Cultura RF / Getty Images stock

A woman checks her phone while at the computer.

Are gadgets making us dumber? Two new studies suggest they might be. One found that people who are interrupted by technology score 20 percent lower on a standard cognition test. A second demonstrated that some students, even when on their best behavior, can't concentrate on homework for more than two minutes without distracting themselves by using social media or writing an email.

Interruptions are the scourge of modern life. Our days and nights are full of gadgets that ping, buzz and beep their way into our attention, taking us away from whatever we are doing.

We've known for a while that distractions hurt productivity at work. Depressing research by Gloria Mark at the University of California, Irvine, says that typical office workers only get 11 continuous minutes to work on a task before interruption. With smartphones reaching near ubiquity, the problem of tech-driven multitasking — juggling daily tasks with email, text messages, social media etc — is coming to a head.

Multitasking has been  the subject of popular debate, but among neuroscientists, there is very little of that. Brain researchers say that what many people call multitasking should really be called “rapid toggling” between tasks, as the brain focuses quickly on one topic, then switches to another, and another.  As all economics students know, switching is not free. It involves "switching costs" — in this case, the time it takes to re-immerse your mind in one topic or another.

Researchers say only the simplest of tasks are candidates for multitasking, and all but one of those tasks must involve automaticity. If you are good at folding laundry, you can probably fold laundry and watch TV at the same time, for example.

Overestimated abilities
Despite this concern among brain scientists, many people overestimate their ability to multitask, such as the college student who thinks he can text and listen to a lecture simultaneously. He cannot, says brain expert Annie Murphy Paul, who writes "The Brilliant Blog."

"Multitasking while doing academic work — which is very, very common among young people — leads to spottier, shallower, less flexible learning," Paul warned in a recent column.

The two studies mentioned above underscore this point. 

In the first, Alessandro Acquisti and Eyal Peer at Carnegie Mellon University's Human Computer Interaction lab recruited 136 college students to take a standard test of cognitive abilities, and invented a controlled method of distraction. Test-takers were interrupted via instant message, which they were told contained important additional instructions, during the exam.

(The research was conducted in concert with research for The Plateau Effect, a book I recently co-authored with Hugh Thompson.)

The interrupted group answered correctly 20 percent less often than members of a control group.

The Carnegie Mellon test might seem a bit contrived, however, because the control group was pretty unrealistic. It's hard to find a group of college students who could take a test without being interrupted by gadgets.

Larry Rosen, a professor at California State University-Dominguez Hills, published a study in the May issue of Computers in Human Behavior that attempted to quantify how often students of all ages are distracted by technology while studying. Even under ideal circumstances, the results were dismal.

Rosen's observers followed 263 students into their normal study environments — bedroom, library, den — and told them to work on an important school assignment for 15 minutes. Even knowing they were being watched, the students couldn't resist texting or using social media. So-called "on-task" behavior started declining at about the two minute mark, and overall, only 65 percent of the time was used on schoolwork.

"We really assumed we set up a situation where people would try to impress us," said Rosen, an expert in the psychology of technology. "Frankly, I was appalled at how quickly they became distracted."

'Problem built into the brain'
The two studies, published closely together, generated strong reaction, particularly from students.

"Yes, we text in class, but if my grade in that class is and A or a B I don’t see why it’s a problem," wrote one student to Paul.

It's a big problem for both students and adults, Paul counters, for plenty of reasons. Assignments inevitably take longer when learners split their time between tasks, she says. All that task-switching wears out the brain and makes learners more tired and less competent. Most important, several studies have shown that information learned while partially distracted is often quickly forgotten, so the learning is tragically shallow.

The key to transferring new information from the brain's short-term to long-term memory is a process called "encoding." Without deep concentration, encoding is unlikely to occur, explained Nicholas Carr in his book “The Shallows: What the Internet is Doing to Our Brains.” 

So Paul is among a group of researchers who worry that the digital divide is not about the gadget haves and have nots, but rather about those who can resist the constant distracting tug of technology and those who cannot. She compares it to the famous marshmallow test, which shows that children who can delay eating one marshmallow for 10 or 15 minutes on the promise of gaining a second one are the most likely to succeed later in life. In a new "marshmallow" test, educators or employers might test to see how long people can resist "a blinking inbox or a buzzing phone."

"There are those people who think that multitasking is simply the way life is now and we should be focusing on getting better at it ... that we are a bunch of old fogies who don't understand," Paul said. "But scientifically, there is no evidence for that. There are fundamental biological limits to what the brain can pay attention to. This is a problem built into the brain."

Follow Bob Sullivan on Facebook or Twitter.

Prepaid debit cards, long synonymous with frustrating or even exploitative fees, are suddenly a pretty good deal. In fact, artfully deployed, a prepaid card can be used without any fees at all, and serve as a real substitute for a checking account.

It should come as no surprise, however, that there is still plenty of small print to worry about.

It would have been unthinkable a few years ago to put the words "good deal" and "prepaid card" in the same sentence. Called "general purpose reloadable cards" by the industry, prepaid debit cards that allow repeated deposits have always come with a laundry list of traps designed to grab $2-$3 at time from unsuspecting card holders: fees for loading, fees for withdrawing, fees for checking balances, fees for doing nothing. (A story in 2009 recounted an ordeal where a consumer was charged $2.95 when his transaction was declined (he claimed there were sufficient funds in his account), then was charged $1.95 when he called to complain.)

But banks are easing off some of those fees thanks to a number of factors — competition being chief among them. Large banks like Chase have jumped into the prepaid market, creating sizable networks for cardholders to enjoy fee-free ATM withdrawals.  Walmart's aggressive steps into the market have helped consumers, too — card holders can deposit money onto cards at ubiquitous Walmart stores for free.

"We are seeing new entrants to the market with some pretty compelling offers," said Greg McBride of Bankrate.com, which recently issued a report about the turnaround in the prepaid debit market. "Over time, this will marginalize the higher-cost offerings that have characterized the prepaid marketplace so far."

That marketplace is expanding, even when some other parts of the plastic card market are shrinking, according to a report from bank consultancy Mercator Group. Gift card purchases dropped slightly from 2011-2012, but reloadable cards that act as pseudo checking accounts were purchased by 14 percent of U.S. consumers in 2012, up from 12 percent in 2011, the Mercator report said. The Consumer Financial Protection Bureau says $57 billion was loaded onto reloadable cards last year.

Even consumer advocates have noticed the kinder, gentler nature of the reloadable cards, and some even think they are a real alternative for the 10 million U.S. adults who currently don't have a checking or savings account.

"There has been tremendous price compression. We look at the fee schedules for these cards, and it isn't that horrible," said Jennifer Tescher, CEO of the Center for Financial Services Innovation. "We feel like these products are headed in the right direction, that (prepaid cards are) becoming a mainstream product. I am quite excited about the possibilities."

Transparency spurs growth
New prepaid cards come with a long list of benefits once limited to checking account users. Consumers can direct-deposit paychecks onto the cards (and in many cases, avoid monthly fees by doing so). The cards allow holders to make Internet purchases. They can sign up for online banking and pay bills online with the cards. In some cases, they can even write paper checks using the accounts.

McBride links growth in the market to a growing transparency about costs. In the past, consumers were often forced to buy the cards at grocery stores or other retail outlets without being able to see a full list of quirk fees which were sometimes only available online. But newer card issuers have adopted simplified, single monthly fee structures that are winning over consumers.

"The transparency of that one monthly fee is pretty compelling. You can easily quantify what the cost is going to be," McBride said.  Even more compelling — that monthly fee may very well be less than the fee on a low-balance, entry-level, traditional checking account. For example, Bankrate's survey of 24 prepaid card issuers found that 15 had monthly fees ranging from $3-$10. Bank of America's entry-level checking account can cost $12 monthly. (In both cases, monthly fees can be avoided via direct deposit and other ways).

Prepaid debit cards are not a replacement for traditional checking accounts. Most critically, prepaid cards enjoy none of the standard federal consumer protections that credit and debit cards do. There are no refunds for fraud, for example, and there are no dispute resolution requirements. As a result, Internet message boards are full of consumers who complain that money has been stolen or is missing from their card balance, and who say they have no recourse.

Because of the lack of federal protections, prepaid debit card payments are similar to wire transfers — once the money is sent, it's gone — and Internet criminals have taken notice. Cards like the popular Green Dot have become a frequent, and powerfully elusive, way for Net criminals to steal from consumers. Nigerian scammers, for example, no longer need to trick a mark into visiting a Western Union and wiring money overseas. Many now trick victims into buying a Green Dot card instead, and sharing the secret payment code online. The Better Business Bureau, and NBC News' ConsumerMan, issued a warning about this recently.

Consumers also complain about poor customer service when they call to dispute deductions, or when they complain about missing money.

But it appears general purpose reloadable cards are here to stay. They have become popular with government agencies that disburse funds — such as unemployment benefits or tax refunds. Loading a card is safer and cheaper than mailing checks. And while they have a reputation for servicing consumers who are blocked from traditional banking, a growing number of middle-class consumers are using the cards. A report issued last year by the Aite Group says 34 percent of users hold college degrees, and one-third earn more than $45,000 annually.

Red Tape wrestling tips
People use pre-paid debit cards in two very different ways — they should be different products — and it's important to understand the distinction before buying a card.

Short-term purchasers use them as gift cards: To give a college graduate $100 to spend how he or she likes, for example. The card will be used and discarded. For that use, pick a card with low activation fees, even if it has a higher monthly fee. Just advise the recipient to use it quickly. Another slice of consumers use prepaid cards to spend at special events like vacations. They fall into the same category. 

On the other hand, consumers who plan to use prepaid cards as a checking account substitute, and who plan to take advantage of a card's full slate of options — frequent ATM withdrawals, check deposits, etc. — should pay more attention to monthly fees when buying a card. 

Many of these fees are not obvious from the card packaging, so it's worth doing a little research online to pick the best card for your purpose. Consumers Union warns consumers to consider the following potential costs:

• Activation or initiation fees
• Monthly fees
• Point-of-sale transaction fees
• Cash-withdrawal fees
• Balance-inquiry fees
• Fees to receive a paper statement
• Fees to call customer service
• Bill-payment fees
• Fees to add, or “load,” funds
• Dormancy fees for not using your card
• Fees to get your remaining funds back when closing the account
• Overdraft, or “shortage,” fees

Related: 

'Like a drug:' Payday loan users hooked on quick-cash cycle

Follow Bob Sullivan on Facebook or Twitter.

LivingSocial's customer database has been hacked, impacting the website's 50 million customers. The firm began sending emails to customers Friday afternoon telling them they would have to change their site passwords.

"We recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue," LivingSocial CEO Tim O'Shaughnessy said in an email to employees that was provided to NBC News by a company spokesman.

The memo said that customer credit card information was not stolen — it was stored in a separate database. And while the hacker stole customer passwords, they were encrypted and "salted," or scrambled.

In the memo, O'Shaughnessy included the text of the customer email. "Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one," read the email.

The company advised consumers who used their LivingSocial password at other sites to change the password at those sites, also.

The firm expects its customer service phone lines to be deluged, so O'Shaughnessy warned that he may decide to temporarily suspend telephone customer service. "We will be devoting all available resources to our Web-based servicing," he added.

O'Shaughnessy's message to employees concluded:

I apologize for the formality of this note, which the circumstances demand. We need to do the right thing for our customers who place their trust in us, and that is why we’re taking the steps described and going above and beyond what’s required. We’ll all need to work incredibly hard over the coming days and weeks to validate that faith and trust.

When Zappos.com had a similar incident last year impacting its 24 million customers, it also turned off customer service telephone lines temporarily.

The LivingSocial attack is among the largest ever, doubling the size of that Zappos attack, but still smaller than several other high-profile hacks, such as the 2011 attack on Sony's Playstation network, which impacted nearly 100 million users. Because the LivingSocial attack doesn't involve financial information, it doesn't rank among the most significant hacks, however.

Amazon is a part-owner of LivingSocial. A LivingSocial representative confirmed that Amazon accounts were not affected by the breach.

Follow Bob Sullivan on Facebook or Twitter.

Symantec Corp.

This pop-up screen appears to come from the FBI.

Computer users around the globe are being hit by a new kind of virus that freezes their computer and accuses them of committing heinous crimes, like distributing child porn. The threats sound real enough that victims are coughing up $200 to pay a "fine," and virus writer gangs are netting millions, security firms say.

The message that flashes across infected computer screens sounds downright scary:

"You have been viewing or distributing child porn ... violating article 202 of the Criminal Code of the United States of America," says one version, allegedly sent by the FBI. A virus victim supplied the message to NBC News.

In each case, the accusation appears on a pop-up screen while the virus simultaneously disables the computer. The message often shows the user's IP address and city, and sometimes, recent websites visited by the victim.  The most alarming version activates the victim’s webcam, takes his or her picture, and displays it on the warning.

"They are saying, 'we know who you are, where you are, and what you were doing,'" said John Harrison, a security researcher with Symantec. "They attempt to scare the heck out of you."

The victim is then offered an option: pay a fine within 72 hours, and the charges will be dropped, while the computer will be restored. 

