• FTC: Five percent of credit reports contain serious errors that cost consumers

    Five percent of U.S. consumers have an error on their credit report that "could lead to them paying more for products such as auto loans and insurance," the Federal Trade Commission said Monday, as it issued a long-awaited study of credit report accuracy. 

    “These are eye-opening numbers for American consumers,” said Howard Shelanski, director of the FTC’s Bureau of Economics.  “The results of this first-of-its-kind study make it clear that consumers should check their credit reports regularly.  If they don’t, they are potentially putting their pocketbooks at risk.”

    The trade group for the nation's credit reporting agencies issued a swift response challenging the agency’s interpretation, saying the study shows credit reports are "highly accurate."


    "The study also showed that 95 percent of consumers are unaffected by errors in their credit report," the Consumer Data Industry Association said in a statement.

    The FTC study, eight years in the making, also tracked consumers as they tried to fix or dispute errors in their credit reports. More than one in 10 who did this saw their credit score change as a result.

    The study was ordered by Congress in 2003, when it passed the Fair and Accurate Credit Transaction Act. The FTC followed 1,001 consumers as they tried to navigate the credit report system and to fix mistakes in their reports.

    Among other things, the study found:

    * 26 percent of consumers in the study identified a "potentially material error";

    * 21 percent managed to obtain a modification of an error;

    * Roughly half of that group experienced a change in credit score;

    * Most of those credit score changes were minor, with roughly half resulting in swings of 20 points or less;

    * The most important finding of all: For 52 of individuals studied, "the resulting increase was such that their credit risk tier decreased," meaning they were likely to get cheaper loan rates.

    Consumer groups responding to the study said it indicates a need for reform of the credit reporting industry.

    “It’s unconscionable that 40 million Americans have errors in their credit reports, and that 10 million have errors grave enough to cause them to be denied or charged more for credit or insurance or even be denied a job,” said Chi Chi Wu, staff attorney at the National Consumer Law Center.

    Studies of credit report errors have been conducted before, but they have produced confusing results. Many errors are not material — a misspelled street name for example.  And errors are not the real problem — lower credit scores that cost consumers when they try to get loans are. Credit bureaus are required by law to quickly fix mistakes, but there have long been allegations that the dispute process is difficult and stacked against consumers. The FTC report attempts to address that, too.

    Of the 262 consumers in the study who disputed information they said was inaccurate:

    * 37 percent said all their concerns were addressed;

    * 42 percent said their report had been modified, but there were still errors on their report;

    * 21 percent said they were unsuccessful in getting their reports modified.

    The report did not attempt to establish the veracity of the consumers' disputes.

    Credit expert John Ulzheimer, who formerly worked with Fair Isaac, which invented the credit score, and is now president of Consumer Education at SmartCredit.com, said he felt both the FTC and the credit industry trade group were "embellishing" their claims about the results of the study, but he, too, found the FTC data troubling.

    "I'd side with the FTC that the results are more disturbing than they are confirming credit files are accurate," he said. He suggested taking the dispute results with "a grain of salt" because the errors claimed by consumers were not independently confirmed.

    FTC Chairman Jon Leibowitz told CBS News, which first reported the study’s findings on “60 Minutes,” that the results were "highly troubling. ... It's a pretty high error rate."

    The credit industry began fighting back even before the “60 Minutes” segment aired. It issued a press release Sunday afternoon, and several employees of Experian spent the evening sending tweets to Twitter users who attacked the industry.

    "It's easy to selectively hype snippets from the FTC study to sensationalize the issue," Stuart Pratt, consumer data industry spokesman, said in the release. "But the number important to consumers is the one they ignored – that only 2.2% of credit reports contain material errors."

    The industry and FTC numbers differ because they describe slightly different things: The FTC says 5 percent of consumers are impacted by a serious credit report error, while the industry derives its 2.2 percent figure from the fact that consumers have three different major credit reports, and often errors appear on only one or two of those.

    The industry also disagrees that errors are hard to fix.

    "The notion that it is difficult to dispute an error is just wrong.  It is irresponsible to suggest to consumers that they might as well not take action when they have a question about their credit report," Pratt said.

    Experian public relations officials repeatedly sent out this message last night: "If you ever spot an error on your credit report, please report here http://t.co/5nncPpfP Avg dispute time is 14 days."

    It also sent users to the Experian website to read about the firm's policies:

    "Experian’s Commitment to Data Integrity, Customer Service and Consumer Education http://t.co/kejlxpQY via @ExperianNews"

    Some Twitter users complained about the Tweet campaign:

    "@Experian_US so (you are) responding (to) tweets from US but resolving life changing disputes from Chile and India!Priorities please!!!" wrote @elizabethforma.

    As the Red Tape Chronicles and other outlets have reported, consumers' disputes are often sent overseas for consideration, and workers in places like India and Chile have only a few moments to consider each dispute.

    An Experian official who was sending out Tweets would not agree to be interviewed by NBC News; she directed questions to Pratt at the industry group.


    * Follow Bob Sullivan on Facebook.

    * Follow Bob Sullivan on Twitter 

  • ID theft/fraud ring netted $200 million and counting, feds allege

    AP Photo/The Jersey Journal

    FBI agents enter Raja Jewelers in Jersey City, N.J., on Tuesday, investigating what a criminal indictment describes as an international credit card fraud ring.

    In an indictment that reads like an instruction manual for nearly every type of identity theft and credit card fraud yet invented, prosecutors alleged on Tuesday that more than a dozen crooks ran roughshod over America's credit system for six years, stealing hundreds of millions of dollars and living like kings.

    The techniques deployed by the crime ring ran the gamut, from child ID theft to setting up fake stores to process credit card payments, says the indictment, which was unsealed on Tuesday. It alleges that suspects created so-called “synthetic identities,” in which invented Social Security numbers were used to create fake credit reports that enabled them to borrow huge sums; faked utility payment histories to fool credit bureaus; designated themselves as "authorized users" of real victims' identities; and minted real and fake merchant credit card processing accounts to trick banks into depositing large sums of cash into bank accounts they controlled. In one case, they even used a 6-year-old's Social Security number to get credit, it said.

    With the proceeds of the scheme, they bought luxury cars, electronics, spa treatments, and millions of dollars in gold, the indictment said. Authorities found $68,000 in cash hidden inside the kitchen oven of one suspect, it said.


    “This elaborate network utilized thousands of false identities, fraudulent bank accounts, fake companies and collusive merchants to defraud financial institutions of hundreds of millions of dollars in order to facilitate extravagant lifestyles they could otherwise not afford,” David Velazquez, FBI acting special agent in charge, said in a statement.

    A set of jewelry stores in Jersey City, N.J., just across the Hudson River from New York City, was at the center of the fraud, according to the indictment. False charges were run through the stores’ merchant credit card processing accounts, allowing the criminals to turn fake IDs and fraudulent credit cards into cash.  Jewelry stores, which routinely process high-priced transactions, are perfect for such a fraud.

    According to the indictment, the extent of the brazen operation and its support network was staggering.  There were 7,000 fake identities created in all, and 25,000 fake credit cards, it said. To fool banks and credit bureaus, 1,800 fake "drop box" snail mail addresses were used, so criminals could accept real mail -- such as utility bills -- and make them part of the scheme, it said.

    The FBI estimates the fraud netted a total of $200 million, but because some conspirators have not yet been arrested and the investigation is ongoing, it expects that figure to rise. Money was sent around the world, to Canada, Pakistan, India, China and Japan. While the operations centered on the New York metropolitan area, with 13 individuals arrested in New York, New Jersey, and Pennsylvania, the scam actually touched 28 U.S. states, according to the indictment.

    Babar Qureshi, who is the accused ringleader, made a single wire transfer of $500,000 recently, the indictment alleges, and a total of $1 million flowed through his accounts during the operation. The FBI says it has identified 169 bank accounts through which $60 million in proceeds flowed -- most ultimately withdrawn in cash.

    The general technique the criminals allegedly used is not new or novel, and is sometimes called a "bust-out" scheme. In the indictment, the U.S. Attorney's Office calls it "make up, pump up and run up." Here’s how it works: Criminals gain control of a real or invented credit identity, but don't use it for fraud right away. Instead, they patiently pay bills or otherwise build up the creditworthiness over time. Then, when the account is "primed" so that potential creditors are convinced it is legit and their fraud-fighting software lets its guard down, a large fraud is committed.

    Justice.gov

    A chart in the federal indictment breaks down the various identities authorities say were linked to suspects arrested in the fraud ring.

    There’s a lesson in these allegations for victims of credit card account number theft -- smart criminals don't commit fraud immediately after stealing account numbers. If your account number is compromised, don't believe you are in the clear just because there's no fraud in the first few months.

    Merchant accounts -- credit card transaction processing accounts that businesses use to accept credit cards and get paid -- are particularly valuable to criminals.  The biggest barrier credit fraudsters have is turning data into cash.  It's risky to purchase items with stolen credit cards, or to attempt ATM cash withdrawals, as that creates a paper trail and perhaps a surveillance video record. But by working with a merchant account, criminals can pretend they are processing legitimate transactions and automatically have the payments deposited directly into their checking accounts.  The criminals can go from stolen account numbers to cash in a fully electronic transaction. There's still a paper trail, but that's why these criminals maintained an extensive network of fake IDs, the government alleges – so they could hide behind layers of false identities when setting up the merchant accounts.  Jewelry store accounts, with their high-ticket purchases, would be particularly useful in this kind of crime.

    The 18 defendants charged in the indictment -- including five who are still at large -- range in age from 31 to 74. Four of the suspects live in Iselin, N.J., about 45 minutes south of New York City. One is in Philadelphia. The rest are scattered among New York City and nearby suburbs.

    Attorney Angelo Servidio, representing defendant Tarsem Lal, said his client was free on bail, and wanted to remind people that his client is innocent until proven guilty.

    "They are all presumed innocent. There are a lot of people involved in or alleged to be involved in this case," he said. "From what I can see, this case (may have) been under investigation since 2008, so there are going to be a lot of documents to sift through."

    Servidio said he hadn't seen any of the evidence against his client yet.

    "Other than his connection with a jewelry store, I don't know what evidence they have," he said.

    NBC News was unable to immediately reach Qureshi's lawyer.

    The bank fraud count with which the defendants are charged is punishable by a maximum of 30 years in prison and a fine of $1 million.


  • Red Tape intervention: Can fighting fees help this young couple afford a baby?

    Melissa and Ryan Will sit with Bob Sullivan. As new homeowners, every penny counts, and they find a few extra ones by refinancing their car and taking stock of their expenses.

    “Will we ever be able to afford to have children?”

    Personal finance is never really about the money. It’s about what you can and can’t do.  To Melissa Will, personal finance is about starting a family – specifically, why she just can’t have a baby now, or anytime soon.

    “I would like to have some realistic idea of when we can afford to have kids,” says Melissa. “But I looked at what it costs to have a baby, and it’s about the same amount that we have in our checking account right now.”

    In some ways, Melissa is living the American dream. She married long-time boyfriend Ryan in 2011 when he got out of the Army, and they purchased a small ranch-style three-bedroom in her hometown in the Pacific Northwest soon after.  Hard-working and responsible, she ran the numbers, and the conclusion is inescapable -- they are just getting by. So for the foreseeable future, that means no babies.

    “The hardest part about personal finance for me is it always tends to get in the way of my marriage,” says Ryan, who wants to start a family soon, too. Ryan is 26, and Melissa is 25.  “It’ll stress me out just thinking about not having money, and then if my wife is thinking about the same thing, it just brings it into we’re against each other.”

    Melissa is a college graduate – she went to Whitman College in eastern Washington, where she studied politics, and even held a brief internship in Washington, D.C. with NBC. But she wanted to live near her family, so she moved home three years ago. Now she's a legal secretary working in downtown Seattle, which means an hour-long ferry ride every morning and every night back to her home in Silverdale, across Puget Sound.

    Ryan served in the Army for eight years, working as a mechanic. Now he goes to school during the day and works at a motorcycle shop at night. It was very hard to find time to talk with them together. But producer Matt Rivera and I cornered them at their home in December just long enough for a Red-Tape-Chronicles style grilling of their spending.

    Melissa Will explains why her high health insurance costs make it difficult to have a baby.

    The Wills struggle with the usual cell phone data plan overage fees, and wonder each month if they should cancel cable to save money. We talked about saving money in more constructive ways: we called banks and learned they could refinance their auto loan from a 4.9 percent to a 3.19 percent rate, which would save them $1,000 over the life of the loan. There are plenty more details in the video.

    But the reality of their personal finance math is harsh: They earn about $3,000 each month, and they spend about $3,000 a month. They are homeowners, and they have avoided deep student loan and credit card debt that plagues many 20-somethings, putting them on solid footing. But they aren't getting ahead. If they moved forward with their family plans, they couldn't afford the $1,000 monthly health insurance bill that would come when Melissa tried to add family members to her employer’s health care plan.

    We're starting a new kind of Red Tape Chronicle series today called "Protection." Web videos will anchor the piece, because we want you to see and hear from people facing the same kinds of struggles you are. As we find with Melissa and Ryan, there's no magical tip that can suddenly change people’s financial lives. The best ‘trick’ of all is no trick at all: take the time to sit down and talk about money matters with the people you love, and to make plans. Watch them together, and see where the money discussion takes them, and they’ll warm your heart as they create their own 21st century version of “The Gift of the Magi.” Hint: She doesn’t offer to cut her hair at the end, but almost.

    We hope to spur these kinds of discussions for you, too. The Protection series will include financial "Gotcha" interventions, like this one.  We'll be publishing animated videos designed to make complex financial and economic issues simple, fun, and sharable. We'll sit down with experts who offer unusual advice, and we'll have some fun quizzing consumers about the meaning of fine print they read. But most of all, we want to talk.

    Melissa and Ryan are charming, they've served the country, they love their hometowns, they are the kind of young couple you'd like living next door, and they are the kind of family you’d think define American family values.  And they have a bit of good news to share: Melissa said on Wednesday that she's just started a new job. She's still working as a legal secretary, and still taking those long ferry rides, but she got a nice pay increase, and her new employer offers much more affordable health insurance ("We're talking less than a third of what I would have had to pay at my old job to cover myself and my dependents," she said.)

    Still for now, their future family plans are hazy. Sound familiar?  Comment below.

    If you’d like to be the subject of a future Red Tape fiscal intervention, write to BobSullivan@feedback.msnbc.com


  • EXCLUSIVE: Your employer may share your salary, and Equifax might sell that data

    CLARIFICATION: This story was updated Feb. 1 with additional information about Kathy Sandy’s Work Number disclosure report.

    The Equifax credit reporting agency, with the aid of thousands of human resource departments around the country, has assembled what may be the most powerful and thorough private database of Americans’ personal information ever created, containing 190 million employment and salary records covering more than one-third of U.S. adults.

    Some of the information in the little-known database, created through an Equifax-owned company called The Work Number, is sold to debt collectors, financial service companies and other entities.

    "It's the biggest privacy breach in our time, and it’s legal and no one knows it’s going on," said Robert Mather, who runs a small employment background company named Pre-Employ.com. "It's like a secret CIA."


    Despite all the information Americans now share on social media and websites, and all the data we know companies collect on us, one piece of information is still sacred to most people: their salaries. After all, who would post their salary as a status update on Facebook or in a tweet?

    But salary information is also for sale by Equifax through The Work Number. Its database is so detailed that it contains week-by-week paystub information dating back years for many individuals, as well as other kinds of human resources-related information, such as health care provider, whether someone has dental insurance and if they’ve ever filed an unemployment claim. In 2009, Equifax said the data covered 30 percent of the U.S. working population, and it now says The Work Number is adding 12 million records annually.

    How does Equifax obtain this sensitive and secret information? With the willing aid of thousands of U.S. businesses, including many of the Fortune 500. Government agencies -- representing 85 percent of the federal civilian population, including workers at the Department of Defense, according to Equifax -- and schools also work with The Work Number. Many of them let Equifax tap directly into their data so the credit bureau can always have the latest employment information. In fact, these organizations actually pay Equifax for the privilege of giving away their employees' personal information.

    Equifax turns around and sells some of this data to third parties, including debt collectors and other financial services companies. 

    Equifax declined to be interviewed, but in an emailed statement to NBCNews.com, it confirmed that it shares "employment data" with debt collectors and others, and said it does so in compliance with Fair Credit Reporting Act guidelines. 

    "In all cases, these entities must have a permissible purpose to request employment information," Equifax spokesman Timothy Klein said. 

    He also said consumers give these third parties the right to access the data "at the time of application" for credit.

    "A consumer grants verifiers (creditors) and their assigned debt collectors the right to verify employment should the consumer default on their account," he said. 

    Data for debt collectors
    Companies sign up for The Work Number because it gives them an easy way to outsource employment verification of former workers. Firms hate taking these calls, which usually come when a former employee is applying for a new job, because they are a costly distraction for human resources departments and open the firm up to lawsuits if someone says something disparaging about the former employee. So they contract with The Work Number, which automates the process. In exchange, firms upload their human resources data to The Work Number, which was part of an independent St. Louis-based firm named TALX until it was acquired by Equifax in 2007 for $1.4 billion.

    The Work Number offers consumers some benefits. It provides an easy way for prospective landlords to verify an applicant's income, for example. Consumers tell The Work Number they want a one-time access code, which they then give to a landlord so he or she can verify that the potential tenant can really afford the apartment.

    But The Work Number serves dual purposes. It’s also a massive database that Equifax monetizes in a variety of ways, despite the reassuring-sounding messages found all over TheWorkNumber.com.

    "Can just anyone get my income information from The Work Number?" reads one passage. Answer: "No. You have to give someone authorization to get your income information from the service."

    Employers who sign up for the service go to great pains to reassure workers that their data is safe and secret. Columbia University, when it explained to employees it was transitioning to The Work Number, posted this on the school's website:

    "You are the only person who can authorize access to your salary information."

    But Kathy Sandy of Somerville, N.J., was surprised to find that a debt collector had accessed information from her report two years ago, something she learned only when she obtained her "consumer disclosure" from The Work Number. Because the data is considered a credit report, consumers are entitled to one free report every year. The report shows what data the file contains, and what entities have seen it.

    Sandy's Work Number report, which she shared with NBC News, is 22 pages long -- an amazingly detailed history of every paycheck she had received for years. The first page of the report lists "verifiers who have requested your data in the past 24 months." On the list is "Pressler and Pressler," a law firm that specializes in debt collection. The firm had sued her in small claims court over a credit card debt that she says she was already repaying. It is not clear from Sandy’s report what employment data was shared with Pressler and Pressler; Equifax says it does not provide salary information to debt collectors, but it does provide other information.

    "I found out debt collectors can access this information, which is strange," Sandy said. "I assumed with The Work Number, for that information, you had to have a (passcode) … but they got in, and got it somehow without my consent."

    In brochures where Equifax advertises sale of the data, it's not shy about the source.

    "The Work Number specializes in employment and income verification. It's direct from the source: the employer. It's current, as of the last pay period. It's delivered quickly -- on demand," says one brochure, titled "Portfolio Monitoring."

    In his statement to NBC News, Klein confirmed that "pay rate" information is shared with third parties, including "mortgage, auto and other financial services credit grantors," as authorized under the Fair Credit Reporting Act.

    He denied that salary information is sold to debt collectors, however.

    "Debt/Collection agencies may request employment information -- which may be nothing more than verifying that a consumer is working where they say they are – if it qualifies under permissible purpose," he wrote. "Collections agencies are not provided salary information."

    That contradicts an assertion made by Equifax CEO Richard Smith in 2009, when he talked about how detailed The Work Number data is.

    "With FirstSearch and TALX we can provide information about a debtor’s location, income and employment," said Smith in an interview published on NYSE Magazine’s website, referring to The Work Number’s former parent company. "That can help prioritize which accounts to pursue first. If they’re employed, that business has a better shot at collecting what is owed to them."

    Klein said Smith misspoke when describing TALX’s services, and reiterated that salary information on consumers is not sold to debt collectors.

    'Unbelievably scary'
    With or without the income data, The Work Number data is incredibly valuable to debt collectors -- and it may come as a surprise to many workers that their employers, directly or unwittingly, help debt collectors.

    Equifax markets The Work Number specifically to student loan issuers. In another brochure on the firm's website, Equifax brags that The Work Number makes debt collectors' jobs easier.

    "The Work Number produced a 5.5 percent lift in Right Party Contact and a 7.3 percent lift in Collections Resolution versus current skip-trace methods," the "case study" brochure says.

    Equifax’s resale of The Work Number data doesn’t stop there. It also offers "portfolio monitoring" to financial firms who might want to market their products to consumers … or to get early warning on someone who might soon land in financial trouble. It calls this "proactive managing of risk." 

    "The Work Number is part of our employment and income verification service. It provides continual track of changes to your customer or client portfolio, delivered on demand per your schedule," it says. "Simply submit a portfolio of customer or client accounts and The Work Number does the rest. ... Using The Work Number to stay abreast of employment changes can expand your ability to mitigate risk while maximizing product and service potential."

    Mather has been in the employer data business for more than 20 years, and he says that if Americans suspected their employers were giving away their personal information to a credit bureau, they'd be shocked.

    "The story here is how (The Work Number) is getting this information," he said. "When people find out, no respectable employer will continue to do this."

    Larry Ponemon is a privacy expert who operates The Ponemon Institute, a consulting firm. He said he’d never heard of companies selling employer data to debt collectors.

    "Are you joking? Oh my god, I'm shocked," Ponemon said when the business was described to him. "This is unbelievably scary. I consider payroll information very sensitive and private." In studies he's conducted, salary data is always among the information consumers say is most private.

    "If the public knew about this, there would be such outrage," he said. "It's just ... really depressing."

    Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse, had heard of The Work Number, but only because some consumers have complained to his agency that the data in its database is inaccurate. Some workers find that when they try to use the information for employment verification, their titles are outdated or otherwise misrepresent their work history, which can be embarrassing for a job applicant.

    When told that the data is sold to third parties, he said he was under the impression the data was not shared.

    "I think it is something that would be offensive to many people. One typically considers salary information to be shared by your employer just with IRS," he said. 

    A glance at the language on The Work Number's website suggested to Stephens that the firm is legally within its rights to share the information, however.

    "You get into the 'permissible purpose' doctrine," he said. "Debt collectors have a permissible purpose to look at your credit information. It was my impression that the data was only being given out when employees released it."

    'Secret' process?
    Data brokers are under heightened scrutiny in Washington, D.C., lately. There are two separate congressional investigations of the industry, and the Federal Trade Commission announced in December that it had begun an inquiry into how brokers obtain their information. Equifax received an inquiry letter from the FTC, but only for the data broker portion of its business involving non-financial data, such as criminal background records and address information.

    Credit reporting agencies, such as The Work Number, are distinct from data brokers and are governed by special rules. Ironically, those special rules may open the door for Equifax -- and the credit-reporting side of its business -- to resell the salary information, says Katrina Blodgett, a lawyer with the Federal Trade Commission. She is one of the agency’s experts on the Fair Credit Reporting Act.

    The FTC filed a case against TALX and Equifax in 2008 for allegedly failing to provide employers with sufficient notice about their disclosure responsibilities under the Fair Credit Reporting Act. Equifax admitted no wrongdoing and paid a small fine.  

    Blodgett said the Fair Credit Reporting Act and subsequent updates give consumers specific legal rights, such as the ability to dispute errors in credit reports. But it also creates permissible purposes for access, including giving financial service companies the right to review credit reports of consumers they do business with. 

    "It’s not as easy as it should be to say whether debt collectors can get your consumer reports, because it depends on the circumstance," she said, adding that she believed Equifax could have the right to sell the salary information to debt collectors because it is part of a credit report.

    Much attention has been paid to the use of credit reports by human resource departments in recent years, and Congress gave job applicants special rights when a credit report is used during the job interview process. The reverse isn’t true, however, Blodgett pointed out.

    "There are special restrictions on how credit reports can be used in hiring decisions, but there are no special restrictions on how employment reports (such as salary information) is used for non-employment purposes," she said.

    She said she wasn’t surprised that Equifax is selling the information in The Work Number.

    "They are a credit bureau. They sell credit information to lenders," she said.

    Mather wants the sale of employee information halted. His firm also performs third-party employment verification, but he does not resell the data he collects.

    "I strongly believe there is no reason to resell employee information to debt collectors without the permission of the employer and employee," he said. "This 'secret' process needs to stop. I hope eventually a simple law is passed making it required to get the permission of the employee BEFORE his information is resold. It simply should NOT be used for any other purpose except for employment purposes without permission. In my view, it is a betrayal of trust."

    Consumers who want to see what information The Work Number has on their employment history can visit this page on TheWorkNumber.com. While reports are available online, consumers may have to fill out a form and mail it to The Work Number in some cases.

    * Follow Bob Sullivan on Facebook.

    * Follow Bob Sullivan on Twitter.


    More from Red Tape Chronicles:

  • Telecom firms can't say how 'crammed' charges were billed to unused phone

    Despite years of investigations, congressional hearings and promises from the telecommunications industry, phone bill “cramming” -- the addition of usually small third-party charges without a subscriber's consent -- remains a major consumer headache.

    Brett Strauss can attest to that. He purchased an AT&T cellphone for his business that wasn't used for months, but somehow accrued more than $300 in charges for unwanted third-party services that were crammed onto his bill during that period. 

    Both AT&T and the third-party firm behind the charges, Los Angeles-based GoLiveMobile, said that they require a strict sign-up process they call "double opt-in," meaning consumers must twice confirm they authorize a charge to their service.

    But Mark Siegel, spokesman for AT&T, confirmed Strauss’ phone had been dormant when the charges appeared. How those charges ended up on his bill remains a mystery.


    Strauss said he has about 12 phones for his employees, and this one wasn’t needed. "The phone has sat in a drawer all this time having never been used," he said. "This makes the cramming issue all the more interesting. How do you cram an unused phone?"

    To most consumers, cramming is a mystery. The root of the problem dates back to the original breakup of the AT&T telephone monopoly in the 1980s, which required the telephone giant to allow third parties to use its equipment and offer alternative services, such as long distance. Rogue operators quickly learned they could trick AT&T and other phone providers into signing up consumers for services they didn’t want, and “cram” these onto their bills. Cramming has since been a thorn in the side of consumers, first targeting those with land lines, when tack-on services like unnecessary voice mail were often snuck onto bills. It has seen a resurgence in the age of cellphones and smartphones, as crammed charges are easily intermingled with legitimate third-party fees, creating even more consumer confusion.

    The charges may be small -- usually $9.99 or less at a time -- but they add up to big money. A report issued by Sen. Jay Rockefeller, D-W.Va., in 2011 found that consumers lose $2 billion annually to unwanted third-party phone charges, and big telecom firms earned $650 million from 2006-2011 as their cut from companies that crammed consumers. 

    Last year, the Federal Communications Commission adopted new rules aimed at curbing cramming, but the agency stopped short of banning the practice.

    Arguments about cramming often devolve into a he-said, she-said affair, with telecom firms saying consumers agreed to the charge and consumers denying they did so. 

    That's why the Strauss case is interesting. AT&T doesn't disagree with his contention that the phone was unused, yet it still maintains that it requires third-party firms to utilize a double opt-in process. How could that be?

    "We do require the double opt-in process I described to you, but that's not to say it's impossible for a customer to get, say, a text message from a third party that does not follow this process," said Siegel, the AT&T spokesman.

    The double opt-in process, as Siegel described it, involves a consumer texting a service to sign up, then receiving an initial acknowledgement text with a PIN code that must be sent back to the firm before billing is initiated.

    "It's not possible for (third-party firms) to magically appear and to start to bill you," he said. "Someone had to order (services) in some way, even if it was just by accident."

    He added that AT&T is very strict about which third-party firms it allows into its system.

    "The only way we will agree to have third-party billing with a company is if they agree to use this double opt-in process," he said. "Ultimately, since this appears on our bill, we need to deal with it."
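    The flow Siegel describes is, at bottom, an authorization check: a third-party charge should only reach the bill when the same line that requested the service has also sent back the PIN. The following is an added example, not AT&T's or GoLiveMobile's code, modeling that two-step flow and then auditing a constructed bill for charges that have no confirmed opt-in behind them, which is exactly the condition in the Strauss case (charges on a line that never sent anything). The phone numbers, service name and charges are all constructed.

```python
# Added example (not AT&T's or GoLiveMobile's code): a model of the
# "double opt-in" flow described in the article, plus an audit that flags
# bill charges with no completed opt-in behind them. All data is constructed.
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class OptIn:
    msisdn: str          # subscriber phone number
    service: str         # third-party service short name
    pin: str             # PIN sent to the handset in the acknowledgement text
    confirmed: bool = False


class DoubleOptIn:
    """Step 1: subscriber texts the service; a PIN goes back to the handset.
    Step 2: subscriber texts the PIN back; only then is billing enabled."""

    def __init__(self) -> None:
        self._pending: Dict[Tuple[str, str], OptIn] = {}
        self._authorized: Set[Tuple[str, str]] = set()

    def request(self, msisdn: str, service: str) -> str:
        """First opt-in: record the request and return the PIN to be SMSed."""
        pin = "".join(secrets.choice(string.digits) for _ in range(6))
        self._pending[(msisdn, service)] = OptIn(msisdn, service, pin)
        return pin

    def confirm(self, msisdn: str, service: str, pin: str) -> bool:
        """Second opt-in: the PIN must come back from the same number that
        made the request. A PIN replayed from another line is rejected."""
        rec = self._pending.get((msisdn, service))
        if rec is None or not secrets.compare_digest(rec.pin, pin):
            return False
        rec.confirmed = True
        self._authorized.add((msisdn, service))
        return True

    def may_bill(self, msisdn: str, service: str) -> bool:
        """Carrier-side gate: no charge without a confirmed opt-in."""
        return (msisdn, service) in self._authorized


def unauthorized_charges(charges: List[dict], optin: DoubleOptIn) -> List[dict]:
    """Audit a bill: return charges with no confirmed opt-in for that line/service."""
    return [c for c in charges if not optin.may_bill(c["msisdn"], c["service"])]


def audit_sample_bill() -> List[dict]:
    """Constructed scenario: one line completes both steps; a second line
    (the 'phone in a drawer') never sent anything, yet charges appear."""
    optin = DoubleOptIn()
    pin = optin.request("+15550100001", "TRIVIA")
    if not optin.confirm("+15550100001", "TRIVIA", pin):
        raise RuntimeError("legitimate opt-in should have confirmed")
    bill = [  # constructed bill lines
        {"msisdn": "+15550100001", "service": "TRIVIA", "amount": 9.99},
        {"msisdn": "+15550100002", "service": "TRIVIA", "amount": 9.99},  # dormant line
        {"msisdn": "+15550100002", "service": "TRIVIA", "amount": 9.99},
    ]
    return unauthorized_charges(bill, optin)


if __name__ == "__main__":
    for charge in audit_sample_bill():
        print("no opt-in on record:", charge)
```

    The audit is the part a carrier could run over its own billing feed: if a third-party firm's charge file contains a line that never completed step two, the charge should be held rather than posted, regardless of what the firm asserts about its sign-up process.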

    For its part, GoLiveMobile said in an email that it would not comment on Strauss' situation, but that it follows strict sign-up procedures.

    “While we do not comment on individual customer cases, GoLive! has procedures and policies that exceed industry best practices, including in keeping with guidelines of the Mobile Marketing Association, its cell carrier partners, and various third-party auditing firms focused on consumer protection," said the statement, which its author asked be attributed to a company spokesperson. "Any and all customers must go through a double opt-in feature, where customers must be in physical possession of their mobile device and accept the industry-approved terms and conditions of the program, including all relevant charges and fees twice before any program is activated."

    Strauss said none of that happened. He hadn't heard of GoLiveMobile until he found a series of charges on his cellphone bill for a service named MoZoot, which is provided by GoLiveMobile. MoZoot lets users ask questions and get answers via text message. 

    "I never once contacted these folks as Google does just fine answering my questions," Strauss said.

    There are numerous other complaints about MoZoot published by consumers online. 

    The FCC said in 2011 that as many as 20 million U.S. consumers are hit annually by cramming. Crammers rely on consumers not scanning their bills diligently and not noticing the small charges they insert for many months – if at all. If they do notice them, they are often stuck in a Catch-22 -- the telecom carrier will refer them to the third-party firm to request a credit. The third-party firm will often refuse to give credit for more than 30 or 60 days.

    To its credit, AT&T refunded all Strauss' money -- a total of $318 -- directly after he called to complain. 

    In its statement to NBC News, GoLiveMobile said it has a liberal refund policy.

    "While the industry standard is to grant a refund for a maximum of 60-90 days, we go above and beyond this policy to grant refunds for the complete lifetime of any sign-up," it said. 

    Strauss was also given the chance to lock his cellphone account against any future third-party charges. He wondered why such a block wasn't enabled in the first place.

    "Why does AT&T only install the security (block) after you complain, even though they know clearly that this is a big problem?" he said.

    The new FCC rules require that firms give consumers the opportunity to block their phones against third-party charges, but they do not require firms to set the block by default, and most don't.

    "There is a very high demand from our customers for third-party billing,” said AT&T’s Siegel. “ That's not a surprise given the growth in apps, music downloads, and so on. This is something that our customers really want, because it's convenient."

    AT&T also sends regular, helpful text messages to consumers warning them that they are being billed for a third-party service and including a link to challenge the bill if necessary at http://att.com/mobilepurchases .  In fact, one such warning led Strauss to check his bill more closely and discover the GoLiveMobile charges.

    "That's the larger issue," Siegel said. "You need to check your bills carefully and if you see (an unwanted) charge get in touch with us right away."



  • Proposed 'privacy tax' would penalize firms that profit from consumers' data

    A groundbreaking new “privacy tax” could stem companies’ abuse of consumer privacy, argues a report commissioned by the French government.

    The proposal, detailed in a report issued by the French Ministry of Finance on Friday, has been compared to a carbon tax designed to dissuade polluters, as envisioned at the Kyoto conference in 1997 that set global emissions caps.

    The French study recommends that companies which misuse or fail to protect consumers' data would have to pay a punitive new tax, with the rate rising along with the severity of the misstep. It also provides incentives to firms that exceed current regulations to protect consumers' information. 


    The idea has met with both curiosity and pessimism.

    “It's a very revolutionary and interesting proposal, but it would be hugely difficult in France, let alone around the world, to implement," said Winston Maxwell, a privacy lawyer based in France. Maxwell wrote about the proposal at the Chronicle of Data Protection blog, published by his law firm, Hogan Lovells.

    Sin taxes have long been used to discourage behaviors that governments deem legal but undesirable -- tobacco taxes, for example. The report itself compares this new privacy tax to the concept of a carbon tax, which grew out of the 1997 Kyoto Protocol on climate change. Carbon taxes and credits are included in the agreement as a means of creating market pressures to incentivize companies to reduce greenhouse emissions.

    The report argues that Google and other companies acquire consumers' personal information essentially for free, and use it to make a profit. This creation of value creates the authority to tax, the report argues.

    "The report’s authors analogize the tracking of personal behavior on the Internet to the creation of value using unpaid labor provided by Internet users in France," Maxwell said. 

    The idea of the privacy tax arrives as French authorities have publicly bemoaned their inability to effectively tax technology companies like Google.  But the report says revenue collection is secondary to protecting consumers.

    Larry Ponemon, a privacy expert who runs The Ponemon Institute, called the French approach novel and compared personal information to a natural resource.

    "Right now, companies are benefitting from their ability to exploit people's privacy, the way some companies exploit the environment and make money," he said. "Right now they can get and use that information, essentially for free."

    There are myriad problems with creation of a privacy tax, however.  It's hard to imagine a government agency could adequately rule which companies were effectively protecting privacy and which were exploiting it.  Doing so might itself involve a privacy invasion, Maxwell noted.

    "The tax administration may have to use invasive technology to monitor what firms are doing on the Internet and determine if a tax is due. Ironically, the technology itself could pose a threat to privacy," he said.

    Conceding the many issues with implementation, the report recommends that initially, the government would tax firms that track Internet users in France.

    Christopher Wolf, also a lawyer at Hogan Lovells, said he knows of no similar proposal in the U.S., but Ponemon said he's heard privacy advocates discuss the idea informally.

    Privacy regulations in Europe are far more consumer friendly than in the U.S. For example, in Europe, personal information is considered property that is owned by the consumer and lent to companies for temporary use; firms must destroy such information in a timely manner.  In the U.S., firms own the data they collect.

    While generally supportive of the French proposal, Ponemon cautioned that it would be both ineffective and damaging to France if the nation tried to unilaterally impose such a tax.  

    "If you were to stop Google, you would be stopping an economic engine that's had a major effect on economy of a country," he said.  

    Even consumers might protest such a privacy tax, and the idea behind it, he said. Why should government benefit from what is deemed an abuse of consumers’ personal information?  

    "People will think the individuals should benefit, not the government. They'll want to be paid directly," he said.


  • Net users fall for fake online lovers all the time, says victim advocate

    How could someone be fooled by a fake girlfriend for months? That was the obvious question after startling revelations that Notre Dame football star Manti Te’o’s girlfriend and her heart-tugging tale of leukemia and death were fraudulent.

    Barb Sluppick watched the news, and the reaction it caused, with great interest. She has counseled thousands of men and women who've been scammed by fake lovers during the past decade as operator of the victim assistance website RomanceScams.org. She has a simple message for those who think Te'o's version of events is impossible to believe.

    "Not only is it possible, it happens all the time," Sluppick said. Victims have flown to Nigeria to meet fake lovers, they've taken out second mortgages on their homes to send money. "Te'o wouldn't even be the first football player to fall for it." 


    It seems there's a lot of money in fake love.

    RomanceScams is a network of former victims who offer counseling to those embroiled in various versions of this common Internet scheme. The site has 19,000 active members. Many victims won't fess up to how much they've lost, but among those who do, she counts $15.2 million.

    As details of Te'o's situation emerged, Sluppick had an immediate reaction.

    "I thought, ‘It has all the earmarks of a romance scam.’ One catastrophe after another. In this case, a car accident, followed by cancer," she said. Those items heighten emotional interest, she said, and also prime a victim for fraud – usually a request for money.

    Details about Te'o's story are still hard to come by, and it's possible he was a party to the hoax. And there is no evidence that anyone asked Te'o for money or tried to defraud him, so it's incorrect to label his situation as a romance scam.

    But Sluppick wants people to know that Internet users do stupid things for love all the time.

    "Oh god, yes, it happens every day to people you would never dream of it happening to -- doctors, lawyers, CEOs of companies," said Sluppick, who founded the group in 2002 after almost becoming a victim herself.   

    A few other seemingly incredible details of Te'o's story didn't surprise Sluppick.

    "The fact that he said he met her, and he hadn't. I've seen that happen before, where a victim says he's met the person, but it turns out, they never met," Sluppick said. "Often, the lover is too embarrassed to say they've never met face to face. When someone meets a lover online, and they are telling others about the relationship, the first thing people ask is, 'Have you met in person?' So the victim just says 'yes.' "

    Men are also ideal targets because they tend to keep quiet out of humiliation after they are scammed, she said.

    "When men are scammed, they tend to internalize it, unlike women, who tend to share it with friends and hash it out over and over," she said. The effect is heightened if there's an element of homophobia present, she added. "If (a male victim) finds out a male was playing the part of the female, they don't want anyone to think they were playing kissy face with another man. So they keep quiet."

    Despite public and private warnings, this most old-fashioned crime continues.  Boy meets girl -- or the reverse -- girl seduces boy, girl asks boy for money.  The crime is so persistent that in November, the U.S. Army Criminal Investigation Command issued its third warning about romance scams.

    "Special Agents from the U.S. Army Criminal Investigation Command are once again warning Internet users worldwide to be extra vigilant and not to fall prey to internet scams or impersonation fraud - especially scams promising true love … (that) only end up breaking hearts and bank accounts," said the warning, which focused on women who fall for scammers pretending to be U.S. servicemembers overseas. “We cannot stress enough that people need to stop sending money to persons they meet on the Internet. ... If someone asked you out on a first date and before they picked you up they asked you for $3,000 to fix their car to come get you, many people would find that very suspicious and certainly would not give them the money.  This is the same thing, except over the Internet.”

    Online lover scams are effective because men and women looking for love tend to be vulnerable, Sluppick said. The Internet provides a massive pool of targets, and it's easy to fabricate identities. In some cases, that's not even illegal. Would-be scammers learn a lot about their victim’s hopes and dreams, and then work hard to become their love fantasy.

    "If the woman wants three kids and a house in the country, the scammer says 'I want that, too,'" she said. "They are very good at what they do.”

    Victims don’t even have to be looking for love, Sluppick stressed.

    “You don't even have to be on a dating site. Much of this now starts on Facebook, or Twitter, or just some other forum,” she said.

    You don’t even have to be involved in the online romance to be a victim. Love scammers often steal pictures from third parties on dating sites and use those to persuade targets they are attractive.

    "All it takes is a right-click, and you too could be a victim of romance scams," she said. "There's a lot of good looking people out there who get used for this."

    Often, the saddest element of the tragedy is family members who can't talk the victim out of their fake love affair, Sluppick said.  She's working with the family of an 80-year-old woman right now who's already lost $80,000, but her family cannot persuade her to stop sending the scammer money. In fact, scammers typically try to isolate their marks from loved ones, with comments like, "They just don't want you to be happy,’" Sluppick said.

    The best way to avoid being a victim of an Internet romance scam is to geographically limit your love interests, Sluppick said, and arrange for a safe, public, face-to-face meeting early on in the courtship. But one other important tool for stopping scammers is largely out of her control.

    "People need to realize that this does happen,” she said. “...I've had people who didn't meet, or even video chat, with their supposed lover for two or three years. When people think it can't happen, that makes it easier for the scammers."


  • Masquerading as online lover not necessarily a crime, expert says


    It may be cruel to create a fake online persona and trick someone into falling in love with you, but it's probably not illegal, according to digital law expert Bradley Shear. 

    The Manti Te'o fake girlfriend saga has brought the issue of online impersonation to the forefront again.

    While several states have passed laws making online impersonation of another person expressly illegal, those laws don't apply to invented persons, says Shear.

    "If this was purely a game, it would be very difficult to prosecute," Shear said.


    California's law, for example, expressly states that it is illegal to impersonate an "actual person."

    Of course, much is still unknown about the Te'o case, and it's possible a crime was committed. Some reports suggest the photo used by the fake girlfriend, who went by the name Lennay Kekua, depicts a real person who did not give permission for its use. That would likely amount to criminal online impersonation, Shear said, particularly if -- as has been reported -- she lives in California, or one of the other 11 states that have online impersonation laws.

    Also, if intent to defraud Te'o could be proven -- perhaps an intention to fraudulently elicit money to help pay supposed medical bills or somehow blackmail him after he signed an NFL contract -- that would clearly be illegal.

    A prosecutor might consider making a case built on the argument that a hoaxer sought to inflict emotional harm against Te'o, but that would be a challenge, Shear said. Such a case would likely end up in a civil court, but even there, Te'o's lawyers would face an uphill battle.

    "The bottom line is, what does harm mean? Could it mean emotional harm? It's possible, but in general, I think something more would be needed," he said. “It's very difficult to prove emotional harm."

    Fake social media accounts enjoy wide First Amendment protection, Shear said, because the U.S. Supreme Court has a long history of protecting parodies.

    In fact, lying in general enjoys strong constitutional protection. Last year, the Supreme Court struck down the 2005 Stolen Valor Act, which made it a crime to falsely claim to have received military decorations. The high court found the law violated the First Amendment.

    "The whole key here is that there [are] major First Amendment problems with making parody or fake accounts against the law," he said.

    Fake online accounts have consistently created thorny issues in digital law. They were a major element in the tragic suicide death of 13-year-old Megan Meier, who killed herself in 2006 after an adult neighbor posed as a teenage boy and taunted her.  Prosecutors in that case had trouble finding criminal charges that fit the case, so Missouri lawmakers passed an anti-cyberbullying law which, among other things, banned impersonation or anonymously causing emotional distress.  

    Assuming a case like Te’o’s occurred in Missouri, it’s possible the hoaxer might be liable for criminal charges if the fake account was created expressly to upset someone. The law was designed to protect children, however, and parts of it have already been struck down by the Missouri Supreme Court.

    Plus, it's hard to imagine a prosecutor bringing a case saying that a Notre Dame linebacker was cyberbullied.

    "At the end of the day, in general, most of what’s going on (with fake online personas) is constitutionally protected," Shear said. "It's too hard to legislate this. That's why education of young people is so important."



  • A shock in the dark: Flashlight app tracks your location

    The element of surprise causes hard feelings when it comes to privacy violations, and mobile phone apps are ambushing consumers far too often, according to researchers at Carnegie Mellon University.

    Researchers at the school's Human-Computer Interaction Institute studied both the data gathered by the 100 most popular programs in Google's Android app store, and how surprised users were when told what the apps were doing.  On Tuesday they released a list of the 10 worst offenders in terms of transparency.

    Almost no one was surprised that Google Maps accessed location information, for example, but respondents had a strong negative reaction when they learned that the “Brightest Flashlight” app tracked their location, said Jason Hong, an associate professor at the school.


    “There's no sensible reason why a flashlight app would need your location," Hong said. "That was the biggest surprise to people -- 95 percent were surprised it used location data."

    Of the top 100 Android apps, 56 collected location information, device identifiers and/or contact lists, according to the university’s research. Users, however, often had no idea such data was being collected or how it might be used. For example, 58 percent of those asked about an app that collected device IDs were unaware that they could be used for marketing purposes; another 55 percent said the same about GPS location data.  

    It turns out that data collection and surprise is a toxic combination for users. 

    Using both elements, Hong and Professor Norman Sadeh created a list of the 10 worst privacy offenders – apps that collected data and surprised users. The list wasn’t ranked, though Hong said the flashlight app registered the most surprise.

    The full list, along with the potentially controversial data collected by each, according to the researchers:

    • Brightest Flashlight (device ID, location)

    • Toss It game (device ID, location)

    • Angry Birds game (device ID, location)

    • Talking Tom virtual pet (device ID)

    • Backgrounds HD Wallpapers (device ID, contacts)

    • Dictionary.com (device ID, location)

    • Mouse Trap game (device ID)

    • Horoscope (device ID, location)

    • Shazam music (device ID, location)

    • Pandora Internet Radio (device ID, contacts)

    An email sent to the contact address at BrightestFlashlight.com wasn't returned. The website lists no contact phone number. 

    One intriguing, and promising, element of the research surrounds the notion of expectation and disclosure, said Hong.  Many consumers registered less frustration about data collection when researchers explained to consumers precisely why it was necessary, or how the information was used.

    For example, Dictionary.com's collection of location information allows the app to offer a fun feature: words others nearby are searching for. That explanation made users much less likely to feel like their privacy had been violated, Hong said.

    "Universally, every time we gave an explanation, people were more comfortable with the app.  That shows how important disclosures can be," he said.  “It's important to emphasize that privacy policies don't work. Transparency is good, but we need to find the right way of doing it.”

    The more unusual data collection might be, the more important prominent disclosure becomes, the study found.  For example, the Backgrounds wallpaper app’s access of contact information allows users to change their phone's screen appearance when a call or text comes in from a specific contact. But many users were unaware why contact access would be needed.

    "We could create better privacy based on people's expectations," Hong said.  "For many apps, the way the data is being used isn't obvious."

    Users who download Android apps are shown a box which indicates what kind of data the app might collect, but multiple studies show that users merely ignore the disclosure, just as they do with website privacy policies.
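    The permission box users skip past is generated from the app's manifest, and the manifest is the one artifact a reviewer can check mechanically. The following is an added example, not the Carnegie Mellon researchers' tooling, that parses an Android manifest and lists the sensitive permissions (location, device identifiers, contacts, the three data types the study flagged) that a given kind of app has no evident use for. The category-to-expected-permissions table and the sample manifest are constructed for illustration; the permission names themselves are the standard Android ones.

```python
# Added example (not Carnegie Mellon's tool): parse an Android manifest and
# report declared permissions that an app of the given kind has no evident
# use for. The EXPECTED table and the sample manifest are constructed.
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that expose location, device identifiers or contacts, the three
# kinds of data the study found in the top apps.
SENSITIVE: Set[str] = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",   # exposes device identifiers on older Android
    "android.permission.READ_CONTACTS",
}

# Hypothetical expectation table: what each app category plausibly needs.
# A flashlight drives the LED through the camera API, so CAMERA is expected;
# a wallpaper app that swaps backgrounds per contact can justify READ_CONTACTS.
EXPECTED: Dict[str, Set[str]] = {
    "flashlight": {"android.permission.CAMERA"},
    "maps": {"android.permission.ACCESS_FINE_LOCATION",
             "android.permission.ACCESS_COARSE_LOCATION"},
    "wallpaper": {"android.permission.READ_CONTACTS"},
}


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Every <uses-permission android:name="..."/> in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def surprising_permissions(manifest_xml: str, category: str) -> List[str]:
    """Sensitive permissions the app declares but its category does not explain."""
    declared = declared_permissions(manifest_xml)
    return sorted((declared & SENSITIVE) - EXPECTED.get(category, set()))


# Constructed manifest for a flashlight app that also wants location and
# the phone state (device ID) -- the pattern the study singled out.
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Example Flashlight"/>
</manifest>
"""

if __name__ == "__main__":
    for perm in surprising_permissions(FLASHLIGHT_MANIFEST, "flashlight"):
        print("no evident need for", perm)
```

    The check is deliberately about expectation, not legality: a permission the app can justify (location in a maps app) produces no finding, while the same permission in a flashlight does, which is the distinction Hong and Sadeh's surprise measure captures.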

    But even for those who read carefully, mere disclosure that data is collected isn't enough, said Sadeh, the Carnegie Mellon professor.

    "When you look at the fundamental issue, it's about informing users and giving them an option," he said. "You need to say more to users than, 'I need permission to collect this.' You need to tell them what you will do with what you collect. ... When you communicate, you put people at ease."

    Mobile apps on all platforms fail to give users this critical "how-will-my-data-be-used" information, Sadeh said, but he said app developers weren't the only ones to blame.

    "The platforms invite developers to collect more information than you would like," he said. "And the developers can hide behind what the app store offers (for disclosure options).  They can say, 'Hey, there's no way for me to offer more.'  It's up to these marketplaces to make an effort to convey more information."

    The research, which is ongoing, is funded by the National Science Foundation, Google and the Army Research Office.



  • 'Red October' is latest super cyberspy virus, firm says

    A Russian computer security firm says it has uncovered a new, far-ranging cyberspying campaign that targets government secrets. The firm, Kaspersky Lab, has tantalizingly named the malicious software behind the attack "Red October," a nod to the famous Tom Clancy novel.

    Red October has been attempting to steal critical, secret documents since at least 2007, Kaspersky said in a report posted to its website Monday. Among the files it collects are those produced by an encryption tool used by NATO and government agencies, Kaspersky says. It's also capable of stealing data from mobile phones, and has a "resurrection" module that allows the program to reinstall itself even if detected and removed.

    "During the past five years, a high-level cyber-espionage campaign has successfully infiltrated computer networks at diplomatic, governmental and scientific research organizations, gathering data and intelligence from mobile devices, computer systems and network equipment," Kaspersky says in its report.


    Kaspersky, which claims to have found several similar cyberattacks over the past two years, didn't identify the original source of its discovery, or the identity of organizations infected by the program. The firm said it is working with US-CERT, the cybersecurity arm of the U.S. government, and other national cyber-defense teams to continue its investigation and to help mitigate the attacks.

    Kaspersky has made a name for itself by disclosing a series of programs that appear to be part of focused cyberattacks against government entities, beginning with the infamous Flame virus, allegedly designed to attack computers inside Iran.

    Red October infections aren't widespread, the firm says -- only "several hundred" have been found so far.  But the virus isn't designed for high infection rates, but rather to spy on specific, high-value targets, it said. The highest infection rates were in Russia, Kazakhstan and Azerbaijan, Kaspersky said, suggesting Eastern Europe and former Soviet republics were the main targets of the virus writers. There were a handful of infections in Belgium, the U.S., and Switzerland, however, hinting that the virus writers might not be driven by geopolitics.

    In fact, Kaspersky said that, unlike with Flame, there is no evidence that a nation-state is behind the program, leading it to speculate that for-profit hackers were behind it.

    "Such information could be traded in the underground and sold to the highest bidder, which can be, of course, anywhere," the firm said in a report.

    The firm also said it saw no connection between the authors of Flame and Red October.

    The program itself is a bit of a Frankenstein, borrowing code and attack strategies from earlier viruses. Spear-phishing emails -- specially crafted, booby-trapped emails designed to infect a single user -- opened the door to victims' machines, and the booby-trapped documents were copied from attacks used against Tibetan activists, it said. Other code in the virus suggests the writers borrowed heavily from Chinese hackers, too. A vulnerability used to take control of other machines on a victim's network was the same one exploited by Conficker, discovered in 2008, which remains one of the most widespread viruses of the past five years. Conficker's origin has never been definitively determined, but many researchers speculate it was written by Ukrainians. Red October itself uses several Russian words, and Kaspersky believes its authors were Russian speakers. 

    Also telling: When the hackers gain control of a target machine and obtain a command prompt from which to issue commands, that prompt is configured to render Cyrillic fonts -- the alphabet used in Russia and in other languages in parts of the Balkans and Northern Eurasia.

    That doesn't mean Red October was created by Russians, however.

    Red October -- so named because of the Russian words discovered in the virus code -- has several other unique characteristics suggesting the authors were attempting a wide-ranging espionage campaign. For example, infected computers constantly searched for users connecting a smartphone, after which the virus would raid the device for useful information.

    "Once connected, (Red October is instructed to) retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages, browsing history," the report says.

    The virus also searches constantly for connection of a USB thumb drive and, once detected, scans that device for files to steal, too.

    Cyberwarfare, including digital espionage such as that allegedly carried out by Red October, has been long predicted by computer security experts. A number of high-profile discoveries recently appear to be confirming those predictions. The most famous is Stuxnet, discovered in June 2010, which targeted Iranian critical infrastructure and was ultimately attributed to Israeli and American programmers by the New York Times.  Kaspersky did not initially discover Stuxnet -- a small Belarusian firm is credited with that -- but it did issue the first detailed report on Stuxnet's capabilities.

    H.D. Moore, chief security officer of security firm Rapid7 and creator of the popular security testing software Metasploit, told NBC News on Monday that he was able to independently confirm some of what Kaspersky said in its report, including identifying several so-called "command and control" servers used by Red October hackers to contact compromised machines.

    "This is not on the same level as the Flame virus," he said, "but it does some scary things."

    Among the capabilities that interested Moore: Red October's ability to undelete files that had been deleted from USB drives.  That creates all sorts of potential nightmares for security professionals at high-security agencies. 

    "We hadn't seen that before in malware," Moore said. “The threat is that USB drives are often shared between people, especially at conferences. Even if you take precautions to delete files and you trust the person you are sharing this with, this malware would be able to automatically recover deleted files and siphon them off without either party being aware.”

    Other techniques in the virus show it was designed mainly "to gather as many documents as possible," rather than attempting to infiltrate a single machine or steal a single file. Given the wide net cast by Red October, which was hardly subtle, Moore said he was "surprised it got as far as it did" before being discovered. 

    * Follow Bob Sullivan on Facebook.

    * Follow Bob Sullivan on Twitter.

    More from Red Tape Chronicles:

  • Popular office phones vulnerable to eavesdropping hack, researchers say


    This small gadget can be attached to a single Cisco IP phone and turn an entire company's network into a sophisticated bugging device within seconds, researchers say.

    High-tech telephones common on many workplace desks in the U.S. can be hacked and turned into eavesdropping devices, researchers at Columbia University have discovered.

    The hack, demonstrated for NBC News, allows the researchers to turn on a telephone's microphone and listen in on conversations from anywhere around the globe. The only requirement, they say, is an Internet connection.

    Doctoral candidate Ang Cui and Columbia Professor Sal Stolfo, who discovered the flaw while working on a grant from the U.S. Defense Department, say they can remotely order a hacked telephone to do anything they want and use software to hide their tracks.  For example, they said they could turn on a webcam on a phone equipped with one or instruct the phone's LED light to stay dark when the phone's microphone has been turned on, so an eavesdropping subject wouldn’t be alerted that their phone has been hacked.

    The flaw involves software running on Cisco's popular Internet Protocol telephones. Cisco acknowledged the flaw in a statement to NBC News, but wouldn't say how many of its phones were impacted. In a blog post earlier this year, the company -- the leading IP phone maker, with about one-third of the market -- said it had just surpassed 50 million in phone sales. 


    In a vulnerability announcement sent to paying customers in December, Cisco listed 15 phone models impacted by the problem.  

    "You can imagine the implications of this," Stolfo said of the vulnerability. "Anything that is said behind closed doors isn't private, no matter how sensitive the conversation is. There is no privacy. How can you conduct business like that?"

    Cisco's statement indicated that the company is working on a fix, and the firm told NBC News that it planned to issue a security bulletin next week. But Stolfo said he is "very worried about the speed with which Cisco is handling this."

    In a demonstration of the phone hack at the Chaos Communications Conference Dec. 29 in Germany, Cui showed examples of Cisco phones being used in government and military applications, though he noted there is no way to know if those phones were vulnerable to the attack.

    "On the dark side, these phones are sold worldwide,” Stolfo said. “Any government that would like to peer into the private lives of citizens could use this. This is a great opportunity to create a low-cost surveillance system that is already deployed. It's a monitoring infrastructure that's free, when you turn these into listening posts."

    The research was conducted under a grant from the Defense Advanced Research Projects Agency (DARPA), an arm of the Defense Department devoted to computer security, and conducted at the Computer Science Department of Columbia University’s School of Engineering and Applied Science. The same lab caused a global stir in 2011 when it published a hack of Hewlett Packard printers.

    “We consider this to be much more dangerous than the printer hack," Stolfo said, "because of what you can do with the phone."

    In a demonstration conducted last week for NBC News, Cui showed how a small device pre-loaded with software and plugged into a port on the Cisco phone could rewrite the IP phone's software within seconds. In the scenario he described, a would-be hacker would need to access a phone for only a few moments -- a phone on a secretary's desk, for example -- to conduct the attack.


    The Columbia lab focuses on so-called "embedded devices" -- computer chips in non-PC gadgets, such as televisions, thermostats or telephones. Increasingly, all these gadgets are networked and connected to the Internet, and therefore can be hacked remotely.

    "These phones are really general purpose computers jammed into a plastic case that makes you think it's a phone," Cui said. "Just because it doesn't have a keyboard doesn't make it less of a computer.”

    Cisco's IP phones -- and other models that use the same chipset -- are open to attack because they routinely connect to a central server looking for updated instructions, according to Cui.  That creates an avenue for a hacker to insert rogue code, he said.

    The phones run a proprietary adaptation of the popular Unix operating system called CNU, but any programmer familiar with Unix could write code for the phone and tell it to perform any function, Cui said.

    "The phones are listening to a network waiting for a command. They are actively saying, 'Does anybody have any code for me to run?'" said Stolfo.

    In an initial statement to NBC News, Cisco said that all Cisco IP phones "feature a hard-wired light that will alert the user whenever the microphone is active," meaning it would warn any users that their phone’s microphone had been turned on.  But the Columbia researchers dispute that, and showed NBC News a hacked phone that showed no evidence the microphone had been activated while they were eavesdropping on a conversation. 

    "There is no hard-wired light,” Cui said. “Everything is controlled by the software."

    After viewing Cui's demonstration in Germany, Cisco issued an updated statement to NBC News backing away from its disagreement on the LED light issue, saying it "wasn't directly relevant."

    But the researchers and Cisco still disagree about potential methods of attack.

    Cisco said hackers would generally need physical access to a telephone in order to begin an attack, with rare exceptions.

    "(Remote attack would require) the combination of authenticated remote access and non-default device settings," Cisco said. "No default account exists for remote authentication and devices configured for remote access must use administrator-configured credentials."

    Stolfo said, however, that a hacker would need physical access to only a single phone on the network -- a receptionist's phone, for example, or a phone at the home of a remote worker -- to gain access to a company's entire phone network.

    But he also maintained that there are multiple scenarios that would allow for a remote attack.

    Escalation would be one way: An outsider could trick a worker into clicking on a virus-laden email attachment, infect the worker’s computer and then use that computer to attack a phone from inside a company’s network, he said.  But the researchers say other flaws exist that would allow the phone to be attacked directly from outside the company.

    "It also works the other way," Cui added. "You could attack the network, and then attack a single person's phone. Say, the CEO, at home."

    Officials at DARPA said they couldn't comment on specific research, but praised Columbia's work generally.

    "DARPA's program is concerned ... with exploring what kinds of vulnerabilities are present in current systems so that we can determine architectural principles that will rule out such vulnerabilities in future systems," Dr. Howard Shrobe, DARPA Program Manager, said in a statement. "Computers often are at the core of many devices that most people do not think of as computers  (e.g.  phones, printers, power meters, cars and airplanes, for example) but which inherited the vulnerabilities of their embedded computer components.  These devices have enormous impact in our everyday lives and in our critical infrastructures and are therefore a core concern.”

    Stolfo said it was critical to come forward with the Cisco flaw now because the company isn't working fast enough to fix it.

    "What we're doing is trying to alert the manufacturer to not provide the opportunity to hackers to break into our phones," he said. "What we're asking them to do is like asking automakers to put seatbelts into cars to save lives." 

    The researchers have not released their attack code, so would-be criminals cannot simply copy their work and attack Cisco phone systems today, and there is no evidence that a hacker has exploited this vulnerability in the real world. They do believe others will successfully -- and independently -- duplicate their research, however, placing Cisco in a race with hackers, and Cui thinks it's possible that has already happened.

    "I'd be surprised if someone else hasn't already done this," Cui said.


  • Court overturns ruling that required 'copy editing' of Yelp criticism

    Free speech advocates have won the latest battle in the legal fight between critical web commenters and the businesses they target.

    In a Dec. 28 decision that is only now being widely circulated, the Virginia Supreme Court ruled that a dissatisfied consumer's Yelp comments shouldn’t have been ordered removed from the web by a lower court.

    The decision is the latest in a steady stream of court rulings that impact consumers who criticize businesses online; in this case, an appeal to First Amendment rights was successful.


    Jane Perez was sued by contractor Christopher Dietz in Fairfax County, Va., after she wrote on Yelp that Dietz failed to deliver promised services and implied he might be responsible for jewelry missing from her house. In early December, a trial court ordered Perez to remove portions of her negative review, including references to the missing jewelry and to an earlier court ruling surrounding their dispute. That ruling gained national attention.

    But the Virginia Supreme Court overruled the lower court, finding that "the preliminary injunction was not justified," removing restrictions on her original review and siding with Perez’ argument that the lower court’s decision represented unreasonable “prior restraint” of her right to free speech.

    “The decision confirms the importance of not shutting down public discussion on the Internet just because someone doesn’t like what’s being talked about,” said Paul Alan Levy, an attorney for advocacy group Public Citizen, which filed Perez’s appeal to the supreme court. “Review sites like Yelp are vehicles for the free flow of ideas by helping consumers make informed decisions on how to spend their hard-earned dollars.”

    The ruling does not mean that Perez has no legal responsibility for her comments, however -- the underlying case continues, and she could be liable for damages if Dietz proves in court that he was libeled. The court's ruling merely invalidates what Perez's trial attorney had earlier called judicial "copy-editing" of her Internet comments.

    In its appeal to the injunction, Public Citizen argued that a court cannot forbid speech with an injunction simply to protect a business from bad publicity.

    “Settled law … forbids preliminary injunctions to protect the reputation of a business as impermissible prior restraints,” the advocacy group wrote.

    “Prior restraints on speech and publication are the most serious and least tolerable infringement on First Amendment rights,” it continued, citing a 1976 U.S. Supreme Court ruling.

    That hasn’t stopped companies from trying, however. Weary of reputation-killing criticism on review sites like Yelp, some businesses have taken to suing consumers for libel, claiming damages through lost future customers. Such lawsuits are meeting with mixed results: An Oregon judge dismissed one lawsuit filed by a dentist earlier this year. Months earlier, a similar lawsuit filed by a church pastor was also dismissed. On the other hand, a case filed by a neurologist in Minnesota after negative comments was initially dismissed, but reinstated by a state appeals court earlier this year. And there are dozens of other ongoing cases -- many involving health care -- including one involving a  Chicago plastic surgeon suing former patients for $100,000 after they criticized his work online.

    Still, the threat of a libel lawsuit has become a more common tactic by businesses trying to dissuade consumers from making critical comments in public forums. A Red Tape reader in Ohio complained last month that she was threatened with such a lawsuit after she placed a sign on her front lawn criticizing a home alarm company.

    Levy, a lawyer with Public Citizen, said it’s important the discussion and criticism not be chilled by legal threats and that he was pleased with the Virginia Supreme Court’s ruling.

    “This ruling means if you have a sound case for defamation, by all means, you can bring it, but you shouldn't expect to have (comments) taken off-line at first blush,” Levy said. “You have to show to the satisfaction of a jury that false statements have been made about you with malice or negligence.”
