<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Kraft Law Firm</title>
	<atom:link href="http://www.kraftlawfirm.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.kraftlawfirm.com</link>
	<description>Legal Advice and Services for Business</description>
	<lastBuildDate>Thu, 09 Sep 2010 21:05:24 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Apple’s New Ping Service – Not Yet Ready for Prime Time?</title>
		<link>http://www.kraftlawfirm.com/massachusetts-datasecurity/apple%e2%80%99s-new-ping-service-%e2%80%93-not-yet-ready-for-prime-time/</link>
		<comments>http://www.kraftlawfirm.com/massachusetts-datasecurity/apple%e2%80%99s-new-ping-service-%e2%80%93-not-yet-ready-for-prime-time/#comments</comments>
		<pubDate>Thu, 09 Sep 2010 21:05:24 +0000</pubDate>
		<dc:creator>Michael S. Kraft</dc:creator>
				<category><![CDATA[Apple Ping service]]></category>
		<category><![CDATA[iTunes security]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Apple iTunes]]></category>
		<category><![CDATA[Apple Ping]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[information privacy]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[iPod]]></category>

		<guid isPermaLink="false">http://www.kraftlawfirm.com/?p=228</guid>
		<description><![CDATA[Security Concerns Reported On Apple’s Latest Music Software. I have a love-hate relationship with Apple and their products. I love the iPhone. My wife has one and we use it constantly when we’re out and about as our “internet on the go” – searching for restaurants and cheap gas, checking weather and news reports and [...]]]></description>
			<content:encoded><![CDATA[<p><em>Security Concerns Reported On Apple’s Latest Music Software.</em></p>
<p>I have a love-hate relationship with Apple and their products. I love the <a href="http://www.apple.com/iphone/">iPhone</a>. My wife has one and we use it constantly when we’re out and about <a href="http://www.kraftlawfirm.com/wp-content/uploads/2010/09/iPhone-security.jpg"><img class="alignleft size-medium wp-image-231" title="iPhone security" src="http://www.kraftlawfirm.com/wp-content/uploads/2010/09/iPhone-security-225x300.jpg" alt="" width="225" height="258" /></a>as our “internet on the go” – searching for restaurants and cheap gas, checking weather and news reports and so on. But I hate the touch screen for typing. My fingers aren’t that big, but I still cannot manage to type even a few words without misspellings. (Needless to say, my personal phone is a <a href="http://na.blackberry.com/eng/devices/blackberrybold/#!where-to-buy?CPID=KNC-kw263305_p6&amp;HBX_PK=rim|63285387-a3ef-d468-73fc-0000524e10e6">Blackberry</a>.)</p>
<p>I love my <a href="http://www.apple.com/ipod/">iPod</a>. It holds tons of music, is easy to use and there are so many accessories that expand its versatility. My favorite is a wireless remote from <a href="http://www.scosche.com/products/sfID1/210/sfID2/324/productID/1821">Scosche Industries</a> that lets me leave it in my pocket when I’m skiing, but still control everything. But why am I authorized to use only 5 computers? Between my wife, kids and me we have six machines at home (three are Macs) and I have another one at work. And how hard would it be to program the device to let me move or delete a song from a playlist?</p>
<p>I love <a href="http://www.apple.com/itunes/">iTunes</a>. It has a simple user interface and updating songs to my iPod is relatively easy. Shopping for music through the store is also a breeze. But I hate not being able easily to share music between devices or computers as I could if they were mp3’s or some other format. I also hate that (until recently) every time Apple upgrades their software, QuickTime resets all of my audio and video settings, requiring several minutes of tedious clicking around to get it all back to where it should be.</p>
<p>And that brings me to <a href="http://www.apple.com/itunes/whats-new/#social">Ping</a>, Apple’s new social networking service for music fans. According to Apple, you can follow favorite artists and friends and discover the music “they’re talking about, listening to and downloading.” So what could be wrong with that?</p>
<p>When I first saw the information on Ping (pushed to me through an Apple email and upgrade announcement) I was curious. But being busy, I didn’t have time to study much of what it was about or how to set it up. And at the moment, I’m glad I waited. <a href="http://www.pcworld.com/#new">PC World </a>just posted two articles questioning the security of the new service on their <a href="http://www.pcworld.com/newsletters/archive/?archiveid=18888">Security and Privacy blog</a>.</p>
<p>Apparently the biggest problem for Ping users is what is known as “comment spam,” where spammers add replies to users’ postings. They have been flooding the boards with solicitations and scams. These may be offers for free or low-cost electronics like iPads, surveys and the like. Many of these will contain links to products and services you don’t want or need (I’m sure you know what I’m talking about), or worse, infect your computer with viruses or spyware. The best advice as always: USE EXTREME CAUTION before clicking on any links anywhere to be certain that they are from a trusted source. According to security experts at <a href="http://www.sophos.com/blogs/chetw/g/2010/09/02/apple-pingd-comment-spam-coming/">Sophos</a>, Apple is now manually deleting content that it deems offensive or in violation of its terms of use and suspending the users’ accounts. But given the number of iTunes accounts and the likely flood of users to the new Ping service, that might be like trying to empty a bathtub with a teaspoon . . . with the water still running.</p>
<p>There are two other problems that could give rise to security issues. First, using Ping may expose your email address to the world. According to PC World: “Ping lets you approve people who want to follow you, or turn off following altogether. If someone turns on follower-approval, they&#8217;ll be able to see your e-mail address.” So if you’re not careful to limit who has access to you on Ping, you may be in for a nasty surprise in your inbox.</p>
<p>Next, according to PC World, when you sign up for Ping, you are required to provide a user name. iTunes apparently inserts the name that is on your billing records, but if you change that to some nickname, then iTunes assumes you also want to change your billing name and updates that also. It seems rather peculiar that the software would assume that the nickname you choose for their social network would be what you want to use for billing purposes. They ought to at least ask for confirmation.</p>