Symantec Corp

In this version of the scam, the virus activates the victim's webcam and displays an image from it on the screen, making the warning even more unnerving

The malicious software is so cleverly crafted that it comes with 30 to 40 versions packed inside. It displays in the appropriate language for victims — English, Spanish, Russian, etc. — and invokes the local federal authorities. A U.S. victim might get a notice from the FBI's Internet Crime Complaint Center, while a Canadian victim gets one from the Royal Canadian Mounted Police.

The message is fake, of course — and even those who pay the "fine" still have a broken computer. But victims worldwide are falling for it. Harrison said for one version he tracked, roughly 3 percent of victims actually paid up. The criminals behind that virus netted $5 million, Symantec estimates.

With results like that, other virus gangs have been quick to copy the profitable formula. Symantec believes that gangs who spent the past couple of years making money tricking consumers into paying for fake antivirus software have all taken up the fake criminal charges and fine scam.

"So many of these folks have jumped on the bandwagon," Harrison said. "They have really transitioned into this."

The general technique is called ransomware — a virus disables the computer, allegedly holding it hostage until a ransom is paid — and it's not new. But the clever combination of an abrupt interruption, the localization trick, and the severity of the accusation catches many victims unaware, and they let their guard down enough to pay the fine.

There are no hard numbers on the frequency of ransomware, but there's plenty of anecdotal evidence it's on the rise. In February, Europol busted a multi-national crime ring involving a Russian programmer arrested in the United Arab Emirates, and 10 others arrested in Madrid, Spain. There were victims across 30 countries.  Authorities in Spain said 700,000 Spaniards had contacted the government asking for help after becoming infected.

The agency issued another warning about the scam on April 11.

“Fraudsters are deploying extortion techniques using Europol's identity and logo to con EU citizens out of money,” the warning says. “Variations of this con, using the identities of other international and European agencies, are also in circulation.”

It's possible the problem is even worse than security firms realize, because many victims may not be reporting the infection, Harrison said.

"If you were at work and there was a message on your screen that said you were viewing child porn, would you run to get your IT department?" he said.

Most victims pick up the virus by visiting booby-trapped web pages that surreptitiously install software on victims' machines through "drive-by” download, or by downloading free software from disreputable sites.  In fact, some variations of the virus accuse victims of violating copyright law, knowing that is likely true.

Victims shouldn't pay the fine, Harrison said, but they should know that various software tools — including free tools available at Symantec — can rid their machines of the virus.

Follow Bob Sullivan on Facebook or Twitter.

A stock market and a nation already on edge was temporarily knocked off its axis on Tuesday by a single fake tweet. 

Following a hack attack, the Associated Press' verified Twitter account posted "an erroneous tweet" claiming that two explosions occurred in the White House and that President Barack Obama is injured. Moments later, the @AP Twitter account — with nearly 2 million followers — was suspended.

"That's a bogus tweet," an AP spokesperson initially told NBC News, a statement that was repeated by the company's corporate communications account. Though the false tweet disappeared, the false message continued to exist on the service in over 4,000 retweets.

The chart of the Dow Jones industrial average just after 1 p.m. may as well have been a chart of America's heartbeat -- stopped for a moment, again, by seemingly horrific information. The Dow lost more than 140 points almost instantly, before recovering five minutes later.

It's incredible what a single 12-word lie can do.

"We're in an environment where we're sensitive to any news that sounds like terrorism," said Art Hogan of Lazard Capital Markets.  "That makes it that much more believable. That's the tricky part. When something like AP gets hacked, it becomes reality for a period of time, until it's not."

The market's reaction hints at the our collective fragility right now.  In the past, carefully crafted fake press releases or other Internet disinformation has been able to influence individual stocks both up or down.

But a single Tweet sinking the market?  It's just the latest sign that lies now spread on the Internet as fast as computer viruses, and can have just as much impact. Like the false rumors that spread like wildfire during the Boston bombing aftermath, or Hurricane Sandy before that, Twitter's surge to mainstream popularity — it now boasts 140 million U.S. accounts — has made it an incredible source of on-the-spot information, but also the world's most powerful rumor-mongering tool.

"You wonder who did it and whether it was done on purpose. It certainly was an instant implosion," said Art Cashin, director of floor operations for UBS Financial Services, who watched the minutes of bedlam on the floor of the NYSE. Cashin said the reaction was especially dramatic because it said the president was injured.

If you define the term "hacking" loosely, you might consider that whoever wrote the fake tweet hacked not only AP's account, but the entire Wall Street trading system. The trades which sank the market Tuesday were almost certainly initiated by automated trading programs designed to profit by fast-twitch reacting to good or bad news.

The combination of a jittery public, automated trading, and a worldwide rumor tool was toxic for the markets.

"That goes to show you how algorithms read headlines and create these automatic orders — you don't even have time to react as a human being," said Kenny Polcari of O'Neil Securities. "I'd imagine the (Security and Exchange Commission) is going to look into how this happened. It's not about banning computers, but it's about protection and securing our markets."

It's also about figuring out how to handle a world where the firewall between seemingly disconnected systems like Twitter and brokerage servers is really only 91 characters long, particularly a world where skepticism’s classic grains of salt seem to be in short supply.

CNBC's JeeYeon Park, Patti Domm and John Melloy contributed to this story.

Related: AP Twitter account hacked, posts false White House scare

Nicolas Asfouri / AFP - Getty Images

A woman checks her smartphone in this file image.

If you use your personal smartphone or tablet to read work email, your company may have to seize the device some day, and you may not get it back for months.

Employees armed with a battery of smartphones and other gadgets they own are casually connecting to work email and other employer servers. It's a less-than-ideal security arrangement that technology pros call BYOD — bring your own device.

Now, lawyers are warning there's an unforeseen consequence of BYOD. If a company is involved in litigation — civil or criminal — personal cellphones that were used for work email or other company activity are liable to be confiscated and examined for evidence during discovery or investigation.

It's a possibility even technology pros rarely consider, said Michael R. Overly, a technology law expert in Los Angeles.

"You would be very surprised to hear that even extremely sophisticated business people seem shocked when they learn their personal phone, including email, GPS data, photos ... may be subject to review in litigation involving their employer," Overly said.

BYOD is a worldwide reality and a dramatic shift in the way companies outfit their employees with work tools. Cisco Systems Inc. released a report earlier this year saying 42 percent of all "knowledge workers" own the smartphones they use for work, and two-thirds of companies expect the employee-owned device phenomenon to increase.

Hidden cost
The convenience is hard to ignore, as is the personal touch — workers love picking their own phones — but of course, cost savings is the real driving force. Increasingly, companies are requiring workers to supply their own gadgets at their own cost, the way a restaurant might require waiters to purchase their own uniforms.

Even if companies reimburse those employees, there can be a big hidden cost for workers — the possibility of losing their phone for days or months while their company combs through it for data relevant to legal action.

“People’s lives revolve around their phone, and they are going to become more and more of a target in litigation,” Overly said. “Employees really do need to understand that .”

Giri Sreenivas, a mobile phone security expert at Boston-area firm Rapid7, warned discovery requirements can extend far beyond email stored on smartphones.

"Text messages and cellphone records might be subject to discovery, too, even if you never connected to company email," he said.  "If lawyers believe the device was used for work purposes, it can be (taken).”

Race to keep up
How could firms gain the right to rummage through the most personal items on worker’s phones — pictures, texts, social media accounts?  In many cases, it’s not a right, it’s a duty, says Overly. When a company is sued, and required to produce documents as part of a discovery process, it must make a good-faith effort to retrieve data — wherever it may be. That includes employee-owned gadgets. 

In fact, Overly says he was part of a case recently where a judge sanctioned a company for a discovery violation because it failed to search BYOD devices during discovery. He declined to name the case.

Companies are racing to keep up with the trend — trying to set policies, inform workers of their rights, and superimpose BYOD rules over arrangements that organically evolved within their workplaces. Increasingly, companies are requiring workers to sign agreements that alert them to the potential of personal gadget seizure, Overly said.

Christopher Dahl runs a Seattle-based firm that specializes in digital document retrieval for lawyers called Lighthouse eDiscovery. While he says industry discussion is dominated by talk of BYOD discovery, he said gadget seizure has not become common — yet.

"We see mobile devices infrequently. We only had one come in last month," Dahl said. "It's typically pretty rare where the company can't get the same information from another location. Companies will have to disclose that the information is on that second location (the smartphone) but typically don't have to dig into that second place."  

Red Tape wrestling tips
Workers wary of having their personal phone nabbed can carry two phones – one personal and one for work – but even that’s not fool-proof. An occasional connection from the personal phone to work email can make the phone subject to discovery. Going this route requires diligent work and personal separation.

"The No. 1 thing you can do to ensure your device is not subject to seizure is to remove any sort of company account ... and then inform the company it's been removed," said Sreenivas.

Dahl warned about accidental blending of personal and work data through a seemingly innocent USB charge connection that leads to accidental synching of data. 

There may be a technology solution to this problem in the future. The newest Blackberry phone claims to create a work data-personal data divide, which has the potential to limit the searches that might be conducted by company lawyers

Follow Bob Sullivan on Facebook or Twitter.

Cellphone users annoyed by costly text spam or unexpected fees have hope: The Federal Trade Commission filed its first ever case against so-called "mobile crammers" on Wednesday.

In a complaint filed in a Georgia federal court, the FTC is alleging that Wise Media sent consumers text message spam and signed them up for $9.99-per-month "premium" text services with horoscopes, flirting tips and other unwanted information.

The FTC is seeking a permanent injunction against the company's alleged unfair trade practices and a freeze of the company's assets.

"Wise Media and its operators have taken advantage of the fact that consumers may not expect their mobile phone bills to contain charges from third parties and that Wise Media’s charges appear on bills in an abbreviated manner that does not always clearly designate the company as the source of the charge," the FTC said in its statement. "As a result, many consumers didn’t notice or understand the charges and paid the bills."

Complaints against Wise Media began to appear online as early as April of 2012. The firm is not accredited by the Better Business Bureau, thought its Atlanta office has received 26 complaints since last year — nearly all billing related — though it says those complaints have been “closed.”

Attempts to contact Wise Media were unsuccessful. Callers who dialed its Atlanta phone number on Wednesday heard a message saying the number had been changed to an unlisted number.

The FTC says Wise Media has been hard to reach in the past.

"The Commission alleges that Wise Media went to great lengths to hide its contact information from consumers. When consumers victimized by the scam were able to find a phone number for Wise Media, its call center employees frequently promised refunds that were never provided," it said.

Cramming is a decade-old trick to place third-party charges on consumers' telephone bills without their knowledge. Despite Congressional hearings on the issue, which is among U.S. consumers' biggest beefs, telecom providers continue to have trouble stopping crammers.

A report by Sen. Jay Rockefeller's office in 2011 found that consumers lose $2 billion annually to cramming.

Mobile phone cramming is relatively new, however. As consumer phone bills become more confusing, and as smartphones become more powerful, the risks to consumers have grown quickly. NBC News recently described cell phone attacks that could cost consumers thousands of dollars and net criminals millions.

Cramming doesn't require hacking, however.  It can be as simple as a third party company telling a telecom provider to add the charge to a consumer's bill. While telecom providers say they require third-party firms to get consumers' consent, consumers often complain that doesn't occur.

“As more and more consumers move to mobile phones, scammers have adapted to this new technology, and the Commission will continue its efforts to protect consumers from their unlawful practices,” said FTC Chairwoman Edith Ramirez.

Red Tape wrestling tips
Consumers who receive an unexpected text message — such as notification that they've won a contest — should ignore the message and carefully check the following month's bills for unwanted charges.  They can also look up the number at a website called SMS Watchdog, which tracks potential mobile phone spam. Consumers should also consider calling their cell service provider and turning off “premium text message” services.

Follow Bob Sullivan on Facebook or Twitter.

Banks knocked offline, day after day - on Thursday, it was WellsFargo.com's turn. A digital skirmish between two European firms that grew so large it slowed Internet traffic worldwide. If it feels like the Net has been fragile lately, there’s a good reason: Computer criminals are launching more powerful attacks and are gaining the upper hand.

Security firms have been relatively successful in recent years countering denial of service attacks — criminal assaults that overwhelm websites with fake traffic to make them unreachable, the equivalent of speed-dialing a friend's phone repeatedly so no other calls can get through — with software designed to separate real traffic from fake, or simply by purchasing bigger Internet pipes that can absorb the requests.

But the equation is changing dramatically as criminals have learned how to use the Internet against itself.

Among the Web’s dirty little secrets: Economics strongly favor the criminals. They hijack bandwidth used for normal Web operations, concentrate it and aim it at a target. The more money that firms invest in bandwidth to protect against traffic floods, the more bandwidth crooks can steal and use to attack. Worse yet, the bigger the pipes going into hijacked computers, the fewer computers criminals must control to succeed in an attack. 

An attack that might have required 10,000 compromised computers in past years can now be accomplished with 100. That means the costs for the criminals is going down, while security costs are going up. 

"The problem is, this is an asymmetric war, an arms race we can't win because they are using our resources against us," said Rodney Joffe, senior technologist at Internet infrastructure company Neustar, which helps companies fight denial of service attacks. "That's why building larger highways won't help. They just make use of our resources."

