Monday, July 30, 2007

Answers About ID Theft

What is “Identity Theft?”

Identity theft is a slippery subject. The words conjure up images of body snatchers and zombies from old movies. The connotations are very negative.

The news media likes the term, because it is sensational. And so, they use it fairly indiscriminately. I saw a story recently titled, Laptop Thefts: The Latest Form Of Identity Theft. I've also seen purse snatching and dumpster diving described as Identity Theft.

Opportunistic business people have grabbed on to the term also. There are more than a few companies hyping the “problem,” and offering various products and services to deal with it. Ironically, or is it predictably, many of these products are regarded by the experts as being overpriced and unnecessary.

Identity theft occurs when a fraud or other crime is committed by a person masquerading as someone they are not. The person being impersonated is the victim of identity theft, assuming they are not involved in the fraud.

It's a big problem, isn't it?

In one sense it is. For example, I bet many people listening to us have been or will be victims of Identity Theft. A couple of years ago, I was. Someone charged an expensive plasma TV at a store in the UK using a counterfeit copy of one of my credit cards.

On the other hand, I would much rather be the victim of identity theft than the victim of the fraud. All I had to do was call the credit card company and explain that the charge was not mine. The store was left holding the bag. They were out several thousand dollars after the credit card company reversed the credit.

In most cases the identity theft victim suffers no loss and no out-of-pocket expenses. However, in some cases, people are denied loans, miss out on promotions, and/or are falsely arrested for crimes. A large portion of all ID thefts are done by family members. And in many of those cases, the victim will pay the bills rather than have their family member arrested and prosecuted.

What are people doing to protect themselves from ID theft?

It varies. As I said, there are products and services available. Some people have bought ID theft insurance. Stand-alone ID theft insurance is relatively expensive. If you have homeowner's or renter's insurance, you can get an ID theft insurance rider for a fraction of the cost.

You can contact each of the credit bureaus and put an alert on your information requesting that no credit be extended to your name without contacting you. If you live in Texas or California, you can put a freeze on your credit report. But credit card companies are famous for sending out pre-approved credit cards to people in spite of these alerts. And these can be grabbed by family members or somebody looking in your mailbox. You can go to optoutprescreen.com to opt-out of such mailings. This is supposed to work like the “do not call” registry.

Some companies sell services designed to handle the work involved in putting alerts on credit reports, opting out of pre-approved credit cards and requesting your annual free credit report. On the one hand, these services are pricey. On the other hand, they make sure the right things get done.

Increasingly people are shredding their bills and papers before they throw them out.

Some people avoid online shopping and online banking. But experts say that online shopping and banking are more secure than providing your credit cards, checks, deposit slips, etc. to clerks and tellers in the real world.

Most people don't do anything intentionally to avoid identity theft, except worry about it.

Fortunately, however, many of us are doing the right thing in terms of protecting our computers from hackers, viruses and malware. In doing so, we are also making it difficult for the bad guys to steal our usernames, passwords, account numbers, etc. Many of us know better than to open emails from people we do not know. Many of us know better than to click on browser pop-ups that tell us we've won a prize.

Do these steps work?

Under specific scenarios they work. Shredding your trash will protect you from dumpster divers. ID theft insurance does only what the fine print says it will, which is generally not much. Credit monitoring services remember for you and provide you with credit reports. But no anti-virus program will stop every virus. And none of these steps will protect you if your name and social security number are stolen or lost by an employee at your bank, your doctor's office, the government ...

What else should people do?

Protection is the best Prevention. Do what you can to protect your personal information from being discovered.

Use a firewall and antivirus software. Download and install security patches and upgrades for your computer software. Security patches can be downloaded and installed automatically. Upgrades usually are not automatic. For example, Internet Explorer 7.0 is something you have to choose to install, and you should. Browser security is a big problem nowadays.

Usernames and passwords are the only security we have on most of our online identities. And most of us have not followed best practices in terms of selecting them, keeping them safe and changing them regularly. Most people choose usernames and passwords that are easy to remember, rather than secure. Most people choose a small number of usernames and passwords that they use for many different accounts and identities. Many people never change their passwords. Many people have their usernames and passwords written on paper beside their computers or in an unencrypted document on their computer.

I use a tool that generates long random passwords and stores them in an encrypted database. It is called KeePass. It is free software. You can get it at keepass.info. I have it on a USB flash drive that I always carry with me on my keychain, so I don't have to remember all those unintelligible strings. I copy and paste them into the login fields on the different web sites I visit. Click here to read my Gimme KeePass.

But, no matter what you do, even if you do everything you can, you still might become a victim of identity theft.