<p>I’m not entirely sure I see the value in a social networking experience built exclusively around my musical interests. I have enough trouble already keeping up with Twitter, LinkedIn and my other social networks, so this doesn’t seem like it should be a priority. One thing is certain – at this early stage, I’ll wait a bit for them to work out the kinks.</p>
<p>If anyone is using Ping or has thoughts on the service, please leave comments.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kraftlawfirm.com/massachusetts-datasecurity/apple%e2%80%99s-new-ping-service-%e2%80%93-not-yet-ready-for-prime-time/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Identity Theft Protection – As Easy As Changing Your Oil?</title>
		<link>http://www.kraftlawfirm.com/massachusetts-datasecurity/identity-theft-protection-%e2%80%93-as-easy-as-changing-your-oil/</link>
		<comments>http://www.kraftlawfirm.com/massachusetts-datasecurity/identity-theft-protection-%e2%80%93-as-easy-as-changing-your-oil/#comments</comments>
		<pubDate>Thu, 03 Jun 2010 15:19:50 +0000</pubDate>
		<dc:creator>Michael S. Kraft</dc:creator>
				<category><![CDATA[data security]]></category>
		<category><![CDATA[identity protection]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.kraftlawfirm.com/?p=206</guid>
		<description><![CDATA[Do you change your own oil? Most of us are capable of performing this simple maintenance on our vehicles, but we choose not to. After all, it is messy work, requires a few specialized tools, and disposing of used oil can be a hassle. To boot, the cost of an oil change at the local [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.kraftlawfirm.com/wp-content/uploads/2010/06/bigstockphoto_Female_Fixing_Her_Car_5149089.jpg"><img class="alignleft size-medium wp-image-208" title="female fixing her car" src="http://www.kraftlawfirm.com/wp-content/uploads/2010/06/bigstockphoto_Female_Fixing_Her_Car_5149089-200x300.jpg" alt="" width="200" height="300" /></a>Do you change your own oil? Most of us are capable of performing this simple maintenance on our vehicles, but we choose not to. After all, it is messy work, requires a few specialized tools, and disposing of used oil can be a hassle. To boot, the cost of an oil change at the local service station, specialty stores like Direct Tire or Pep Boys and even the dealerships is relatively modest.</p>
<p>So what’s the connection with identity theft? Identity theft is a <a href="http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identity-theft.html">big problem </a>that is affecting more and more people each year. At a minimum, the problem creates a great deal of aggravation and considerable worry. At worst, it can cause debilitating harm to your credit, making it difficult or impossible to buy a car, rent an apartment, refinance your home or even get a job.</p>
<p>To combat this problem, many companies such as LifeLock, TrustedID, IdentityGuard, ID Watchdog and others offer services that they claim are designed to help you prevent, identify and correct any problems that may arise due to identity theft. They claim to do this through a multi-faceted approach that includes removing your name from pre-approved credit card mailing lists, providing annual copies of your credit reports and searching the web for potential indicators that your identity has been compromised. And then when a problem occurs, they provide counseling and guidance on how to repair the damage.</p>
<p>Until recently I was not very much in favor of identity theft protection services. After all, many of the features offered by these services are items that anyone can easily accomplish on their own, just like changing your oil. For instance, under federal law, consumers are entitled to receive a copy of their credit report from each of the three major credit bureaus once each year. Likewise, anyone can sign up at www.optoutprescreen.com to limit unwanted credit and insurance offers. And much of the information needed to repair credit damage is readily available on line (The FTC has extensive information available <a href="http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identity-theft.html">here</a>). So why then should anyone pay on the order of $100 or so each year when they can do this all for free?</p>
<p>The reality is that we are busy people. Or we’re not perfectly organized. Or we just don’t trust that we are going to dot all the i’s and cross all the t’s. Just as with the convenience of the oil change services, there is clearly a place for these identity protection companies even if all they are doing is something that we can do ourselves.</p>
<p>However, before engaging in such a service, be certain that you know exactly what you are getting and what you are not. For instance, many people may mistakenly think that the “million dollar” guarantees offered by these services will pay them money to cover substantial loss of income or provide other compensation if they are forced to pay higher interest rates on mortgages or car loans due to damaged credit. Read the fine print very carefully – in many cases, they do not make any direct payments to the consumers except possibly to reimburse certain limited expenses. To the extent that any significant money might be paid, it is primarily for lawyers and other professionals who they hire to clear your name. Lost income, if it is covered, is very limited (i.e. only for the time off work spent fixing your identity).</p>
<p>More important, the insurance may not even be available unless you can show that your loss was due to a failure of the service and not some other cause. Identity theft is tricky business and there are many ways that thieves can get hold of your information. The protection services cannot possibly stop all of the leaks, so unless it is their fault that you have a problem, their insurance may not be available to help you fix the problem.</p>
<p>What are you doing to protect your identity? Have you used one of these services? Has it been of any value? Do you have questions about identity theft? Please fill out a comment or send me a note.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kraftlawfirm.com/massachusetts-datasecurity/identity-theft-protection-%e2%80%93-as-easy-as-changing-your-oil/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Worst Mistake a Landlord Can Make</title>