Wells Fargo told NBC News that some of those resources were used to knock it offline for part of the day Thursday.
“We’re seen an unusually high volume of website and mobile traffic which we believe is a denial of service attack,” the firm said in a statement.

'Not really much we can do'
Last week, a European denial of service incident that targeted spam-fighting organization Spamhaus and its Internet providers involved an incredibly focused attack that stormed the service with one of the largest measured attacks in history. There is debate about how much the rest of the Internet suffered as a result of the attack — in truth, the impact was imperceptible to most — but it would be a mistake to overlook it.  Experts expect copycats soon.

The Spamhaus attack used a technique that’s more than 10 years old. Domain name servers that run the guts of the Internet were tricked into sending a flood of traffic at Spamhaus. Hijacked computers with disguised, or spoofed, return addresses asked the DNS servers for long lists of data — specifically, to resolve website addresses — which were reflected and sent by the servers to Spamhaus servers.  Exploiting about 1,000 misconfigured DNS servers was enough to generate a record-sized attack. A group devoted to fixing such misconfigured machines says there are 25 million of them on the Web, ready to be exploited.

DNS attacks haven’t been top priority in recent years, partly because servers didn't need large amounts of bandwidth to do their relatively simple everyday tasks of matching numerical Internet addresses with common website names. Today, many are linked with high-capacity pipes, making them newly attractive takeover targets for hackers.

The bank attacks work differently. The group behind them — which calls itself al Qassam — uses an army of thousands of compromised computers called a botnet in coordinated actions to attack banks.  But al Qassam holds an advantage: A single compromised home PC, connected to the Internet with high bandwidth, can generate 100 times the malicious traffic as a similar computer five or 10 years ago.

"There's not really much we can do about that," said Michael Smith, director of the customer security incident response team at Akamai Technologies Inc., which provides website performance optimization and security for some of the companies targeted in the attacks. "Speeds are going to get faster."

Changing tires on a moving bus
Aaron Rudger, a spokesman for Internet traffic measurement firm Keynote, notes that denial of service attacks rarely escalate beyond a major annoyance for companies or consumers. Traffic after the Spamhaus attack was back to normal within a few hours as packets found other routes to their destinations.  Consumers who need access to their bank accounts can use the telephone, or in some cases, even mobile phone apps when a bank’s website is down.

“You can't really kill the Internet,” Rudger said. "The Internet in general is inherently very resilient.”

There are ways to fix the denial of service attack problem, but they are expensive and would require fundamentally changing the protocols that govern the way the Internet works. And it would all have to happen without interrupting Internet service.

“It’s akin to changing the tires on a bus moving 60 mph,” Joffe said. “We have to rethink the entire thing.” Proposed new rules would make it impossible to use fake return addresses, for example, but Internet service providers around the globe would have to agree to the changes.

Avivah Litan, a banking security analyst with consultancy Gartner Group, said that an even more radical change might be necessary, because there’s really no way to get rid of the criminals.

“We might have to put the banks on a private Internet,” she said. “Because we are not going to get rid of the people attacking the banks ... You might think the only way it's going to end is if we take them down, but they are like Al Qaeda, totally distributed. In fact they are 1,000 times more distributed.”

Follow Bob Sullivan on Facebook or Twitter.

Related:

• Cyberattack on banks signal urgent need for security bill, lawmakers say
• Bank website attacks reach new high: 249 hours offline in past six weeks

Keynote Systems

The chart above shows the availability of major U.S. bank websites during the past year. Data points below the top indicated less than 100 percent availability. Descending fever lines indicate severe outages; many are blamed on denial of service attacks.

Major U.S. bank websites have been offline a total of 249 hours in the past six weeks, perhaps the clearest indication yet that American companies are prime targets in an unrelenting, global cyber conflict. The heavier-than-usual outages are the result of a remarkable, sustained attack that began seven months ago and repeatedly knocks banks offline for hours at a time, frustrating consumers and bank security professionals alike.

"Literally, these banks are just in war rooms, sitting at controls trying to stop (the attacks)," said Avivah Litan, a bank security analyst with Gartner Group, a consulting firm. “The frightening thing is (the attackers) are not using as much resources as they have on call. The attacks could be bigger."

The denial of service reports were hardly noteworthy at first, hidden in the wake of news that U.S. embassies were under siege during the week of September 11, 2012. But in short order, Bank of America, Wells Fargo, PNC and a number of other banks suffered hours-long website outages. A group calling itself Izz ad-Din al-Qassam Cyber Fighters released an anonymous statement saying it was attacking banks in sympathy with real-world protestors who were reacting to an anti-Islam film that had been posted online.

Seven months later, the group is still taunting the U.S. financial system, with notice almost daily from another bank that had to apologize for letting down its customers. American Express and Wells Fargo issued statements last week saying they suffered outages. Even with advance notice, the biggest financial institutions in the world can’t seem to stop them.

No one interviewed for this story believes that a perceived insult over a Web movie is the attackers' motivation, as the al Qassam messaging has stated. Though some considered that it might be the work of attention-seeking teen-aged hackers, they would likely have grown bored, or run out of resources, long ago.

In the fall, national security officials speaking on background told several media outlets, including NBC News, that they suspected the Iranian government was behind the attacks. It seems certain that an organized group, with both a political motive and the ability to fund the operation, is to blame.

Keynote Systems, which provided the compilation of bank outages exclusively to NBC News, measures website availability by checking sites every five minutes and logging the results. It works with major banks to set up "dummy" accounts so its computers can log in and make sure online banking services are available, and constantly checks the largest 15 U.S. banks. Websites go offline for a variety of reasons — late-night software upgrades, for example — and some outages are to be expected, said Aaron Rudger, a Keynote spokesman.

Still, 249 hours during a six-week period (ending March 31) is significant, indicating those bank websites were unavailable for about 2 percent of the time during that stretch. For comparison, during the same six weeks a year ago, the same bank websites were down 140 hours. Keynote has no way of knowing why a site is unavailable, but Rudger was comfortable inferring that the so-called al-Qassam attacks were responsible for most of the increase.

Rodney Joffe issued chilling advice to banks preparing for an al Qassam-style attack last fall: Prepare a sincere-sounding apology, he said at the time. Given the volume of apologies since then, he turned out to be right.

"It goes on and on and on ... It's like they are kicking sand in someone's face, reminding people that they are there," said Joffe, who is senior technologist at Internet infrastructure company Neustar, which helps companies fight denial of service attacks. "You just have to ask yourself, 'Why?' (The attackers) just seem to enjoy being able to say 'On an ongoing basis, we can make life uncomfortable for your banking industry.'"

Not everyone thinks the bank site outages are such a big deal.

Michael Smith, director of the customer security incident response team at Akamai Technologies Inc., which provides website performance optimization and security for some of the companies targeted in the attacks, points out that customers have plenty of other ways to manage their money, and the outages haven't amounted to much more than an irritant.

More importantly, he says al Qassam has begun targeting smaller banks and other kinds of websites as larger banks become more successful at fending off their attacks or shortening the outages. The attackers also took a hiatus for part of February — Smith says to invent new attack techniques, probably — and have ceased tipping off targets ahead of time with weekly press releases.

"We aren't seeing as many notifications that sites are down as we were. The impact just is not as dramatic as it was," Smith said. "They are changing tactics and trying to generate more attention, more press."

Joffe says this is part of their strategy.

"The bad guys here are using just enough of their firepower to achieve their objectives and not more," Joffe says. "They are creating a disruption to the banking industry. ... We already know if they wanted to make it bigger attack, they could, but it seems pretty clear that's not their intention."

Follow Bob Sullivan on Facebook or Twitter.

More from Red Tape Chronicles:

• Celebrity hackers stole data from AnnualCreditReport.com, Equifax says
• Google pays $7 million to settle 'Wi-Spy' case filed by states
• Why consumer agency must go, and why it should be saved

The Consumer Financial Protection Bureau (CFPB) made its database of complaints against mortgage issuers, student loan firms, credit bureaus and other kinds of lenders available to the public for the first time on Thursday. 

The database covers 90,000 complaints with more than 1 million data points covering 450 companies.

The CFPB spreadsheet allows consumers to find the most complained-about banks in highly specific categories. For example, Capital One received the most complaints about credit cards, and Bank of America received the most complaints about traditional adjustable-rate mortgages.

It's important to note that the data isn't normalized and that banks with more customers receive more complaints.

Data can be sorted at the bureau's website by state or company. It can also be downloaded for free and used in privately developed applications. 

The agency's complaint database was released on a limited scale last year, and included only 19,000 credit card-related complaints. Thursday's announcement represents a large expansion of publicly available data. 

The bureau hopes consumers can use the information to make more informed choices about banks they do business with. "By sharing these complaints with the public, we are creating greater transparency in consumer financial products and services,” said CFPB Director Richard Cordray. “The database is good for consumers and it is also good for honest businesses."

Complaints are listed in the CFPB database only after the company responds to the complaint or after they have had the complaint for 15 days. Records include the type of complaint, the consumer's ZIP code, the company, and the resolution. Consumers' names and other personal information are not shared.

Among student loans and mortgages, about two-thirds of the complaints involve consumers who are having trouble repaying their loans, according to an analysis provided by the CFPB of complaints filed through February. Many of the mortgage complaints reflect consumers' paperwork-related frustrations when attempting loan modifications. 

Nearly three-quarters of the 6,700 complaints filed against credit bureaus involve inaccurate information. Credit card complaints are more scattered, with billing disputes making up 15 percent. A common gripe, the bureau says: Consumers don't realize they have to dispute a suspicious item on their credit card bills within 60 days.

In a blog post that accompanied the release of the data, CFPB official Scott Pluta said he hoped consumers would be creative and find new ways to examine and use the data.

"From infographics to iPhone apps, we’ve seen people do amazing things with the credit card complaint data that was available before today," Pluta said. "We encourage the public, including consumers, analysts, data scientists, civic hackers and companies that serve consumers, to analyze, augment, and build on the information in the database to develop ways for consumers to use the complaint data or mash it up with other public data sets to reveal potential trends."

The bureau plans to expand the data to other complaint categories in the future, he added.

Follow Bob Sullivan on Facebook or Twitter

More from Red Tape Chronicles:

• Celebrity hackers stole data from AnnualCreditReport.com, Equifax says
• Google pays $7 million to settle 'Wi-Spy' case filed by states
• Why consumer agency must go, and why it should be saved

Devastating cellphone hacks that hijack your most personal gadget and rob you of privacy and money have long been forecast. But even as smartphone users in Asia are beginning to suffer exploding bills and emptied bank accounts at the hands of hackers, U.S. users largely remain safe and blissfully unaware of the gathering threat.

Not for long. 

Criminals have been probing the systems that protect U.S. smartphone users for years, searching for the right combination of programming tricks and social engineering that would allow them to sneak onto users' phones. Recently, one hacker group hit the jackpot.

They took a year-old mobile virus named NotCompatible, which allows hackers to take complete control of a phone, and posted the malicious code on websites. Then they sent out enticing spam emails with links to the booby-trapped sites. The emails were all the more tempting because they appeared to come from friends or others on the recipients’ contact list.  Victims who clicked on the link from their phones and downloaded the file surrendered control of their Android phones to the criminals. Security firm Lookout says 10,000 customers per day are still being tricked to click on the bogus link and landing on the booby-trapped pages, and virtually all of them are in the U.S.

Tim Strazzere, Lookout’s lead research and response engineer, said the sudden "staggering increase" in detection of the of the NotCompatible, which initially appeared one year ago, shows that the marriage of spam and mobile malware might be a recipe for real trouble.

"This Android malware is unique," he said. "It's exactly the same scheme and end game as before, but it's just being circulated through different means. And it's working."

U.S. smartphone users have been spared much grief from mobile malware so far for a variety of reasons. Chief among them: Most users get their apps from a centralized and safe source. Apple keeps tight controls on its App Store, so malware writers are largely ignoring that platform. And while Google's Play Store for Android is not as tightly controlled, criminals haven't had much luck sneaking infected software onto that platform, either.  That leaves hackers with time-consuming, clumsy methods, such as tricking users to visit a rogue website and electing to install an app.

Android attackers in other parts of the world have an easier time. In China, for example, it's hard to access Google's Play store, so consumers often get their apps from websites. That means rogue apps on random websites raise less suspicion.

But Strazzere warns that the criminals behind NotCompatible have found a way to make U.S. users almost as vulnerable as those in Asia – a direct email invitation from a friend to install what turns out to be a bogus app.

Those who might dismiss this scenario should beware: Last month, when a report by Mandiant Corp. alleged that hundreds of U.S. companies had been hacked by an arm of the Chinese military, the initial method of attack was almost the same -- a "spear-phishing" email that appears to come from a co-worker or friend, sent to entice the recipient into clicking on a virus-laden link.

Smartphone users might fear that a criminal with access to their devices might destroy all their data, "brick" the phone or prank call all their contacts. But the real nightmare from a hacked phone is much more subtle, and can be much more expensive, than having to replace a phone.

Vikram Thakur, a researcher at Symantec Corp., studied one mobile phone hacker who turned compromised devices into an estimated $1 million annually.

“We found a mobile phone botnet, which had … maybe 200,000 cellphones which were compromised and in control of just this one person," he said. "(He) was able to send text messages, make these phones view videos, which were in turn giving him money; and he was doing so about 25,000 times a day."