Why is this such a murky issue?

I think it has to do with the nature of the crime. There is lots of information out in the world about each of us, but our identity is not stolen until somebody poses as us. We are not going to know when that happens except after the fact. Even then, we may never know for sure.

For example, many instances of “identity theft” are nothing of the kind. If/when you see a large wire transfer of funds out of your bank account that you did not order, and you call the bank and report it, the bank will restore your funds and investigate the matter. Chances are good that you will not hear anything from the bank about the results of their investigation. You'll never know if somebody hacked your computer and got your account information, if the Russian mob hacked the bank's systems, if a bank employee pulled an inside job or if it was an innocent keypunching error. The bank is not going to tell for fear of revealing something about its security systems and for fear of eroding confidence.

At the same time, the fight against ID theft is the only weapon that financial institutions can publicly wield against certain frauds, so even if it was only a typographical error, the bank is okay with having you think it was ID theft.

Does it make sense to fight ID theft in order to defeat electronic financial fraud?

This is not a war with only one front. There is an overt war on ID theft and there is a covert war on electronic financial fraud. At the same time, I am not sure that the covert war is being fought in a way that helps the fight against ID theft.

What do you mean?

The frauds associated with ID thefts tend to be relatively small, around $5,000 while a hacker gaining access to its systems can cost a financial institution millions. These institutions are certainly doing everything they can to prevent big losses.

In terms of battling ID theft, I am not sure that the banks and credit card companies are doing their share. Charge cards are so profitable that banks and charge card companies are not going to take steps to prevent the fraud associated with ID theft if that might reduce the overall profitability of the cards.

  • Consider that the banks and credit card companies are usually able to avoid the losses arising from fraudulent card charges by reversing the payments to the merchants.
  • Consider also that many of these fraudulent charges are done by family members, and the card holders end up paying them anyway.
  • Finally, many of the institutions selling ID theft products and services are financial institutions.

So, the banks and charge card companies have little incentive to pursue their side of ID theft. At the same time, the merchants lack the resources and the information to pursue the bad guys. Ultimately, the losses associated with ID theft are passed on to consumers in the form of higher prices.

What does the future hold?

The war against ID theft will not be won without the concerted efforts of financial institutions. They are the only players in the game that can see the big picture. If there is an organized ring that is counterfeiting credit cards, the banks and credit card companies will know, but merchants and consumers will not.

Unless merchants or regulators force them into the game, identity theft will be a continuing problem. Unfortunately I don't see that happening.

What's your final word?

ID theft will be with us for a long time. It is not going to go away soon. Your vulnerability has more to do with your relatives, muggers and thieves than it does with electronic privacy and security. Electronic information and transactions are relatively safe because they are generally protected. So I want people to adopt best practices for safeguarding their computers and networks. Use a firewall and antivirus software, download and install software patches and upgrades, and be smart about opening suspicious emails and browser links.

Monitor your credit reports and financial accounts. Take action quickly when you see something that you do not recognize.

Finally, I want everyone to improve the security of the usernames and passwords they have for online access to all their accounts. Increase the complexity of your passwords, use different passwords for each of the different accounts you have, and periodically change your passwords. Check out KeePass to help get you on the right path.

For further information, go to bbbonline.org and idtheft.gov.

Monday, July 23, 2007

Save Our Privacy

According to the Washington Post this morning, all the major search engines are tightening their privacy policies in the face of mounting concern about the vast amounts of personal data they collect and store.

I don't like the idea of Google, Microsoft, Yahoo! or any other organization collecting, storing and analyzing data about my web searches and web surfing. They all say they do it "to improve the quality of their search services." As if that is sufficient reason for them to collect and analyze mountains upon mountains of data. Quality assurance/improvement is typically done using statistical analyses of relatively small, random samples.

We all have to use search engines to find information on the web. Individually, we are powerless to prevent the collection and storage of all that data about each of us.

What can you and I do about it? The only compelling reason for these companies to collect, analyze and store these vast amounts of data is to help them sell advertising and help their advertisers sell products. Take away the ad revenue, and they have no incentive to collect all that data. Take away the ad revenue, and they will not be able to afford to collect and store the data.

In the Firefox browser, there is a free extension that you can install that blocks most of the advertising on web pages served by Google, et al. Here's how you get the extension: in Firefox, select Tools/Add-Ons/Get Extensions/Adblock Plus to download and install the extension. Once you do, you will no longer see most of the ads currently running on the web.

As more and more of us do this, the money will go out of web advertising, and these companies will no longer have the incentive to collect all that data. Just the prospect of this happening is probably enough to get the search engines to stop amassing these mountains of data.