		<link>http://www.kraftlawfirm.com/massachusetts-datasecurity/the-worst-mistake-a-landlord-can-make/</link>
		<comments>http://www.kraftlawfirm.com/massachusetts-datasecurity/the-worst-mistake-a-landlord-can-make/#comments</comments>
		<pubDate>Thu, 06 May 2010 14:30:36 +0000</pubDate>
		<dc:creator>Michael S. Kraft</dc:creator>
				<category><![CDATA[landlord and tenant]]></category>
		<category><![CDATA[last month's rent]]></category>
		<category><![CDATA[security deposit]]></category>

		<guid isPermaLink="false">http://www.kraftlawfirm.com/?p=197</guid>
		<description><![CDATA[There are many ways in which landlords can cross the line and get into serious trouble with their tenants, but perhaps the easiest is by misappropriating their security deposit. The security deposit belongs to the tenant, not the landlord. Period. End of story. Yes, the landlord may be entitled to retain the security deposit at [...]]]></description>
			<content:encoded><![CDATA[<p>There are many ways in which landlords can cross the line and get into <a href="http://www.kraftlawfirm.com/wp-content/uploads/2010/05/piggy-bank-trap.jpg"><img class="alignright size-medium wp-image-200" title="piggy bank trap" src="http://www.kraftlawfirm.com/wp-content/uploads/2010/05/piggy-bank-trap-300x250.jpg" alt="Mishandling security deposits creates traps for landlords" width="210" height="175" /></a>serious trouble with their tenants, but perhaps the easiest is by misappropriating their security deposit. The security deposit belongs to the tenant, not the landlord. Period. End of story.</p>
<p>Yes, the landlord may be entitled to retain the security deposit at a later time, but only after jumping through several very important technical hurdles. Until then, hands off!</p>
<p>The <a href="http://www.mass.gov/legis/laws/mgl/186-15b.htm">Massachusetts statute </a>governing residential security deposits is chapter 186, section 15B. It is long and confusing. Nevertheless, the statute carries heavy penalties. A landlord who mishandles a tenant’s deposit, even by mistake, <a href="http://scholar.google.com/scholar_case?case=6560297907192282615&amp;q=anderson+v.+cote+ma&amp;hl=en&amp;as_sdt=4000000002&amp;as_vis=1">may be obligated </a>to reimburse the tenant for three times the deposit, plus attorney’s fees, plus any court costs incurred.</p>
<p>The basic principle is to avoid any co-mingling of the security deposit with other money. The trouble often begins when the landlord first receives the deposit. In essence, the landlord becomes a trustee of the tenant’s money. Since the deposit must be kept separate from other money, the tenant should not give a single check that combines the security deposit with any other payments. The security deposit should be paid with a separate check or money order. Payment should be made directly to the security deposit account and not to the landlord. Accepting cash for the security deposit is ill-advised since there is no way to distinguish between cash belonging to the landlord and that of the tenant. It doesn’t matter that the cash is later deposited in a separate account – the violation has already occurred.</p>
<p>Once accepted, the money must be placed in a separate bank account that is properly labeled as a security deposit account. In the event that the landlord becomes subject to <a href="http://masscases.com/cases/app/54/54massappct558.html">claims of creditors</a>, the tenants’ money must be held in an account that is clearly identified as escrow funds that do not belong to the landlord. The money may be placed in an account with other security deposits as long as the account is properly labeled and contains none of the landlord’s money.</p>
<p>Another common mistake by landlords is keeping any last month’s rent in the same account as the security deposit. Unlike the security deposit, last month’s rent is money that does belong to the landlord – it is simply rent that was paid in advance. So putting it in the same account with the security deposit would result in co-mingling and would be a violation of the statute.</p>
<p>The security deposit needs to stay in the account until the end of the tenancy. The only exception is if the tenant does not pay the rent. Here is another trap for the unwary landlord. The landlord may not deduct rent from the security deposit if the tenant has withheld paying rent for a valid reason. However, tenants often do not tell the landlord immediately why they are withholding their rent. So a landlord who is quick to withdraw funds from the account without verifying the reason for the lack of payment may be in for a nasty surprise later.</p>
<p>Of course, the primary purpose of the deposit is to protect the landlord in case of unpaid rent or damage beyond reasonable wear and tear. In order for the landlord to apply the security deposit, he or she must have taken <a href="http://scholar.google.com/scholar_case?case=11594369971892085260&amp;q=taylor+v.+beaudry&amp;hl=en&amp;as_sdt=4000000002&amp;as_vis=1">several other important steps </a>designed to protect the tenants before the deposit can be applied. These include providing a statutory “Statement of Condition” and detailed receipt at the outset of the tenancy, notification of the bank account where the money is held, paying annual interest, and providing a sworn statement itemizing any damages that are being claimed, together with evidence of the repair or cleaning costs.</p>
<p>The bottom line for any residential landlord is to consult an attorney to be certain you understand your rights and obligations before accepting a security deposit. The modest cost for this advice will pale in comparison to the penalties that may be faced after the damage is done.</p>
<p>Are you a landlord or tenant? Do you have questions about housing or real estate investment? I would love to hear from you. Please click below to let me know any comments or concerns.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kraftlawfirm.com/massachusetts-datasecurity/the-worst-mistake-a-landlord-can-make/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Six Ideas to Help Small Businesses with the Massachusetts Data Security Regulation</title>
		<link>http://www.kraftlawfirm.com/massachusetts-datasecurity/six-ideas-to-help-small-businesses-with-the-massachusetts-data-security-regulation/</link>
		<comments>http://www.kraftlawfirm.com/massachusetts-datasecurity/six-ideas-to-help-small-businesses-with-the-massachusetts-data-security-regulation/#comments</comments>
