Corporate sneakiness. Government waste. Technology run amok. Outright scams. Our effort to unmask these 21st Century headaches and offer solutions that save you time and money.

Cultura RF / Getty Images stock

A woman checks her phone while at the computer.

Are gadgets making us dumber? Two new studies suggest they might be. One found that people who are interrupted by technology score 20 percent lower on a standard cognition test. A second demonstrated that some students, even when on their best behavior, can't concentrate on homework for more than two minutes without distracting themselves by using social media or writing an email.

Interruptions are the scourge of modern life. Our days and nights are full of gadgets that ping, buzz and beep their way into our attention, taking us away from whatever we are doing.

We've known for a while that distractions hurt productivity at work. Depressing research by Gloria Mark at the University of California, Irvine, says that typical office workers only get 11 continuous minutes to work on a task before interruption. With smartphones reaching near ubiquity, the problem of tech-driven multitasking — juggling daily tasks with email, text messages, social media etc — is coming to a head.

Multitasking has been  the subject of popular debate, but among neuroscientists, there is very little of that. Brain researchers say that what many people call multitasking should really be called “rapid toggling” between tasks, as the brain focuses quickly on one topic, then switches to another, and another.  As all economics students know, switching is not free. It involves "switching costs" — in this case, the time it takes to re-immerse your mind in one topic or another.

Researchers say only the simplest of tasks are candidates for multitasking, and all but one of those tasks must involve automaticity. If you are good at folding laundry, you can probably fold laundry and watch TV at the same time, for example.

Overestimated abilities
Despite this concern among brain scientists, many people overestimate their ability to multitask, such as the college student who thinks he can text and listen to a lecture simultaneously. He cannot, says brain expert Annie Murphy Paul, who writes "The Brilliant Blog."

"Multitasking while doing academic work — which is very, very common among young people — leads to spottier, shallower, less flexible learning," Paul warned in a recent column.

The two studies mentioned above underscore this point. 

In the first, Alessandro Acquisti and Eyal Peer at Carnegie Mellon University's Human Computer Interaction lab recruited 136 college students to take a standard test of cognitive abilities, and invented a controlled method of distraction. Test-takers were interrupted via instant message, which they were told contained important additional instructions, during the exam.

(The research was conducted in concert with research for The Plateau Effect, a book I recently co-authored with Hugh Thompson.)

The interrupted group answered correctly 20 percent less often than members of a control group.

The Carnegie Mellon test might seem a bit contrived, however, because the control group was pretty unrealistic. It's hard to find a group of college students who could take a test without being interrupted by gadgets.

Larry Rosen, a professor at California State University-Dominguez Hills, published a study in the May issue of Computers in Human Behavior that attempted to quantify how often students of all ages are distracted by technology while studying. Even under ideal circumstances, the results were dismal.

Rosen's observers followed 263 students into their normal study environments — bedroom, library, den — and told them to work on an important school assignment for 15 minutes. Even knowing they were being watched, the students couldn't resist texting or using social media. So-called "on-task" behavior started declining at about the two minute mark, and overall, only 65 percent of the time was used on schoolwork.

"We really assumed we set up a situation where people would try to impress us," said Rosen, an expert in the psychology of technology. "Frankly, I was appalled at how quickly they became distracted."

'Problem built into the brain'
The two studies, published closely together, generated strong reaction, particularly from students.

"Yes, we text in class, but if my grade in that class is and A or a B I don’t see why it’s a problem," wrote one student to Paul.

It's a big problem for both students and adults, Paul counters, for plenty of reasons. Assignments inevitably take longer when learners split their time between tasks, she says. All that task-switching wears out the brain and makes learners more tired and less competent. Most important, several studies have shown that information learned while partially distracted is often quickly forgotten, so the learning is tragically shallow.

The key to transferring new information from the brain's short-term to long-term memory is a process called "encoding." Without deep concentration, encoding is unlikely to occur, explained Nicholas Carr in his book “The Shallows: What the Internet is Doing to Our Brains.” 

So Paul is among a group of researchers who worry that the digital divide is not about the gadget haves and have nots, but rather about those who can resist the constant distracting tug of technology and those who cannot. She compares it to the famous marshmallow test, which shows that children who can delay eating one marshmallow for 10 or 15 minutes on the promise of gaining a second one are the most likely to succeed later in life. In a new "marshmallow" test, educators or employers might test to see how long people can resist "a blinking inbox or a buzzing phone."

"There are those people who think that multitasking is simply the way life is now and we should be focusing on getting better at it ... that we are a bunch of old fogies who don't understand," Paul said. "But scientifically, there is no evidence for that. There are fundamental biological limits to what the brain can pay attention to. This is a problem built into the brain."

Follow Bob Sullivan on Facebook or Twitter.

Prepaid debit cards, long synonymous with frustrating or even exploitative fees, are suddenly a pretty good deal. In fact, artfully deployed, a prepaid card can be used without any fees at all, and serve as a real substitute for a checking account.

It should come as no surprise, however, that there is still plenty of small print to worry about.

