enter the PIN then it is done as a regular debit card without the protections. Any suspicious transactions, determined by in-house methods, are flagged and held until either it is determined safe or I am contacted to clear it. Once my account was locked out because PayPal didn't have my account verified. I actually like this for safety's sake. My institution has several verification methods in force, just like VISA and other credit cards, done thru the VISA system for online transactions.

JohnMcGrew

Oh you do get your money back, but long after collateral damage has been done to your personal finances. Usually, you don't find out about the problem until your debit card stops working with the dreaded "insufficient funds" message, or angry vendors start calling because all of the checks you've written lately have bounced. Then you have to convince your bank that the fraudulent charges are just that, and then you need to pay all of the bounced-check fees that your vendors are going to charge you. Your money is gone until your bank gets around to deciding that you are not a thief, and then when you finally get it back, you yourself have to go clean up the mess. No thanks! Having "too many credit cards" is only a problem if you are dumb enough to carry high balances on them. (I pay my full balances on the due-date; 18%+ interest is for losers) Your credit score is based upon the ratio of available credit to outstanding balances; over 50% will ding you. I pay every bill I can on credit (which is paid off each cycle) and my credit score is over 800.

JCitizen

if you trust PayPal anyway. I've noticed their security practices have improved exponentially over the last five years. Now if people will quit clicking on phishing emails claiming to be PayPal.

T.wizzard

For the most part I will only deal with online retailers that accept PayPal, or if I must have it I will use my card that has a very low limit (it is just for on-line use). Also, with those phishing emails I love to click on them and fill in all kinds of crap. For the password I always tell them where to go ;-)

JCitizen

service that one would feel is actually DOING anything about it. I'm glad your ISP is offering some help.

JCitizen

And I sent it to the FTC; who knows if they really do anything. If I keep getting them I need to declare war. SpamCop is totally difficult to use if you're not a member so I will record some of these reporting suggestions for the very near future. I got a different one (not PayPal) that was scary because it had my actual name and proper email address in it. I have already sent it to the SEC. Next step is the state attorney general. It is probably legit but I would like to kill whoever sent my name and email to them. I don't do money speculation. Time to grab a free credit report!

T.wizzard

You make some good points, but for one I use Linux so 99% of all bad things out there I will not get ;-) Also the spoofed emails I reply to are CITI and PayPal (I get about one a year), and I do forward them to the Spoof@whatever.XXX. When I do mess with these people the link in the email is 123.123.123.123 so these people are amateurs at best. If it looks like a pro I leave these people alone (I am not a dummy) :-D and I would never have someone like my mom do anything but forward the email to spoof@whatever then shift delete it.

PhilippeV

When clicking phishing emails, even when you provide false information, you are giving money to phishers, because they are also collecting advertising revenues in their forms using various tricks. As they know you are following their links, the next time they will bring you to a much less known (and undetected) dangerous site where they will exploit some security hole. Your PC will get trapped, and infected, with a quite specific spyware that will monitor the rest of your online activity, and then they will be able to steal your data. There's NO reason to follow ANY phishing email. Once you start doing that, for whatever reason, you'll be targeted by much more dangerous security threats. You'll become more exposed, and it's not your antivirus and antispyware that will help you much because the next attack will go unnoticed by these tools! Let only serious security providers inspect the content of phishing emails and see what happens next. You certainly don't have all the necessary tools needed to track those phishers, that are actively tracked worldwide using very costly services and legal departments paid by banks and financial services that want to limit the cost of reimbursing their customers whose data has been stolen. For every reason when you see that some information may be illegal or illegitimate, or so badly written or translated with many typos or errors, don't follow the link. This will go to the dustbin or if you want to really help, signal your phishing email to an antispammer site. I'm in France, and personally I prefer signaling the spam to a site supported by ISPs, by consumer associations and by French police and judiciary authorities (they will work with the collected data with other international organizations): http://www.signal-spam.org/ They are better trained to work with the specific risk and measures that can help French users, in a French legal context, against this sort of risk.
For other countries, look at a trustable national organization like this, and signal your spam and phishing attacks, don't use them for anything. Dangerous thieves have millions of dollars to spend in their attack, they are certainly better armed than you.

JCitizen

almost never get junk there. When I do I'm careful to chase it down to the junk folder. A very small amount of junk somehow goes to the deleted folder instead of the junk folder; who knows how the spammers control this; but I always chase it down and send it to the junk folder, so hopefully it will get identified as junk. Now that Google has purchased Postini, they may lead the pack now.

T.wizzard

Yea, Yahoo is great for that, I set up a junk account and use that for filling out online stuff, so when I get spammed on that account I love to reply then if it gets out of hand I just delete the account and set up a new one. Also I have a Hotmail account that I have used for ~7 years for online forms etc and it gets only about 2 spam emails a week, go figure??

JCitizen

Kudos on giving the phishers crap; but I don't like giving them any clue that my email account is active. By answering them it does that. If you have a good spam filter, however, it is no worry and one can have great fun! I have one junk account where I do the same thing you do, and Postini does a good job blocking the blockhead spammers!

Tig2

I only use pre-paid. I don't do a lot of online shopping and I generally have a very good idea of what I am buying and what the cost is. That reduces the number of times I need to replenish the card. Watching the address bar is also good. But I know many people who never think to do it. Seller rep is also very important. Not using automated processes is the best.