Security

November 23, 2009 4:00 AM PST

E-tailers snagged in marketing 'scam' blame customers

by Greg Sandoval

First, the good news for consumers: the U.S. government's investigation into how dozens of well-known online stores worked with controversial marketers to "deceive" customers out of $1.4 billion has prompted some retailers, including Continental Airlines, to sever ties with the marketers.

Mark Goldston, chairman and CEO of United Online, parent company of Classmates.com, which banked $70 million from marketing practices now under investigation by the Senate Commerce committee.

(Credit: United Online)

Now, the bad news: the marketers--Affinion, Vertrue, and Webloyalty--are still in business and judging from the responses of many of the retailers involved, such as Priceline, Classmates.com, FTD, Shutterfly, and Orbitz, it will be business as usual. They see nothing wrong with the marketing practices that millions of angry online shoppers and members of the U.S. Senate have called a "scam," "robbery" and "theft."

While the U.S. Senate Commerce committee produced a staggering amount of documentation during a hearing last week that appears to show consumers are misled into signing up for so-called loyalty programs, the retailers continue to suggest it's their customers who are at fault.

The controversy began last May, when the Commerce committee launched an investigation into the practices employed by Vertrue, Affinion, and Webloyalty. The committee's investigators found thousands of complaints going back years from people who said they discovered "mysterious charges" on their credit cards and struggled to discover how they got there.

The Senate's investigators said they learned that the retailers had made an unholy alliance with the marketers. Under most of the agreements between the marketing firms and retailers, an advertising page is presented to a shopper while they complete a transaction at the retailer's online store. Many shoppers say they entered their e-mail address and pushed a large "Yes" button on the ad because it appears to be a $10 cash-back offer or coupon. Many of those who complain say they thought they were being rewarded by the retailer for making a purchase.

Written in much smaller print within the ad are the full terms of the deal. A customer is notified there that by providing their e-mail address they are joining a membership program and agreeing to pay one of the marketing firms a monthly fee, typically between $10 and $20.

Despite being blasted last week by members of the Commerce committee, most of the retailers involved haven't done much repenting.

Orbitz "does not pass on any personally identifiable customer information to third party vendors without their permission," the travel site said in a statement.

United Online, parent company of FTD and Classmates.com, a company that the government said banked $70 million via the three marketers, said: "We believe that our marketing practices provide clear disclosure. We do not transfer our customer's credit or debit card information to third parties without our customer's consent."

Priceline said the terms of the deal have "been clearly and fully explained."

It's all your fault
The inference is clear: The people complaining about this are the ones who screwed up. The terms of the deal were all in the ad so that means anyone who was charged the monthly fee either wanted it at the time or was negligent.

I can start by listing all the information that the government has found that shows that as many as 30 million consumers were unaware that they were signing up for the loyalty programs. But first, let's look at the obvious.

Webloyalty, Affinion and Vertrue all say they do their best to make it clear to consumers what they're signing up for. That's nonsense of course. If their claim were true, they would simply insert the following paragraph, or something like it, high up in their ads:

BY ENTERING YOUR CREDIT CARD NUMBER YOU ARE REGISTERING FOR MEMBERSHIP PROGRAM AND YOUR CREDIT CARD WILL BE CHARGED $12 PER MONTH FOR THIS SERVICE UNTIL YOU CANCEL YOUR MEMBERSHIP. ENTER CARD NUMBER HERE:________. EXPIRATION DATE HERE:________.

Voila. End of confusion.

This simple fact was presented in a Jan. 8, 2007, court filing that was part of a class-action lawsuit filed against Webloyalty, one of several suits filed against the three marketing companies over the years. In this case, the attorneys representing plaintiff Joe Kuefler sized up why they believed Webloyalty doesn't display its terms in this clear way or ask consumers to input their credit card information themselves.

"The answer is nefarious," the lawyers wrote. "If customers had to retype their credit card numbers, they would know that they were registering for a monthly fee-based service and defendants would not be able to get rich by fooling people into signing up."

Confusion breeds deception
Here's the next obvious fact that readers should know: burying important contractual information deep inside big blocks of text isn't new. Creating confusion around a purchasing experience and then obtaining a consumer's credit card information from someone other than the owner to make charges isn't novel. These ideas have been around in some form or another for decades and are outlawed in many parts of the brick-and-mortar world. These tactics won't fool everyone, but they will mislead enough consumers for the companies to profit.

In the court filing against Webloyalty, Kuefler's lawyers said that if they could get their hands on the company's internal documents they could prove Webloyalty knew that most "members" were duped into signing up. Well, the government did obtain documents.

According to the Senate Commerce committee's report a Vertrue employee once wrote that "cancellation calls represent approximately 98 percent of call volume" to the company's customer service operations. One Webloyalty employee said in an e-mail that "90 percent of our members don't know anything about the membership."

Documents obtained by the government show Affinion estimated that the chances of obtaining money from a consumer would be four times higher if a retailer handed over a customer's credit-card information to the marketing firm than if the firm had to get it from the actual cardholder.

Prentiss Cox, a former assistant attorney general and now a Minnesota law professor, says that in his decade-long experience studying the marketing practices employed by Affinion, Vertrue and Webloyalty, it's clear to him that the share of members who voluntarily sign up for the loyalty programs run by those companies is less than 5 percent.

Since I began writing about this in July, I've seen a lot of reader feedback from people who don't believe they could ever be misled into signing up for the membership programs. But I've also read thousands of complaints, which can be found here, here, and here. Among those that have claimed to have been duped are lawyers, computer programmers, vice presidents, U.S. Army veterans, and journalists.

The government wrote that more than 35 million people have been enrolled in Affinion, Vertrue, and Webloyalty's clubs.

Cox says the marketing techniques used by Affinion, Webloyalty, and Vertrue work because shoppers have been conditioned to believe that on the Web they can't be charged without entering their credit card information. He notes the ads that Affinion, Vertrue and Webloyalty stick in the faces of consumers come late in the transaction process, when a consumer might think they need to click the "yes" button and enter their e-mail address to verify their identity. In addition, the ads "are sold as free offers," Cox said. This lowers a shopper's guard.

Another effective technique employed by the marketing companies is that they know many people will be embarrassed. Many consumers will hear that they entered their e-mail address and will assume they erred. Some won't make a stink because they don't want to admit that they don't check their bank statements well enough.

By saying, "we never release credit card information without the consumer's authorization," the marketing companies and their retail partners imply that the money their customers lost was caused by their own negligence.

Affinion, Vertrue, Webloyalty, and their retail partners are all profiting from their customers' shame, when it is they who should be ashamed.

Webloyalty illustrated for potential clients how much easier it is to generate "high revenue" from a consumer when the firm can get their credit card information from a retailer ('card on file') instead of the card owner. Members of a Senate committee have called such practices a 'scam.'

(Credit: U.S. Senate Commerce committee)


November 16, 2009 5:45 AM PST

VeriSign expects major security update by 2011

by Tom Espiner

VeriSign, which runs the master database for such domains as .com and .net, says a significant Internet security vulnerability will be closed by 2011, after delays caused by technical aspects of the implementation.

The problem is that DNS, the Domain Name System that translates Internet addresses into numerical values, can be seeded with false values and used to misdirect users. VeriSign told ZDNet on Friday that it will put in place DNSSEC, a protocol that will guarantee the origin and integrity of DNS data for the .com and .net domains, by the first quarter of 2011.

Read more of "VeriSign: Major internet security update by 2011" at ZDNet UK.

February 20, 2009 4:19 PM PST

Three data breaches hit Florida, one hits the feds

by Elinor Mills

Another day, another data breach.

If you bought something at a Best Buy store in West Palm Beach, Fla., late last year, or stayed at a Wyndham hotel in Florida last summer, or use a U.S. government travel Web site you might want to check your credit card statements closely.

Best Buy warned this week that 4,000 customers of a store in West Palm Beach may have had their credit card information stolen when they made their purchases.

The chain terminated the employment of a worker at the store after learning that a skimming device was used to steal data from the magnetic stripes on credit cards last November and December, according to an advisory issued by Best Buy (PDF).

Best Buy said it learned of the data breach on January 5 and that the employee was taken into federal custody on January 7.

Also in Florida, Attorney General Bill McCollum urged people to monitor their credit statements and said up to 21,000 state residents may have been affected by a data breach at Wyndham Hotels last year.

Wyndham said in a frequently asked questions statement that it noticed unusual activity on one of its servers during a routine administrative review in September and discovered that data had been stolen in July and August by an attacker who penetrated the computer systems of one of the Wyndham hotels.

"By going through the centralized network connection, the hacker was then able to access and download information from several, but not all, of the other WHR properties and create a unique file containing payment card information of a small percentage of our WHR customers," a separate customer alert said. "The incident did not affect any of the other branded hotels in the Wyndham Hotel Group system...At this time, no criminal identity theft related to the use of the consumer data has been identified."

And the University of Florida this week said someone had penetrated the school's computer network, putting the data of 97,000 users at risk, according to the Sun-Sentinel.

The school shut down the system when it discovered the cyber break-in last month and switched to a more secure system, officials said. It was unclear how the intruder got into the network, what data was exposed, or if any of it was stolen.

The U.S. government, meanwhile, is dealing with a breach of its own. The travel reservations and expense reimbursement Web site, Govtrip.com, used by numerous agencies and operated by defense contractor Northrop Grumman, was found to be redirecting visitors to a malicious Web site last week, according to NetworkWorld.

The redirected Web site delivered malicious software to the computers, but it was unclear exactly what the software did. The travel site was still down as of Friday afternoon.

January 27, 2009 4:00 AM PST

Cloud computing security forecast: Clear skies

by Elinor Mills

To critics, cloud computing can't be trusted because you aren't in control of the data outside your network.

But if that's the case, then how secure are the data and colocation centers that corporations contract with to host their data?

"It does come down to vetting the practices of the provider and making sure they meet the standards you want for your business," Phil Hochmuth, a senior analyst at Yankee Group, said Monday, the eve of Cloud Computing Innovation Day in Santa Clara, Calif.

Companies like Salesforce.com, Amazon.com, and Google have built businesses around serving up on-demand services to enterprises that would rather pay a service provider than buy hardware and hire staff to manage their databases. However, handing over the data is still a cause for concern among many corporations.

"What are they doing to the data? Is it persistently encrypted? Are there access controls in place? Do you get to monitor who they hire and who cleans the data centers at night?" said Phil Dunkelberger, chief executive of PGP Corp., relaying the concerns on people's minds about cloud computing.

How secure is the data? "It's one of the first questions we get, especially from enterprises," said Adam Selipsky, vice president of product management and developer relations for Amazon Web Services.

Securing the data is key to a cloud service provider's business, Selipsky said. "We can afford to devote resources to it that, quite frankly, most of our customers can't," he added.

"Cloud computing can be as secure, if not more secure, than the traditional environment," said Eran Feigenbaum, director of security for Google Apps. "Most organizations really struggle, whether they want to admit it or not, securing their networks."

Feigenbaum points to data breaches that hit the headlines, such as the one that exposed credit card information held by payment processor Heartland recently.

Then there are the statistics that show that one-third of breaches result from stolen or lost laptops and other devices and from employees accidentally exposing data on the Internet, with nearly 16 percent due to insider theft.

"Cloud computing can fix some of these issues," Feigenbaum said.

Not only can Google apply patches more quickly than most enterprises to plug holes in software, but the Google Apps Premier edition offers the ability to protect data in transit by encrypting it in the pipe between Google and the user's desktop, as well as offer control over who can access the data, he said.

Cloud service providers are held to high standards, must offer evidence of security certifications, and are subject to inspections by auditors, placing them under much higher scrutiny than typical in-house security teams, according to Peter Coffee, director of platform research at Salesforce.com.

Most data theft results from someone authorized to access the data doing so improperly or handling the data carelessly, he said. With cloud-based services, when a user logs out, the browser cache can be set to flush automatically, leaving nothing on the desktop to be lost or stolen, and logs can show who did what to which data, he added.

"This is inherently safer than the typical client-server model of downloading data that remains on the end-user device, and is far more secure than distributing data as e-mail attachments whose subsequent use and transmittal are largely uncontrolled," Coffee wrote in an e-mail reply to questions.

The security concern with cloud computing is a cultural issue, said Rebecca Wettemann, a vice president at Nucleus Research.

"The question is would I rather be at a huge data center where a vendor is contractually required to keep my data secure or would I rather rely on my staff to do it properly?" Wettemann said. "You need to trust that your vendor will manage your data."

So far, there haven't been any significant security breaches with an on-demand services vendor, she said. And people are getting used to the idea of being able to access their data anytime and from anywhere because it is out on the Internet, she added.

There have also been precursors to cloud computing that people are familiar with, such as the evolution of answering machines to voice mail services, said Peter Evans, director of security strategy and technology integration at IBM Security Systems.

"It is as much an emotional thing as anything," Evans said. "When my data is on my server in my building, there is a good gut feeling about that. When it's out in the ether, how do I know it's protected?"

November 25, 2008 4:23 PM PST

Microsoft ranked fifth worst spam service ISP

by Elinor Mills

Microsoft is listed fifth in the Top 10 list of the worst spam service ISPs compiled by Spamhaus.org.

Spammers are advertising links to sites that "peddle fake pharmacy products, porn, and Nigerian 419 scams" on Microsoft's Live.com and Livefilestore.com sites because they know that the Microsoft sites won't get blocked by antispam groups, writes Brian Krebs on his Security Fix Blog at the Washington Post.

Spamhaus has been alerting Microsoft to the problem for some time, but to no avail, Richard Cox, Spamhaus' chief information officer, told Krebs. Other security companies, including McAfee and Marshal, have also been warning about increases in spam and scams on Microsoft-hosted sites.

A Microsoft spokesman responded to a request for comment with this e-mailed statement:

Spam and other abuse scenarios are not Microsoft-specific. Microsoft offers Windows Live, a suite of software and services that provides opportunities for customers to post and share their own content through Windows Live Hotmail, Windows Live Spaces, Windows Live SkyDrive, and other free services. As such, spammers have multiple avenues to target consumers with malicious activities. We take protecting our customers' security and privacy seriously and are continually working to improve their experiences while making industry-leading progress to mitigate such attacks through both oversight and technology advancements. Using Windows Live services for spam is explicitly prohibited by the terms of service, and Windows Live accounts that are found to be used by spammers are aggressively removed.

Interestingly, Verizon.com is listed at No. 9.

Microsoft's Live.com and Livefilestore.com are riddled with spam and online scams, Spamhaus.org says.

(Credit: Spamhaus.org)

October 15, 2008 12:07 PM PDT

Secunia exploits security suites flaws

by Robert Vamosi

A new report (PDF) from Secunia is raising awareness about the need to patch vulnerabilities and block malware from desktops.

The report found that "security vendors do not focus on vulnerabilities." And while Symantec Norton Internet Security 2009 bests the 11 other suites tested, Secunia found that Symantec "detected a mere 64 out of 300 exploits, or less than one-fourth, leaving 236 exploits undetected." Overall the dozen products all received an "F" on the report.

The Secunia test departed from the traditional testing done by organizations such as AV-test.org and AV-comparatives.org, which use collections of malware to demonstrate the on-demand and heuristic capabilities of the security products. Secunia used exploits--not viruses and worms--to demonstrate the need for users to patch vulnerabilities as well as have a good firewall, antivirus, and other anti-malware protection. The company said exploits are what criminals are most likely to use these days, and faulted the tested security vendors who said their products could protect against any threat.

Secunia did single out one product, Kaspersky Internet Security, as providing a vulnerability scanner, yet Kaspersky also did poorly on the test.

But Alex Eckelberry of Sunbelt Software criticized Secunia's report as being a "useless test." And others, too, have criticized the methodology used.

There is a move within the security industry to standardize malware testing. The newly formed Anti-Malware Testing Standards Organization states that there is a "global need for improvement in the objectivity, quality, and relevance of anti-malware testing methodologies." The group is currently soliciting opinions on two papers, one on testing best practices and the other on fundamental principles for malware testing.

July 29, 2008 1:45 PM PDT

Apple in a bind over its DNS patch?

by Robert Vamosi

Updated 2:50 p.m. PDT with comments from security researcher Rich Mogull.

Three weeks after the disclosure of a serious flaw within the Domain Name System (DNS), Apple has yet to patch its Mac OS X operating system, but the company may be able to look to a third party in its defense.

In a posting to an Internet newsgroup on Monday, Paul Vixie of the Internet Systems Consortium (ISC) acknowledged that the Berkeley Internet Name Domain (BIND) DNS Server's recent -P1 releases may be unstable for some users. The BIND DNS Server is used on the vast majority of name serving machines on the Internet and provides an openly redistributable reference implementation of the major components of the Domain Name System.

Vixie, one of the researchers briefed in advance of the DNS flaw disclosure by Dan Kaminsky, said that once ISC learned of the problem, it began work immediately on a patch.

However, "during the development cycle we became aware of a potential performance issue on high-traffic recursive servers, defined as those seeing a query volume of greater than 10,000 queries per second. Given the limited time frame and associated risks we chose to finish the patches ASAP and accelerate our work on the next point releases that would address the high-volume server performance concerns."

Vixie underscored that having the DNS patch was more important than worrying about slow server problems. He said that ISC will be releasing versions 9.3.5-P2, 9.4.2-P2, and 9.5.0-P2 at the end of this week.

Separately, security researcher Rich Mogull of Securosis.com echoed that having a DNS patch was better than not having one.

In a blog post last week co-authored with Glenn Fleishman, Mogull commented on Apple's lack of a patch. He wrote: "Apple uses the popular Internet Systems Consortium BIND DNS server which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date."

In an e-mail to CNET News, Mogull said "Apple may be stuck between a rock and a hard place on this one, but they've chosen the worst possible option--remaining silent."

He went on to say that we don't know how the BIND instability affects the Mac OS X Server.

"If it were unstable, my recommendation would be to make a preliminary patch available that those using it as a recursive DNS server can apply. With an active exploit, no patch at all is not a viable option and places customers at high risk. Let the customers make their own risk decision."

Mogull suggests that those savvy with compiling code could still install their own version of 9.5.0-P1 to a Mac OS X Server or "reconfigure those servers to forward DNS requests to alternative platforms, such as BIND on Linux or Unix, or Microsoft servers, until Apple issues a patch."
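The forwarding workaround Mogull describes, shown as an added example (not configuration from Apple, ISC, or Securosis): two versions of the options block in a BIND named.conf on the not-yet-patched server, the weak setting (the server walks the DNS tree itself, so its own cache is what a poisoning attempt targets) beside the corrected one (every recursive lookup is handed to patched resolvers). The client subnet and resolver addresses are placeholders from the RFC 5737 documentation ranges.

```conf
// --- BEFORE (weak): the unpatched server performs its own recursion ---
// Added example, hypothetical file; the cache being filled here is the one
// an attacker would try to seed with false records.
options {
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // placeholder: your client subnet
};

// --- AFTER (mitigated): same clients, but recursion is outsourced ---
// "forward only" makes the server send every non-authoritative query to the
// listed resolvers and never fall back to resolving on its own ("forward
// first" would fall back, which defeats the purpose while the host is
// unpatched). Zones this server is authoritative for are still answered
// locally; forwarding only applies to lookups it would otherwise recurse for.
options {
    recursion yes;
    allow-recursion { 192.0.2.0/24; };   // placeholder: your client subnet
    forward only;
    forwarders {
        198.51.100.53;   // placeholder: patched BIND 9.5.0-P1 on Linux/Unix
        198.51.100.54;   // placeholder: second patched resolver (or Microsoft DNS)
    };
};
```

The forwarders must themselves be running the patched code; forwarding to an unpatched resolver moves the exposed cache rather than removing it.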

Current attacks in the wild only affect DNS caching on servers, said Mogull in his blog post, so desktop Mac OS X users need not be concerned just yet.

Apple had no comment to a request from CNET News regarding the status of a Mac OS X DNS patch.