It would have been unthinkable a few years ago to put the words "good deal" and "prepaid card" in the same sentence. Called "general purpose reloadable cards" by the industry, prepaid debit cards that allow repeated deposits have always come with a laundry list of traps designed to grab $2-$3 at time from unsuspecting card holders: fees for loading, fees for withdrawing, fees for checking balances, fees for doing nothing. (A story in 2009 recounted an ordeal where a consumer was charged $2.95 when his transaction was declined (he claimed there were sufficient funds in his account), then was charged $1.95 when he called to complain.)

But banks are easing off some of those fees thanks to a number of factors — competition being chief among them. Large banks like Chase have jumped into the prepaid market, creating sizable networks for cardholders to enjoy fee-free ATM withdrawals.  Walmart's aggressive steps into the market have helped consumers, too — card holders can deposit money onto cards at ubiquitous Walmart stores for free.

"We are seeing new entrants to the market with some pretty compelling offers," said Greg McBride of Bankrate.com, which recently issued a report about the turnaround in the prepaid debit market. "Over time, this will marginalize the higher-cost offerings that have characterized the prepaid marketplace so far."

That marketplace is expanding, even when some other parts of the plastic card market are shrinking, according to a report from bank consultancy Mercator Group. Gift card purchases dropped slightly from 2011-2012, but reloadable cards that act as pseudo checking accounts were purchased by 14 percent of U.S. consumers in 2012, up from 12 percent in 2011, the Mercator report said. The Consumer Financial Protection Bureau says $57 billion was loaded onto reloadable cards last year.

Even consumer advocates have noticed the kinder, gentler nature of the reloadable cards, and some even think they are a real alternative for the 10 million U.S. adults who currently don't have a checking or savings account.

"There has been tremendous price compression. We look at the fee schedules for these cards, and it isn't that horrible," said Jennifer Tescher, CEO of the Center for Financial Services Innovation. "We feel like these products are headed in the right direction, that (prepaid cards are) becoming a mainstream product. I am quite excited about the possibilities."

Transparency spurs growth
New prepaid cards come with a long list of benefits once limited to checking account users. Consumers can direct-deposit paychecks onto the cards (and in many cases, avoid monthly fees by doing so). The cards allow holders to make Internet purchases. They can sign up for online banking and pay bills online with the cards. In some cases, they can even write paper checks using the accounts.

McBride links growth in the market to a growing transparency about costs. In the past, consumers were often forced to buy the cards at grocery stores or other retail outlets without being able to see a full list of quirk fees which were sometimes only available online. But newer card issuers have adopted simplified, single monthly fee structures that are winning over consumers.

"The transparency of that one monthly fee is pretty compelling. You can easily quantify what the cost is going to be," McBride said.  Even more compelling — that monthly fee may very well be less than the fee on a low-balance, entry-level, traditional checking account. For example, Bankrate's survey of 24 prepaid card issuers found that 15 had monthly fees ranging from $3-$10. Bank of America's entry-level checking account can cost $12 monthly. (In both cases, monthly fees can be avoided via direct deposit and other ways).

Prepaid debit cards are not a replacement for traditional checking accounts. Most critically, prepaid cards enjoy none of the standard federal consumer protections that credit and debit cards do. There are no refunds for fraud, for example, and there are no dispute resolution requirements. As a result, Internet message boards are full of consumers who complain that money has been stolen or is missing from their card balance, and who say they have no recourse.

Because of the lack of federal protections, prepaid debit card payments are similar to wire transfers — once the money is sent, it's gone — and Internet criminals have taken notice. Cards like the popular Green Dot have become a frequent, and powerfully elusive, way for Net criminals to steal from consumers. Nigerian scammers, for example, no longer need to trick a mark into visiting a Western Union and wiring money overseas. Many now trick victims into buying a Green Dot card instead, and sharing the secret payment code online. The Better Business Bureau, and NBC News' ConsumerMan, issued a warning about this recently.

Consumers also complain about poor customer service when they call to dispute deductions, or when they complain about missing money.

But it appears general purpose reloadable cards are here to stay. They have become popular with government agencies that disburse funds — such as unemployment benefits or tax refunds. Loading a card is safer and cheaper than mailing checks. And while they have a reputation for servicing consumers who are blocked from traditional banking, a growing number of middle-class consumers are using the cards. A report issued last year by the Aite Group says 34 percent of users hold college degrees, and one-third earn more than $45,000 annually.

Red Tape wrestling tips
People use pre-paid debit cards in two very different ways — they should be different products — and it's important to understand the distinction before buying a card.

Short-term purchasers use them as gift cards: To give a college graduate $100 to spend how he or she likes, for example. The card will be used and discarded. For that use, pick a card with low activation fees, even if it has a higher monthly fee. Just advise the recipient to use it quickly. Another slice of consumers use prepaid cards to spend at special events like vacations. They fall into the same category. 

On the other hand, consumers who plan to use prepaid cards as a checking account substitute, and who plan to take advantage of a card's full slate of options — frequent ATM withdrawals, check deposits, etc. — should pay more attention to monthly fees when buying a card. 

Many of these fees are not obvious from the card packaging, so it's worth doing a little research online to pick the best card for your purpose. Consumers Union warns consumers to consider the following potential costs:

• Activation or initiation fees
• Monthly fees
• Point-of-sale transaction fees
• Cash-withdrawal fees
• Balance-inquiry fees
• Fees to receive a paper statement
• Fees to call customer service
• Bill-payment fees
• Fees to add, or “load,” funds
• Dormancy fees for not using your card
• Fees to get your remaining funds back when closing the account
• Overdraft, or “shortage,” fees

Related: 

'Like a drug:' Payday loan users hooked on quick-cash cycle

Follow Bob Sullivan on Facebook or Twitter.