Cellphone hackers don't do anything to call attention to themselves. Instead, their programs are designed to run in complete silence, in the background.  And they cover their tracks. There's no log of calls placed to dicey overseas numbers, no evidence of text messages sent that can run up a monthly bill.

“Your phone bill might have extra data usage toward the end of the month,” Strazzere said.  "That might be the only way you'd know."

Hackers around the world have clearly trained their attention on the fertile ground of phone hacking. Kaspersky Labs, another security firm, says there has been "explosive growth," and offers numbers to back that up. In January 2011, it counted only eight new malicious mobile malware programs. At the end of 2012, it counted 6,300 such programs monthly.

Nearly all of that activity has until now targeted overseas users, sometimes with devastating results. A program aptly named "BillShocker" by researchers infected 620,000 users earlier this year, mostly in China, and ran up hefty bills through premium text message services.

Mobile malware writers are also developing hybrid threats designed to counterattack online banking security systems.  In one sophisticated attack, criminals hacked both a victim's computer and cellphone, then lurked until an online banking transaction was initiated on the PC. When the bank sent a so-called "out of band" text message as a security confirmation, the criminals intercepted them and approved the transactions. A malicious program named Eurograbber is blamed for stealing $47 million from 30,000 bank accounts this way, according to a report by security firm F-Secure.

Those victims were in Europe, but now there are other indications that mobile hackers are circling the waters, aggressively looking for more ways into the U.S. market.  

Computer security expert Brian Krebs reported earlier this month on his blog that criminals are selling authorized Google Play developer accounts on underground bulletin boards.  A developer account would theoretically give a criminal the ability to post rogue software onto the Google Play store.

NotCompatible is a little less ambitious. Its main goal is to control a smartphone and turn it into a "proxy" device for overseas criminals, so they could pretend they were ordering expensive merchandise from within the U.S.  Because many online sellers use geographic location to filter out fraud, and many trust cellphone location information, a hacked phone can be a perfect tool for foiling fraud-fighting software.

"Companies block transactions when someone in Romania is trying to buy concert tickets in the U.S., for example," said Strazzere.  "NotCompatible allows them to hide where they are coming from ... gives them a little more mobility based on where they want to come from. With a hacked cell phone, they will look like they are where the endpoint is."

Strazzere sees the blended threat – part virus, part spam – as ushering a new style of cellphone attacks, just as such blended threats gave hackers the upper hand in the personal computer world during the last decade.

“This shows the progression of malware authors and what they are doing to experiment,” he said.  It also shows impressive coordination in attacks. “It’s still a new space for them. But they are figuring things out.”

Follow Bob Sullivan on Facebook or Twitter

More from Red Tape Chronicles:

• Celebrity hackers stole data from AnnualCreditReport.com, Equifax says
• Google pays $7 million to settle 'Wi-Spy' case filed by states
• Why consumer agency must go, and why it should be saved

Paul Sakuma / AP, file

Signs advertising bad credit auto loans, in this 2008 file photo.

You probably know you have a credit score, and that score dictates much of your financial future. You might know you have three credit scores, thanks to aggressive advertising from companies that sell access to them.

However, those hardly scratch the surface of the collection of credit scores lenders might use to judge you.  There are, most likely, dozens of scores that might control your ability to get a mortgage, buy a car or obtain insurance.  

Banks often use their own scores, tweaked versions of the FICO score that began the credit score craze. Auto lenders also have their own scores. So do car insurers. And old scores, based on old formulas, are still in use by many lenders.  U.S. consumers may have 50 different credit scores -- or more -- that could impact their ability to borrow money, and that number is rising, experts say.

"The idea of there being a one true credit score, well that's just not accurate," said Michael Schreiber, editor in chief at Credit.Com, a consumer advice website.

John Ulzheimer, a credit score expert who formerly worked for FICO score inventor Fair Isaac Corp., produced a detailed infographic for CreditSesame.com in September which detailed 49 different scores based on the FICO. He has found another five or six since them. And that number doesn't include competitors like Vantage Score, invented by the credit bureaus in an attempt to cut out Fair Isaac, or other proprietary kinds of credit scores. 

"Getting your actual credit score is a like game of roulette at this point," said Ulzheimer, now president of consumer education at SmartCredit.com. "Getting the wrong number can be overwhelming to a consumer. The lender is using one score but you don't know which score."

There are also exotic credit-based scores, such as a "revenue score," which predicts how much interest revenue a credit card holder will generate; a bankruptcy score indicating the likelihood someone will file for legal relief of debts; and a collection score that helps debt collectors prioritize their efforts.

Credit scores were once held completely in secret by the credit industry, but are more available to the public today. Credit monitoring services include them with monthly subscriptions. Fair Isaac, the inventor of the credit score, sells FICO scores at MyFico.com. Wells Fargo gives them away to consumers who walk in and ask about new accounts. Credit.com gives away a free score to site visitors. But with more scores being invented all the time, it's hard to say what consumers are looking at when they receive a credit score.

"It does irk people when they find out there's a very different number they get from one scoring model to another," said Gerri Detweiler, scoring expert at Credit.com. "People wonder, 'What good is it to check my score if the score banks see is different?'"

If any credit score provider implies consumers are getting a comprehensive view of their creditworthiness by ordering three credit scores -- based on their three credit reports at Equifax, Trans Union, and Experian -- that's misleading, Detweiler said. It's also misleading for any firm to suggest their score is the one used by most lenders.

Ulzheimer think so, too.

"If you go to MyFico and you get a score, that is the same brand of score that lenders are using predominantly," said Ulzheimer. "Going past that is an embellishment. … MyFico does sell you a FICO score, but it may not be the same FICO score that lenders use."

In fact, many banks have their own scores, which sprinkle their own criteria into the complex algorithm.  Car loan issuers, for example, often choose to weigh previous car loan payment history higher than other lenders, Detweiler said.

The proliferation of scores is partly the result of continuous updates to scoring formulas that are expensive for financial institutions to adopt, Ulzheimer said. 

"Scores are really nothing more than generations of software," he said. "Think of how many generations of Microsoft software are out there, for example.  Every year, there's something new that's a little better but kind of does the same thing.  Scoring systems are like that."

For example: Last week, the group behind the Vantage scoring system announced VantageScore 3.0. It has some consumer-friendly features, such as ignoring collections accounts that have been paid off (such accounts generally lower a consumer's FICO score), and providing exceptions for consumers who don't pay bills because of natural disasters like Hurricane Sandy. But firms may continue to use VantageScore 2.0 for a long time.

"A large bank that didn't want to update its systems could force providers to keep old scoring systems going for years," Ulzheimer said.

Given the proliferation of scores, should consumers even bother trying to see one of their credit scores?  Absolutely, says Detweiler. She says any score will offer a helpful reference point.

"Don't focus so much on the number as much as what direction you are moving," she says. "The number will give you some information about what areas of your financial life you need to work on.  But if there is a drop, you will know something significant has happened."

The number itself doesn't matter as much as how a consumer compares to the general population, she said. Armed with this information, consumers should be able to ensure they are getting a fair interest rate when borrowing money for a home or a car or applying for a credit card.  Consumers who rank near the top of a scoring scale should get a bank's best rate.

Because she thinks consumers should track their score over time, Detweiler says it's important to stick with the same score than trying to compare a free score doled out by a bank with another score purchased from a website.

Ulzheimer said it's fruitless and frustrating for consumers to obsessively follow their credit scores as they pop up and down, given that lenders see different scores anyway. He recommends "managing" to your credit report instead of your credit score, since the report is at the heart of all score formulas.

"What's constant across all scores is that doing the right thing will lead to a better score across the board,” he said. “If you pay your bills on time, your scores will go up. So worry about that. Managing to three credit reports is easier than trying to manage all those credit scores. ...Consumers have to let go of that, because the number of scores will continue to get larger, not smaller."

That's not to suggest variations among credit scores aren't important. In September, the Consumer Financial Protection Bureau published a study of credit scores revealing that variations among different scoring models could impact as consumer's borrowing costs about 20 percent of the time.

The study recommended that firms that sell credit scores "should make consumers aware that the scores consumers purchase could vary, sometimes substantially, from the scores used by creditors."

The best way to avoid paying too much for credit because of a credit score variation is to shop around. Never take the auto dealer's word for it that they've gotten you the best deal on your car loan.  The variations matter less with mortgages, where banks usually get three credit scores and throw out the lowest and higher score.

Detweiler said for personal sanity, consumers should avoid treating credit scores the way they treated SAT scores in high school, or grade point averages in college.

"Don't get too hung up on a number," she said.  "You know the serenity prayer? There are some things you have control over, and some you don't. Take care of the things you can control, like paying your bills, and the score will take care of itself." 

Follow Bob Sullivan on Facebook or Twitter

More from Red Tape Chronicles:

• Celebrity hackers stole data from AnnualCreditReport.com, Equifax says
• Google pays $7 million to settle 'Wi-Spy' case filed by states
• Why consumer agency must go, and why it should be saved

The Equifax credit bureau confirmed Tuesday that criminals have stolen credit reports from AnnualCreditReport.com, the website designed to allow consumers free access to their own credit reports.

Follow @RedTapeChron

The theft  suggests criminals have outfoxed AnnualCreditReport.com’s defenses, potentially giving them access to potentially 200 million Americans’ credit reports. According to the Consumer Financial Protection Bureau, 16 million consumers use AnnualCreditReport.com annually.

The nation's three largest credit bureaus -- Equifax, Experian and TransUnion -- were required by federal legislation passed in 2003 to offer consumers one free credit report every year. The three jointly operate AnnualCreditReport.com to fulfill that obligation.

Entertainment news website TMZ first reported Monday that highly detailed personal information on international celebrities and political figures – including Jay-Z, Beyonce, Attorney General Eric Holder and Hillary Clinton – had been published on a website, and that the FBI was investigating. The same website identified in that report published additional data on Tuesday, including details about first lady Michelle Obama and Vice President Joe Biden, leading to a flurry of interest in the source of the data.  Later Tuesday, Equifax confirmed that some of the data associated with those identity thefts had been stolen from AnnualCreditReport.com.

"Equifax can confirm that fraudulent and unauthorized access to four consumer credit reports has occurred through the AnnualCreditReport.com channel, a free public service that allows all consumers to get annual access to their credit report," the company said in a statement.  "Our initial investigation shows the perpetrators had the (personal information) of the individuals whose files were accessed and were therefore able to pass the required authentication measures in place. We have launched a full investigation into this matter and we are also working closely with law enforcement authorities on this matter."

The statement did not identify which credit reports had been accessed through the website or explain why more than four reports had been published on the website. 

TransUnion and Experian also confirmed unauthorized persons had managed to access the credit report data.

"TransUnion’s systems were not hacked or compromised in any way," the firm said in a statement to CNBC. "The sophisticated perpetrators of these fraudulent activities had considerable amounts of information about the victims, including Social Security numbers and other sensitive, personal identifying information that enabled them to successfully impersonate the victims over the Internet in order to illegally and fraudulently access their credit reports. TransUnion is taking steps to assist the individuals affected to help minimize any potential impact. We are conducting our own internal investigation and working closely with law enforcement."

Experian also said its systems weren't hacked, adding that "this looks to be an isolated situation."

Consumers who attempt to obtain their credit reports from AnnualCreditReport.com must answer a series of authentication questions. Many of these are what's known as "out-of-wallet" questions -- questions that a criminal who had stolen a wallet couldn't answer -- such as, "which bank holds your mortgage" or "which of these former addresses are valid."

That means the criminals who stole the credit reports probably had access to a host of personal information about their targets, allowing them to successfully answer the authentication questions. Some of that data can be purchased from other online data brokers, culled from web pages or even determined through guesswork and the process of elimination.

The Federal Trade Commission regulated the creation of AnnualCreditReport.com and its security procedures. 

FTC spokesman Jay Mayfield said the data theft serves as another reminder to consumers that they should protect their personal information, but said the agency still recommends that consumers visit AnnualCreditReport.com or call the credit bureaus to get a free copy of their credit report every year. He would not comment specifically about the theft of the celebrity credit reports, or about the security of AnnualCreditReport.com

Consumers who hear that AnnualCreditReport.com has been compromised might be dissuaded from using the site in the future, and perhaps paying another third-party firm for their credit reports. Doing so would not enhance their security, however.  The data available at AnnualCreditReport.com could be accessed by criminals, even if the consumer never asks for it.

Issues with the authentication procedures at credit report websites have been raised in the past. Last year, security analyst Dan Clements of CloudEyez.com gave NBCNews.com a tour of websites that sell stolen credit reports. Several of the stolen credit reports viewed at the time indicated they'd been taken from AnnualCreditReport.com or other third-party websites that charge a fee for access to credit reports.

"I'm selling super prime credit reports and scores which include all three bureaus and other information," bragged one advertisement on a credit reports for-sale site.

Most of the websites were hosted in the .su domain, assigned to the former Soviet Union. The recently celebrity credit reports are also hosted on a .su web site.

In one how-to posted on a hacker bulletin board, a hacker describes one brute-force attack used to gain access to credit report websites. Most sites are protected by "challenge" questions such as, "Which bank holds the mortgage on your home?"  But there's a critical flaw, the hacker said:

"Normally all ... of them will ask you the same question," the hacker wrote.