		<pubDate>Fri, 30 Apr 2010 03:05:58 +0000</pubDate>
		<dc:creator>Michael S. Kraft</dc:creator>
				<category><![CDATA[Massachusetts data security regulation]]></category>
		<category><![CDATA[business regulation]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[identity theft]]></category>

		<guid isPermaLink="false">http://www.kraftlawfirm.com/?p=186</guid>
		<description><![CDATA[I recently had breakfast with my good friend, Cherie Hafford, and we talked about the Massachusetts Data Security Regulation and how much of a burden it creates, especially for small businesses (more on the Regulation here and here). The Regulation is supposed to be scalable – that is, the degree of compliance should be proportionate [...]]]></description>
			<content:encoded><![CDATA[<p>I recently had breakfast with my good friend, <a href="http://www.silverleafdesign.com/">Cherie Hafford</a>, and we talked about the <a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf">Massachusetts Data Security Regulation</a> and how much of a burden it creates, especially for small businesses (more on the Regulation <a href="http://www.kraftlawfirm.com/massachusetts-datasecurity/new-identity-theft-law-aimed-at-prevention-heads-up-business-owners/">here</a> and <a href="http://www.kraftlawfirm.com/massachusetts-datasecurity/truth-or-delusion-myths-and-misunderstandings-about-the-massachusetts-data-security-regulation-part-i/">here</a>). The Regulation is supposed to be scalable – that is, the degree of compliance should be proportionate to the size of the business and its resources. But for small businesses, even the most stripped-down, basic plan will still require considerable time and money—time and money that most business owners simply do not have or will not spend.</p>
<p>The Regulation likely affects millions of businesses around the country and perhaps the world. Read literally, the law is not confined only to Massachusetts businesses; it applies to any business wherever located that has customers or employees in Massachusetts. So if a small crafts shop in Santa Fe accepts a check from a customer in Cambridge, the shop must implement a written information security policy, or WISP. And a gas station in Orlando that accepts a credit card from a tourist who lives in Quincy would have to comply with the Regulation even if they had no idea where the customer lived.</p>
<p>Did the state go too far? Setting aside the constitutional and enforcement challenges, was there perhaps a simpler way to achieve the goals that would not impose such a burden on small businesses that are already struggling?</p>
<p>Here are six ideas on how to fine tune the law to make compliance easier and achieve the same objectives:</p>
<p style="text-align: left;">1) Many businesses that accept credit cards never store the account numbers. They simply swipe them in a POS device and hand the card back to the customer. Why not make that activity compliant with the Regulation without the need for any written plan?<a href="http://www.kraftlawfirm.com/wp-content/uploads/2010/04/credit-card-swipe.jpg"><img class="aligncenter size-medium  wp-image-188" style="border: 10px solid white;" title="credit card swipe" src="http://www.kraftlawfirm.com/wp-content/uploads/2010/04/credit-card-swipe-300x200.jpg" alt="" width="300" height="200" /></a></p>
<p>2) Same thing with checks. Most businesses that accept checks want to get the money into their accounts as quickly as possible. How about a rule that says businesses are compliant if they deposit checks within two business days and keep the un-deposited checks under lock and key until they are deposited?</p>
<p>3) Focus the regulations on the banks, credit card companies and the businesses that provide the POS devices and connections. Require that the data be locked down tightly and impose substantial penalties for a breach. The standards already exist – i.e. <a href="https://www.pcisecuritystandards.org/index.shtml">PCI</a> (Payment Card Industry) standards.</p>
<p>4) Businesses that have employees need to have their social security numbers on file for payroll, benefits and other purposes. Just as with checks, if they are kept under reasonable security and only employees with a need to know or see the information are permitted access, then this should be deemed to be in compliance without the need for any further written plan. The Regulation could set forth a simple plan that if adopted and followed will be deemed to be compliance.</p>
<p>5) Work within the parameters of the <a href="http://www.ftc.gov/os/statutes/fcrajump.shtm">Fair Credit Reporting Act</a> to reinforce the rights of victims of identity theft. There are far fewer victims than there are businesses who need to protect the information from possible misuse.</p>
<p>6) Do more to educate businesses about the various practices that reduce the risks of identity theft. For years, we have seen signs in restaurants telling employees to wash their hands before going back to work. Maybe there should be similar signs in the human resources and finance departments advocating safe practices with sensitive financial information?</p>
<p>Of course no matter what is done, there will still be dishonest people who will take advantage of a situation and cause harm to others. This is not to excuse careless or negligent business practices – enforcement should still require a reasonable degree of caution and vigilance. But the new Regulation ignores the practical reality of small business and imposes too many requirements that may be unnecessary.</p>
<p>Please share your own ideas on the Regulation by posting a comment below.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kraftlawfirm.com/massachusetts-datasecurity/six-ideas-to-help-small-businesses-with-the-massachusetts-data-security-regulation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Homeowners Hurt When EPA Scratches Opt-Out</title>
		<link>http://www.kraftlawfirm.com/massachusetts-datasecurity/epa-scratches-opt-out-from-lead-paint-regs/</link>
		<comments>http://www.kraftlawfirm.com/massachusetts-datasecurity/epa-scratches-opt-out-from-lead-paint-regs/#comments</comments>
		<pubDate>Wed, 28 Apr 2010 01:41:45 +0000</pubDate>
		<dc:creator>Michael S. Kraft</dc:creator>
				<category><![CDATA[Lead Paint]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[contractors]]></category>
		<category><![CDATA[homeowners]]></category>

		<guid isPermaLink="false">http://www.kraftlawfirm.com/?p=175</guid>