LivingSocial's customer database has been hacked, impacting the website's 50 million customers. The firm began sending emails to customers Friday afternoon telling them they would have to change their site passwords.

"We recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue," LivingSocial CEO Tim O'Shaughnessy said in an email to employees that was provided to NBC News by a company spokesman.

The memo said that customer credit card information was not stolen — it was stored in a separate database. And while the hacker stole customer passwords, they were encrypted and "salted," or scrambled.

In the memo, O'Shaughnessy included the text of the customer email. "Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one," read the email.

The company advised consumers who used their LivingSocial password at other sites to change the password at those sites, also.

The firm expects its customer service phone lines to be deluged, so O'Shaughnessy warned that he may decide to temporarily suspend telephone customer service. "We will be devoting all available resources to our Web-based servicing," he added.

O'Shaughnessy's message to employees concluded:

I apologize for the formality of this note, which the circumstances demand. We need to do the right thing for our customers who place their trust in us, and that is why we’re taking the steps described and going above and beyond what’s required. We’ll all need to work incredibly hard over the coming days and weeks to validate that faith and trust.

When Zappos.com had a similar incident last year impacting its 24 million customers, it also turned off customer service telephone lines temporarily.

The LivingSocial attack is among the largest ever, doubling the size of that Zappos attack, but still smaller than several other high-profile hacks, such as the 2011 attack on Sony's Playstation network, which impacted nearly 100 million users. Because the LivingSocial attack doesn't involve financial information, it doesn't rank among the most significant hacks, however.

Amazon is a part-owner of LivingSocial. A LivingSocial representative confirmed that Amazon accounts were not affected by the breach.

Follow Bob Sullivan on Facebook or Twitter.

Symantec Corp.

This pop-up screen appears to come from the FBI.

Computer users around the globe are being hit by a new kind of virus that freezes their computer and accuses them of committing heinous crimes, like distributing child porn. The threats sound real enough that victims are coughing up $200 to pay a "fine," and virus writer gangs are netting millions, security firms say.

The message that flashes across infected computer screens sounds downright scary:

"You have been viewing or distributing child porn ... violating article 202 of the Criminal Code of the United States of America," says one version, allegedly sent by the FBI. A virus victim supplied the message to NBC News.

In each case, the accusation appears on a pop-up screen while the virus simultaneously disables the computer. The message often shows the user's IP address and city, and sometimes, recent websites visited by the victim.  The most alarming version activates the victim’s webcam, takes his or her picture, and displays it on the warning.

"They are saying, 'we know who you are, where you are, and what you were doing,'" said John Harrison, a security researcher with Symantec. "They attempt to scare the heck out of you."

The victim is then offered an option: pay a fine within 72 hours, and the charges will be dropped, while the computer will be restored. 

Symantec Corp

In this version of the scam, the virus activates the victim's webcam and displays an image from it on the screen, making the warning even more unnerving

The malicious software is so cleverly crafted that it comes with 30 to 40 versions packed inside. It displays in the appropriate language for victims — English, Spanish, Russian, etc. — and invokes the local federal authorities. A U.S. victim might get a notice from the FBI's Internet Crime Complaint Center, while a Canadian victim gets one from the Royal Canadian Mounted Police.

The message is fake, of course — and even those who pay the "fine" still have a broken computer. But victims worldwide are falling for it. Harrison said for one version he tracked, roughly 3 percent of victims actually paid up. The criminals behind that virus netted $5 million, Symantec estimates.

With results like that, other virus gangs have been quick to copy the profitable formula. Symantec believes that gangs who spent the past couple of years making money tricking consumers into paying for fake antivirus software have all taken up the fake criminal charges and fine scam.

"So many of these folks have jumped on the bandwagon," Harrison said. "They have really transitioned into this."

The general technique is called ransomware — a virus disables the computer, allegedly holding it hostage until a ransom is paid — and it's not new. But the clever combination of an abrupt interruption, the localization trick, and the severity of the accusation catches many victims unaware, and they let their guard down enough to pay the fine.

There are no hard numbers on the frequency of ransomware, but there's plenty of anecdotal evidence it's on the rise. In February, Europol busted a multi-national crime ring involving a Russian programmer arrested in the United Arab Emirates, and 10 others arrested in Madrid, Spain. There were victims across 30 countries.  Authorities in Spain said 700,000 Spaniards had contacted the government asking for help after becoming infected.

The agency issued another warning about the scam on April 11.

“Fraudsters are deploying extortion techniques using Europol's identity and logo to con EU citizens out of money,” the warning says. “Variations of this con, using the identities of other international and European agencies, are also in circulation.”

It's possible the problem is even worse than security firms realize, because many victims may not be reporting the infection, Harrison said.

"If you were at work and there was a message on your screen that said you were viewing child porn, would you run to get your IT department?" he said.

Most victims pick up the virus by visiting booby-trapped web pages that surreptitiously install software on victims' machines through "drive-by” download, or by downloading free software from disreputable sites.  In fact, some variations of the virus accuse victims of violating copyright law, knowing that is likely true.