Because the sites use the multiple choice format, it's easy to use the process of elimination and determine the correct answers, he claims.

The hacker explained that the trick is to open several credit report sites and keep trying random answers until one set works.

The recipe is highly detailed, including helpful tips such as, "Take a shot of screen to remember what answers you gave. After that click the submit button and see what it says."

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter

More from Red Tape Chronicles:

• Why consumer agency must go, and why it should be saved
• Study: Facebook users want more privacy, but are nudged toward less
• Stock market gains? Not if you sold everything during the recession

Paul J. Richards / AFP/Getty Images

A Google street view mapping and camera car cruises the streets of Washington, D.C.

Google has agreed to pay $7 million to settle a lawsuit filed by 37 states and the District of Columbia over the firm’s vacuuming of data from home Wi-Fi networks around the world. The settlement ends a long chain of U.S. government legal actions against Google in what has become known as the "Wi-Spy" scandal, but Google still faces numerous legal challenges in Europe and elsewhere.

Follow @RedTapeChron

Between 2008 and 2010, Google's Street View cars, designed to take detailed block-by-block pictures, had an added feature -- they collected data broadcast out of users' homes from unsecured Wi-Fi networks.  At the time, most home routers didn't come equipped with encryption by default, so the data haul was enormous, and raised numerous privacy issues.

Google has admitted its mistake, but maintained that the collection wasn't illegal because the data was collected from public locations and broadcast by the victims in plain text. Still, the episode has been embarrassing for the company, and it has repeatedly said it has implemented new procedures to prevent a similar episode.

The most disturbing part of the Wi-Spy scandal is that Google blames it on a rogue engineer, though according to an investigation conducted by the Federal Communications Commission, the engineer told others at the company about the data collection.  It's alarming to think about the privacy disasters that could be created by a rogue employee or group of employees who work inside a company with massive data collection power, like Google. The FCC fined Google $25,000 for allegedly obstructing its investigation, but took no further action against the company.

“Consumers have a right to protect their vital personal and financial information from improper and unwanted use by corporations like Google,” said New York Attorney General Schneiderman in a statement about the attorneys general settlement. “This settlement addresses privacy issues and protects the rights of people whose information was collected without their permission. My office will continue to hold corporations accountable for violating the rights of New Yorkers.” 

Google agreed to destroy the data as part of the settlement and to launch an employee privacy training program that it must continue for 10 years. 

"We work hard to get privacy right at Google. But in this case we didn't, which is why we quickly tightened up our systems to address the issue," Google said in a statement to NBC News. "The project leaders never wanted this data, and didn't use it or even look at it. We're pleased to have worked with Connecticut Attorney General George Jepsen and the other state attorneys general to reach this agreement."

The Electronic Privacy Information Center maintains a detailed list of legal actions in the Wi-Spy scandal, including links to details on ongoing investigations around the globe.

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter

More from Red Tape Chronicles:

• Why consumer agency must go, and why it should be saved
• Study: Facebook users want more privacy, but are nudged toward less
• Stock market gains? Not if you sold everything during the recession

If the Consumer Financial Protection Bureau disappeared tomorrow, would anyone notice?

What is expected to be a contentious Senate Banking Committee confirmation hearing Tuesday for Rich Cordray, who has been temporarily leading the bureau, offers an opportunity to examine the need for a federal agency designed to protect consumers in their financial dealings. If confirmed, Cordray gets a five-year term, but he’s certain to face a major fight from Republicans, who say the bureau is ill-conceived. We spoke to one of the agency's biggest supporters and perhaps its fiercest opponent to get some perspective. But first, a little background:

Follow @RedTapeChron

Born out of the financial crisis, the first new federal consumer protection agency since the Depression, the CFPB has had a rocky start. Republicans railed against the idea but couldn't stop Democrats from passing the financial reform legislation that created it, so instead they blocked appointment of Cordray in 2011, effectively putting the bureau into limbo. President Barack Obama then used a recess appointment to seat Cordray, setting off a battle that is still going on.

The political dispute didn't stop the bureau from shooting out the gate, however. It its 15 months of existence, it has written a host of new rules for lenders, set up a huge public database of consumer complaints and generally irritated most of the financial industry.

Many in the banking industry are still hopeful they can dismantle the CFPB, unseat Cordray and potentially undo everything the bureau has accomplished with a single court victory.

A federal court ruling in January found that another recess appointment by Obama was improper, creating the possibility that it might agree with Republicans who argue Cordray’s recess appointment was illegitimate, too. Some opponents argue that would make everything the bureau has done since his appointment void.

Expect bickering

That legal battle is still in the future, but Tuesday's confirmation hearing serves as a proxy for the fight and another chance for political posturing by both sides. There will be plenty of "Your regulations are killing jobs" vs. "Do you want a repeat of the 2008 recession?" bickering.

The discussion has potential to be a little more elevated, however, as this time the CFPB has a track record to examine.  As far as federal agencies go, it's just  a baby. But as long as we're fighting about it, it’s worth asking what the CFPB has done to prove its worth. 

In one corner ...

Todd J. Zywicki, a law professor at George Mason University with expertise in bankruptcy and contracts, says the CFPB has become exactly the monster he predicted three years ago when Congress debated its creation.

"It's turned out to be an extremely political agency,” he said. “... It's turned out to be really aggressive and arrogant in the way it behaves.”

When one of Obama’s recess appointments was invalidated, the agency response was "typical,” he said.

"They said that ruling doesn't apply to us,” Zywicki said. “What that shows is an agency that is very arrogant and out of control.”

The CFPB has unusual power among federal agencies. Unlike the Federal Trade Commission, the Federal Communications Commission and other agencies which are run by members of a commission with mixed political affiliations, the CFPB has a single agency head. It also does not have to submit its annual budget for congressional review the way other regulators must.

"They've created an unaccountable super-regulator that can and has acted as a highly political agency," Zywicki said. "If the CFPB were to go away tomorrow, it would be a boon for consumers and the economy."

Zywicki's most specific concern about the agency before its creation was that it would hurt lenders, and therefore hurt  consumers who were trying to borrow money. That has happened, he said.

"Our concern from the beginning was that it would act in a manner that would restrict credit and hurt the economy," he said. "Look at its rules on qualifying for mortgages (which impose stricter requirements on borrowers). ... It's stifling innovation (by banks) and restricting consumer choices."

He also said that the agency's new rules are disproportionately impacting the nation's smaller banks, which have smaller legal staffs to deal with them.  

"Because of the massive regulatory burden it is imposing on the economy, (the agency) is promoting a consolidation of the banking industry" by burdening small banks, Zywicki said. He could not point to a bank that closed or was sold because of CFPB rules but said that smaller community banks across the country are consistently complaining about the rules.  "It's the overall effect of regulations," he said. "It's not just the CFPB, but it is piling on."

And in the other ...

Taking the opposing view is Ed Mierzwinski, consumer program director for the consumer advocacy agency Public Interest Research Group and a vocal supporter of the CFPB creation and of Cordray. He gives the agency an "A-minus" for its work so far and has no trouble rattling off a list of accomplishments in its short life. Among them, he said, the bureau has:

• Successfully brought enforcement cases against three large credit card issuers for allegedly unfairly "upselling" products such as credit card insurance, and returned $400 million to 6 million U.S. consumers after a settlement.
• Created new mortgage disclosure documents, promoted awareness among college students about school loan debt and launched a separate effort to protect soldiers and veterans from predatory lenders, all through its “Know Before You Owe” program.
• Become the first federal agency to supervise so-called “non-bank banks” and begun to focus on products such as payday loans, title loans and other non-traditional borrowing products, as well as private student lenders.
• Worked to increase transparency, including creation of a public disclosure website that lists consumer complaints and, unlike similar databases at other agencies, allows anyone to browse the complaints, including information on the companies targeted.  Agencies such as the Federal Trade Commission do not make complaints pubic.

"The CFPB data allows (observers) to rank the companies involved. No one wants to be No. 1 on that list," Mierzwinski said. Public shaming is an effective regulatory tool, he argued, one that hasn't been used by other agencies.

When asked about the theoretical possibility that the agency could disappear, Mierzwinski said consumers would lose the benefit of actions he expects in the next 15 months, specifically related to the CFPB's recently acquired new power to regulate credit bureaus and debt collectors.

"The FTC never had the tools to go after them,” he said. “... Now for the first time, a federal agency can go into the credit bureaus and debt collectors and say, 'Show me your books.'"

Mierzwinski said the FTC has never held the credit bureaus financially accountable for credit report errors and predicted CFPB enforcement would lead to more accurate credit reports.

In a more general way, he says enforcement actions and additional regulatory oversight help all consumers, even if they haven't received a refund check based on a bureau lawsuit.

"I'm convinced that many banks eliminated those kinds of practices," such as selling credit card insurance, after a CFPB lawsuit,” he said.  "So going forward, you will see fewer unfair offers from banks. ... If you have a mortgage, going forward your servicing rules will be fairer."

Mierzwinski’s chief argument for preserving the CFPB: All other banking regulators are charged with simultaneously protecting the safety and soundness of banks on one hand, while mandating fairness to consumers on the other. That's why, for example, excessive overdraft fees were allowed for years -- when regulators weighed the interests of making banks profitable against treating consumers fairly, they often chose the former. 

"They had a conflict of interest ... and often sided with bank safety over consumer protection," Mierzwinski said.

Zywicki, the CFPB critic, said he isn't fundamentally opposed to a consumer protection agency focused on financial products, but he says he believes evidence shows that Cordray's agency is acting recklessly.

"They made a political decision that the entire financial crisis was a consumer protection problem, ignoring evidence that there were other causes," he said. "I see no indication to date that they have a serious understanding of economics or unintended consequences. Sure, there are concerns about these products. People misuse mortgages. But their behavior to date raises questions about how seriously they take economic evidence."

He disagreed that payday and other non-traditional lenders had slipped through regulatory cracks before creation of the CFPB -- they were regulated at the state level, he noted. And even in this area, he said he was concerned about the new agency's actions against high-interest lenders. 

"The concern is the same, that they will blunder based on their belief in what's going on, rather than use sound economic science,” he said. “By over-regulating those products, they could drive them out of business and could end up hurting consumers. ... Before we had alternative lending products ... we had loan sharking. We could end up there again."

It works, or it doesn't

While Zywicki wouldn't mind a dismantling of the agency, his preference would be a radical restructuring, with Corday replaced by a slate of mixed-party commissioners with less power.

"The optimal solution is a more accountable, more reasonably constructed agency along the lines of the FTC," he said. "We've been doing independent regulatory agencies for a century, and we know what works."

But Mierzwinski said the housing bubble and the recession show that the system that was in place didn't work, and says he fears that a diluted CFPB wouldn’t be able to take firm action against the powerful financial services industry.

"We would lose … the one regulator that has protecting consumers as its only job," he said. "Payday lenders could run roughshod over American consumers again without the CFPB, and credit bureaus wouldn't be brought into line."

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter

More from Red Tape Chronicles:

Facebook, real world data brokers team up to pick online ads for you

One latte away from millions? Don't bank on it, author says

ID theft on the rise again: 12.6 million victims in 2012, study shows

What impact will Facebook's new redesign have on users' privacy? It's far too soon to tell, but a study published this week by Carnegie-Mellon University suggests that prior design changes to the social media site have nudged users into sharing more information than they want to. 

The long-term study, which followed thousands of Facebook users and their privacy choices over seven years, found that users steadily shared less information with strangers over time. But it also found that they shared more with friends, which ultimately means they shared more with Facebook and third parties like app developers, which the researchers call "silent listeners."

Follow @RedTapeChron

"People are trying to reveal less publicly ... but in fact are disclosing more to these silent listeners," report author Alessandro Acquisti told NBC News, adding that the research is the first so-called “longitudinal study” to examine Facebook user behavior.

There was one sudden reversal in the trend toward more privacy-centric choices in 2009-10, during which users who had been sharing less suddenly began sharing more, the study found. The reversal corresponded to major changes in Facebook's design.

"These findings highlight the tension between privacy choices as expressions of individual subjective preferences, and the role of the environment in shaping those choices," the report says.

Facebook had an entirely different interpretation of the data produced by the researchers.

"Independent research has verified that the vast majority of the people on Facebook are engaging with and using our straightforward and powerful privacy tools, allowing them to control what they're sharing, and with whom they're sharing,” the firm said in a statement. It would not answer additional questions about the study on the record.

Acquisti, along with fellow authors Ralph Gross and Fred Stuzman, examined the public sharing habits of 5,000 Carnegie Mellon students between 2005-2011, focusing on how frequently they posted information that any stranger could see, such as birthday, high school, political affiliation, phone, address and interests. The trend lines on open sharing of personal information like birthday and political affiliation fell steadily over the course of the study. For example, those sharing birthday information sank from 86 percent to 13 percent. 

But for other items, public sharing ticked up in 2010. The percentage of those telling the world their hometown, for example, shrank steadily until 2010, when the percentage nearly tripled, from 13 percent to 33 percent.  Those sharing their high school, address, or the favorite music and movies jumped similarly.