		<description><![CDATA[As I mentioned in my previous post, the new Renovation, Repair and Painting regulation (RRP) went into effect last week on Earth Day, April 22. The regulation is intended to help reduce the risk of lead poisoning by requiring special precautions when performing work on homes built before 1978. Property owners must hire EPA-certified contractors [...]]]></description>
			<content:encoded><![CDATA[<p>As I mentioned in my <a href="http://www.kraftlawfirm.com/massachusetts-datasecurity/earth-day-triggers-new-law-that-burdens-homeowners-and-contractors/">previous post</a>, the new <a href="http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&amp;sid=f07a90b05d8e4481e1f462a217a2b789&amp;rgn=div5&amp;view=text&amp;node=40:30.0.1.1.13&amp;idno=40#40:30.0.1.1.13.3">Renovation, Repair and Painting regulation</a> (RRP) went into effect last week on Earth Day, April 22. The regulation is intended to help reduce the risk of lead poisoning by requiring special precautions when performing work on homes built before 1978. Property owners must hire EPA-certified contractors who have to completely seal off the areas where the work is performed (both interior and exterior), carefully remove all dust and debris, provide special handling and disposal of construction waste materials and take other steps to reduce the spread of lead-based materials that may be ingested or inhaled.</p>
<p>For most homeowners, the requirements are likely to be both burdensome and costly. The number of certified contractors is very small. While many more are seeking certification, classes are limited in size and scheduling. Contractors who obtain the certification will be in higher demand and will have a competitive advantage which will likely be reflected in higher prices when working on older properties. As well, even a simple project will require hundreds of dollars in added materials, training, disposal and time charges in order to assure compliance.</p>
<p>In an effort to ameliorate some of the challenges imposed by the regulation, the EPA had established an “opt-out” that would allow certain homeowners to be exempt from the regulation. Specifically, if there were no pregnant women or children under 6 years of age living at the premises, then the owners could sign a waiver that would permit them to opt-out of the new rules.</p>
<p><a href="http://www.kraftlawfirm.com/wp-content/uploads/2010/04/Statute-repealed1.jpg"><img class="alignleft size-medium wp-image-180" title="Statute repealed" src="http://www.kraftlawfirm.com/wp-content/uploads/2010/04/Statute-repealed1-300x205.jpg" alt="" width="240" height="164" /></a></p>
<p>However, the opt-out has now been <a href="http://www.epa.gov/lead/pubs/LRRP%20Opt-out_FRM_PrepublicationCopy_2010-04-22.pdf">eliminated</a>. Just as the new regulation took effect, the EPA also announced a revised regulation that eliminates the opt-out effective 60 days following publication with the Federal Register.</p>
<p>In many respects, the decision to remove the opt-out is probably a good one, particularly in densely populated communities. Work performed at one property can create dust and debris that may contaminate the ground or air near another where there may be children at risk. Even work done strictly within an interior space will result in dust and waste products that, when removed from the property, could also be a hazard if not handled properly. But what about properties that are far removed from their neighbors? Should the same rules apply? The EPA does not distinguish between apartments in the city and homes located on rural farm lands. Everyone must comply with the new rules.</p>
<p>Have you been affected by the new regulation? Do you know someone who has? Please share by leaving a comment below.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kraftlawfirm.com/massachusetts-datasecurity/epa-scratches-opt-out-from-lead-paint-regs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Earth Day Triggers New Law That Burdens Homeowners And Contractors</title>
		<link>http://www.kraftlawfirm.com/massachusetts-datasecurity/earth-day-triggers-new-law-that-burdens-homeowners-and-contractors/</link>
		<comments>http://www.kraftlawfirm.com/massachusetts-datasecurity/earth-day-triggers-new-law-that-burdens-homeowners-and-contractors/#comments</comments>
		<pubDate>Wed, 21 Apr 2010 02:09:46 +0000</pubDate>
		<dc:creator>Michael S. Kraft</dc:creator>
				<category><![CDATA[Lead Paint]]></category>
		<category><![CDATA[Renovation and Paint (RRP) Rule]]></category>
		<category><![CDATA[contractors]]></category>
		<category><![CDATA[homeowners]]></category>

		<guid isPermaLink="false">http://www.kraftlawfirm.com/?p=165</guid>
		<description><![CDATA[This year, Earth Day heralds a surprise for home owners who live in housing built before 1978. On April 22, the Renovation, Repair and Painting Law (RRP) takes full effect, imposing new compliance burdens for any contractors who work in older homes, and higher costs for the owners. Any project that disturbs painted surfaces must be [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>This year, Earth Day heralds a surprise for home owners who live in housing built before 1978. On April 22, the <a href="http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&amp;sid=f07a90b05d8e4481e1f462a217a2b789&amp;rgn=div5&amp;view=text&amp;node=40:30.0.1.1.13&amp;idno=40#40:30.0.1.1.13.3 ">Renovation, Repair and Painting Law (RRP) </a> takes full effect, imposing new compliance burdens for any contractors who work in older homes, and higher costs for the owners. Any project that disturbs painted surfaces must be performed by a certified contractor following rigid procedures aimed at minimizing contamination from lead found in older paint.</p>
<p>Lead paint presents serious health hazards particularly for young children and infants. Small amounts of lead that are <a href="http://www.kraftlawfirm.com/wp-content/uploads/2010/04/toxic-paint.jpg"><img class="alignright size-medium wp-image-169" title="toxic paint" src="http://www.kraftlawfirm.com/wp-content/uploads/2010/04/toxic-paint-300x225.jpg" alt="" width="300" height="225" /></a>ingested or inhaled can impair brain development and cause other serious nervous system and other <a href="http://www.epa.gov/lead/pubs/leadpdfe.pdf">disorders</a>. Use of lead paint in residential dwellings was banned in 1978, but homes built earlier are at risk of containing lead paint. Contractors who may disturb painted surfaces on older homes must be certified by the EPA in the safe handling of dust and debris that is generated by the work.</p>