Victims shouldn't pay the fine, Harrison said, but they should know that various software tools — including free tools available at Symantec — can rid their machines of the virus.

Follow Bob Sullivan on Facebook or Twitter.

A stock market and a nation already on edge was temporarily knocked off its axis on Tuesday by a single fake tweet. 

Following a hack attack, the Associated Press' verified Twitter account posted "an erroneous tweet" claiming that two explosions occurred in the White House and that President Barack Obama is injured. Moments later, the @AP Twitter account — with nearly 2 million followers — was suspended.

"That's a bogus tweet," an AP spokesperson initially told NBC News, a statement that was repeated by the company's corporate communications account. Though the false tweet disappeared, the false message continued to exist on the service in over 4,000 retweets.

The chart of the Dow Jones industrial average just after 1 p.m. may as well have been a chart of America's heartbeat -- stopped for a moment, again, by seemingly horrific information. The Dow lost more than 140 points almost instantly, before recovering five minutes later.

It's incredible what a single 12-word lie can do.

"We're in an environment where we're sensitive to any news that sounds like terrorism," said Art Hogan of Lazard Capital Markets.  "That makes it that much more believable. That's the tricky part. When something like AP gets hacked, it becomes reality for a period of time, until it's not."

The market's reaction hints at the our collective fragility right now.  In the past, carefully crafted fake press releases or other Internet disinformation has been able to influence individual stocks both up or down.

But a single Tweet sinking the market?  It's just the latest sign that lies now spread on the Internet as fast as computer viruses, and can have just as much impact. Like the false rumors that spread like wildfire during the Boston bombing aftermath, or Hurricane Sandy before that, Twitter's surge to mainstream popularity — it now boasts 140 million U.S. accounts — has made it an incredible source of on-the-spot information, but also the world's most powerful rumor-mongering tool.

"You wonder who did it and whether it was done on purpose. It certainly was an instant implosion," said Art Cashin, director of floor operations for UBS Financial Services, who watched the minutes of bedlam on the floor of the NYSE. Cashin said the reaction was especially dramatic because it said the president was injured.

If you define the term "hacking" loosely, you might consider that whoever wrote the fake tweet hacked not only AP's account, but the entire Wall Street trading system. The trades which sank the market Tuesday were almost certainly initiated by automated trading programs designed to profit by fast-twitch reacting to good or bad news.

The combination of a jittery public, automated trading, and a worldwide rumor tool was toxic for the markets.

"That goes to show you how algorithms read headlines and create these automatic orders — you don't even have time to react as a human being," said Kenny Polcari of O'Neil Securities. "I'd imagine the (Security and Exchange Commission) is going to look into how this happened. It's not about banning computers, but it's about protection and securing our markets."

It's also about figuring out how to handle a world where the firewall between seemingly disconnected systems like Twitter and brokerage servers is really only 91 characters long, particularly a world where skepticism’s classic grains of salt seem to be in short supply.

CNBC's JeeYeon Park, Patti Domm and John Melloy contributed to this story.

Related: AP Twitter account hacked, posts false White House scare

Nicolas Asfouri / AFP - Getty Images

A woman checks her smartphone in this file image.

If you use your personal smartphone or tablet to read work email, your company may have to seize the device some day, and you may not get it back for months.

Employees armed with a battery of smartphones and other gadgets they own are casually connecting to work email and other employer servers. It's a less-than-ideal security arrangement that technology pros call BYOD — bring your own device.

Now, lawyers are warning there's an unforeseen consequence of BYOD. If a company is involved in litigation — civil or criminal — personal cellphones that were used for work email or other company activity are liable to be confiscated and examined for evidence during discovery or investigation.

It's a possibility even technology pros rarely consider, said Michael R. Overly, a technology law expert in Los Angeles.

"You would be very surprised to hear that even extremely sophisticated business people seem shocked when they learn their personal phone, including email, GPS data, photos ... may be subject to review in litigation involving their employer," Overly said.

BYOD is a worldwide reality and a dramatic shift in the way companies outfit their employees with work tools. Cisco Systems Inc. released a report earlier this year saying 42 percent of all "knowledge workers" own the smartphones they use for work, and two-thirds of companies expect the employee-owned device phenomenon to increase.

Hidden cost
The convenience is hard to ignore, as is the personal touch — workers love picking their own phones — but of course, cost savings is the real driving force. Increasingly, companies are requiring workers to supply their own gadgets at their own cost, the way a restaurant might require waiters to purchase their own uniforms.

Even if companies reimburse those employees, there can be a big hidden cost for workers — the possibility of losing their phone for days or months while their company combs through it for data relevant to legal action.

“People’s lives revolve around their phone, and they are going to become more and more of a target in litigation,” Overly said. “Employees really do need to understand that .”

Giri Sreenivas, a mobile phone security expert at Boston-area firm Rapid7, warned discovery requirements can extend far beyond email stored on smartphones.

"Text messages and cellphone records might be subject to discovery, too, even if you never connected to company email," he said.  "If lawyers believe the device was used for work purposes, it can be (taken).”

Race to keep up
How could firms gain the right to rummage through the most personal items on worker’s phones — pictures, texts, social media accounts?  In many cases, it’s not a right, it’s a duty, says Overly. When a company is sued, and required to produce documents as part of a discovery process, it must make a good-faith effort to retrieve data — wherever it may be. That includes employee-owned gadgets. 