So, if you too are concerned about the activities of the search engines, you can do your part to stop them by using Firefox and Adblock Plus. Do it today.

Google assures us that it does not "profile" users for marketing purposes. However, Microsoft and Yahoo! both use the information they collect to profile users and "behaviorally target" advertisements to them. According to the Wall Street Journal, "Microsoft says that in testing in the U.S., behavioral targeting increased clicks on ads by as much as 76 percent."

Microsoft says that users will soon be able to opt-out of demographic ad targeting if they choose. Good luck finding out when and where to sign up for that, and does that cover behavioral ad targeting, too?

Governments around the world will be itching to see this information, and these companies will supply it to them. For example, last year, Yahoo gave a user's emails to the Chinese government, and those emails were used to jail a Chinese dissident. Google, for its part, says, "Companies like Google are trying to be responsible corporate citizens," in complying with lawful (in each country) requests for data.

Maybe our elected officials will get involved and require adequate protections. For instance, Rep. Bobby L. Rush (D-Ill.), chairman of the House Energy and Commerce subcommittee that addresses consumer protection, says about Google's proposed acquisition of DoubleClick, "Concerns have focused not only on the implications for competition -- in online advertising and other possibly affected markets -- but also on the potentially enormous impact on consumer privacy." On the other hand, maybe Congress will renew the Patriot Act.

Tuesday, July 17, 2007

What!?

I recently found myself living in a strange and different world. People were speaking to me; I knew because their lips were moving, but I couldn't hear them. I suddenly had become "profoundly" deaf, which is the step beyond "severe" deafness.

As you might imagine, necessity being what it is, I have gotten smart about hearing aids. For instance, while Moore's Law has held sway in the computer industry since 1980, the same cannot be said for hearing aids. They are unreasonably expensive. $1,000 - $3,500 per ear, depending upon which device you buy. This is the same technology you'll find in an iPod or a smartphone, more or less. Music players and cell phones cost hundreds, not thousands of dollars.

Why do hearing aids cost so much!? Why isn't Apple making an iHear? Don't tell me it's a small, dying market. It could be twice the size of Viagra and those other ED meds. And Viagra used to sponsor a NASCAR race car! Phonak, the Swiss hearing aid manufacturer, sponsors a bicycle racing team.

The hearing aids business is a regulated and collusive affair. Everybody involved is making good money, and nobody wants to rock the boat. Potential newcomers face a daunting gauntlet of regulatory and institutional resistance designed to spoil change and protect the status quo. So patients/consumers pay through the ear for hearing aids.

I recently spent $2,600 for a pair of hearing aids. Before I have to replace these (average life of a hearing aid is 5 years), I want to foment change that will give people like me more options when it comes to hearing aids and LOWER COST. This isn't just about me saving some (serious) money, it is also about making these devices available cost-wise to a much larger segment of the population that needs them but cannot now afford them.

I don't want to fight the entrenched forces-that-be, because that would be too expensive and time consuming. And it probably wouldn't work.

Instead, I want to promote the development of assistive listening in mass-market mobile entertainment and communication devices. The makers of cell phones and MP3 players should want consumers to stick a set of earpieces in their ears and leave them on and in all day. That way, consumers will make more calls and buy more music.

The problem with this scenario is that people have to be able to have a face-to-face conversation with the people around them, without removing their all-day earpieces. They need to hear horns honking, sirens wailing, dogs barking, and children crying.

The solution will be to put capabilities in the devices to allow people to hear the world around them when they want or need to, through the earpieces, without removing them.

So, for the always-on-and-in mobile entertainment/communication device scenario to happen, the makers are going to have to put "hearing aids" in these devices. And, once that happens, it should be a small matter to make these devices compliant with the Americans with Disabilities Act (ADA) by letting the hard-of-hearing (HOH) adjust the volume and the sound profile of the device to suit their needs.

In order to invest the HOH with the power of the pen on this issue, here is a list of some of the specifications that these devices will need to meet to satisfy the particular needs of the hearing impaired. Please feel free to comment if you have additions/corrections/etc. to this list:
  • Two problems, frequency-specific sensorineural hearing loss (loss of sensitivity) and frequency-specific loudness recruitment (reduction in dynamic range), are generally experienced by the HOH. Only a digital, programmable hearing aid that can dynamically shape individual frequencies will be able to deal effectively with both problems.
  • Users should be able to dock the devices to a PC to download updates and content and to program various functions, including hearing aid settings. Users should be able to input their audiogram data into the PC as a basis for programming device settings.
  • Users should be able to program multiple hearing aid profiles into a device to deal with different use cases (eating with friends in a noisy, crowded restaurant, driving in a car, talking with someone in a quiet room, speaking to someone on a cell phone, or watching a movie or a play).
  • In compliance with the ADA, assistive listening technologies have been installed in many public and private locations. These technologies include inductive loops, infrared, and radio frequency (FM) systems. One or more of these technologies should be accessible with the communications and entertainment devices of the future. (That way no one will miss their flight because they cannot hear the PA announcement when they are listening to the Queen's greatest hits.)