The authors argue that Facebook's introduction of additional privacy controls during this time actually led to consumers oversharing. Facebook also introduced pages that could be “liked,” which were linked to users’ interests, schools and other information. Links to these pages were public, by default, increasing the amount of information users shared.

"Through the addition of highly granular privacy controls, Facebook argued that individuals would be better able to share information with audiences of their choice. However, Facebook's new privacy interface proved to be confusing to users, resulting in public retractions and updates by the company," the report said. “Changes implemented by Facebook … countered privacy-seeking behavior by arresting and in some cases inverting the trend.”

Carnegie Mellon University

Charts of user information disclosure.

The report’s main finding, however, is that there are two equal but opposite trends on Facebook – users trying to share less with strangers, but also sharing more with friends and, as a result, more with Facebook and its partners.

Information shared on Facebook with friends, but not with the general public, is also shared with Facebook, which may choose to release the information to law enforcement or other entities in the future, the authors argue. Such data is also shared with third-party app creators when they obtain a one-time consent from users.

“Users aren’t reminded every time they share something with friends that they might be sharing it with an app, too,” Acquisti said.

The data is also indirectly shared with advertisers. Firms that advertise on Facebook through programs such as its new “custom audiences” platform do not receive personally identifiable information about users, but can target groups of users with particular characteristics, such as new young mothers in California.

“The fact that advertisers don't get direct access to the data is some protection, but it does not change the reality that advertisers can indirectly get at you through the data you are revealing about yourself on Facebook,” Acquisti said. “Is your privacy violated only when someone gets your name and birthdate, or if they know you are pregnant and try to send you advertisements that use this information?”

Jules Polonetsky, director of the Future of Privacy Forum, a privacy-related think tank that is supported by corporations, said he saw more positive than negative in the Carnegie-Mellon report.

“I think the most interesting thing about the report is that it shows that Facebook started out as a very public place, and over time it evolved into a place where you primarily share things with your friends, and that's a good thing,” he said. 

He disagreed with the description of third-party app developers as “silent listeners,” noting that users give permissions to apps so they can automate tasks that they could do manually, such as finding out if a friend is playing “Worlds with Friends.” He also said that Facebook is doing a good job at keeping advertisers at arm’s length from the data it has on users, and the firm has learned that it doesn’t need to nudge users into oversharing to make them useful to advertisers.

“Ironically, the success of their advertising model may be dependent on more people doing more and more, and sharing more, but doing it privately,” he said. “The sweet spot Facebook has started finding is users don’t need to share things publicly for it to be able to monetize them in an advertising-supported network.”

The crux of the debate lies along this razor’s edge: Just how private is information shared privately with Facebook? And are users being induced to share more than they want to?

In previous studies, Acquisti’s research has shown that more granular privacy controls actually encourage users to share more information about themselves, and they can also distract users from noticing important privacy choices. He calls this the “paradox of control.”  

“I don’t want to say it’s a seduction, but you could call it a nudge,” he said. “…The consequence of providing granular control settings is that users become more comfortable with revealing more and more sensitive data. People focus when they are about to put up a new post on whether they want to share that with friends or friends of friends. But you don’t get the option to say, ‘I don’t want Facebook to see this, or I don’t want a third-party app to see this.’”

*Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter

More from Red Tape Chronicles:

 Facebook, real world data brokers team up to pick online ads for you

One latte away from millions? Don't bank on it, author says

ID theft on the rise again: 12.6 million victims in 2012, study shows

Plenty of investors are celebrating as the Dow Industrial Average set a record on Tuesday … but some Americans aren’t invited to the party.

Families who were forced to raid their retirement savings during the recession because of unemployment lost more than the money they withdrew.

The Dow has more than doubled since the low point of the 2008 recession. But families like Jacquelyn and Chris Goss, both in their mid-40s, have missed out on all of that.

The Gosses, who live in Point Pleasant, N.J., aren't doing badly. But they aren't doing well, either. 

The couple has three children and a mortgage, and despite Chris's new job, the family still seems to run out of money before the end of every month.

"Compared to many couples our age we are very fortunate, but I am always kind of surprised that we are not further ahead or even remotely where we thought we would be by now," Jacquelyn said recently, writing to the Red Tape Chronicles to ask for help with her family's finances. 

Adding to their financial anxiety -- Chris was out of work last year, and they raided their retirement accounts to survive.

Staring at three potential college students and still paying off Jacquelyn's student loans, they have no idea how they can even start saving for their retirement.

"I can never understand why no matter how much you make … every raise, promotion … never seems to make a difference," she wrote. "As you can see, we could use some guidance."

Click play above to see their story, and discover some of the ways we discussed putting their family on more solid financial footing.

*Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter

More from Red Tape Chronicles:

• Facebook, real world data brokers team up to pick online ads for you
• One latte away from millions? Don't bank on it, author says
• ID theft on the rise again: 12.6 million victims in 2012, study shows

Desperate consumers who are out of borrowing options are using their automobiles as collateral and paying $3.5 billion a year in interest for the so-called "title loans," the Center for Responsible Lending said in a report issued this week.  The average loan is $950, and borrowers take on average 10 months to repay the loans, meaning they'll spend $2,140 to borrow the money, the report said.

The size of the title loan market is roughly equal to the size of the payday loan market, which has received far more attention from regulators, according to the report. Title loans are only allowed in roughly half of U.S. states, making the size of the market even more surprising, said report author Uriah King.

"The market size is comparable because of the sheer size of the title loans," said King, adding that title loans are, on average, roughly three times larger than payday loans: Some 7,730 lenders make $1.6 billion in title loans annually, the group estimates.

The consumer group estimated the size of the market, and drew other conclusions about title loans, based on loan-level data from a lender made public as the result a lawsuit filed against the industry.

Aggressive late-night television ads pitch title loans as a solution for consumers who find themselves needing short-term loans but can't use standard options, such as credit cards. Generally, consumers can borrow up to 26 percent of the assessed value of their car, which they must own free and clear. Loans are often issued at 25 percent interest per month: In other words, it costs $250 to borrow $1,000 for a month.  The risk, of course, is that borrowers can lose their cars to repossession if they default. Borrowers must often leave a copy of their car key with the lender to make repossession easy.

Another unique and concerning characteristic of title loans: Issuers often don't make any assessment of a borrower's ability to repay the loan.  In fact, some brag in advertisements that they don't run credit checks, and borrowers don't need to prove employment to obtain the loans. 

To lenders, there is almost no risk in the loans, because they are "completely collateralized," King said.  Borrowers are highly motivated to repay the loan because their automobiles are usually their most valuable piece of property – most borrowers are renters -- and cars are needed for transportation to work. 

Repossession, which costs an additional $300 to $400 in fees, means outstanding loans nearly always are repaid.

"This is a loan of virtually no risk," King said. "I heard one branch manager say these are 'all blue sky' loans, because as soon as one interest payment is made, the rest is all (profit)."

Title loans, like payday loans, have long fallen into a gray area for regulators because they are non-traditional, short-term lending products. Until the creation of the Consumer Financial Protection Bureau (CFPB), lenders did not have to answer to federal lending regulators and were governed only by state laws. When the CFPB was created, its regulatory powers were extended to such short-term loan instruments.

Payday lenders argue that annual percentage rates and other standard loan measures are unfairly applied to their product because consumers often borrow money for only a few weeks.  So expressing a $20 fee for a two-week $200 loan as having a 2000 percent APR, for example, doesn't fairly represent the true cost of the lending product, they say.

However, the Pew Center for the States reported recently that the average payday borrower takes five months to repay a loan, arguing that annual percentage interest rates are indeed relevant to assessing those loans. 

There is no such debate in title loans, however, King argues, because of the size of the loans.

"There's no way this loan is getting repaid in a month, it's just not going to happen," he said. "A lot of middle-class families would struggle to pay off a $1,200 loan (average interest plus principal) in a month." Instead, the loans typically are renewed each month for an average of 10 months, he said.

Calls and e-mails to the two top title loan issuers, Title Max and Loan Max, went unanswered. On its website, Title Max says it has more than 1,000 title lending stores across 12 states and provides car title loans to more than 2,000 people daily,

A chat operator for TitleMax said she would pass on NBC News' inquiry to officials at the company.

"I have done all that I can do. This is the sales chat, like I have stated before. Your best option would be to contact customer care all I can do is pass this information to them," said the operator, who identified herself as "Tiffany."  Calls to customer service went unanswered.

The title loan industry set up a trade group and political action committee, the American Association of Responsible Auto Lenders, several years ago to champion its product. The group's website is no longer functional, and calls to former board members went unanswered.  It did submit a public comment in 2011 to the Consumer Financial Protection Bureau, arguing against that agency's intentions to regulate the industry. A copy of the comment letter was provided to NBC News by the Center for Responsible Lending.

In the letter, the group argues that title loans are a good alternative for consumers who can't borrow money from other sources.

"Our customers prefer auto title loans to alternatives such as overdraft fees, bounced check fees or late fees that may also have negative credit consequences," said the association.

The letter claimed that 1 million consumers obtain title loans worth $6 billion annually, but also said the industry was substantially smaller than the payday loan business, which it pegged at $38 billion annually. The size of the payday loan industry is disputed because of how consumer groups and industry groups count recurring loans.

The association said the average title loan was under $1,000, and was typically repaid in six months. 

"Auto title loans are often the only legitimate option that individual and small business owners have, since in many cases their low credit scores would exclude  them from doing business with commercial banks and credit unions even if these institutions were willing to lend in the amounts typically sought by auto title borrowers," the association wrote.

It also argued that only 6 to 8 percent of cars used as title loan collateral are repossessed. The Center for Responsible Lending reported that nearly 17 percent of title loan customers face repossession fees. King said it has no way of knowing how many of those cars are ultimately repossessed.

"I'm actually surprised that repossessions aren't higher," King said.

The Center for Responsible Lending argues that title loan firms should be required to assess borrowers’ ability to repay before issuing loans, and that interest rates be capped at 36 percent.

 *Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter

More from Red Tape Chronicles:

• Facebook, real world data brokers team up to pick online ads for you
• One latte away from millions? Don't bank on it, author says
• ID theft on the rise again: 12.6 million victims in 2012, study shows

Kevin Mandia has "kicked the hornet's nest." Now, he's waiting to see what the consequences might be.

Mandia's computer security firm, Mandiant Corp., issued a blockbuster report nine days ago accusing the Chinese military of supporting hacker attacks into perhaps thousands of U.S. businesses.

Accusations of nation-state-sponsored hacking are nothing new, but Mandiant provided the most specific and detailed account of computer espionage that the security world has seen to this point. In it, the firm chronicled 141 attacks and even produced a short video allowing observers to watch an attack unfold in real time.

Mandia said his researchers have spent years observing hackers operating from inside an office building in Shanghai as they repeatedly raided his U.S. clients' computer systems, stealing intellectual property.  Now, his small company of 300 awaits the consequences. He expects cyber-retribution. Already, he said Thursday in an exclusive interview with NBC News, someone has tried to "spear phish" his employees, sending booby-trapped emails designed to give the attacker control of Mandiant computer systems.  Also, within hours of the report, Mandia said, Chinese officials scrambled to hide their tracks, changing registration information for websites listed in the report and taking computers allegedly used in the attacks offline.

Mandia agreed to be interviewed  after presenting at the RSA computer security conference in San Francisco, an annual gathering of more than 20,000 experts from around the world. Mandia's speech was a hot ticket; he spoke to a packed audience who applauded several times when he explained that it was time for a U.S. firm to publicly connect the dots and directly accuse the Chinese government of sponsoring attacks on U.S. firms.

So far, the Chinese government has publicly dismissed the report, saying it provides no evidence of state-sponsored attacks. And on Thursday, the Chinese Defense Ministry pushed back, saying that Chinese defense websites are routinely attacked -- 144,000 times monthly -- by computer intruders, many of them based in the U.S.

Long theorized and discussed in hushed, speculative terms, state-sponsored cyberwarfare is now openly discussed at security gatherings like RSA.  The 2009 Stuxnet attack on Iranian nuclear facilities, believed to have been orchestrated by U.S. and Israeli experts, was perhaps the first public blow in the increasingly cold cyberwar, but even that attack had its origins in research conducted years earlier. Researchers from Symantec Corp . released a paper this week at RSA saying they have found the first version of Stuxnet dates back to 2005, and that it was designed with even broader attack capabilities.

China's alleged hacking and stealing of U.S. corporate secrets will have serious impacts on the American economy, Mandia said, which is why he felt it was time to make public accusations and "kick the hornet's nest."

"The goal is for the Chinese to get somewhere faster economically. ... They may have shortcut 10 years out of their economic cycle," he said. "... We're going to see the impact emerging. ... It may cause job loss, it may cause loss of (intellectual property), it may cause trade tariffs, it may cause diplomatic headaches."

Watch the rest of the Kevin Mandia interview by clicking “play” above.

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter

More from Red Tape Chronicles:

• Facebook, real world data brokers team up to pick online ads for you
• One latte away from millions? Don't bank on it, author says
• ID theft on the rise again: 12.6 million victims in 2012, study shows

The offline and online data collection worlds are about to collide as never before. Facebook will soon announce partnerships with Axciom, Epsilon and Datalogix, three real-world data marketing giants with access to billions of pieces of information about Americans’ shopping habits, according to a person familiar with the deal.