In fact, Overly says he was part of a case recently where a judge sanctioned a company for a discovery violation because it failed to search BYOD devices during discovery. He declined to name the case.

Companies are racing to keep up with the trend — trying to set policies, inform workers of their rights, and superimpose BYOD rules over arrangements that organically evolved within their workplaces. Increasingly, companies are requiring workers to sign agreements that alert them to the potential of personal gadget seizure, Overly said.

Christopher Dahl runs a Seattle-based firm that specializes in digital document retrieval for lawyers called Lighthouse eDiscovery. While he says industry discussion is dominated by talk of BYOD discovery, he said gadget seizure has not become common — yet.

"We see mobile devices infrequently. We only had one come in last month," Dahl said. "It's typically pretty rare where the company can't get the same information from another location. Companies will have to disclose that the information is on that second location (the smartphone) but typically don't have to dig into that second place."  

Red Tape wrestling tips
Workers wary of having their personal phone nabbed can carry two phones – one personal and one for work – but even that’s not fool-proof. An occasional connection from the personal phone to work email can make the phone subject to discovery. Going this route requires diligent work and personal separation.

"The No. 1 thing you can do to ensure your device is not subject to seizure is to remove any sort of company account ... and then inform the company it's been removed," said Sreenivas.

Dahl warned about accidental blending of personal and work data through a seemingly innocent USB charge connection that leads to accidental synching of data. 

There may be a technology solution to this problem in the future. The newest Blackberry phone claims to create a work data-personal data divide, which has the potential to limit the searches that might be conducted by company lawyers

Follow Bob Sullivan on Facebook or Twitter.

Cellphone users annoyed by costly text spam or unexpected fees have hope: The Federal Trade Commission filed its first ever case against so-called "mobile crammers" on Wednesday.

In a complaint filed in a Georgia federal court, the FTC is alleging that Wise Media sent consumers text message spam and signed them up for $9.99-per-month "premium" text services with horoscopes, flirting tips and other unwanted information.

The FTC is seeking a permanent injunction against the company's alleged unfair trade practices and a freeze of the company's assets.

"Wise Media and its operators have taken advantage of the fact that consumers may not expect their mobile phone bills to contain charges from third parties and that Wise Media’s charges appear on bills in an abbreviated manner that does not always clearly designate the company as the source of the charge," the FTC said in its statement. "As a result, many consumers didn’t notice or understand the charges and paid the bills."

Complaints against Wise Media began to appear online as early as April of 2012. The firm is not accredited by the Better Business Bureau, thought its Atlanta office has received 26 complaints since last year — nearly all billing related — though it says those complaints have been “closed.”

Attempts to contact Wise Media were unsuccessful. Callers who dialed its Atlanta phone number on Wednesday heard a message saying the number had been changed to an unlisted number.

The FTC says Wise Media has been hard to reach in the past.

"The Commission alleges that Wise Media went to great lengths to hide its contact information from consumers. When consumers victimized by the scam were able to find a phone number for Wise Media, its call center employees frequently promised refunds that were never provided," it said.

Cramming is a decade-old trick to place third-party charges on consumers' telephone bills without their knowledge. Despite Congressional hearings on the issue, which is among U.S. consumers' biggest beefs, telecom providers continue to have trouble stopping crammers.

A report by Sen. Jay Rockefeller's office in 2011 found that consumers lose $2 billion annually to cramming.

Mobile phone cramming is relatively new, however. As consumer phone bills become more confusing, and as smartphones become more powerful, the risks to consumers have grown quickly. NBC News recently described cell phone attacks that could cost consumers thousands of dollars and net criminals millions.

Cramming doesn't require hacking, however.  It can be as simple as a third party company telling a telecom provider to add the charge to a consumer's bill. While telecom providers say they require third-party firms to get consumers' consent, consumers often complain that doesn't occur.

“As more and more consumers move to mobile phones, scammers have adapted to this new technology, and the Commission will continue its efforts to protect consumers from their unlawful practices,” said FTC Chairwoman Edith Ramirez.

Red Tape wrestling tips
Consumers who receive an unexpected text message — such as notification that they've won a contest — should ignore the message and carefully check the following month's bills for unwanted charges.  They can also look up the number at a website called SMS Watchdog, which tracks potential mobile phone spam. Consumers should also consider calling their cell service provider and turning off “premium text message” services.

Follow Bob Sullivan on Facebook or Twitter.

Keynote Systems

The chart above shows the availability of major U.S. bank websites during the past year. Data points below the top indicated less than 100 percent availability. Descending fever lines indicate severe outages; many are blamed on denial of service attacks.

Major U.S. bank websites have been offline a total of 249 hours in the past six weeks, perhaps the clearest indication yet that American companies are prime targets in an unrelenting, global cyber conflict. The heavier-than-usual outages are the result of a remarkable, sustained attack that began seven months ago and repeatedly knocks banks offline for hours at a time, frustrating consumers and bank security professionals alike.

"Literally, these banks are just in war rooms, sitting at controls trying to stop (the attacks)," said Avivah Litan, a bank security analyst with Gartner Group, a consulting firm. “The frightening thing is (the attackers) are not using as much resources as they have on call. The attacks could be bigger."