What's the next step? I want to get some feedback from the HOH community and from you. What do you think? Post a comment and let me know.

Down the road, if it looks feasible, I'd like to get the backing of an appropriate organization, or organizations, to publish requirements and standards and test always-on-and-in products put forward by manufacturers.

Friday, July 06, 2007

Real Power Protection

A colleague of mine challenged my assertion last month that, "there is nothing you can do" to protect your electronic equipment from damage by a lightning strike. I admit, that was a bit of hyperbole. There are things that you can do to provide protection from a lightning strike.

The real point is that most consumers lack the time, money and expertise to identify and implement a plan for protecting some or all of the electronic equipment in their homes from transient power anomalies like those created by a lightning strike.

For anyone who is interested, there is an excellent booklet from the IEEE (Institute of Electrical and Electronics Engineers), "How to Protect Your House and Its Contents from Lightning; the IEEE Guide for Surge Protection of Equipment Connected to AC Power and Communication Circuits."

What can you do?
  • Identify and fix problems with your home's Building Ground(s).
  • Install "whole-house" surge protection devices for all service wires and pipes entering/leaving your home and bond them to the Building Ground.
  • Install "point-of-use" surge protectors between the equipment to be protected and all service wires connected to the equipment.
What's it going to cost? More than you want to spend, I bet.

Proper grounding is the foundation for effective protection for electronic equipment from power surges. Without a well-designed and properly executed Building Ground, and circuits and receptacles all grounded to the electrical panel and the Building Ground, other steps and expenditures to safeguard your electrical equipment may not provide effective protection.

Popular belief holds that electricity, like water, follows the path of least resistance as it travels to ground. This is not correct. Electricity follows all paths available, in inverse proportion to the impedance of the paths. Without proper grounding, surges can travel in unexpected ways and propagate throughout your home.

Most, if not all, single-family homes today have problems with electrical grounding.

Grounding problems in older homes arise from the fact that building codes did not require what today is considered proper grounding. In newer homes grounding problems arise if/when electrical contractors do work that does not conform to the code everywhere in the home. Inspectors do not (cannot) catch all code violations.

Even if the electricians do it right, they aren't the only ones wiring homes today. Alarm, cable, phone, and satellite technicians along with DIY homeowners all install electronic equipment and wiring inside and outside the house. None of these people are likely to have the expertise and take the time to properly ground their work. Things like outdoor lights, spas, dog fences, satellite dishes, etc. can all provide pathways for lightning currents to enter homes instead of the ground.
  • "Since the[se] different electronic systems are often interconnected by signal and control wiring, a defect in the lightning protection for one system can allow surges from lightning to propagate to other systems, producing massive damage." (IEEE booklet, pg. 2)


What's a home owner to do!?

There's no quick and inexpensive way to get real protection. But if you have put a lot of money into computers, audio, video, kitchen appliances, and other electronic devices in your home, it might make sense to protect them. The alternatives are to:
  1. Insure your electronic equipment (make sure that you are covered for any and all power related losses) and design and implement an automated, off-site back-up for your data files.
  2. Put a few "point-of-use" surge protectors around the house to give yourself peace of mind and a false sense of security.
  3. Do nothing and hope for the best.
  4. All of the above.

Personally, I'm sort of a #4. My home computers are pretty well backed up. I've got a few point-of-use surge protectors guarding computers and some other electronics. These surge protectors advertise big-money pay-backs if any connected equipment gets damaged. Does that count as insurance? I don't know. I imagine they don't make it easy to collect on damage claims.

Finally there is lots of other equipment in my house that I have done nothing to protect. I am hoping to dodge the surge. I know that this is a false hope, and I cannot say I have peace of mind when it comes to lightning. <SIGH/>

Tuesday, July 03, 2007

What's Your Language?

So where's the action in computer programming nowadays? Offshoring has had a big impact in some places and in some languages/platforms. The US is no longer where the action is programming-wise, although, the case can be made that the US is still where interesting, inventive programming is being done.