Follow @RedTapeChron

Facebook will not share its users' data with these firms, said the source, speaking on condition of anonymity. Instead, it will allow advertising clients to enlist the help of offline data to deliver targeted Facebook advertising, the source said.  A supermarket loyalty card user, for example, might see Facebook ads that reflect their grocery-buying habits.

Facebook will use added security features to make sure data doesn't flow between it and the database firms, and that matches will be made using a technique that makes individual consumers blind to the companies involved, the source said.  The source requested anonymity because she was not authorized to speak on the record about the deal.

Still, the marriage of real-world and virtual databases has some privacy advocates nervous.

“There needs to be limits on Facebook's growing use of outside data broker information so its users can be targeted by marketers," said Jeff Chester of the Center for Digital Democracy.  "Companies like Acxiom, etc., contain vast stores of details about us, including online and offline information."

Pam Erlichman, spokeswoman for Datalogix, confirmed in an e-mail that her firm “is participating” in a new advertising partnership with Facebook, but directed additional questions to Facebook. Axciom also referred all questions about the deal to Facebook. Epsilon did not immediately respond to requests for information about the deal, which was first reported in AdAge. A spokeswoman for Facebook said she would not comment on the report.

Data brokers Acxiom, Epsilon and Datalogix already use their vast records -- which include e-mail lists, grocery store shopping habits, and much more -- to send highly targeted junk mail and other kinds of advertisements to consumers. Increasingly, these firms have tried to sell their market intelligence online. In a recent brochure, Datalogix  makes its case for merging the two worlds:

"Why are offline transactions relevant online? Because they’re a more predictive indicator of intent rather than banner ad clicks. Too often, marketers view click-throughs as response data. But a click-through is not a sale," it says.

This isn't the first time Facebook has partnered with Datalogix; the social media firm announced last fall that it was conducting research with Datalogix to show that Facebook ads actually encouraged offline purchases.  Through that arrangement, Datalogix is tracking groups of Facebook users who were also in its database to see if those who saw certain kinds of Facebook ads were motivated to make later purchases at grocery stores. Facebook was unable to identify individual consumer purchases through the research , the firm said at the time, but was able to see if ads were, in aggregate, effective in getting shoppers to buy grocery items.

Here’s how the data sharing will work, according to the source: Epsilon, Datalogix and Axciom will upload lists of customers to Facebook, tagged through email addresses or phone numbers. Facebook will then find matches among its users, and create what it calls “custom audiences.” These can be narrowly focused –18- to 24-year-olds in California who drink cola, for example.  Then, these audiences can be targeted with precise softdrink ads.

Facebook will not know the identity of these consumers, however, because the data it receives from its partners will be scrambled, or “hashed,” preserving their privacy.  No data will change hands, said the source.

Rainey Reitman, a privacy expert with the Electronic Frontier Foundation, did a deep dive through the data that was shared between Datalogix and Facebook last fall.

Reitman said that on the surface, she saw no new privacy issues raised from extending the Facebook-Datalogix partnership, as long as Facebook continued to insure that user information wasn't flowing out of the company to its new partners.

"Facebook is holding onto its data quite carefully," she said. "It has a financial interest in doing so ... and that should help protect users' privacy."  She was concerned that loyalty card users might be surprised to find their information can find its way into a Facebook advertising formula, however.

Another privacy expert, Larry Ponemon of research firm The Ponemon Institute, said he didn't think privacy issues were inevitable in the deal -- "more-targeted ads could be a good thing for users," he said. But he cautioned that regulators and consumers should be very skeptical of any broad link-ups between online, and offline data, as they have in the past.

"This is what got DoubleClick in trouble with Abacus Direct," Ponemon said, pointing to the now-infamous advertising deal struck in 1999 that was eventually scuttled because regulators concerned about the ad network's ability to track users through cyberspace and in the real world through technology. "What's changed? Perhaps Facebook will never have custody of the data the way they are doing it, they are one or two steps removed, but how does that affect the privacy issue?" 

Ponemon says that consumer expectation is often the forgotten element in attacks on privacy, and he's concerned about that happening if Facebook has access -- however obscured -- to grocery store loyalty card records or similar data.

"When a person signs up at Giant so they can get milk at market price, they are not thinking that information is now going to be linked to their Facebook account," he said. "It seems like there's this trend to have mega-databases, and all these things working together in constant harmony, but the problem we have is we haven't thought through the potential privacy risks."

The main concern, he said, is that mega-data collectors like Facebook and Axciom could join forces and build "the ultimate dossier" on consumers.

"Could this lead to the disintegration of our privacy rights, or is it just another creative way of serving an ad?  We'll have to see in the details," he said. 

Chester, from the Center for Digital Democracy, said it was important for consumers to know their rights when such databases are shared, adding that is also is important for consumers to be given ample opportunity to opt out of the sharing.

“Companies like Facebook want to pool more information together to essentially enable it to know what its users are doing on their mobile phones, such as when shopping,” he said.  “(Privacy advocates) believe that Facebook users should have the power to decide what information can be used to profile and target them--especially when it comes from these powerful storehouses containing what we do, who we are.”

Users can opt out of Datalogix online digital advertising by visiting the firm’s privacy page and clicking under the section labeled “Choice.”

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter

More from Red Tape Chronicles:

• 'Privacy tax' creator makes his case, says software is 'eating the world'
• Death of the price tag: Stolen from us too soon
• FTC: 5 percent of credit reports contain 'serious' errors that cost consumers

Helaine Olen has begun an important discussion in the world of money: Is anybody's advice worth paying for?

The author's new book, “Pound Foolish: Exposing the Dark Side of the Personal Finance Industry,” has rattled quite a few cages since it was published in January. It's also gotten a lot of attention, including glowing praise from The Economist. We sat down with Olen at our studio in 30 Rockefeller Plaza recently. (You can watch the interview by clicking “play” above.)

Follow @RedTapeChron

Olen points out the folly of simplistic mass-market advice, such as the notion that forgoing a latte every day will make one a millionaire by retirement. She's an equal-opportunity critic, poking fun at everyone from late-night TV stock pickers, to financial gurus who make millions writing books, to newspaper business reporters who have no credentials for doling out advice.

In fact, that's how Olen started her career -- writing "Money Makeover" columns for the Los Angeles Times, where she matched up eager consumers with even more eager finance wizards, and described the advice that was doled out. Ten years on, these stories still gnawed at Olen, as she wondered if the consumers were genuinely helped by the advice. Her book's most telling moments detail meetings with these sympathetic characters, who unsurprisingly have not fared better after hearing the normally high-priced money wisdom.

Olen gets some cheap laughs by going back in time and showing mistakes made by financial prognosticators -- citing Suze Orman's advice to her fans that real estate was the best investment. But something more nefarious is at play in American culture, Olen says, when the myth of the latte millionaire persists. The subtle message from many financial gurus is that consumers simply have to suck it up a little, ditch the extravagances and everything will be fine. That's just not true, she argues.

"We believe very deeply in this country in the myth of Horatio Alger, which is ... this idea that we can do it all by ourselves," she said. "And that's just not true." Harsh economic realities, such as skyrocketing housing and health care costs, play a bigger role in our financial future than our ability to skip pricey coffee, Olen says.

It's undeniable that much personal finance advice is overly simplistic. But it's also undeniable that Americans are terrible at math, and many don't want to take even the simplest steps at improving their financial futures. So it may not be fair to criticize those who give simple advice to consumers who seem to want it. And behavioral economists have produced research for years showing that financial education doesn't do much good anyway, because people tend to take the path of least resistance when making decisions on 401(k)s, mortgages and so on. They prefer nudges from companies and governments, such as automated enrollment in the most beneficial retirement plans. 

What's the harm if financial gurus provide that nudge of inspiration to pay down debt or build up savings for someone who otherwise might not act? Olen didn't have a good answer. Still, her critique is eye-opening, particularly when readers are confronted with tale after tale of advice gone bad. 

Taken as a whole, “Pound Foolish” is a good reminder that you are as qualified as anyone else to control your financial future. As the saying goes, if you want something done right, you should do it yourself. You'll be saving a lot of money in the process, too.

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter

More from Red Tape Chronicles:

 ID theft on the rise again: 12.6 million victims in 2012, study shows

'Privacy tax' creator makes his case, says software is 'eating the world'

Death of the price tag: Stolen from us too soon

Identity theft is on the rise again, says a new industry-sponsored study, reversing a promising two-year trend. 

Follow @RedTapeChron

Some 12.6 million Americans were victimized by ID theft in 2012, the second-highest total since the Federal Trade Commission began counting victims in 2003  and roughly 1 million more than 2011, according to the survey by Javelin Strategy and Research. The record – 13.9 million victims – was set in 2009.  

The criminals made off with $3 billion more than in 2011, as well.  Overall, slightly more than 1 in 20 consumers -- 5.26 percent -- were victims last year, the survey found.

A large portion of the increase was driven by "dramatic jumps" in more-serious forms of ID theft, such as new account fraud, where a criminal uses a victim's personal information to open new credit cards or other kinds of loans. New account fraud jumped 50 percent last year, according to the report, with the total fraud loss doubling year over year to just under $10 billion

"I don't think (the data) shows that banks are losing control," said Jim Van Dyke, author of the study, when asked about the significance of the new data. "But it's really wise to look at where we haven't gotten anything under control, and that's new account fraud."

The news comes amid a cascade of hacker stories this week, giving the impression computer criminals are gaining the upper hand on many fronts.  Agents working on behalf of the Chinese army have successfully attacked dozens of U.S. companies, according to a report issued Tuesday by U.S. security firm Mandiant.  Large U.S. media companies have also fought off Chinese hackers, and not always successfully, according to several reports. Burger King and Jeep suffered embarrassing Twitter account takeovers. And both Twitter and Facebook have had to announce in recent weeks that they had been hacked.

Javelin's data is based on telephone surveys of U.S. adults, with consumers self-reporting details of their ID theft to survey takers and results extrapolated from their answers. The precision of such data can be questioned, but Javelin has used the same techniques for eight years, making year-to-year observations informative. The same technique was used by the FTC in 2003 when it initially reported the size of the identity theft problem as required by Congress.

The survey was sponsored by CitiGroup, Visa, and Intersections LLC, which provides identity theft prevention services to consumers.  Van Dyke says the sponsors were not involved in tabulation, analysis or reporting of the results.

Bank security analyst Avivah Litan of the security consultant firm Gartner, who has run her own ID theft victim surveys in the past, said the Javelin survey's results are consistent with what she's heard from bank security officials.

"Even in an age of cyberespionage and advanced targeted attacks, good old-fashioned consumer identity theft continues to escalate," Litan said. "It's highly unfortunate that even after all this time and effort by banks regulators high tech entrepreneurs and law enforcement that the bad guys are still coming out ahead. It's high time that we put more intelligent efforts into winning this cyberwar, whether it’s against amateur identity thieves or foreign infiltrators."

Other interesting findings from the Javelin report:

*Consumers who received "breach" notifications from companies indicating their personal data had been compromised were much more likely than others to be victims of ID theft.  And that trend is rising. In 2011, 1 in 5 recipients were victims; and last year, the likelihood increased to 1 in 4. 

*Fraud victims living below the poverty line were more than twice as likely to know their imposter personally -- so-called "familiar fraud" -- than wealthier consumers. The survey found that 29 percent of poor victims knew their imposter vs. 12 percent of those living above the poverty line.

*It's important to note that despite the rise in new account fraud, simple credit card fraud still accounts for about two-thirds of all ID theft. Those victims had a relatively easy time fixing the problem, reporting an average of 11 hours of disruption. On the other hand, 51 percent of victims of "account-takeover fraud," which allows criminals to withdraw funds from existing checking accounts and run similar schemes, said their lives were "severely impacted" and they spent an average of 37 hours resolving their frauds.

Van Dyke also pointed out there are hidden victims in ID theft, in addition to banks and consumers who lose money.  Among consumers who were victims of fraud, 15 percent said they reacted by avoiding online retailers, and half of that group specifically avoided small retailers. Only 8 percent of that group said they avoided large merchants after a fraud.

"Small online merchants are really being singled out," he said.  In other words, they are hit both by fraud, and by lost sales due to the impression of risk created by fraud. "Consumers are very sympathetic to small merchants, but when you see this lack of trust play out, it underscores how significant the problem is and how important it is that we deal with it.”

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter

More from Red Tape Chronicles:

• 'Privacy tax' creator makes his case, says software is 'eating the world'
• Death of the price tag: Stolen from us too soon
• FTC: 5 percent of credit reports contain 'serious' errors that cost consumers

Antoine Duhamel / www.archi-photo.fr

Nicolas Colin

If you aren’t paying for the product, you are the product.

Internet users know this implicitly; there are no free apps, no free search engines. Instead, users trade their information in exchange for some service, vaguely aware that the company’s side of the bargain is free access to data it can turn into profit.  Some consumers get angry at the notion they provide free labor and raw materials to some of the world’s largest and richest companies, but Nicolas Colin thinks people should be a whole lot angrier. In fact, he believes that “software is eating the world.”