The denial of service reports were hardly noteworthy at first, hidden in the wake of news that U.S. embassies were under siege during the week of September 11, 2012. But in short order, Bank of America, Wells Fargo, PNC and a number of other banks suffered hours-long website outages. A group calling itself Izz ad-Din al-Qassam Cyber Fighters released an anonymous statement saying it was attacking banks in sympathy with real-world protestors who were reacting to an anti-Islam film that had been posted online.

Seven months later, the group is still taunting the U.S. financial system, with notice almost daily from another bank that had to apologize for letting down its customers. American Express and Wells Fargo issued statements last week saying they suffered outages. Even with advance notice, the biggest financial institutions in the world can’t seem to stop them.

No one interviewed for this story believes that a perceived insult over a Web movie is the attackers' motivation, as the al Qassam messaging has stated. Though some considered that it might be the work of attention-seeking teen-aged hackers, they would likely have grown bored, or run out of resources, long ago.

In the fall, national security officials speaking on background told several media outlets, including NBC News, that they suspected the Iranian government was behind the attacks. It seems certain that an organized group, with both a political motive and the ability to fund the operation, is to blame.

Keynote Systems, which provided the compilation of bank outages exclusively to NBC News, measures website availability by checking sites every five minutes and logging the results. It works with major banks to set up "dummy" accounts so its computers can log in and make sure online banking services are available, and constantly checks the largest 15 U.S. banks. Websites go offline for a variety of reasons — late-night software upgrades, for example — and some outages are to be expected, said Aaron Rudger, a Keynote spokesman.

Still, 249 hours during a six-week period (ending March 31) is significant, indicating those bank websites were unavailable for about 2 percent of the time during that stretch. For comparison, during the same six weeks a year ago, the same bank websites were down 140 hours. Keynote has no way of knowing why a site is unavailable, but Rudger was comfortable inferring that the so-called al-Qassam attacks were responsible for most of the increase.

Rodney Joffe issued chilling advice to banks preparing for an al Qassam-style attack last fall: Prepare a sincere-sounding apology, he said at the time. Given the volume of apologies since then, he turned out to be right.

"It goes on and on and on ... It's like they are kicking sand in someone's face, reminding people that they are there," said Joffe, who is senior technologist at Internet infrastructure company Neustar, which helps companies fight denial of service attacks. "You just have to ask yourself, 'Why?' (The attackers) just seem to enjoy being able to say 'On an ongoing basis, we can make life uncomfortable for your banking industry.'"

Not everyone thinks the bank site outages are such a big deal.

Michael Smith, director of the customer security incident response team at Akamai Technologies Inc., which provides website performance optimization and security for some of the companies targeted in the attacks, points out that customers have plenty of other ways to manage their money, and the outages haven't amounted to much more than an irritant.

More importantly, he says al Qassam has begun targeting smaller banks and other kinds of websites as larger banks become more successful at fending off their attacks or shortening the outages. The attackers also took a hiatus for part of February — Smith says to invent new attack techniques, probably — and have ceased tipping off targets ahead of time with weekly press releases.

"We aren't seeing as many notifications that sites are down as we were. The impact just is not as dramatic as it was," Smith said. "They are changing tactics and trying to generate more attention, more press."

Joffe says this is part of their strategy.

"The bad guys here are using just enough of their firepower to achieve their objectives and not more," Joffe says. "They are creating a disruption to the banking industry. ... We already know if they wanted to make it bigger attack, they could, but it seems pretty clear that's not their intention."

Follow Bob Sullivan on Facebook or Twitter.

More from Red Tape Chronicles:

• Celebrity hackers stole data from AnnualCreditReport.com, Equifax says
• Google pays $7 million to settle 'Wi-Spy' case filed by states
• Why consumer agency must go, and why it should be saved

Devastating cellphone hacks that hijack your most personal gadget and rob you of privacy and money have long been forecast. But even as smartphone users in Asia are beginning to suffer exploding bills and emptied bank accounts at the hands of hackers, U.S. users largely remain safe and blissfully unaware of the gathering threat.

Not for long. 

Criminals have been probing the systems that protect U.S. smartphone users for years, searching for the right combination of programming tricks and social engineering that would allow them to sneak onto users' phones. Recently, one hacker group hit the jackpot.

They took a year-old mobile virus named NotCompatible, which allows hackers to take complete control of a phone, and posted the malicious code on websites. Then they sent out enticing spam emails with links to the booby-trapped sites. The emails were all the more tempting because they appeared to come from friends or others on the recipients’ contact list.  Victims who clicked on the link from their phones and downloaded the file surrendered control of their Android phones to the criminals. Security firm Lookout says 10,000 customers per day are still being tricked to click on the bogus link and landing on the booby-trapped pages, and virtually all of them are in the U.S.

Tim Strazzere, Lookout’s lead research and response engineer, said the sudden "staggering increase" in detection of the of the NotCompatible, which initially appeared one year ago, shows that the marriage of spam and mobile malware might be a recipe for real trouble.

"This Android malware is unique," he said. "It's exactly the same scheme and end game as before, but it's just being circulated through different means. And it's working."

U.S. smartphone users have been spared much grief from mobile malware so far for a variety of reasons. Chief among them: Most users get their apps from a centralized and safe source. Apple keeps tight controls on its App Store, so malware writers are largely ignoring that platform. And while Google's Play Store for Android is not as tightly controlled, criminals haven't had much luck sneaking infected software onto that platform, either.  That leaves hackers with time-consuming, clumsy methods, such as tricking users to visit a rogue website and electing to install an app.

Android attackers in other parts of the world have an easier time. In China, for example, it's hard to access Google's Play store, so consumers often get their apps from websites. That means rogue apps on random websites raise less suspicion.

But Strazzere warns that the criminals behind NotCompatible have found a way to make U.S. users almost as vulnerable as those in Asia – a direct email invitation from a friend to install what turns out to be a bogus app.

Those who might dismiss this scenario should beware: Last month, when a report by Mandiant Corp. alleged that hundreds of U.S. companies had been hacked by an arm of the Chinese military, the initial method of attack was almost the same -- a "spear-phishing" email that appears to come from a co-worker or friend, sent to entice the recipient into clicking on a virus-laden link.

Smartphone users might fear that a criminal with access to their devices might destroy all their data, "brick" the phone or prank call all their contacts. But the real nightmare from a hacked phone is much more subtle, and can be much more expensive, than having to replace a phone.

Vikram Thakur, a researcher at Symantec Corp., studied one mobile phone hacker who turned compromised devices into an estimated $1 million annually.

“We found a mobile phone botnet, which had … maybe 200,000 cellphones which were compromised and in control of just this one person," he said. "(He) was able to send text messages, make these phones view videos, which were in turn giving him money; and he was doing so about 25,000 times a day."

Cellphone hackers don't do anything to call attention to themselves. Instead, their programs are designed to run in complete silence, in the background.  And they cover their tracks. There's no log of calls placed to dicey overseas numbers, no evidence of text messages sent that can run up a monthly bill.

“Your phone bill might have extra data usage toward the end of the month,” Strazzere said.  "That might be the only way you'd know."

Hackers around the world have clearly trained their attention on the fertile ground of phone hacking. Kaspersky Labs, another security firm, says there has been "explosive growth," and offers numbers to back that up. In January 2011, it counted only eight new malicious mobile malware programs. At the end of 2012, it counted 6,300 such programs monthly.

Nearly all of that activity has until now targeted overseas users, sometimes with devastating results. A program aptly named "BillShocker" by researchers infected 620,000 users earlier this year, mostly in China, and ran up hefty bills through premium text message services.

Mobile malware writers are also developing hybrid threats designed to counterattack online banking security systems.  In one sophisticated attack, criminals hacked both a victim's computer and cellphone, then lurked until an online banking transaction was initiated on the PC. When the bank sent a so-called "out of band" text message as a security confirmation, the criminals intercepted them and approved the transactions. A malicious program named Eurograbber is blamed for stealing $47 million from 30,000 bank accounts this way, according to a report by security firm F-Secure.

Those victims were in Europe, but now there are other indications that mobile hackers are circling the waters, aggressively looking for more ways into the U.S. market.  

Computer security expert Brian Krebs reported earlier this month on his blog that criminals are selling authorized Google Play developer accounts on underground bulletin boards.  A developer account would theoretically give a criminal the ability to post rogue software onto the Google Play store.

NotCompatible is a little less ambitious. Its main goal is to control a smartphone and turn it into a "proxy" device for overseas criminals, so they could pretend they were ordering expensive merchandise from within the U.S.  Because many online sellers use geographic location to filter out fraud, and many trust cellphone location information, a hacked phone can be a perfect tool for foiling fraud-fighting software.

"Companies block transactions when someone in Romania is trying to buy concert tickets in the U.S., for example," said Strazzere.  "NotCompatible allows them to hide where they are coming from ... gives them a little more mobility based on where they want to come from. With a hacked cell phone, they will look like they are where the endpoint is."

Strazzere sees the blended threat – part virus, part spam – as ushering a new style of cellphone attacks, just as such blended threats gave hackers the upper hand in the personal computer world during the last decade.

“This shows the progression of malware authors and what they are doing to experiment,” he said.  It also shows impressive coordination in attacks. “It’s still a new space for them. But they are figuring things out.”

Follow Bob Sullivan on Facebook or Twitter

More from Red Tape Chronicles:

• Celebrity hackers stole data from AnnualCreditReport.com, Equifax says
• Google pays $7 million to settle 'Wi-Spy' case filed by states
• Why consumer agency must go, and why it should be saved

Paul Sakuma / AP, file

Signs advertising bad credit auto loans, in this 2008 file photo.

You probably know you have a credit score, and that score dictates much of your financial future. You might know you have three credit scores, thanks to aggressive advertising from companies that sell access to them.

However, those hardly scratch the surface of the collection of credit scores lenders might use to judge you.  There are, most likely, dozens of scores that might control your ability to get a mortgage, buy a car or obtain insurance.  

Banks often use their own scores, tweaked versions of the FICO score that began the credit score craze. Auto lenders also have their own scores. So do car insurers. And old scores, based on old formulas, are still in use by many lenders.  U.S. consumers may have 50 different credit scores -- or more -- that could impact their ability to borrow money, and that number is rising, experts say.

"The idea of there being a one true credit score, well that's just not accurate," said Michael Schreiber, editor in chief at Credit.Com, a consumer advice website.

John Ulzheimer, a credit score expert who formerly worked for FICO score inventor Fair Isaac Corp., produced a detailed infographic for CreditSesame.com in September which detailed 49 different scores based on the FICO. He has found another five or six since them. And that number doesn't include competitors like Vantage Score, invented by the credit bureaus in an attempt to cut out Fair Isaac, or other proprietary kinds of credit scores. 

"Getting your actual credit score is a like game of roulette at this point," said Ulzheimer, now president of consumer education at SmartCredit.com. "Getting the wrong number can be overwhelming to a consumer. The lender is using one score but you don't know which score."

There are also exotic credit-based scores, such as a "revenue score," which predicts how much interest revenue a credit card holder will generate; a bankruptcy score indicating the likelihood someone will file for legal relief of debts; and a collection score that helps debt collectors prioritize their efforts.

Credit scores were once held completely in secret by the credit industry, but are more available to the public today. Credit monitoring services include them with monthly subscriptions. Fair Isaac, the inventor of the credit score, sells FICO scores at MyFico.com. Wells Fargo gives them away to consumers who walk in and ask about new accounts. Credit.com gives away a free score to site visitors. But with more scores being invented all the time, it's hard to say what consumers are looking at when they receive a credit score.

"It does irk people when they find out there's a very different number they get from one scoring model to another," said Gerri Detweiler, scoring expert at Credit.com. "People wonder, 'What good is it to check my score if the score banks see is different?'"

If any credit score provider implies consumers are getting a comprehensive view of their creditworthiness by ordering three credit scores -- based on their three credit reports at Equifax, Trans Union, and Experian -- that's misleading, Detweiler said. It's also misleading for any firm to suggest their score is the one used by most lenders.

Ulzheimer think so, too.

"If you go to MyFico and you get a score, that is the same brand of score that lenders are using predominantly," said Ulzheimer. "Going past that is an embellishment. … MyFico does sell you a FICO score, but it may not be the same FICO score that lenders use."

In fact, many banks have their own scores, which sprinkle their own criteria into the complex algorithm.  Car loan issuers, for example, often choose to weigh previous car loan payment history higher than other lenders, Detweiler said.

The proliferation of scores is partly the result of continuous updates to scoring formulas that are expensive for financial institutions to adopt, Ulzheimer said. 

"Scores are really nothing more than generations of software," he said. "Think of how many generations of Microsoft software are out there, for example.  Every year, there's something new that's a little better but kind of does the same thing.  Scoring systems are like that."

For example: Last week, the group behind the Vantage scoring system announced VantageScore 3.0. It has some consumer-friendly features, such as ignoring collections accounts that have been paid off (such accounts generally lower a consumer's FICO score), and providing exceptions for consumers who don't pay bills because of natural disasters like Hurricane Sandy. But firms may continue to use VantageScore 2.0 for a long time.

"A large bank that didn't want to update its systems could force providers to keep old scoring systems going for years," Ulzheimer said.

Given the proliferation of scores, should consumers even bother trying to see one of their credit scores?  Absolutely, says Detweiler. She says any score will offer a helpful reference point.

"Don't focus so much on the number as much as what direction you are moving," she says. "The number will give you some information about what areas of your financial life you need to work on.  But if there is a drop, you will know something significant has happened."

The number itself doesn't matter as much as how a consumer compares to the general population, she said. Armed with this information, consumers should be able to ensure they are getting a fair interest rate when borrowing money for a home or a car or applying for a credit card.  Consumers who rank near the top of a scoring scale should get a bank's best rate.

Because she thinks consumers should track their score over time, Detweiler says it's important to stick with the same score than trying to compare a free score doled out by a bank with another score purchased from a website.

Ulzheimer said it's fruitless and frustrating for consumers to obsessively follow their credit scores as they pop up and down, given that lenders see different scores anyway. He recommends "managing" to your credit report instead of your credit score, since the report is at the heart of all score formulas.

"What's constant across all scores is that doing the right thing will lead to a better score across the board,” he said. “If you pay your bills on time, your scores will go up. So worry about that. Managing to three credit reports is easier than trying to manage all those credit scores. ...Consumers have to let go of that, because the number of scores will continue to get larger, not smaller."

That's not to suggest variations among credit scores aren't important. In September, the Consumer Financial Protection Bureau published a study of credit scores revealing that variations among different scoring models could impact as consumer's borrowing costs about 20 percent of the time.

The study recommended that firms that sell credit scores "should make consumers aware that the scores consumers purchase could vary, sometimes substantially, from the scores used by creditors."

The best way to avoid paying too much for credit because of a credit score variation is to shop around. Never take the auto dealer's word for it that they've gotten you the best deal on your car loan.  The variations matter less with mortgages, where banks usually get three credit scores and throw out the lowest and higher score.

Detweiler said for personal sanity, consumers should avoid treating credit scores the way they treated SAT scores in high school, or grade point averages in college.

"Don't get too hung up on a number," she said.  "You know the serenity prayer? There are some things you have control over, and some you don't. Take care of the things you can control, like paying your bills, and the score will take care of itself." 

Follow Bob Sullivan on Facebook or Twitter

More from Red Tape Chronicles:

• Celebrity hackers stole data from AnnualCreditReport.com, Equifax says
• Google pays $7 million to settle 'Wi-Spy' case filed by states
• Why consumer agency must go, and why it should be saved