<p>The regulations require that the areas affected by the work be completely sealed off and contained so that any dust or debris that may contain lead will not contaminate soil or spread through the air. After the work is completed, the worksite must be thoroughly cleaned and the waste generated must be properly stored and then removed from the site. This is no small task. Anyone who has lived through any renovations at their home knows how much dust is created and how difficult it can be to contain.</p>
<p>The new law is very comprehensive, although numerous challenges remain. One of them is ensuring that contractors are aware of, and comply with, the new law. As of March 6, <a href="http://www.hometownweekly.net/default.asp?sourceid=&amp;smenu=84&amp;twindow=Default&amp;mad=No&amp;sdetail=4202&amp;wpage=&amp;skeyword=&amp;sidate=&amp;ccat=&amp;ccatm=&amp;restate=&amp;restatus=&amp;reoption=&amp;retype=&amp;repmin=&amp;repmax=&amp;rebed=&amp;rebath=&amp;subname=&amp;pform=&amp;sc=1744&amp;hn=hometownweekly&amp;he=.net">less than 2%</a> of licensed contractors in Massachusetts had received the necessary certification to be in compliance. Another is forcing homeowners to absorb the substantial <a href="http://www.hometownweekly.net/default.asp?sourceid=&amp;smenu=84&amp;twindow=Default&amp;mad=No&amp;sdetail=4202&amp;wpage=&amp;skeyword=&amp;sidate=&amp;ccat=&amp;ccatm=&amp;restate=&amp;restatus=&amp;reoption=&amp;retype=&amp;repmin=&amp;repmax=&amp;rebed=&amp;rebath=&amp;subname=&amp;pform=&amp;sc=1744&amp;hn=hometownweekly&amp;he=.net">added costs</a> of work area containment. But perhaps topping the list is determining how exactly the EPA plans to carry out enforcement – as with many recent regulations, there simply is not the necessary manpower or budget to ensure that the law will be followed.</p>
<p>What are your thoughts about the new law? How will the new EPA rule affect you? Please share by leaving your comments.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kraftlawfirm.com/massachusetts-datasecurity/earth-day-triggers-new-law-that-burdens-homeowners-and-contractors/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>20 Year Sentence for Identity Theft</title>
		<link>http://www.kraftlawfirm.com/massachusetts-datasecurity/20-year-sentence-for-identity-theft/</link>
		<comments>http://www.kraftlawfirm.com/massachusetts-datasecurity/20-year-sentence-for-identity-theft/#comments</comments>
		<pubDate>Fri, 26 Mar 2010 16:11:59 +0000</pubDate>
		<dc:creator>Michael S. Kraft</dc:creator>
				<category><![CDATA[Massachusetts data security regulation]]></category>
		<category><![CDATA[business regulation]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[gramm-leach-bliley]]></category>
		<category><![CDATA[massachusett data security regulation]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[small business]]></category>

		<guid isPermaLink="false">http://www.kraftlawfirm.com/?p=131</guid>
		<description><![CDATA[As cyber-thief extraordinaire Alex Gonzalez is sentenced to twenty years in prison, I find it ironic that his brilliance is outweighed by his stupidity. Gonzalez pleaded guilty to the massive theft of credit card numbers by hacking into TJX, BJ’s and many other payment servers. Certainly some amount of talent was required to perform these [...]]]></description>
			<content:encoded><![CDATA[<p>As cyber-thief extraordinaire <a href="http://www.boston.com/business/ticker/2010/03/tjx_hacker_sent.html">Alex Gonzalez is sentenced</a> to twenty years in prison, I find it ironic that his brilliance is outweighed by his stupidity. Gonzalez pleaded guilty to the massive theft of credit card numbers by <a href="http://www.kraftlawfirm.com/wp-content/uploads/2010/03/in-jail.jpg"><img class="alignleft size-medium wp-image-158" title="in jail" src="http://www.kraftlawfirm.com/wp-content/uploads/2010/03/in-jail-300x300.jpg" alt="" width="300" height="300" /></a>hacking into TJX, BJ’s and many other payment servers. Certainly some amount of talent was required to perform these acts. And yet he was caught because he couldn’t keep his mouth shut. He apparently left quite a trail of breadcrumbs on the Internet when he bragged about his conquests to friends online.</p>
<p>While the new <a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf">data security regulation </a>in Massachusetts is designed to curtail this sort of sensational crime, the problem we face in trying to stop identity theft is lacking focus where perhaps it is needed most. Small businesses are considered significantly <a href="http://www.kraftlawfirm.com/massachusetts-datasecurity/small-businesses-most-vulnerable-to-data-breaches-that-lead-to-identity-theft/">more vulnerable </a>than any other segment. And to me this makes sense. I don’t imagine that the local hardware store, pizza shop or hair salon has too much security built around their employee records that are probably stuffed into an unlocked file cabinet in the back room. And their credit card processing and email are only as good as the bargain basement companies that have sold them the services.</p>
<p><a href="http://www.kraftlawfirm.com/wp-content/uploads/2010/03/restroom-stall2.jpg"><img class="alignright size-medium wp-image-144" style="border: white 10px solid;" title="restroom stall" src="http://www.kraftlawfirm.com/wp-content/uploads/2010/03/restroom-stall2-300x199.jpg" alt="" width="300" height="199" /></a>Certainly the regulation is aimed at, and applies to, even these small businesses. It is a sweeping and comprehensive piece of legislation that will clamp down on all but the most determined of thieves—but only if it is followed. The problem lies in the difficulty of obtaining compliance. I’m guessing that most small business owners are not even aware of the regulation (at least those with whom I have spoken are not). And those that are aware of it will not likely take the time and spend the money needed to prepare and implement a WISP (written information security plan). I analogize this problem to the modesty panels in the public restroom – they cover up most of what might be seen, but there is a big gap at the bottom. Someone who wants to peek in certainly could. While it should not be necessary to hire a lawyer skilled in compliance issues to prepare and educate the store owner on their WISP, the reality is different.</p>