Colin, a tax inspector for the Ministry of the Economy and Finance in France, believes that corporations have turned the Digital Age into a massive tax haven which dwarfs anything high-priced accountants have ever pulled off in places like the Cayman Islands. His beef: Corporations don’t pay a penny in taxes on all that free labor.  In other words, not only are you are the product, but you’re also paying for all the roads, fiber-optic lines and airports that digitally dependent corporations need to get rich.

Colin caused a stir last month when he co-authored a report for the French government recommending what some have called a “privacy tax” – essentially a mechanism to punish companies that profit from misuse of consumer data. The idea of a new tax based on something seemingly so vague went over like a lead balloon in many quarters.

Follow @RedTapeChron

But Colin’s idea is far broader, and has wide multinational implications. He wants to change the fundamentals of how taxes are levied, a step every bit as radical as the invention of income or sales taxes. 

He wants to tax data.

While new taxes aren’t exactly popular these days, the Red Tape Chronicles decided to hear him out.

Colin’s proposal begins with the notion that, like it or not, we are all part of the supply chain now.

“What we do leaves traces, generates data. This data can be leveraged to create value,” he told NBC News during an extended interview via email. "If you want to create value, you can either hire employees, contract on the market or design an application that will attract millions of users and will turn their activity into economic value -- make them part of the supply chain.”

In a strange reversal of fortune resulting from this new business model, Colin said, labor now happens in rich, giant Western nations while profits are counted in smaller, tax-friendly places. 

With millions of unpaid laborers around the world helping to make your product, the notion of place has become less and less important in terms of taxation, he argues

“Digital technology has moved value creation from inside the factory to the customers' hands and brains,” he said. “Value is now co-created by companies and the people who use their applications. This has consequences on corporate tax, because it changes the geography of value creation. It's not where the factories are anymore, it's where the users are.  … Many authors have written on this phenomenon. Each has his own phrase to describe it : Web 2.0, co-creation, crowdsourcing, peer production, distributed capitalism, wikinomics, etc. But there's really one reality: In the digital economy, users create part of the value alongside employees, contractors, capital, and companies' assets.”

Governments can’t tax worker income, or levy company payroll taxes, when the “workers” aren’t paid. And they can’t charge sales taxes for products which are given away for free.  The situation creates quite a dilemma for taxation authorities, and it will ultimately have devastating consequences for society, Colin predicts.

“Tax base erosion will happen in each sector disrupted by the digital economy,” he said. “Yesterday it was advertising, entertainment, retail, travel. Tomorrow it will be banking, health care, cars, telecommunications, manufacturing, higher education. The law must change quickly, because software is eating the world.”

So what is to be done? Rich nations must negotiate and agree on a new concept of “permanent establishment” which defines where companies operate and therefore are subject to taxation, he argues. 

His basic notion: “There should be a permanent establishment wherever a company collects data to fuel a service provided on the same territory.”

The French proposal comes amid growing frustration among French lawmakers with their inability to collect taxes from large, digital companies like Google, which generated $2 billion in advertising in France last year but paid almost no taxes there. France has already tried an ill-fated “link tax” in an attempt to support local publishers who fear they are losing money because of the search engine’s free links. 

Google issued a statement last month saying it was researching the French proposal.  Google did not immediately respond to requests for more information about its tax payments in France or about Colin’s proposal.

But last week, CEO Eric Schmidt wrote a blog post describing two new France -friendly Google initiatives.

“Today I announced … two new initiatives to help stimulate innovation and increase revenues for French publishers,” he wrote. “First, Google has agreed to create a … Digital Publishing Innovation Fund to help support transformative digital publishing initiatives for French readers. Second, Google will deepen our partnership with French publishers to help increase their online revenues using our advertising technology.”

Not quite the radical shift in taxation policy Colin and his supporters are looking for. He makes a forceful case for the inequity of free, and untaxed, labor online. 

“You can replace employees and contractors with users of an application, and these users work for pleasure, not for money,” he said.  “So it's free -- well, almost free, because the marginal cost of a user is practically equal to zero in the digital economy. … Using those applications, French people contribute to profits made by foreign companies, yet those companies don't pay the taxes necessary to cover the public expenses that help fuel this value creation.”

He pointed to a popular speech made by Sen. Elizabeth Warren, D-Mass., during her campaign, making the case that companies benefit from tax-funded infrastructure, but aren’t paying their fair share.

“Individuals become active users if they are educated, equipped, covered by social insurances, and massively connected, and all of this costs money to the government,” he said.

While such a new tax regime involves a massive shift in the notion of taxation – from location of production to location of data collection -- the shift wouldn’t be unprecedented.  He cited the creation of progressive income tax early in the last century, and the implementation of the value-added tax in the 1950s, as similar shifts.

The European valued-added tax – or VAT -- requires companies to pay taxes every time they take any kind of raw material and turn it into a product that can be sold at a higher price. Data taxation grows logically from this idea, Colin believes.  With data collection, under Colin’s scheme, companies “create value” when they turn consumers’ information into a product that can be sold. Taxing data really means taxing creation of this new value, he says.

“The French are very proud to have invented the VAT in the ‘50s. Today it's the most neutral tax, the most widely accepted by both individuals and corporations, and the one that raises the most revenue for governments,” Colin said. 

He acknowledged that Americans, who have long resisted VAT taxes, will probably receive the idea of digital-age tax change with strong skepticism. But he argues that 20^th century taxes distort the market and hurt the economy.

“Sometimes, new taxes are good for business when they help pay down the debt and balance the budget, and above all when they replace outdated taxes that distort the market instead of supporting growth and job creation,” he argued.

The privacy tax, which Colin suggested implementing as an intermediate step, has been roundly criticized, beyond the notion that any new tax is a bad idea: Critics have said it would be nearly impossible to manage, would force government bodies to make rulings on very technical matters, and that its collection could itself represent a privacy violation.  But Colin argues there is already general consensus in the computer security world on best practices with consumer data. Such a tax would properly align incentives in the marketplace, the way a carbon tax might create incentives for companies to take better care of the environment.

“What we recommend is to tax companies' behavior that is not in the interest of their users and not in the interest of innovation and growth,” he said.  “The French tax on non-compliant data collection behavior can really be compared to a carbon tax: In both cases, it creates an incentive for companies to change their behavior in the public's interest -- less pollution, more data protection, user empowerment and more innovation through smart disclosure.”

And while changing an entire tax regime would require international treaties, Colin argued that France could unilaterally impose privacy taxes on firms operating within its borders.

“There is no way companies can avoid it, because that would mean closing the service for users based in France,” he said. “Is Google ready to stop operating its search engine in France? Or Facebook ready to close 20 million accounts?” 

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter

Price tags are as fundamental to a market economy as money. Yet they've become an endangered species in the 21st century American economy. Quick: Can you say how much you spent on your cellphone bill last month? Or pay television? I'm sure you can't say how much you paid in fees on your investments. 

Follow @RedTapeChron

And if you've been to a grocery store lately, you know that price tags have quite literally disappeared from most items, replaced by often-confusing shelf tags.

We've discussed this phenomenon before at Red Tape Chronicles, focusing on failed efforts by a 90-something-year-old consumer advocate named Esther Shapiro to save price tags in the state of Michigan.

We first met Esther here, and talked her about losing the argument and Michigan giving up on price tags here.

Why are clear price tags important? Without them, there is no competition. Consumers can't shop around and pick the best price, or make judgments about the best value. Sure, it can seem silly to complain about hunting around for prices on spaghetti sauce jars, and critics have a point when they talk about the waste of labor it involves.

But the real problem with slain price tags comes with newfangled subscription products, where consumers slowly but surely become numb to price, and where hidden fees, huge bills and bait-and-switch teaser pricing leave buyers utterly confused. This phenomenon obviously hurts consumers, but it hurts industry too -- with clear pricing, the best companies with the best products and the best value are rewarded over time. Without clear prices, companies that create the most confusion win, and honest companies slowly fade away. For an academic look at this phenomenon, read, "Shrouded Attributes, Consumer Myopia, and Information Suppression in Competitive Markets."

In our Red Tape Chronicles: Protection series, we decided to take a very different approach to communicating the problem of disappearing price tags; a whimsical animation, created with collaboration from artists at the School of Visual Arts in New York City. Click on the play button above to watch. We hope you'll find  it fun and persuasive.

The potential extinction of price tags threatens our economy and our way of life, as it did during the Recession of 2008, which was caused in part because folks didn't understand how much they were paying for their houses, and how much the borrowed money cost. It's time for a more focused discussion on this critical element of capitalism, and we hope we've begun that discussion here.

See the rest of the Red Tape Chronicles: Protection series

Five percent of U.S. consumers have an error on their credit report that "could lead to them paying more for products such as auto loans and insurance," the Federal Trade Commission said Monday, as it issued a long-awaited study of credit report accuracy. 

Follow @RedTapeChron

“These are eye-opening numbers for American consumers,” said Howard Shelanski, director of the FTC’s Bureau of Economics.  “The results of this first-of-its-kind study make it clear that consumers should check their credit reports regularly.  If they don’t, they are potentially putting their pocketbooks at risk.”

The trade group for the nation's credit reporting agencies issued a swift response challenging the agency’s interpretation, saying the study shows credit reports are "highly accurate."

"The study also showed that 95 percent of consumers are unaffected by errors in their credit report," the Consumer Data Industry Association said in a statement.

The FTC study, eight years in the making, also tracked consumers as they tried to fix or dispute errors in their credit reports. More than one in 10 who did this saw their credit score change as a result.

The study was ordered by Congress in 2003, when it passed the Fair and Accurate Credit Transaction Act. The FTC followed 1,001 consumers as they tried to navigate the credit report system and to fix mistakes in their reports.

Among other things, the study found:

*26 percent of consumers in the study identified a "potentially material error";

*21 percent managed to obtain a modification of an error;

*Roughly half of that group experienced a change in credit score;

*Most of those credit score changes were minor, with roughly half resulting in swings of 20 points or less;

*The most important finding of all: For 52 of individuals studied, "the resulting increase was such that their credit risk tier decreased," meaning they were likely to get cheaper loan rates.

Consumer groups responding to the study said it indicates a need for reform of the credit reporting industry.

“It’s unconscionable that 40 million American have errors in their credit reports, and that 10 million have errors grave enough to cause them to be denied or charged more for credit or insurance or even be denied a job,” said Chi Chi Wu, staff attorney at the National Consumer Law Center. 

Studies of credit report errors have been conducted before, but they have produced confusing results. Many errors are not material — a misspelled street name for example.  And errors are not the real problem — lower credit scores that cost consumers when they try to get loans are. Credit bureaus are required by law to quickly fix mistakes, but there have long been allegations that the dispute process is difficult and stacked against consumers. The FTC report attempts to address that, too.

Of the 262 consumers in the study who disputed information they said was inaccurate:

*37 percent said all their concerns were addressed;

*42 percent said their report had been modified, but there were still errors on their report;

*21 percent said they were unsuccessful in getting their reports modified.

The report did not attempt to establish the veracity of the consumers' disputes.

Credit expert John Ulzheimer, who formerly worked with Fair Isaac, which invented the credit score, and is now president of Consumer Education at SmartCredit.com, said he felt both the FTC and the credit industry trade group were "embellishing" their claims about the results of the study, but he, too, found the FTC data troubling.

"I'd side with the FTC that the results are more disturbing than they are confirming credit files are accurate," he said. He suggested taking the dispute results with "a grain of salt" because the errors claimed by consumers were not independently confirmed.

FTC Chairman Jon Leibowitz told CBS News, which first reported the study’s findings on “60 Minutes,” that the results were "highly troubling. ... It's a pretty high error rate."

The credit industry began fighting back even before the “60 Minutes” segment aired. It issued a press release Sunday afternoon, and several employees of Experian spent the evening sending tweets to Twitter users who attacked the industry.

"It's easy to selectively hype snippets from the FTC study to sensationalize the issue," Stuart Pratt, consumer data industry spokesman, said in the release. "But the number important to consumers is the one they ignored – that only 2.2% of credit reports contain material errors."

The industry and FTC numbers differ because they describe slightly different things: The FTC says 5 percent of consumers are impacted by a serious credit report error, while the industry derives its 2.2 percent figure from the fact that consumers have three different major credit reports, and often errors appear on only one or two of those.

The industry also disagrees that errors are hard to fix.

"The notion that it is difficult to dispute an error is just wrong.  It is irresponsible to suggest to consumers that they might as well not take action when they have a question about their credit report," Pratt said.

Experian public relations officials repeatedly sent out this message last night: "If you ever spot an error on your credit report, please report here http://t.co/5nncPpfP Avg dispute time is 14 days."

It also sent users to the Experian website to read about the firm's policies

"Experian’s Commitment to Data Integrity, Customer Service and Consumer Education http://t.co/kejlxpQYvia @ExperianNews"

Some Twitter users complained about Tweet campaign:

"@Experian_US so (you are) responding (to) tweets from US but resolving life changing disputes from Chile and India!Priorities please!!!" wrote @elizabethforma.

As the Red Tape Chronicles and other outlets have reported, consumers disputes are often sent overseas for consideration, and workers in places like India and Chile only have a few moments to consider each dispute.

An Experian official who was sending out Tweets would not agree to be interviewed by NBC News; she directed questions to Pratt at the industry group.

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter