• ATM system called unsafe

    A U.S. Secret Service memo obtained by MSNBC.com indicates that organized criminals are systematically attempting to subvert the ATM system and unscramble encrypted PIN codes. (Will Burgess / Reuters file)

    Researchers who work for an Israeli computer security company say they have discovered a fundamental weakness in the system that banks use to keep debit card PIN codes secret while they are transported across bank networks – a flaw that they say could undermine the entire debit card system.

    The U.S. Secret Service is investigating the matter, and MSNBC.com obtained a memo compiled by the agency that indicates that organized criminals are systematically attempting to subvert the ATM system and unscramble encrypted PIN traffic.

    The report has ignited a debate within the banking industry, with many financial industry experts downplaying the seriousness of the flaw and outside experts divided on its implications. But there is no disputing the impact that such a hack would have if successful.


    Using the methods outlined by the researchers, a hacker could siphon off thousands of PIN codes and compromise hundreds of banks, said Odelia Moshe Ostrovsky, one of the report's authors. Criminals could then print phony debit cards and simultaneously withdraw vast amounts of cash using ATMs around the world, she said. The paper was co-authored by Omer Berkman, a researcher at The Academic College of Tel Aviv-Yaffo.

    Automated Teller Machines and point of sale debit card sales are a massive part of the global economy. In the U.S. alone, ATMs perform about 8 billion transactions every year and dispense $600 billion in cash, according to a study released earlier this year by Dove Consulting. Volume of retail store PIN-based debit card transactions is even higher.

    Word of the apparent security flaw first surfaced two weeks ago, when the PIN-hacking paper was published, stating that it would be possible for someone with access to the ATM network to attack the special computers that transmit bank account numbers and PIN codes, called hardware security modules.

    When consumers enter their personal identification numbers, or PINs, into an ATM, the PIN and account number must travel through several computers on a special network before they arrive at their home bank for verification. The data is encrypted immediately after it's entered at the ATM into what is known as a PIN block, then sent on its way.

    Rarely does the transmission go directly to a consumer's bank. Instead, it is handed off several times on a banking network run by several third parties. Each time a bank passes the data along, it goes through a switch that contains the hardware security module and the PIN block is unscrambled and then rescrambled. It is at these intermediate points where hackers could trick the machines into divulging PINs, the researchers said.

    "We show in these attacks that using only (a single) function we can reveal the content of every PIN block as if it's not encrypted," said Ostrovsky.

    PINs thought to be unassailable in transit
    The attack theory is significant because it has long been considered impossible to access PINs as they are traveling through the ATM network without the encryption key used by the card-issuing bank. But the ARX report said issuer keys are not necessary because computers along the network can be tricked into revealing PINs through a series of electronic queries that would enable criminals to make educated guesses about – and possibly break -- the encryption code.

    ARX sells hardware security modules to ATM networks, but Ostrovsky said its machines also are vulnerable to the attacks because they must communicate with other ATM network computers using the flawed protocols.

    Ostrovsky said her company shared the research with the Visa credit card association's risk management team and other U.S. financial industry security experts six months ago, and recommended systemwide ATM network changes. But U.S. banks weren't reacting fast enough to the risk, she said, so ARX decided to go public with its information and two weeks ago published a paper titled "The Unbearable Lightness of PIN cracking," which is now available on the Internet (in Adobe Acrobat format).

    Kim Bruce, a spokeswoman for the Secret Service, confirmed that the agency had been in contact with ARX to discuss the paper's findings, but declined to provide additional detail.

    Visa: Attack 'highly unlikely'
    A spokeswoman for Visa, which owns part of the ATM network and helps write security standards for it, confirmed that the flaws described in the paper are real, but said the threats they pose are minimal.

    "This research paper addresses an area that has been known for some time to the payments industry," said Rosetta Jones. "There are a range of standard security measures in place within member institutions and processors -- including limited access to databases and segregation of duties – that make this kind of attack highly unlikely. Through these layers of security, Visa and our member financial institutions are working to prevent the kinds of attacks theorized in the paper."

    She also said there is no evidence the attacks outlined by ARX have been attempted by criminals.
    "We are not aware of any instance where this kind of attack has actually occurred, and there is no link between the attack outlined in this paper and any recent data compromises," she said.
    It is clear, however, that organized criminals are systematically attempting to subvert the ATM system and unscramble encrypted PIN traffic.

    Russian Web sites indicate organized attacks
    Russian-language Web sites are abuzz with discussions about ATM network attacks, including discussion of the Israeli report, according to data gathered by the Secret Service and viewed by MSNBC.com.

    "In the fall of 2005 work for everyone was so successful because an employee of one of America's processors sold a database of material that went through its processing center," wrote a hacker who belongs to an online gang called Mazafaka, according to an English translation of a Russian Web site compiled by the Secret Service. "This material was then successfully exploited by our carder friends. The consequences of this deal could even be monitored on CNN, as well as in our own work (this applies to cashers). You may have noticed that after this event, ATMs more and more frequently give 'transaction declined' notices or give a small sum on the first transaction and then block the card."

    In another exchange cited in the Secret Service memo, a hacker offers to pay for databases of encrypted PINs, which theoretically should be useless unless someone had discovered a way to translate the data into valid PINs. In still another post, one claims to have recovered account data by "hijacking" hardware security modules.

    Industry downplays the threat
    Nessa Feddis, a spokeswoman for the American Bankers Association, also downplayed the scenario outlined by the Israelis and the overall hacking threat, saying that while PINs "are always going to be a target," the ABA is "not aware of any ability to undo the encryption."

    A spokesman for First Data Corp., which owns the STAR network, one of the largest ATM processing networks, said the company would not comment on the research paper.

    Other bank security groups also downplayed the threat.

    Catherine Allen, CEO of the Financial Services Roundtable's BITS organization, a consortium of security experts from the nation's top 100 financial institutions, said the risk suggested by the PIN-hacking paper is minimal because U.S. banks have already addressed the security concerns.

    But banking analyst Avivah Litan, an industry consultant with security firm Gartner, said banks aren't reacting strongly enough to the report.

    "This is nothing short of startling," she said. "No one is paying attention to this and I don't know why. It undermines the whole premise of ATM security."

    How the attacks would work
    The attacks described in the ARX paper could not be conducted remotely over the Internet. They would require a criminal to be on the same local network as the hardware security module. Because ATM switches are heavily guarded and monitored, such access is unlikely, argued a BITS representative, who spoke on condition of anonymity.

    But such ATM switches can be located anywhere in the world, Ostrovsky countered. That creates a "weakest link" vulnerability in which one poorly guarded switch could theoretically be used to compromise every bank whose debit cards have flowed through that switch, she said.

    Each switch contains a hardware security module, which is a simple computer in a tamper-proof box designed to perform a few PIN-related functions, beginning with decrypting and encrypting. But the boxes also contain other small programs, or functions, which allow the machines to change a customer's PIN or calculate other PIN-related values. Most ATM switches don't need these tools; however, they are often available by default.

    This unnecessary software is exploited in some of the attacks described by the paper, which recommends that switch operators turn off the unnecessary functions. But even that's not enough, Ostrovsky said. The one essential function of a switch -- encrypting and decrypting, a process known as "translate" -- is all an attacker needs to trick the machine into divulging PINs, a hack that would put nearly every ATM switch at risk, she said.

    "This is not an attack on a certain configuration or installation. This is an attack on the protocol itself. It must be updated," Ostrovsky said.

    There are competing protocols, or PIN block formats, in use in the ATM network, and each machine must support all those formats, she explained. In one version, the 16-digit PIN block contains two formatting characters, four PIN characters, and 10 additional slots with information about the customer's account number. That's the standard used in the U.S. Another standard combines the formatting characters and PIN characters with random digits, and sends the account number separately.

    The translate function not only assists in encrypting – it also allows the machine to translate the PIN block from one format to another. This allows an attacker to take advantage of the weaknesses of both, creating a "least-common-denominator" vulnerability, Ostrovsky said.
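    As an added illustration, not taken from the article or from the ARX paper, the following Python encodes and decodes the two PIN block layouts the preceding paragraphs describe. It assumes they correspond to ISO 9564-1 format 0 (the PAN-bound block the article calls the U.S. standard, whose PIN field is XORed with 12 account-number digits) and format 1 (the random-padded block that carries no account number); the PIN and PAN values are constructed sample data.

```python
"""Encode and decode the two ISO 9564-1 PIN block formats the article describes.

Format 0 (the U.S. standard the article mentions) XORs the PIN field with the
12 rightmost account-number digits (check digit excluded), so a clear block is
bound to one PAN.  Format 1 pads the PIN field with random hex digits instead
and carries no account information, so the PAN must travel separately.
The PIN and PAN values used below are constructed, not real.
"""
import secrets


def _pan_block(pan: str) -> str:
    """Format 0 'block 2': four zero nibbles + the 12 rightmost PAN digits
    excluding the Luhn check digit (the last digit)."""
    if not (13 <= len(pan) <= 19) or not pan.isdigit():
        raise ValueError("PAN must be 13-19 decimal digits")
    return "0000" + pan[-13:-1]


def _pin_field(control: str, pin: str, padding: str) -> str:
    """Control nibble, PIN length nibble, PIN digits, then padding to 16 nibbles."""
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4-12 decimal digits")
    field = control + format(len(pin), "X") + pin
    return (field + padding)[:16]


def encode_format0(pin: str, pan: str) -> str:
    """Build a clear-text format 0 PIN block (the value an HSM would encrypt)."""
    field = _pin_field("0", pin, "F" * 16)
    return format(int(field, 16) ^ int(_pan_block(pan), 16), "016X")


def decode_format0(block: str, pan: str):
    """Recover the PIN from a clear-text format 0 block; None if the block does
    not validate against this PAN (a wrong PAN shows up as non-'F' padding or
    as non-decimal PIN digits)."""
    field = format(int(block, 16) ^ int(_pan_block(pan), 16), "016X")
    if field[0] != "0":
        return None
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        return None
    pin, pad = field[2:2 + length], field[2 + length:]
    if not pin.isdigit() or pad != "F" * len(pad):
        return None
    return pin


def encode_format1(pin: str, random_hex: str = None) -> str:
    """Build a clear-text format 1 PIN block; random hex fills the tail."""
    if random_hex is None:
        random_hex = secrets.token_hex(7).upper()  # 14 hex chars, enough for any PIN length
    return _pin_field("1", pin, random_hex)


def decode_format1(block: str):
    """Recover the PIN from a clear-text format 1 block; no PAN is needed."""
    if len(block) != 16 or block[0] != "1":
        return None
    length = int(block[1], 16)
    if not 4 <= length <= 12:
        return None
    pin = block[2:2 + length]
    return pin if pin.isdigit() else None


if __name__ == "__main__":
    pin, pan = "1234", "4111111111111111"   # constructed sample values
    b0 = encode_format0(pin, pan)
    print("format 0:", b0, "->", decode_format0(b0, pan))
    # The same block checked against a different account fails validation.
    print("format 0, other PAN:", decode_format0(b0, "5500000000000004"))
    b1 = encode_format1(pin)
    print("format 1:", b1, "->", decode_format1(b1))
```

Running it shows the point the paragraph makes: the format 0 block only decodes against the account it was built for, while the format 1 block decodes with no account number at all.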

    The BITS representative who spoke on condition of anonymity conceded such attacks are feasible, but called the risk "very, very, very, very remote." He added that bank robbers have much easier ways of stealing money than complicated PIN prediction tactics.

    Litan is not so sure. She said the research paper undermines the basic premise of ATM network security – the idea that only a computer loaded with the encryption key created by the issuing bank can reveal a PIN.

    "The premise was 'It doesn't matter what happens along the path,' so even people who could access the PIN blocks couldn't do anything with them," she said. "This blows that out of the water."

    'A worrisome thing'
    Michael McKay, an independent consultant who helped design Hewlett Packard's hardware security module, called Atalla, described the ARX attack as "a worrisome thing, a real concern."

    "It's commonly thought that there are some organized crime groups that have made concerted efforts on this," he said. "So we believe there have been people who've cracked parts of the system."

    Ross Anderson, a cryptology expert at the University of Cambridge in the United Kingdom who has written several papers on ATM security, called the research paper "a fairly big deal."

    But he noted that previous research also has demonstrated widespread vulnerabilities in the ATM PIN system. He cited a paper he co-wrote with student Mike Bond in 2001 that showed that many supposedly tamper-proof cryptographic systems can be fooled into divulging information by sending them confusing commands. Another paper, authored by Bond, showed that a would-be ATM hacker could use flaws in the way banks generate PINs to reduce the average number of guesses required to mathematically discover a PIN from 5,000 to as few as 15.

    "Customers can't rely on bank assurances that 'our systems are secure,'" Anderson said.

    Banks hit by a successful attack like the one described by the Israeli researchers may not even know the origin of the theft, Ostrovsky said. An insider would simply steal the PINs, create associated fake debit account cards, and steal money from ATMs around the world. Consumers who complained that money was missing from their accounts might be met with skepticism, she said.

    Consumers should watch their accounts for any signs of suspicious activity, but other than that there isn't much they can do in response to this research, McKay said.

    Bank industry officials point out that the attacks must be carried out by someone with direct access to an ATM switch, limiting the potential for abuse. But Litan said the limitation is hardly reassuring.

    "It's not much comfort that they have to be on the inside," she said. "As we've already seen, it's easy for criminals to open up their own ATM network. And banks do have insiders with flaws."


    Clarification: Omer Berkman's name was originally omitted from this article as co-author of "The Unbearable Lightness of PIN Cracking." MSNBC regrets the omission.


  • Cyber Monday? That's next month

    After Thanksgiving dinner last week, perhaps some in your clan snuck off to organize sales circulars and plot their Black Friday shopping route. It is an American tradition, that Friday after Thanksgiving being the heaviest – and loopiest -- shopping day of the year. And with retailers like CompUSA opening their doors even before Thanksgiving was over -- at 9 p.m. on turkey night -- Black Friday is the real deal.

    On the other hand, Cyber Monday – the Monday after Thanksgiving said to be the busiest online shopping day of the year -- is a myth. Procrastinators rule the day when it comes to online shopping, and the day when most of them click-shop for presents actually falls in the middle of December, just about the last day they can expect their gifts to arrive in time for Christmas.


    At this time last year, I started to see story after story talking about Cyber Monday. As the tech reporter, I was embarrassed to admit I had no idea what people were talking about -- and talking about as if everybody knew what they were talking about.

    The storyline was this: Just like the offline world, online holiday shoppers stampede right after digesting their Thanksgiving turkey. The first work day after Thanksgiving, that Monday, was declared Cyber Monday by the National Retail Federation. Somehow -- it's not clear where this began -- the day became synonymous with the busiest e-shopping day of the year. (The National Retail Federation says it's only responsible for the name, not the claim that it is the busiest day. We incorrectly attributed the claim to the association in an earlier version of this column.) Whoever did, it was repeated so often that many people assumed it must be true.

    It was not and is not.

    CyberSource Corp., based in Mountain View, Calif., helps process electronic credit card payments for many major online retailers, including CompUSA, JC Penney and Blue Nile. The company says that one of every eight dollars spent online flows through its payment system, so it has a pretty good sense of e-shopping volume. And according to CyberSource, the busiest shopping day on the Web has occurred on a Monday in the middle of December for six straight years.

    "This rule of thumb has held up for six years," said Doug Schwegman, director of market and customer intelligence for CyberSource. "It's always the Monday closest to Christmas with (at least) seven days left for shipping."

    Don't get me wrong, Web shoppers have been busy. In fact, so many showed up this weekend that Wal-mart.com was temporarily knocked off-line. Nielsen/NetRatings, which measures Internet traffic, said about 12 percent more Web shoppers went online on Black Friday this year than last year, a modest but respectable increase. But trying to create a connection between Black Friday and Cyber Monday is just a marketing creation.

    This year, CyberSource predicts Dec. 18 will be the magic day. That might not be good news for e-tailers, who will be jamming up UPS and FedEx trucks right up to the last minute.

    And that's the reason you just might be tempted to sneak off to a few Web sites this week and get in some early shopping. Anxious retailers see the writing on the wall and are battling procrastination with discounts for early shopping, such as free shipping.

    "During the last two years, merchants have made more efforts to encourage people to shop earlier," Schwegman said. "They don't want the logistics nightmare."

    That work is paying off. While shopping does spike on all Mondays between Thanksgiving and Christmas, the spike is only on the order of 10 percent to 20 percent over previous weeks. Many online shoppers are planners who like to finish gift-buying early, Schwegman said. Of all the purchases made between Nov. 1 and Christmas Eve, about half take place before Thanksgiving, and half after -- suggesting a rather even-keeled online shopping season.

    Contrast that with Black Friday, when shoppers begin lining up the night before and generally behave like thirsty desert-walkers who've just spotted an oasis. There really is no equivalent stampede online.

    It should not be a surprise that the busiest e-shopping day is basically the deadline day for Christmas gift buyers. But the fact that it always falls on a Monday is not quite as easily explained. Schwegman theorized that online shoppers spend their weekends outside and don't want to be working on their computers; or that they spend their weekend shopping in brick-and-mortar stores, and then go online at work on Monday to look for the best prices and execute their purchases.

    I have a slightly more cynical view. Monday is easily the work week's most depressing day. Doesn't it make sense that e-tail therapy would also be heaviest on Mondays?

    Now, time to get back to shopping … I mean work.

  • Spam never dies

    Three years ago, MSNBC.com intentionally answered spam advertisements for cheap mortgage loans to see what would happen. Very soon, we received offers from a host of mortgage brokers, including household brands like Ameriquest and Quicken Loans, proving that spam is big business.

    Now, we've proven something else: Spam never dies.


    Recently, I received yet another solicitation in response to the spam I answered -- a full three years after the fact. In this case, I got a phone call from someone who was half-way around the globe asking if I was interested in refinancing my mortgage.

    I knew the origin of the call because I answered the spam with a special name I'd borrowed from one of my childhood baseball heroes, and entered a rarely used spare phone line as the call-back number. The caller rang this spare line, and asked for my hero.

    The telemarketer could barely speak English. But when I expressed even the slightest interest in talking, he transferred me to a supervisor, after explaining that he was "new on the job."

    When quizzed, the supervisor said she worked for a marketing association in the outskirts of Los Angeles. My caller ID showed the call originating in northern Virginia. But neither of those was accurate. The call actually came from Mumbai, India, I would later discover.

    The supervisor wouldn't tell me much about herself or her company, not even her first name. She said she had gotten my telephone number from public records, which are filed with every house purchase. That was a lie, of course, since she had called an office telephone line.

    She asked for some very basic information – my house value, my loan amount and my interest rate. But then she was very eager to transfer my call again, despite my repeated questions about her company. Eventually, I agreed. In a bit of reportorial luck, she accidentally conferenced me in when making the transfer. I played dumb and listened in on their dialog.

    Pursuing 'India leads'

    Ray Herndon, the man who took the call, was irritated. It was late afternoon, probably too late to start on a new deal, he said. After putting up a bit of a complaint, he agreed to take the call.

    "Mr. Hunter," he greeted me. "So I see your home is worth ...."

    Herndon said he was a senior loan officer with Pacific Equity Services, a mortgage broker in Vancouver, Wash. I immediately asked Herndon how he'd gotten my phone number; he was honest with me.

    "We call these 'India leads,'" he told me. Employees at a call center in India place the calls and then, when a consumer answers, they are transferred to loan officers in the U.S.

    When I complained, Herndon referred me to company CEO Rod Santic.

    Santic was also honest with me. He said he pays $24 for each "live transfer" of a potential customer.

    "It's like reverse telemarketing," he said. Instead of paying his own employees to place hundreds of cold phone calls, Santic pays a company in Mumbai, India, for every potential customer they can successfully transfer to one of his loan officers.

    "I don't know where (the leads) come from. I know it's pretty dark and bleak back there," he said.

    The mortgage lead business is notoriously murky and cutthroat. Three years ago, when MSNBC.com answered its first spam, we found that mortgage companies paid about $10 apiece for our information. Those e-mail leads are only worth about $4 now, Santic said. Meanwhile, live transfer leads can cost as much as $100. Even so, the quality of those leads is often terrible, he said.

    Thanks to the Do Not Call list, the number of consumers who can be cold-called and turned into a business deal is ever-shrinking.

    But even if you are on the Do Not Call list, our experience shows that one momentary lapse of reason, one spam you answer, or even one mortgage refinancing advertisement you click on, could make you the subject of unsolicited marketing pitches for years. You're better off avoiding such pitches altogether.

  • Will Dems be able to cut out some Red Tape?

    Consumer protection has taken it on the chin during the recent Republican rule, often shoved aside in the interest of laissez-faire economics. As a result, we've seen anomalies like 30 percent credit card interest rates, virtually no enforcement of truth in advertising laws, the growth of powerful data collection companies, very little protection against identity theft, and so on.

    One might assume that last week's election results and the dramatic shift toward Democratic influence might signal a shift in favor of consumers and away from big business. But that might be a bit optimistic. Consumer protection advocates have mixed, wait-and-see feelings about the upcoming 110th Congress. Here's a look at Red Tape-related legislative work that the new Congress might face.


    Robert Manning, author of "Credit Card Nation" and maker of the documentary "In Debt We Trust," is pessimistic that the incoming Congress will have the courage to address the issue of high credit card interest rates. Outside of possible limitations on universal default -- the crazy practice that allows credit card issuers to raise your rate if you are late paying some other, unrelated bill -- Manning doesn't think there will be any significant consumer debt laws introduced in advance of the next presidential campaign.

    "There isn't a senior member of Congress willing to become a lightning rod on this issue who has a secure enough position to incur the wrath of the financial services industry," he said. "It's a sad story."

    Consumers Union legal expert Gail Hillebrand is a bit more positive. She notes that Sen. Christopher Dodd, D-Conn., who is expected to chair the Senate Banking Committee, has introduced consumer-friendly credit card legislation in the past and may look favorably on new credit laws.

    "I think credit card issues will be in play," she said. "Every year we see good reform bills introduced and never moved. ... It's time to do something about credit cards."

    Bankruptcy, Net Neutrality
    Consumers shouldn't anticipate the unwinding of the bankruptcy bill, however. That law made it easier for lenders to collect debts and harder for consumers to erase them, even under the most trying circumstances, such as devastating medical bills. After all, even Sen. Hillary Clinton, D-N.Y., declined to vote against it the first time, choosing instead to abstain.

    Democrats may decide to take on Net Neutrality, one of several tech-related issues left twisting in the wind by Republicans. Last session, Democrats tended to support the idea of neutrality as it was presented in the various upgrades to the omnibus telecommunications bill Congress considered last year, but it's not clear what neutrality will look like in any new legislation, or if Democrats will maintain their support for it as the majority party.

    Telecommunications firms like Sprint want to charge heavy users extra fees, but Web sites like Craigslist and Google want none of that. Telecom bills in both the House and Senate stalled half-way through the legislative process in the last session. Democrats will have to decide if, and how, to support Net neutrality legislation, which some say will determine the future of the Internet as much as any law Congress could pass.

    That includes extension of the Internet as a tax-free zone, another measure the Democrat-controlled Congress is likely to face.

    Data leaks, pretexting, check-clearing
    Hillebrand also hopes Democrats will be able to push through data breach notification legislation, a law that might be called "The ChoicePoint Bill." Since the string of lost data stories that began in 2005, about a dozen laws have been proposed to force companies to disclose data losses to consumers. But most would actually have eased the burden placed on companies by state laws, and none was enacted.

    A law that would have made it illegal to lie in order to obtain someone else's phone records, a practice called pretexting, also stalled in the last session, despite overwhelming, non-partisan agreement on the issue. While Congress was debating, the infamous Hewlett Packard spying scandal unfolded before the public, underscoring the need for anti-pretexting legislation.

    PrivacyToday.com publisher Rob Douglas said he hopes the new Congress will take quick action on that. "We need finality on this issue," he said.

    There are a number of other consumer-friendly issues Hillebrand hopes will get an airing in the new Democratic Congress, including the mundane but critical issue of check clearing times. Banks can still take up to five days to clear a check and make funds available to depositors, even though the advent of Check 21 (The Check Clearing for the 21st Century Act) allowed banks to clear funds for themselves much more quickly.

    "It's been 16 years since the period (consumers had to wait) was shortened," she said. "Everything else has speeded up during that time." A Federal Reserve study on the issue of check clearing is due in February, and Hillebrand expects action soon after.

    Identity theft protection, privacy
    The new Congress also may revisit laws that would help consumers deal with identity theft. A proposed federal law that would give ID theft victims the right to freeze their credit reports stalled in the last Congress, in large part because it, too, offered reduced protections compared to several state laws and wasn't supported by consumer agencies.

    Consumer advocates would welcome a new provision that didn't interfere with state laws, and would be similarly enthusiastic if Congress were to review the Fair and Accurate Credit Transaction Act of 2004, which updated the Fair Credit Reporting Act. That law also preempted several state ID theft protection laws. Hillebrand, however, is skeptical that Democrats are willing to open that Pandora's box.

    Douglas is also skeptical that Democrats will attempt to take on the larger issue of privacy -- perhaps through a comprehensive updating of the 1974 Privacy Act. Two Democrats -- Rep. Ed Markey of Massachusetts and Sen. Bill Nelson of Florida -- have been among the most vocal privacy advocates in Congress, but both are expected to support piecemeal solutions, such as the anti-pretexting legislation, or legal clarifications regarding Bush administration surveillance strategies like warrantless wiretapping, he said.

    Still, Douglas is hopeful that the change in Washington might bring welcome progress on privacy-related issues that had otherwise hit a dead end.

    "My hope is that these issues may get a fresh look ... that we get a fresh set of eyes on these issues," Douglas said.

  • Florida AG investigates FreeCreditReport.com

    The Florida state attorney general's office has opened an investigation into potentially misleading advertising by FreeCreditReport.com.

    The Web site, owned by credit bureau Experian Group Ltd, offers consumers a chance to obtain their credit reports and credit score by signing up for a paid subscription service.

    In response to a public record inquiry by MSNBC.com, the office of Florida Attorney General Charlie Crist issued a statement indicating it had opened an investigation to determine whether Experian has violated Florida's Deceptive and Unfair Trade Practices Act.


    The investigation will cover several entities owned by Experian, including Consumerinfo.com, Inc., Experian Consumer Direct; Qspace, Inc.; Iplace, Inc.; and the Web sites Consumerinfo.com; Creditexpert.com; and Creditmatters.com.

    The inquiry will examine allegations of the firm's "failure to adequately disclose negative option enrollment ... deceptive advertising, misleading domain name, and failure to honor cancellations," the agency says on its Web site. The investigation involves a potential civil -- not a criminal -- case, and the opening of the investigation does not constitute proof of wrongdoing.

    Neither the attorney general's office nor Experian immediately responded to requests for comment.

    In September, MSNBC.com investigated FreeCreditReport.com's advertising strategies, which include a late-night television campaign urging consumers to get their free credit report at FreeCreditReport.com. The ads don't disclose fees associated with obtaining the report, but end simply with a disclaimer saying that credit reports can only be obtained "with enrollment in Triple Advantage."

    Starting in 2004, Congress mandated that the nation's three credit bureaus open a Web site where consumers could obtain their credit reports for free, once each year. That site is AnnualCreditReport.com. Concerns have been raised that consumers can easily confuse FreeCreditReport.com, Experian's for-profit site, with the government-mandated AnnualCreditReport.com.

    This is not the first time FreeCreditReport.com has run into trouble with regulators. In August 2005, Experian settled charges leveled by the Federal Trade Commission that it purposely "misled consumers about their association with the annual free credit report program," the FTC said.

    Experian admitted no wrongdoing when settling the charges, but agreed to refund consumers and surrender about $1 million in "ill-gotten gains," according to the FTC. It also agreed to change marketing strategies.

  • Introducing 'The Gotcha Room'

    How do you make small print large enough for consumers to see?

    That's the challenge facing those of us who take sick pleasure in reading through the fine print, then warning off friends about companies' devious ways with tiny type. It's a big challenge. The really important stuff (how much things actually cost) is often buried under a mountain of verbiage or hidden at the very edge of the margins. And often, consumers have only a few seconds to glance at a burdensome contract with a sneaky fee bomb hidden inside, set to go off in a month or two. In these situations, where buyers are trapped in what I call a "captive" situation, it seems there is little hope of spotting the small print.

    Unless you know where to look. This video will show you where.


    Today, we're experimenting with a new way to help you find hidden fees -- something we're calling "The Gotcha Room." With the help of three-dimensional graphics, we're taking a 22-page cell phone bill and pulling out exactly the line you need to look for to find the latest cell phone "Gotcha."

    Earlier this year, we reported on cell phone upgrade fees and tapped into a seething mass of frustration. Close to 1,100 of you wrote in to complain. Then, we offered a series of strategies aimed at getting you your money back from cell phone companies if you feel you've been charged unfairly.

    Still, telling you about sneaky fees is one thing; showing you is another. So today we'll show you where we found a cell phone upgrade fee on Washington, D.C., resident Julie-Ann Klein's cell phone bill. After watching the video, we hope you'll know where to look. Click here to watch it.

    The graphics wizardry comes courtesy of NBC producer Andy Gross, editor Von Brunson and graphic artist Corey Hall.

    If you like The Gotcha Room, feel free to suggest other small print we can magnify for you.

  • Phishing gets much more profitable

    Internet users who fell for phishing e-mails in the past year lost five times as much money as victims in the preceding 12 months and are far less likely to recover the stolen funds, according to a survey released Thursday by the research firm Gartner.

    "People kept saying this problem will become manageable, but what surprises me is it's getting worse," said Gartner analyst Avivah Litan, who estimated that the phishers used personal data obtained through phony e-mails to steal $2.8 billion during the past several years.


    Phishing, which emerged as a major Internet concern several years ago, involves a criminal creating an e-mail that masquerades as official correspondence from a name-brand bank or Web site. But the message is really a ruse designed to persuade recipients to click on a link in the e-mail, visit a Web page controlled by the criminal, and dupe consumers into divulging personal information.

    You've probably been aware of phishing for several years now, and yet the irritating spammed fraud messages keep coming. There's a good reason: They still work and are becoming even more lucrative. Despite dogged efforts by technology firms and financial institutions, phishers seem to be staying one step ahead.

    Twice as many consumers reported receiving at least one phishing e-mail in the 12 months ending Aug. 30, 2006, compared to the previous year, the survey found. And twice as many said they clicked on a link in a phisher e-mail during the past year.

    But Litan's most troubling finding is that the average loss per victim nearly quintupled since Gartner's last survey, from $257 per incident to $1,244.

    Victims also are having a tougher time recovering their losses. In the 2004-2005 survey, 80 percent of victims said they were able to get refunds for the stolen money, most often from their banks. In the most recent period, that number plummeted to 54 percent.

    New ruses

    One reason for the decline is that phishers have moved away from posing as major banks in favor of more creative and elaborate e-mails, including fake sweepstakes messages. In one, a criminal tells recipients they have won the "Microsoft Sweepstakes Lottery International Programme." Clicking on the enclosed link sometimes prompts "winners" to send money to the criminal using an unprotected wire service or Internet payment mechanism, which don't have the same refund protections as credit card or online banking transactions.

    There is some good news in Litan's report. The number of people who say they've lost money to phishers declined slightly -- albeit by an amount that's within her survey's margin of error of 3 percent.

    Federal regulators have responded to the phishing problem, requiring this year that banks implement new security schemes to protect online banking customers. Bank of America was among the first to adopt procedures that go beyond a simple user name and password for access to online banking. Through its SiteKey initiative, consumers personalize their online bank homepage with a picture that is meant to help them tell the real bank site from a fake one. Consumers must also answer additional personal questions, such as, "What high school did you graduate from?" before accessing their accounts.

    But phishers are taking on that challenge. Last month, security firm Sestus Data Corp. reported on an elaborate look-alike e-mail designed to mimic Bank of America's SiteKey log-in screen. The link transported users who clicked on it to a Web page that asked them to enter the personal questions and answers they had previously entered.

    Even with that information, criminals would have a hard time getting past Bank of America's log-in screen. But they would have a good head start.

    Antivirus firm F-Secure also reported last month that phishing has not slowed down. It found a thriving aftermarket for look-alike domain names like "Bankofameruca.com" or "chasebank.ru" that it said were being purchased by "phishing gangs."

    Financial institutions are still thrashing about trying to combat the problem, Litan said. Many call her firm for advice, flustered by the problem.

    A difficult fix

    "There is no easy way for them to solve it," she said. "Basically it requires them to tighten up the Internet and there is no easy way to do that."

    There are two pieces to a phishing attack -- a lure and a trap. The lure, which is really just spam, comes in the form of a look-alike e-mail that implores recipients to click on an embedded link. Part two is a Web site controlled by a criminal that contains forms where consumers enter their personal information.

    The attacks are effective because it's easy for an e-mail message or a Web site to masquerade as a bank's legitimate correspondence or log-in page. In some cases, it's nearly impossible to tell the difference between the imposter and the real thing.

    So far, attempts to slow the crime have largely focused on taking down phishing Web sites. Companies pay firms to scan the Internet for look-alike sites and have them removed as soon as possible. That's a challenge, given that many sites are hosted overseas, but there have been some successes.

    Still, Litan said, the phishers are staying ahead in this game by time-sharing "botnets" of hacked computers and continually moving their Web sites around the Internet.

    "Companies are putting in these detection services, spending all this money, but the attacks are still getting through," she said. "Phishers really know how to evade detection services. They are an elusive enemy."

    Ultimately, she said, criminals will control so many hacked computers connected to the Internet that each phishing spam e-mail will have a link to its own unique Web site -- rendering takedown strategies completely ineffective.

    Even the newest anti-phishing services, such as the detection feature included in new Web browsers, aren't terribly effective, Litan said. These work much like antivirus or anti-spam software: the browser checks each site a user visits against a list of known phishing sites and blocks the ones on it, a procedure called "blacklisting." The software has some ability to recognize new threats, too. But like antivirus software, it has trouble keeping up with fast-changing attacks, and a phishing site that is brand new or has just moved is not yet on anyone's list.

    Instead, Litan believes banks and Internet providers will ultimately have to rely more on some kind of "white-list" procedure, which positively identifies legitimate e-mail from banks and other institutions and labels everything else as suspicious.
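    The look-alike names F-Secure describes ("Bankofameruca.com", "chasebank.ru") and the white-list policy Litan favors can be shown in code. The following is an added example, not code from the article, Gartner, F-Secure or any bank: it pulls the links out of e-mail bodies, reduces each to its registered domain, and labels it "legitimate" only if that domain is on a whitelist, "lookalike" if it is within a couple of keystrokes or homoglyphs of a whitelisted brand, and "suspicious" otherwise, which is what a whitelist does to a per-recipient throwaway hostname. The whitelist, the confusable-character table and the sample messages are constructed for the example, and the two-label registered-domain shortcut is an assumption (real code should consult the Public Suffix List).

```python
# Added example (not from the article, Gartner, F-Secure or any bank):
# classify e-mail links against a whitelist of legitimate domains and flag
# typosquatted look-alikes.
import re
from urllib.parse import urlparse

# Whitelist of legitimate domains. ASSUMPTION for the example: a real list
# would come from the institutions themselves and be far longer.
KNOWN_GOOD = {"bankofamerica.com", "chase.com", "microsoft.com"}

# Digits and digraphs that read as other letters at a glance.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname: 'a.b.chasebank.ru' -> 'chasebank.ru'.

    ASSUMPTION: two-label suffixes such as .co.uk are not handled; production
    code should use the Public Suffix List instead of this shortcut.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(name: str) -> str:
    """Fold look-alike characters so 'rnicrosoft' compares as 'microsoft'."""
    for bad, good in CONFUSABLES.items():
        name = name.replace(bad, good)
    return name


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 or 2 means a one- or two-key typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """'legitimate' (whitelisted), 'lookalike' (near a whitelisted brand),
    or 'suspicious' (everything else, as a whitelist policy requires)."""
    if domain in KNOWN_GOOD:
        return "legitimate"
    name = normalize(domain.split(".")[0])
    for good in KNOWN_GOOD:
        brand = good.split(".")[0]
        if brand in name or levenshtein(name, brand) <= 2:
            return "lookalike"
    return "suspicious"


def classify_links(body: str) -> dict[str, str]:
    """Map every URL found in an e-mail body to its classification."""
    out = {}
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        out[url] = classify_domain(registered_domain(host))
    return out


# Constructed sample lures (not real messages), one link per "recipient".
SAMPLE_EMAILS = [
    "Your statement is ready: https://www.bankofamerica.com/login",
    "Verify your SiteKey now at http://bankofameruca.com/sitekey",
    "Account locked. Click <http://chasebank.ru/verify> within 24 hours.",
    "Congratulations! Claim at http://rnicrosoft-lottery.com/claim",
    "Security update: http://chase.com.verify-account.net/",
    "You have won. http://k3j9x2.prize-winner.biz/u/44817",
]


def scan_all(emails=SAMPLE_EMAILS) -> dict[str, str]:
    merged = {}
    for body in emails:
        merged.update(classify_links(body))
    return merged


if __name__ == "__main__":
    for url, label in scan_all().items():
        print(f"{label:10} {url}")
```

Note that the last two samples never match a brand: a whitelist does not need to know the attacker's hostname in advance, which is exactly the property a blacklist lacks when every lure links to its own freshly registered or freshly moved site.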

    That might sound severe, but Litan believes electronic commerce is suffering in the current environment. She said consumers report spending about $2 billion less online this year over fears about electronic fraud.

    "That's all money left on the table," she said, in addition to the money criminals are taking off the table for themselves.

  • Cop's errant click posts personal info

    There's a new reason to be concerned about an encounter with local police, whether you're a victim or a suspect.

    In Ohio last month, a police department accidentally published intimate details about every person officers encountered during a single day, including Social Security Numbers, driver's license numbers and more.


    A stray click led the Bowling Green, Ohio, Police Department to publish the wrong report to the agency's police blotter Web site on Oct. 21, according to operations Lt. Brad Biller. Instead of posting a sanitized blotter, with all the personal information redacted, the agency published what is known as an "end of day report."

    That report includes birth dates, SSNs, race descriptions, license numbers and more on each of the nearly 200 people the cops had contact with that day. It also included extended narratives about each incident, written by the responding police officer.

    "A dispatcher ran the wrong report and provided the wrong report to the technology people," Biller said. "We uploaded the wrong report."

    Web surfer Ann Snowberger, who lives in Three Forks, Mont., alerted MSNBC.com to the error. She found it using Google while she was researching an individual whose name appeared in the report.

    That person, whose name MSNBC.com agreed not to publish, had been given a warning on Oct. 21 because she had not properly displayed her front license plate.

    "Much to my horror," Snowberger said, "I discovered that the Bowling Green Police department has published 52 pages (of the report) on the Internet."

    By the time MSNBC.com searched for the report, it was no longer available on the Bowling Green Web site. The city keeps only seven days' worth of reports on its site. But a cached version of the report was stored on Google's servers, and was accessible Friday afternoon. The cached version was removed after MSNBC.com contacted Google.

    Inadvertent publication of Social Security Numbers on government Web sites is nothing new. Private information can often be found on county tax records, divorce or bankruptcy proceedings and other public documents published by local agencies.
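    The Bowling Green failure is a process failure: the wrong file reached the upload step, and nothing between the dispatcher and the Web site looked at its contents. The check a practitioner would put there is a content gate that scans the exact text about to be published for the identifiers the article lists (Social Security numbers, dates of birth, license numbers) and refuses the upload if any appear, regardless of which report was run. The following is an added example and not the department's software; the report text, names and numbers are constructed, and the two-letter, six-digit license format is an assumption rather than any state's real format.

```python
# Added example (not the police department's software or process): a
# pre-publication gate that scans whatever report is about to be uploaded
# for SSNs, dates of birth and license numbers and blocks the upload if any
# are present, so uploading the wrong report fails safe.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    masked: str  # last four digits only, safe to show in a rejection log


PATTERNS = {
    # SSN: area 000/666/9xx, group 00 and serial 0000 are never issued.
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Date of birth written as "DOB: mm/dd/yyyy".
    "dob": re.compile(r"\bDOB[:\s]+\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    # Driver's license: the two-letter, six-digit shape is an ASSUMPTION for
    # the example; real code would use the issuing state's actual format.
    "license": re.compile(r"\b(?:DL|OLN)[:#\s]+[A-Z]{2}\d{6}\b"),
}


def mask(value: str) -> str:
    """Keep only the last four digits of a matched value."""
    digits = [c for c in value if c.isdigit()]
    return "..." + "".join(digits[-4:])


def scan_report(text: str) -> list[Finding]:
    """Return every identifier found, by line, with the value masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, kind, mask(match.group(0))))
    return findings


def safe_to_publish(text: str) -> bool:
    """Run on the exact bytes being uploaded, never on the report's name."""
    return not scan_report(text)


# Constructed sample reports; all names and numbers are invented.
SANITIZED_BLOTTER = """\
10/21 08:14 Traffic stop, Main St. Warning issued: front plate not displayed.
10/21 11:02 Theft report, Elm St. Bicycle taken from porch. Tips: 555-0100.
"""

END_OF_DAY_REPORT = """\
10/21 08:14 Traffic stop, Main St. Warning issued: front plate not displayed.
  Subject: DOE, JANE  DOB: 04/12/1978  SSN: 123-45-6789  OLN: RK123456
  Narrative: Officer observed the vehicle without a front plate and ...
10/21 11:02 Theft report, Elm St. Bicycle taken from porch. Tips: 555-0100.
  Complainant: ROE, RICHARD  DOB: 9/3/1960  SSN: 321-54-9876
"""

if __name__ == "__main__":
    for name, report in [("blotter", SANITIZED_BLOTTER), ("end-of-day", END_OF_DAY_REPORT)]:
        verdict = "PUBLISH" if safe_to_publish(report) else "BLOCKED"
        hits = [(f.line_no, f.kind, f.masked) for f in scan_report(report)]
        print(name, verdict, hits)
```

The SSN pattern deliberately rejects shapes that are never issued and does not fire on a seven-digit phone number, so the sanitized blotter passes while the end-of-day report is blocked on the lines that carry personal data. A gate like this would not have stopped the dispatcher from running the wrong report, but it would have stopped the wrong report from going live.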

  • U.S. near the bottom in privacy study

    U.S. privacy protections rank among the worst in the democratic world, a London-based privacy organization said Wednesday.

    Privacy International ranked 36 nations around the globe, including all European Union nations and other major democracies, and determined that in categories such as enforcement of privacy laws, the U.S. is on par with countries like China, Russia and Malaysia.


    Overall, the U.S. was determined to be an "extensive surveillance society," the second-lowest rating in the study, which is available at Privacy International's Web site.

    The survey identified Malaysia, China and Russia as the world's lowest-ranked countries in terms of privacy. It ranked Germany and Canada as those that best protect the privacy of their citizens.

    "The rankings establish for the first time that most of the world's most economically advanced countries have failed to protect the privacy rights of their citizens, while some of the newest and poorest democracies have become best protectors," wrote Privacy International director Simon Davies in announcing the report.

    "This is damning evidence that privacy is being destroyed by the very nations that proclaim to respect our rights," he said. "It is clear that there is a systemic failure of legal mechanisms to protect us against the emerging surveillance society. Those responsible for protecting our rights have failed to do so ... Australia, Britain and the United States have not only performed abysmally but they are embracing surveillance at an alarming speed."

    The rankings were based on the "Privacy and Human Rights" report, a 1,200-page survey of privacy experts conducted by Privacy International and the U.S.-based Electronic Privacy Information Center. The study has been published every year since 1997.

    That study detailed numerous surveillance and privacy-infringing activities by governments and corporations around the globe. This year, for the first time, Privacy International used that report to compare nations in about a dozen categories and rank them. Categories included use of identity cards and biometrics, levels of workplace monitoring, law enforcement access to private data and communications interception.


    The U.S. fared poorly in multiple categories, including communications interceptions, workplace monitoring and transmission of data across international borders.

    But the U.S. was not the worst-performing democracy in the study -- the United Kingdom was. It placed last among EU countries. Among EU nations, Germany, Belgium and Austria were at the top of the list.

    Outside the EU, Canada, Argentina, and New Zealand took the first three spots.

    Not all privacy experts embrace the study or its methodology.

    Larry Ponemon of The Ponemon Institute, a privacy research firm, said the study failed to take into account other factors, such as the active war on terror being conducted in the U.S. and U.K. Other countries are not engaged in the same kind of balancing act involving privacy and security, he said.

    "In New Zealand, (terrorism) doesn't enter into their radar screen," he said by phone from Auckland, N.Z. Ponemon also said comparing different countries is tricky business, with varying social and legal traditions making comparisons less scientifically valid.

    "They are trying to create a world standard even though people in different countries have different circumstances," he said. "It's like trying to have a different tax rate when there isn't a common currency."