<p>I have some ideas on improvements that will help small businesses. Look for these in future articles.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kraftlawfirm.com/massachusetts-datasecurity/20-year-sentence-for-identity-theft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Identity Theft and Credit Card Receipts – Is Your Slip Showing?</title>
		<link>http://www.kraftlawfirm.com/massachusetts-datasecurity/identity-theft-and-credit-card-receipts-%e2%80%93-is-your-slip-showing/</link>
		<comments>http://www.kraftlawfirm.com/massachusetts-datasecurity/identity-theft-and-credit-card-receipts-%e2%80%93-is-your-slip-showing/#comments</comments>
		<pubDate>Mon, 22 Mar 2010 11:30:38 +0000</pubDate>
		<dc:creator>Michael S. Kraft</dc:creator>
				<category><![CDATA[compliance]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.kraftlawfirm.com/?p=116</guid>
		<description><![CDATA[I’d like to think that it’s common knowledge that credit card receipts can be a prime opportunity for identity theft. However, too many of us simply crumple the receipts and throw them in the trash without a care. If the receipt shows your full credit card number and expiration date, this is an invitation for [...]]]></description>
			<content:encoded><![CDATA[<p>I’d like to think that it’s common knowledge that credit card receipts can be a prime opportunity for identity theft. However, too many of us simply crumple the receipts and throw them in the trash without a care. If the receipt shows your full credit card number and expiration date, this is an invitation for a criminal to go on a shopping spree at your expense.</p>
<p>Federal law is intended to help protect against this problem. A few years ago, Congress amended the <a href="http://www.ftc.gov/os/statutes/031224fcra.pdf">Fair Credit Reporting Act 15 U.S.C. 1681</a> to require all merchants to truncate credit card numbers on the receipts that they give you at the register. This means that the receipt you receive should not show more than the last 5 digits of the card number. The remaining digits and the expiration date should be unreadable. Even if you threw out this receipt, it would be impossible for an identity thief to use the information.</p>
<p>Although this law went into effect in 2006, I occasionally receive receipts that are not in compliance. These are usually the two-part variety – white on top and yellow below, but it can happen even on the type that prints out two separate receipts at the time of purchase (one that you sign and return and the other you keep).</p>
<p>Earlier this month, I had the pleasure of taking my eldest son on the big college tour – 10 schools in five days. Visiting the schools and the time with my son were terrific; the lengthy drives and staying at a different hotel each night not so much. What was interesting was the receipt I received from one of the major hotel chains where we stayed outside of Washington, DC. To my surprise, this nationally recognized chain provided me with an illegal credit card receipt, showing my full card number and expiration date. Needless to say, I did not toss that one in the trash, but kept it until I got home and could shred it. But imagine how many patrons think nothing of it or simply tell the clerk to just throw it out?</p>
<p><a href="http://www.kraftlawfirm.com/wp-content/uploads/2010/03/motel-sign21.jpg"><img class="alignleft size-full wp-image-126" title="motel sign2" src="http://www.kraftlawfirm.com/wp-content/uploads/2010/03/motel-sign21.jpg" alt="" width="424" height="332" /></a>I came to learn that hotels are apparently the biggest offenders when it comes to data security. Being a maven of sorts on the topic, I happened to see in the <a href="http://online.wsj.com/article/SB10001424052748704743404575127674094249164.html?mod=googlenews_wsj">March 18 Wall Street Journal</a> that data breaches are heaviest at hotels. According to their sources, 38% of breach investigations in 2009 involved hotels, twice as high as the next highest category. The culprit is typically the point of sale software used to accept payment, much of which is not compliant with <a href="https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml">Payment Card Industry (PCI) standards</a>.</p>
<p>I have sent a complaint to the hotel chain. They are currently investigating my concern. Let’s see what happens.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kraftlawfirm.com/massachusetts-datasecurity/identity-theft-and-credit-card-receipts-%e2%80%93-is-your-slip-showing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Podcast &#8211; Massachusetts Data Security Regulations</title>
		<link>http://www.kraftlawfirm.com/massachusetts-datasecurity/podcast-massachusetts-data-security-regulations/</link>
		<comments>http://www.kraftlawfirm.com/massachusetts-datasecurity/podcast-massachusetts-data-security-regulations/#comments</comments>
		<pubDate>Mon, 08 Mar 2010 14:39:01 +0000</pubDate>
		<dc:creator>Michael S. Kraft</dc:creator>
				<category><![CDATA[Massachusetts data security regulation]]></category>

		<guid isPermaLink="false">http://www.kraftlawfirm.com/?p=110</guid>
		<description><![CDATA[I recently had the opportunity to talk with Nick Fishman, co-founder of EmployeeScreenIQ who interviewed me on the Massachusetts Data Security Regulations and what they mean to businesses. Here&#8217;s a copy of the interview. Check out the EmployeeScreen blog at http://blog.employeescreen.com/ to learn more about pre-employment screening and the comprehensive methods EmployeeScreenIQ uses to ensure [...]]]></description>
			<content:encoded><![CDATA[<p>I recently had the opportunity to talk with Nick Fishman, co-founder of <a href="http://www.employeescreen.com">EmployeeScreenIQ</a>, who interviewed me on the Massachusetts Data Security Regulations and what they mean to businesses. Here&#8217;s a copy of the interview. Check out the EmployeeScreen blog at <a href="http://blog.employeescreen.com/">http://blog.employeescreen.com/</a> to learn more about pre-employment screening and the comprehensive methods EmployeeScreenIQ uses to ensure thorough, accurate checks to meet global risk management needs of businesses.</p>
<p><a href="http://www.kraftlawfirm.com/wp-content/uploads/2010/03/NickMAPodcast.mp3">EmployeeScreenIQ Podcast with Nick Fishman</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.kraftlawfirm.com/massachusetts-datasecurity/podcast-massachusetts-data-security-regulations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://www.kraftlawfirm.com/wp-content/uploads/2010/03/NickMAPodcast.mp3" length="8305725" type="audio/mpeg" />
		</item>
		<item>
		<title>Truth or Delusion? &#8211; Myths and Misunderstandings about the Massachusetts Data Security Regulation. Part II</title>
		<link>http://www.kraftlawfirm.com/massachusetts-datasecurity/truth-or-delusion-myths-and-misunderstandings-about-the-massachusetts-data-security-regulation-part-ii/</link>
		<comments>http://www.kraftlawfirm.com/massachusetts-datasecurity/truth-or-delusion-myths-and-misunderstandings-about-the-massachusetts-data-security-regulation-part-ii/#comments</comments>
		<pubDate>Mon, 08 Mar 2010 13:25:15 +0000</pubDate>
		<dc:creator>Michael S. Kraft</dc:creator>
				<category><![CDATA[Massachusetts data security regulation]]></category>
		<category><![CDATA[business regulation]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[business owner]]></category>
		<category><![CDATA[computer law]]></category>
		<category><![CDATA[consumer affair]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[enforcement]]></category>
		<category><![CDATA[ethics]]></category>
		<category><![CDATA[gramm-leach-bliley act]]></category>
		<category><![CDATA[health insurance portability and accountability act]]></category>
		<category><![CDATA[information privacy]]></category>
		<category><![CDATA[information security law]]></category>
		<category><![CDATA[massachusetts privacy]]></category>
		<category><![CDATA[privacy law]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulatory compliance]]></category>

		<guid isPermaLink="false">http://www.kraftlawfirm.com/?p=101</guid>
		<description><![CDATA[In my previous article, I discussed the lack of guidance from the Attorney General on implementation and enforcement of the new Massachusetts data security regulation. The law is aimed at protecting residents from identity theft by requiring practically every business with employees or customers in the state to implement a written information security plan (WISP). [...]]]></description>
			<content:encoded><![CDATA[<p>In my <a href="http://www.kraftlawfirm.com/massachusetts-datasecurity/truth-or-delusion-myths-and-misunderstandings-about-the-massachusetts-data-security-regulation-part-i/">previous article</a>, I discussed the lack of guidance from the <a href="http://www.mass.gov/?pageID=cagohomepage&amp;L=1&amp;L0=Home&amp;sid=Cago">Attorney General</a> on implementation and enforcement of the new Massachusetts data security regulation. The law is aimed at protecting residents from identity theft by requiring practically every business with employees or customers in the state to implement a written information security plan (WISP). I also began a list of common misunderstandings relating to the new regulation. Here are a few more myths.</p>
<p>Myth 4 – “I have no employees. All payments are processed through a third party service. I never see or handle checks or credit cards so I am not required to have a WISP.” This is probably true. For instance, you could be an eBay seller who works from home and takes payments only through PayPal. As long as you never have access to any <a href="http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf">Personal Information</a> (PI), you would be exempt from the regulation.</p>
<p>But just a slight change to this scenario requires compliance. A financial planner works from her home and has no employees. Her function is to advise her clients on investments, but clients make their purchases directly from the central office. She never takes any payments directly. But she does receive applications for new accounts when she signs up new customers. The application has the client’s Social Security number and other identifying information. So even if she sends those immediately to the home office, she still has “access” to PI and thus will need to implement a security plan.</p>
<p><a href="http://www.kraftlawfirm.com/wp-content/uploads/2010/03/mystery-pyramid.jpg"><img class="alignleft size-thumbnail wp-image-102" title="mystery pyramid" src="http://www.kraftlawfirm.com/wp-content/uploads/2010/03/mystery-pyramid-150x150.jpg" alt="" width="150" height="150" /></a>Myth 5 – “There are so many businesses that are subject to the law and most do not yet have a WISP. The attorney general will never know if we haven’t complied.” This may be true, but are you really willing to risk it? Penalties alone are up to $5000 per violation. You will also be obligated to pay any damages suffered by victims of identity theft. And what about the harm to your reputation? I doubt that the Attorney General or a court would have any sympathy for such a callous disregard for the law that is intentional and willful. On the other hand, a business that may have a security breach, but that can show that they were making a good faith effort to meet industry best practices will probably not be subject to the most severe penalties. According to <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1379916,00.html?asrc=SS_CLA_300006&amp;psrc=CLT_14">Scott Schafer</a> Director of the Consumer Protection Division of the Massachusetts Attorney General’s Office, the attorney general will be less likely to bring enforcement actions against businesses that can show that a breach was inadvertent and that they were striving to achieve industry best practices for data protection.</p>
<p>Myth 6 – “Our company has implemented state-of-the-art electronic security, including firewalls, antivirus, antimalware and email encryption. Our data is locked down tight and cannot be accessed without double password authentication. Surely we have fulfilled the requirements under the regulation.” This is false. These are certainly important steps toward compliance, but the requirements of the law are much more extensive. To begin with, the regulation applies to both electronic and paper records. As well, companies are required to conduct a review of existing systems and procedures and create and implement a comprehensive written information security plan (WISP).</p>
<p>Hopefully this list will help you understand the scope and breadth of the new regulation. If you have not yet started your compliance plan, the place to begin is a review of the regulation and consulting with your legal and technical advisors.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.kraftlawfirm.com/massachusetts-datasecurity/truth-or-delusion-myths-and-misunderstandings-about-the-massachusetts-data-security-regulation-part-ii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