In the graph above, results of my trend-analysis of computer programming languages are presented. The languages were Java, Perl, PHP, Ruby, SQL, and Microsoft's ASP.net. The analysis revealed three distinct tiers, based on the volume of search activity. Interest is highest in Java. Interest in PHP and SQL is about the same, albeit lower than Java. Interest in Perl, Ruby and ASP.net is about the same, albeit lower than PHP and SQL. So, why do I have ASP.net listed as Tier 4 in the graph?

Methodology

As my regular readers know, I have recently set about to learn Perl. From this experience and earlier experiences learning and using other programming languages, I know that there are LOTS of searches involved in the process. "What's the Perl syntax for ______?" and "Perl regexp tutorial" and "________ doesn't work in Perl" ...

Thus, the basic premise of my analysis is that search activity is a good proxy for the work being done in a particular programming language. Given this assumption, it follows Java is the programming language most used today, since it has the most searches of the languages analyzed.

Furthermore, Google Trends provides information on the top-10 regions and cities where the search activity is distributed, so it is possible to say, based on my assumption, where the work is being done. So, while Tier 3 programming languages each show the same amount of interest/work, where that work is being done is different for ASP.net as compared to Perl and Ruby. This is not the case in Tier 2 (and Tier 1 (Java)). Because of the geographic dimension, Tier 4 is separate from Tier 3.

Tier 1

Over the period 2004 through the first quarter of 2007, most programming work was being done using the Java programming language. And it was being done mostly outside the US, in India, Singapore, and several of the former Soviet-bloc countries.
Java Trend Analysis By Geography (1st Q 2007)
  1. India
  2. Singapore
  3. Romania
  4. Poland
  5. Indonesia
  6. Czech Republic
  7. Ukraine
  8. Hong Kong
  9. Hungary
  10. Slovakia

Tier 2

PHP and SQL are "second-tier" in terms of activity over the period 2004 through the first quarter of 2007. Like Java, work in PHP and SQL is being done outside of the US, in developing countries. Indonesia is #1 for PHP, although the top 10 each have about the same market share. India is a clear leader in SQL work.
PHP Trend Analysis By Geography (1st Q 2007)
  1. Indonesia
  2. Czech Republic
  3. Ukraine
  4. Philippines
  5. Russia
  6. India
  7. Malaysia
  8. Romania
  9. Bulgaria
  10. Slovakia

SQL Trend Analysis By Geography (1st Q 2007)
  1. India
  2. Singapore
  3. South Africa
  4. Pakistan
  5. Hong Kong
  6. Malaysia
  7. Japan
  8. Taiwan
  9. Czech Republic
  10. Russia

Tier 3

The levels of business activity are comparable between Tiers 3 and 4. The distinction between the two is based on where the work is being done, and therefore, perhaps, the nature of the work.
In Tier 3, the United States appears to be leading the way, and the work is being conducted in venture capital hot-spots such as Silicon Valley, New York, Metro DC, et al. This suggests to me that while it is not the largest piece of the programming pie, it is a) being done to a large degree in the US and b) it is probably interesting, creative work.
Perl Trend Analysis By Geography (1st Q 2007)
  1. Sunnyvale, CA, USA
  2. Bangalore, India
  3. Tokyo, Japan
  4. Chiyoda, Japan
  5. Santa Clara, CA, USA
  6. San Jose, CA, USA
  7. Osaka, Japan
  8. Moscow, Russia
  9. San Francisco, CA, USA
  10. Chennai, India

Ruby Trend Analysis By Geography (1st Q 2007)
  1. San Francisco, CA, USA
  2. Pleasanton, CA, USA
  3. Raleigh, NC, USA
  4. Washington, DC, USA
  5. New York, NY, USA
  6. Rochester, NY, USA
  7. Cincinnati, OH, USA
  8. Seattle, WA, USA
  9. Portland, OR, USA
  10. Salt Lake City, UT, USA

Tier 4

Bad news if you are a Microsoft ASP/ASP.net programmer living in the developed world: a) this is not a particularly active technology, and b) India and Pakistan account for most of the work in the period.
ASP.net Trend Analysis By Geography (1st Q 2007)
  1. India
  2. Pakistan
  3. Singapore
  4. Viet Nam
  5. Malaysia
  6. Iran
  7. South Africa
  8. United Arab Emirates
  9. Hong Kong
  10. Taiwan

About Google Trends

Google Trends analyzes a portion of Google web searches to compute how many searches have been done for the terms you enter, relative to the total number of searches done on Google. The results are graphed over time, plotted on a linear scale. Below the search-volume graph is a news reference volume graph which shows you the number of times your topic appeared in Google News stories. For more, see http://www.google.com/intl/en/trends/about.html