Turning hijacked computers into cash is still hard work for most computer criminals.  They've got to trick the infected PC into sending spam, then trick a recipient into buying a useless product -- or they have to steal online banking passwords, log onto a victim's account, bypass the bank's money transfer fraud controls, and so on.

It's much easier to just demand cash directly from infected users -- a crime that's the Internet's equivalent of kidnapping.

"Give me all your money or your computer gets it-" is the basic proposition.

The technique was dubbed "ransomware" many years ago by computer virus researchers, and is not new.  What is new is the explosion of ransomware, thanks to the evolution of ever-more-believable tactics during recent months.

---

In December, the FBI issued a warning about a broader category of malicious programs called "rogueware." These programs appear on users' machines and claim to find viruses, then offer to clean them for $50.  Rogueware looks so realistic -- complete with Windows-like dialog boxes and scary warnings -- that Web users were tricked into sending $150 million to criminals last year, the FBI says.

The new ransomware is similar, but far more aggressive.  Once a computer is infected with it, the program does more than recommend a software purchase –it simply won't let users continue to use their PC until they pay up.

Luis Corrons Granel, a researcher at Panda Security, said use of ransomware by criminals is exploding -- 25 percent of all rogueware in the past quarter involved a family of intimidating products named "TotalAntivirus." It demands that users pay $50 for two years, $79 for a lifetime license.

"The increase (in ransomware) has been really significant," Granel said. A single family of ransomware programs called "Total Security" made up one-quarter of all rogueware programs detected during the past three months, he said.

To an average user, most rogueware would be indistinguishable from other standard antivirus products.  They look like fully functional software, showing Windows-like screens for firewall settings, file scanning, and every other tab you'd expect from standard antivirus products. "Total Security" even lets users choose their language -- English, Spanish, and German are offered.

The switch to ransomware by the bad guys makes sense, says Peter Cassidy, spokesman for the Anti-Phishing Working Group -- because computer criminals are refining their programming methods, and getting more aggressive about taking people's money.
 

"Instead of trying to fool people and getting one out of 1,000 to pay, what they're doing now is just locking up the PC and telling them they have to pay," he said.  "It's a really violent approach, really nasty."

There might be one silver lining to the rise of ransomware, Cassidy said.

"It's not in that gray area of selling people useless crap," he said.  "It's clearly criminal, and extortion does get the attention of law enforcement officials."

As is customary, computer criminals are fusing this new attack with successful, older methods, said John Harrison, a security researcher at Symantec Corp. In one recent example, criminals first engaged in search engine "poisoning," so their booby-trapped Web sites would rate high in Google searches about Haiti's earthquake. Visitors who clicked were tricked into downloading the ransomware software; and then were confronted with extortion demands.

"That's their distribution model," Harrison said -. "They used to do it subtly, but now they are doing it much more brazenly."

In some versions, users will see a message that says, "Google recommends you install this," or "Microsoft recommends you turn this feature on- … then, they take over your computer and all of a sudden it looks like you have 900 viruses," he said.

The latest flavor of ransomware, described on Jan. 8 by security firm F-Secure, doesn't disable all software, but it does something just as debilitating -- it encrypts all the files on a victim's computer, and forces them to pay for decryption.  The program, which calls itself Data Doctor 2010, costs $89.

RED TAPE WRESTLING TIPS
In some cases, researchers say, paying the ransom does work, at least initially. Still, it's a terrible idea to pay. On a grand scale, you've just subsidized a criminal. But there are far more practical concerns -- why would you trust the author of ransomware with your credit card number?  Perhaps you think you'd never do this, but remember, the FBI says rogueware writers have made $150 million, so someone is paying up.

If an unexpected antivirus dialog box lands on your computer screen, close the window immediately by clicking on the 'x' in the upper-right hand corner.  Don't use the "OK/Cancel" buttons in the window -- criminals often reprogram these.

You may or may not be infected anyway -- it's possible you are already the victim of a "drive-by download" that doesn't require user interaction. So run an antivirus scan, if you can.

If the rogue software has actually taken over your computer, physically disconnect it from the Internet to avoid having your personal information sent back to the criminal. Then go to a different computer to search for solutions. Type in the name of the rogue software and search for information on well-known antivirus Web sites. Many antivirus firms offer free cleaners you can download or place onto a USB memory stick, and run on your infected computer.

But maintain healthy suspicion at all times. Ransomware authors have gone so far as to create fake software reviews about their products and place them around the Internet, even stealing logos from reputable technology publications, says Harrison.

"The idea is you search for information about the program and this turns up, and you figure it's ok so you install it," he said.  "Some of this is soft sell, some is very hard sell."

As always, it's never a good idea to follow links in e-mails when heading to Web sites – it takes an extra moment, but always click into your browser's address bar and manually type the address.

 

For nine months, Deb Franklin said, she did exactly what JP Morgan Chase and President Barack Obama told her to do. She made her mortgage payments on time, delivered via Western Union, after they were reduced from $1,433 to $1,233 through Obama's Making Home Affordable program. After three payments, the mortgage relief was supposed to become permanent, but a maddening string of paperwork headaches landed her in limbo. Then, on the day after Christmas, a "bomb dropped" on her life.

A letter from a law firm representing Chase said the bank had begun foreclosure proceedings against her.

"It was devastating, just devastating," Franklin said. "I ended up on the couch shaking so badly that my husband started piling blankets on me saying, 'Are you OK?' And I told him, 'I'm not cold, I'm scared.' "

---

The Franklins are exactly the kind of family the Making Home Affordable program was designed to rescue. They were trying to hang on to their primary home, had enough income to make significant monthly payments and their home's value was still within shouting distance of their mortgage balance. Home values in rural Airville, Pa. -- just across the Maryland border, near Baltimore -- never exploded like those in America's big cities, so market value of their modest split-level hadn't fallen far.

But instead of hope and help, the Franklins say their 10-month odyssey through the Making Home Affordable program raised their mortgage balance from $187,000 to $207,000, ruined their credit score, leading to cancellation of their credit cards, and now -- despite making all their payments -- put them on the brink of losing their home.

Franklin has been told by bank representatives that the foreclosure notice was sent in error, but she doesn't buy it. On a single day in early January, she says, one Chase representative told her that the loan modification plan had been denied, another said it was approved and a third told her the foreclosure had been "suspended."

"I check my county auctions every Monday to make sure my house isn't on there," she said. "I don't believe anything they say anymore."

Some 4 million American homeowners qualify for the Making Home Affordable program, and around 850,000 of them have been offered lower payments on a trial basis, according to the Treasury Department.  Enrollees see their mortgage payments reduced to 31 percent of their income through interest rate reductions, fee waivers and lengthening of mortgage terms.  Entrants are told that if they make three "temporary" modification payments on time, they will qualify for permanent relief. But as of December, only 66,000 had seen their mortgage permanently modified – a number dwarfed by the 2.8 million foreclosures completed last year.

Until the lower loan payments are made permanent, banks are entitled to continue with foreclosure proceedings.

More from John Schoen: Flaws plague foreclosure relief program

Franklin is one of many homeowners who have enrolled in the Home Affordable Modification Program (HAMP), offered as part of Making Home Affordable, who later compared their experiences through the Web site LoanSafe.org. They found that many of them had similar tales of lost paperwork, surprise foreclosure notices and ruined credit.  Msnbc.com reviewed about two dozen such stories involving virtually every major bank. Franklin, who shared an extensive diary of events she said she kept during her attempt to modify her mortgage, is typical.

"I don't know if President Obama knows what's going on," she said, adding that she recently sent a long fax message to the White House chronicling her Red Tape nightmare. "I don't know what else to do."

The Franklins hadn’t suffered significant loss of income during the recession. Rather, health problems and family emergencies pushed them to the brink of financial ruin, placing the home they’ve lived in since 1984 at risk. When their adult child had a near-fatal car accident in July 2008, they emptied their bank account to help him and his three children through the ordeal. Soon, their $1,433 monthly mortgage payments were overwhelming their budget, and they began to dip into their retirement savings. So Franklin was one of the first in line last March after President Obama announced the Making Home Affordable program.

She and her husband received a quick response after signing up March 2 on Chase's Web site. They were told to call the bank two weeks later. Then, when they filed a 37-page packet with Chase later that month, they were told their application was "in underwriting. " On April 22, they were told their modification was approved and a new payment of $1,233 was to be paid via Western Union beginning May 1.  If they managed to also complete payments on June 1 and July 1, their modification would be made permanent, Franklin said Chase employees told them.

The first sign of potential trouble came almost immediately.  On May 1, she said she was told during a phone call that her actual payment should have been $1,233.18 – so she was short 18 cents. If the 18 cents didn't arrive soon, her modification would be "canceled," she quoted the Chase employee as saying. She sent Chase a check for $1, to be safe, and on June 1 and July 1, she sent payment via Western Union for $1,234. Calls to Chase after each payment elicited the same response: "Everything is on track," Franklin said.

But in July, when the modification was to be made permanent, she said she was told that Chase's loan department was overwhelmed and that she would have to wait another 45 to 60 days. In the meantime, her log shows that Chase employees told her to keep making the temporary modified payments.

Things began to go south in August. She received a notice of default from the bank, which demanded $11,000 in late fees and unpaid mortgage payments to bring the loan current. A Chase operator told her to ignore the letter and to keep making modified payments.

Meanwhile, other parts of her financial life began to unravel.  Despite making the payments prescribed by Chase, the bank had reported her to the credit bureaus as having made only partial payments on her mortgage.  Her credit score plummeted from 660 to 444, and penalty credit card interest rates kicked in. In a short time, her cards rocketed from 8.99 and 14.99 percent to 29 percent.

"They did not tell us that would happen when we entered the program," she said. "For many people, their credit is destroyed. I know people who say they never would have entered the program if they knew that."

(A Treasury Department official told the New York Times recently that many early applicants to the Making Home Affordable program did see severe credit score hits of "30 to 100 points." But the official said that in November, banks developed a new way to report mortgage modification recipients to the credit bureaus that does not do as much damage to their credit scores.)

On Aug. 31, before making her next payment, Franklin called to check her status.  At this point, the operator said her paperwork was missing and told her to re-fax the entire 37-page application. She sent the documentation and submitted the payment.

On Sept. 29, she was told that her modification had been approved, but she still had to wait for some delayed paperwork -- perhaps another 30 to 60 days.

On Oct. 10, she received a letter from Chase telling her to call immediately because her modification was at risk.  When she called, she said, an operator told her that the letters were "computer generated," and she should "disregard" them.

When a letter arrived on Dec. 7 from Chase warning her that "although we received a payment on your loan, it was not sufficient to bring the loan current," she was given the same advice by a Chase operator: "Disregard those letters." She was reminded that stable income and stable payment history were the most important factors in modification decisions.

She was about to make her eighth trial payment when the nightmare letter arrived indicating foreclosure had begun.

"The law firm of Shapiro & DeNardo, LLC has been retained to initiate a lawsuit to foreclose the mortgage on your property," it read. It indicated her loan balance was now $213,362.41 – more than $20,000 larger than when she'd entered the HAMP program. When she called the law firm, she was told that $13,235 was required to bring the loan current.

A call to Chase shed little light on the situation.

"We were told the foreclosure process marches on even if you are in the modification," she said.

But an operator also told her that all her paperwork was in order, and she should receive her final modification within the week.  After a few more phone calls, a supervisor asked that she once again re-fax the application.

Two days later, a Chase operator who said he was in Florida called to say the modification had been denied, and demanded $13,235 to stop the foreclosure. A return call to Chase produced a different response: The family was approved for the permanent modification, the operator told her. A call to the lawyers' office confirmed that the foreclosure was suspended.

But as of Monday, the Franklins were still awaiting final paperwork, and assurance that they will be allowed to remain in their home of 26 years. The most recent information, she said, came from a Chase operator, who told her there would be no new information until Feb. 1. On that date, Franklin will make her 10th modified payment.

"This whole thing just doesn't seem like it makes sense," she said. "Everybody is into the big political story here, but I think people are too wrapped up in that to know what's really going on and try to deal with it."

In a statement to msnbc.com Chase apologized for “incorrectly sending a foreclosure notice.”

Chase spokesman Tom Kelly said that the firm processed many other modification applications quickly, and had ramped up quickly to deal with an "unprecedented volume of customers" seeking mortgage help. He said the firm offered 600,000 trial modifications and approved 120,000 during 2009. Meanwhile, it added 5,000 employees to an existing staff of 8,000 who work with delinquent borrowers, he said.

While Kelly declined to discuss most specifics of Franklin's case, the statement placed some of the blame for delay on the family.

"We set up the borrower's trial modification payment using information the customer provided," the statement read. "When we received the documentation, we learned that the family's income was significantly different.  As a result, we continue to review how we can best help the family."

So for now, Deb Franklin continues to scan the newspapers every week, making sure her home hasn't been put up for sale.  She had a scare on Monday.

"I checked the sheriff's sale this morning and my heart sank when I saw a home on our road listed for auction," she said.  "All I saw was the name of our road at first, but it was not us….Whew, dodged another one this week."

Become a Red Tape Chronicles Facebook fan and follow RedTapeChron on Twitter.

Arianna Huffington made waves recently when she went on national television calling on  consumers to dump their big banks and deposit all their money into local, community banks.  Huffington's site, HuffingtonPost.com, threw its weight behind a Web site designed to make breaking up with your bank a little easier -- MoveYourMoney.info. It includes a ZIP-code based locator to help consumers pick through the thousands of banks in the U.S. It even sports a short, cleverly edited video that juxtaposes the classic film "It's a Wonderful Life" with images from testy congressional hearings about the banking industry.

Driven largely by Huffington's media popularity, the site quickly gained traction. Huffington's appearances on MSNBC's Countdown and CNN's Larry King Live, among many others, had some observers calling MoveYourMoney a movement. One of Huffington's partners in the venture, Dennis Santiago of Institutional Risk Analytics, says visitors have searched for banks in more than 16,000 ZIP codes -- better than half the ZIP codes in the country.

It's far too early to tell if Huffington has done something that might genuinely take a bite out big banks -- real data probably won't be available for months.   But Huffington is tapping into frustration that has been building since 2008 banking collapse and bailout, say advocates for credit unions and smaller, community banks.

---

"It has been developing for the last several months," said Bill Hampel, chief economist of the Credit Union National Association. "Annual growth in credit union members had been very weak for the past several years...but during the first 11 months of 2009, our growth rate doubled." Credit unions added 2 million new consumers  during that stretch, Hampel said.

Karen Tyson, spokeswoman for the Independent Community Bankers Association, said her 5,000 member banks were experiencing similar, frustration-driven growth.

"Community banks have, since the onset of the financial crisis, gained new customers," she said.  

The American banking system appears to provide seemingly endless alternatives.There are 8,000 banks and 7,600 federally insured credit unions, according to the American Bankers Association.

"The good news is people have choice," said Nessa Feddis, spokeswoman for the American Bankers Association.  "There's lots of competition, and if people are dissatisfied they should look around and vote with their feet."

But most don't.  A tiny group of large banks dominate.  In 2009, four banks -- Citigroup, JPMorgan Chase, Bank of America and Wells Fargo -- held 39 percent of all deposits in FDIC-insured banks, according to Reuters.

The high concentration of account-holders -- combined with a low concentration of good will – certainly seems create the potential for a mass exodus. So why the need for a Huffington Post-prompted movement?

It turns out the breaking up with your bank is hard to do.

In 2008, the Federal Reserve published a study around what economists call "switching costs" -- the pain and suffering consumers must face when trying to leave one bank to join another.  The results were disturbing.  The study, by Fed senior economist Timothy Hannan, found it was incredibly difficult for consumers to get reliable information about the true costs of the new bank, for example, and described what a "bargains-then-rip-off" strategy to reel in customers and then exploit them.

The euphemistic  name for the strategy is a "two-period" model.   Period one is a free toaster.  Period two is cascading overdraft fees.

Even worse, the true costs and fees levied on account holders may not even be available to consumers until they've committed to the new bank. In many cases, fee schedules aren't listed on generic Web sites and  can only be viewed by account holders after they've logged in – so there is literally no way to comparison shop.

"There may be some lack of transparency with regard to pricing," acknowledged American Bankers Association chief economist Keith Leggett.

The switching costs become apparent when trying to extract your old bank's tentacles from your new financial life.  Today, most consumers use their checking account for a dozen different activities -- direct deposit of payroll checks, automated online bill payment of mortgages and auto loans, recurring debit card transactions, automatic savings plan deductions, credit card bill payment and so on.  Ending all these transactions, and starting the payments anew, is such a hassle that "inertia" often takes over, says Hampel.

"Changing where you have your checking account can be a royal pain in the neck," he said. "It's like if you lose a credit card and have to inform all those people you have a new one, only much worse than that."

To combat the switching cost problem, many credit unions have developed "switch kits" to grease the skids, including forms that help new consumers track the changes needed for all payments and deposits. Those may ease the pain a little, but ultimately getting a new bank means fighting through a lot of red tape.

Still, consumers should look past the hassle and find a bank or lending institution that suits their needs, says Leggett.

"Who you do banking with is very important.  It may be the most important financial relationship of your life, so you should do your homework," he said.

Leggett welcomed the discussion about switching to smaller banks and credit unions started by the Huffington Post, but he cautioned consumers against a "knee-jerk" reaction to it.

"In not every case is a credit union better than a bank with regard to pricing or fee structure," he said, saying that credit unions have also been guilty of charging annoying fees, just like big banks. "People have to realize when looking for a financial provider that they should always shop around and find a provider who offers the appropriate level of convenience.

Smaller banks and credit unions, he warned, will not provide the same "product mix" as larger banks, and are less likely to offer benefits for using multiple products – such as free checks or discounted loans.

But credit unions provide obvious benefits – in the form of better interest rates, both on loans and deposits, said Hampel.  According to Datatrac Corp., average credit union credit card rates are currently more than one full interest point lower, car loans are 1.5 percent lower, and one--year CD rates are 0.30 percent higher.  (Banks currently enjoy a small edge over credit unions in mortgage rates.)

Meanwhile, community banks offer something big banks find nearly impossible to compete with -- local ownership and the ability to talk with a familiar face in the event of unexpected financial hardship, said Tyson of the community bankers group.

"They always put customer service first, and doing right by the community first.  They will not give you a

loan purely to make a profit. And you're not going to be just a number," she said. "You'll be able to walk in the door and you can find the bank president, and know that he lives in your community. … It's a different sort of a custoimer relationship."

Like Huffington, Tyson sees the switching issue in a larger context.  Federal law provides for a nationwide "concentration cap" of 10 percent, meaning no one bank can control more than 10 percent of the U.S. deposit market.

Because of the banking collapse and resulting consolidation – leaving four banks with nearly 40 percent of deposits --  the cap is currently being threatened, leaving the U.S. financial system concentrated in too few hands, Tyson said. Through its "Fix Too Big to Fail" marketing campaign, the community bankers group is lobbying Congress to lower the cap and force large banks to divest some of their holdings.

"The only way to change the dynamic is to have legislation in place that makes it not as appealing to be … large institutions," she said.

RED TAPE WRESTLING TIPS
Marketing campaign and blog-initiated movement aside, it's always a good idea to review your financial relationships and see if you can get a better deal.  Consumers interested in investigating a move away from big banks should know it takes a bit of work, but there's plenty of help available online, and one or two lunch hours should do the trick. Here are some tips:

Rates aren't everything, and people matter. Leggett points out that many consumers are far too concerned with the published interest rate they'll earn on savings and checking accounts, and sometimes pick banks based on small differences.  Given that current rates are so low, earned interest should be of little concern at the moment; fee schedules are more significant. But even more important is the likelihood that the bank will treat you like a human being should anything go wrong; if, for example, you accidentally overdraw your account and land a series of overdraft fees.  Will a familiar teller help you, or will you end up stuck on a long voice mail tree?  We all make mistakes. It's hard to put a price tag on the reassurance that you'll be treated like a person, and not a criminal, when your turn comes.

Don't forget the middle child. Feddis points out that there is middle ground between the four huge banks and thousands of small banks -- what she calls "medium-sized" institutions.  They might offer the best of both worlds.

Beat the feared late fee:  The real fear over switching comes from the potential for a missed loan or credit card payment, or double payments that could lead to an overdraft. There are several ways to ease the transition between institutions, although all of them involve a little extra money.

The easiest thing to do is double up. Keep both accounts open and keep all your payments turned on until you can confirm that new payments have been received by the old payee.  This will require having a lot of extra money to spare. A variation involves paying with your new account a full 10 days earlier, giving you time to cancel scheduled payments from your old account. You'll still need the extra money in case a payment lands in limbo. In either case, it's good to set up overdraft protection on both accounts by linking the checking account to a credit card, savings account or line of credit, so there's backup if you screw up.

The simplest – but most time-consuming -- method is to open the new account without closing the old one, and then switching one bill payment one month at a time to the new account, making sure each one is set up properly before switching the next one.

If your credit card issuer has cut you off: Many consumers find they are losing available credit on their cards or losing their cards altogether.  This hurts their credit score.  Hampel said consumers thus spurned should still apply to a credit union for a new card and will likely get the account as long as their credit isn't severely damaged. Expect a lower credit limit than you're used to, however -- credit unions are much more stingy about credit card maximums.  That's a good thing, Leggett says:  that's partly why the bank credit credit card default rate is currently around 10 percent, while credit union rates are down near 2.5 percent.

Finding an alternative. While credit unions have certain limitations on membership, Leggett says that virtually all U.S. adults are eligible to join at least a few credit unions.  If you're stumped, try this credit union locator. To find a small bank, try this bank locator or use the Huffington Post tool, which lists only banks graded B or higher on Institutional Risk Analytics' scale.

Become a Red Tape Chronicles Facebook fan and follow RedTapeChron on Twitter.

What would a world without secrets look like? Thanks to Facebook, we may find out. 

Privacy experts continue to watch in wonder as hundreds of millions of adults around the globe do things online that they would never do in person. Facebook CEO Mark Zuckerberg created a stir recently when he offered a simple explanation: He suggested Web users now see privacy as quaint, and Facebook  is creating a new social norm.

If you look at the data, he's right.  According to researcher Larry Ponemon of The Ponemon Institute, Facebook has hypnotized even the most private people , an elite group he calls "privacy-centric." They make up only 8 percent of the population.  These folks won't even sign up for supermarket loyalty cards, but they will post pictures and tell stories on Facebook. In fact, they are so mesmerized that, untrue to their nature, they don't even spend more time tweaking their Facebook privacy settings than regular users.

 

---

"People want to believe they are safe," Ponemon said.  There's really no way to participate in Facebook without self-revelation – it's baked right into the product, he points out.  Without stepping forward, posting pictures, making your identity searchable, and so on, there is no payoff on Facebook.  Because of that, Facebook even trumps personal Web pages – people put pictures and stories on Facebook that they'd never post on their own blogs, he said.  "(People) like the tool, so they convince themselves there really isn't much risk."  

Privacy and behavioral economics expert Alessandro Acquisti, a professor at Carnegie Mellon University, agrees that Facebook seems to be eroding even skeptics' concerns about being overly exposed.  But he disagrees with Zuckerberg.   There's no new social norm, Acquisti said.  There's just a grand illusion.

Facebook has managed to convince users of something economists call an "illusion of control," Acquisti claims. Consumers who think they have power over the outcome of a transaction will naturally be overly self-confident.  The effect is most obvious in gambling, where a craps player might believe he or she can roll snake eyes just by tossing the dice a little softer, and thus bet a little more.  Human beings are easy to sucker into an "illusion of control."

The illusion at work
Here's how it works in the privacy realm: When consumers believe they can control what happens to their personal information, they don't fret about divulging it.  Facebook and other so-called Web 2.0 sites, Acquisti says, has given people a false sense of security about the availability of their personal information to others.

How? By standing by while consumers confuse two different privacy issues – divulging information, and controlling the information after it's divulged. Facebook users indeed have great control over what information they submit to the service - they have complete controls over what they post in their profile, for example (ignoring, for now, the imposter threat).   But they have little control over how the data will be used after it's posted to the site.  In a recent yet-to-be published paper on the subject, the distinction is described as control over publication vs. control over access.

"People seem to conflate he two issues, so on a psychological level they feel better because they feel they are in control," Acquisti  said. "They underestimate the risks of how the data will actually be used."  In an experiment, students who had few qualms offering up very personal information  -- such as how many sexual partners they had -- for a Facebook-like service showed far more reticence when told  random researchers would be creating a profile for them.  While the end result would be the same, the idea of a human handling the information - gave the students pause.  Acquisti and fellow researchers Laura Brandimarte and George Loewenstein attribute the cause to losing control over the actual act of sharing the information.

One other possible explanation, however, would be second thoughts because of human involvement.  One college technology professor I know asks students on the first day of class to stand in front and show their Facebook page on a large screen to the rest of the class. No one ever does. Students share things online they don't want to share in person.

Don't mean what they say?
Acquisti's "illusion of control" theory is one reason for Facebook users' seemingly incongruous behavior – so many say they are concerned with privacy, but fail to act as if they are concerned. This privacy paradox, however, is best understood through the simplest explanation.  Privacy transactions are notoriously difficult to judge.  The payoff from sharing a little information today is obvious; the punishment that may happen in the future is not.  Giving a supermarket your phone number today might net you a 50-cent coupon on a gallon of ice cream; that's an obvious benefit. But what is the cost?  Reams of junk mail in the future? A health insurance premium surcharge because your grocery store reveals your bad eating habits? It's nearly impossible to say.  And so it is with Facebook – a picture that looks like fun at 22 could be a career-killer at 32.  But people rarely make good choices about vague possibilities 10 years away.  If we did, there would be no French fry industry.

Sure, Facebook site settings offer some ways to manage who can see the information. But the settings are easy to evade or hack, and Facebook's terms of service can be changed at any time. Not long ago, Facebook friend pictures ended up in personal ads without the users' permission.  The ads were pulled, but they represent a small window into big possibilities.

But even if Facebook privacy settings were completely trustworthy, Acquisti argues that a fundamental usability problem skews the service – and all social networking tools - toward privacy-risky behavior.  Two years ago, he did research which showed that only 1 percent of Facebook users had even touched their privacy settings.   Facebook says that number has now grown to 20 percent, but still, there is an obvious flaw.  It's far easier to share than conceal. It is an order of magnitude easier to upload photos, for example, than it is to hide them from sets of potential viewers using privacy settings.  As a result, site users will always overshare.

"Technology has vastly enhanced our ability to disseminate information, but we still lack controls on how that information will be used," Acquisti said. "It's like we have made faster cars but have been much slower to develop new brakes."

Nothing to hide? Really? How about...
So what? So what if an ex-girlfriend will occasionally bump into a picture of you bumping and grinding your new beau?  What, really, is the harm?

Acquisti, like many psychologists, is convinced of the power of secrets – and he's not anxious to live in a world without them.

"I do believe that inside each of us is an innate need for privacy, and there is a need to share. Right now, technology is much better at making us reveal than helping us maintain privacy," he said.

The human need for privacy is real.  While some elements of privacy are relatively recent human developments, fundamental privacy needs have always existed. Nowhere on the planet do humans regularly make love in public, notes anthropologist Helen Fisher in a recent Psychology Today article.

No normal adult shares the same level of intimacy with their spouse, their friends, their colleagues, and strangers on the bus.  It's unhealthy – or just plain strange – to act otherwise, as anyone who's ever uttered the words "too much information" can attest.

Meanwhile, the ability to keep secrets is a natural part of maturation.  Children tell each other secrets to establish friendships.  Adults keep secrets to gain advantage in business dealings.  Journalists only gain the trust of sources by proving they can be trusted with secrets.  Corporations often count secrets – intellectual property – as their most valuable asset.

And yet, the message implicit in avid use of Facebook is the credo of the 30 percent of adults who are privacy complacent by Ponemon's scale – "I've got nothing to hide, so who cares?" 

Privacy researchers spare no time in conjuring up doomsday plots in an attempt to make people care. 

It's easy to imagine an Internet predator using details left by kids to attack them ("Hey, I went to Riverdale Middle School, too!  I'm sorry you are having a fight with your best friend…")

Even sharing seemingly harmless details could have some future consequence.

Telling the world that your favorite rock band is the Beatles or Coldplay might seem innocuous enough, but what happens when an employment background firm shows that Coldplay fans who also like 60s music tend to come late to work? No law prevents that.

A slightly less ominous effect of lost privacy, something called "price discrimination," is already a reality.  Retailers have run numerous tests to hone the fine art of overcharging people who say they like something. For example: die-hard Coldplay fans are almost certainly likely to pay more for a new album than casual fans.  Most won't notice when their music retailer of choice slips in a $1 or $2 fan premium.

Data mining for everyone
Until now, practicality has limited these kinds of scary possibilities, says Hugh Thompson, chief security strategist at People Security.  Pulling together that much disparate information left all around the Web was a chore only government agencies would attempt. But that's not true anymore. A host of new software programs aimed at small-time data mining are slowly becoming available. They scour the Web and create dossiers on target subjects in seconds.  One, named Maltego, even provides visualizations of data points that connect people and things online.

"The critical barrier is it hasn't been easy. It is now," he said.  "What was a 'data wasteland' is now the richest environment in human history for backgrounding people."

It's easy to see risks here. Few would argue with the need to keep medical conditions private, for example. Even exposed salary information, which sometimes is shared widely, can cause serious problems for the victim.  Those with high incomes become an easy target for criminals.

But Acquisti conjures up even more fundamental concerns about lazy attitudes towards privacy.  Information, he notes, is power.

"The minute someone knows something about you, they gain a measure of control over you," he says. This is obvious in the case of an affair: If someone learns about your secret lover, they can hold a wide measure of control over your future.  In a less obvious way, a future employer who knows that embarrassing Facebook photos from the past are hurting your job prospects can easily gain an upper hand in salary negotiations.

Worse still, the agency which might exercise that power someday might be a government, Acquisti notes.  It would not be hard to use Facebook to determine who voted for McCain or Obama in 2008, even who is Republican and who is a Democrat. Maybe that's okay; but if databases begin to erode the notion of secrets in politics, the election system could erode with it.  Secret ballots are essential to a functioning democracy. 

And perhaps the political threat won't come in the United States. Perhaps, someday soon, foreign governments will screen travelers based on political positions mined from social networks.

"I'm worried about control in the future," Acquisti said.  "I feel that we are more and more getting adjusted to the idea that so much of what was done in private in the past is now done in public.  I won't be surprised when corporations or governments make more and more claims on data.  We are doing things today that 40 years ago we would have reacted by rioting, but now it is business as usual. By accepting these deals now we are paving the way for even more in the future. That's why people who say they have nothing to hide…that argument is completely wrong."

Become a Red Tape Chronicles Facebook fan and follow RedTapeChron on Twitter.

 

 

 

Fake fundraising efforts for the Haiti disaster are spreading like wildfire on Facebook. Dozens of fan pages have been set up, urging users to join and promising a $1 donation for each member. One group this weekend attracted 1.5 million members before it was disabled.

Meanwhile, during the weekend, Facebook officials had to beat back a rumor that the firm had promised a $1 donation for every member that changed their status to include a message about Haiti.

"This status is being tracked, the owners of facebook have confirmed they will send $1 to the rescue fund for the Haiti earthquake disaster for everytime this is cut and paste as a status," read one form of the bogus claim. "You only have to leave it for a minimum of 1 hour. Lets all do our bit to help."

---

Facebook spokesman Barry Schnitt said the firm took aggressive steps to quell the rumor.  It posted a note on its blog on Saturday warning about the bogus message.

"Beware of scams and hoaxes and ensure that your donations for Haiti get to the right places," the social networking company wrote on its blog.   Contrary to a current meme, Facebook is not donating $1 for statuses, however we are sharing reputable resources via the "Other Pages" tab on the Global Disaster Relief on Facebook Page."

Later, Facebook began outright blocking the status update. When users come upon a page with the bogus update, a warning message pops up which says, "This message is fraudulent. For legitimate ways to help those in Haiti, please visit the disaster relief page."

The fake fan page fund-raisers had spread, seemingly, to all parts of the globe. Examples could be found claiming to be based in the United Kingdom, and in multiple languages. One Spanish group currently has 215,000 fans, for example.

"We'll look into the groups now," Schnitt said in response to an e-mail inquiry from msnbc.com.

It's not clear why a Facebook user would create the fake fan pages. It could be a mere prank designed to attract the maximum number of users -- Facebook is full of such efforts, like the "I bet Massachusetts can get 1 million fans before any other state does" page.

But such groups could easily be turned to more nefarious uses.  A spammer or hacker could harness  a large fan group to commit other scams.  Fan page administrators are able to contact each fan through status updates, providing a perfect platform for phishing or virus attacks.

The administrator of a group named "EVERY PERSON THAT JOINS WE WILL DONATE £1 TO HELP PEOPLE IN HAITI!" was a woman who identified herself as a college student at the University of Massachusetts in Amherst. The group had about 5,000 fans on Monday morning. When asked why she started the group, the woman said she hadn't, and initially denied being an admin. She said she signed up for the fan page "hoping that I can contribute or do something to help the people of Haiti." Shown the admin page for the group, she offered a different explanation.

"Just check(ed) and you're right. I don't even (know) how I became and admin. Honestly, I did not create this or monitor this," she wrote.

Computer security experts have long warned about what's now called "promiscuous friending" – the habit of many Facebook users to simply accept all friend requests. That opens the door for computer criminals to take advantage of trust relationships formed on the site. Hackers with friend access can post links to viruses on victims' walls, for example, or directly message the friends with Trojan horse e-mails.  Fan page administrators have slightly fewer capabilities, but it's still a bad idea to accept any unexpected fan, group, or friend requests.

Concerned users can easily donate money directly to the Red Cross.

Become a Red Tape Chronicles Facebook fan and follow RedTapeChron on Twitter.

Gregory Fayer opened an e-mail on Monday night that looked like it was from a fellow lawyer at Gipson Hoffman & Pancione. Instead, it was a message that placed Fayer and his firm in the middle of what might be the biggest international cyber-conflict to date.

This week, search engine giant Google disclosed that it had also been a victim of cyber-attacks from China, and has taken the bold step of threatening to shut down the Chinese version of its search engine.  On Thursday, computer security firm VeriSign said it had traced the Google attacks back to "to a single foreign entity consisting either of agents of the Chinese state or proxies thereof," and that 30 companies were targeted.

---

Fayer's law firm is likely one of those victims, as the technique used against it is similar to the Google attack.  The e-mail Fayer received was laced with a computer virus intended to allow the sender to spy on Fayer's computer; a blatant act of espionage, he said.  But Fayer wasn't terribly surprised. Last week, his firm filed a blockbuster lawsuit against the Chinese government on behalf of CyberSittter LLC, which makes parental control software.  CyberSitter says the Chinese stole its computer code while creating the infamous Green Dam censorship program, which was designed to be placed on every Chinese citizen's PC last year. After a backlash, the government decided to make installation optional.

"Our law firm was certainly on high alert because of the lawsuit," he said.  "This is somewhat to be expected when you file a high-profile lawsuit against the government of China."

Fayer said he couldn't share much information about the e-mail, as FBI officials are investigating the incident. But it was designed to look like part of a normal electronic chat with a colleague.

"I was the first recipient at the firm," he said. "But there have actually been three waves of these customized e-mails.They'd each been made to look like they had a different sender, and a different pretense for the links or attachments embedded in the e-mails." The cybercriminal was clearly moving down a list of potential contacts at the firm, looking for someone to take the bait, he said.

"The program was designed to go in and get information from our servers and computers and sent it back to the sender," he said.

Computer researchers call the technique "spear phishing."  Rather than flooding a firm with thousands of spam-like phishing e-mails hoping to dupe dozens of victims, the new technique involves very specific, targeted notes designed to fool one victim at a time – and then use that computer to spy on the target agency or steal data.

While Fayer could say little about the potential agent behind the attack, he said the firm assumed that "the timing of the e-mail attacks are not a coincidence."

No lawyers fell for the trick, Fayer said, and he did not believe any information had been stolen.

The alleged attacks from China are troubling on many fronts.  On Thursday, security firm McAfee released a report saying the program used to target U.S. firms involved a so-called "zero day" vulnerability -- one that was to this point unknown to the security community, and thus indefensible by anti-virus software. The flaw involved Microsoft's Internet Explorer, McAfee said. Microsoft says it is working quickly to provide a software patch.

But the malicious software attacks other software flaws too, McAfee said, adding this ominous note: "There very well may be other attack vectors that are not known to us at this time."

"These highly customized attacks known as advanced persistent threats were primarily seen by governments and the mere mention of them strikes fear in any cyberwarrior," wrote McAfee's George Kurtz in a blog post today.  "They are in fact the equivalent of the modern drone on the battle field. With pinpoint accuracy they deliver their deadly payload and once discovered - it is too late…All I can say is wow. The world has changed. Everyone's threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property."

Mark Rasch, former head of the Department of Justice computer crime unit, called the attacks "cyberwarfare," and said it was clearly an escalation of digital conflict between China and the U.S.

"At least it's an escalation of the rhetoric, and that's an escalation," he said. "War is the extension of politics by other means, and the Internet is the extension of politics, and this is a form of cyberwarfare."

While isolated examples of government-sponsored hacking have popped up through the years, Rasch – who now runs Bethesda, Md.-based security consulting firm FTI - says this week's incidents of alleged Chinese attacks are "new in the sense that they've been so  blatant," and apparently so widespread, ranging from attempts to read dissidents' e-mails to spying on a legal adversary.

"We've had attacks in the past but by and large they were done in a way that gave the country plausible deniability," said Rasch. "But this was different. This was fairly clearly a government-run operation."

China has yet to directly address the allegations. At a regular press briefing in Beijing on Thursday, Foreign Ministry spokeswoman Jiang Yu said only "The Chinese government administers the Internet according to law and we have explicit stipulations over what content can be spread on the Internet," according to the Bloomberg news service.

 

Become a Red Tape Chronicles Facebook fan and follow RedTapeChron on Twitter.

What Congress giveth, credit card companies are poised to take away.

In six weeks, the final major provisions of the Credit Card Accountability, Responsibility and Disclosure (CARD) Act will take effect.  The law prohibits many egregious tactics used by card issuers, such as retroactively raising interest rates on consumers' balances.  But issuers have reacted to the sweeping new consumer protection law by quickly inventing new egregious tactics, including raising rates and lowering credit limits on half of all U.S. cardholders.

And that may just be the beginning. Bill Hardekopf of Lowcards.com expects a series of new "gotchas" from card issuers in the year ahead, as they struggle to recover revenue lost to the CARD Act or the economic downturn.  Here are six new booby traps consumers should watch for this year.

---

1) More cards with annual fees

Today, only about 20 percent of credit cards come with annual fees, Hardekopf said, and consumers with good credit can easily avoid them. That will be less true this coming year. Already, Bank of America is surprising some existing customers by adding fees ranging from $29 to $99. 

Annual fees need not be so obvious, however.  Citibank is demanding $2,400 minimum annual spending from some customers -- otherwise, they face a $35 fee.

It's important to carefully watch your bill to see if an annual fee has been added, Hardekopf warns. Otherwise, you might pay the fee unknowingly.

Despite the expected onslaught of annual fees, Hardekopf says consumers should still be able to find annual fee-free cards.

"I believe the credit card industry is competitive enough to where there will be an issuer or issuers who will offer free cards," he said.

Consumers who are tagged with a new fee should seriously consider dumping the card and getting a new one. That should be done with care, however. Never close the old card without receiving a new one first, because closing the card will hurt your credit score and could prevent you from getting a new one.  Even closing it later will hurt your score, but probably not enough to exceed an unwanted $99 annual fee.

2) Fixed-rate cards changed to variable rates

It will be harder for banks to raise consumers' credit card rates once Feb. 22 rolls around. There is one loophole: Variable rates will still float up and down in line with the Prime Rate. Since bank rates have nowhere to go but up, variable rate card rates will definitely be going up.  Watch the mail for notice that your fixed-rate card is no longer fixed. If you don't like the change, consider switching to a new card – but follow the advice above.

3) Increases in interest rates

Many existing cardholders have already endured rate hikes; now, it's time for new cardholders to get hit. The CARD Act has no limits on the rates that consumers can be charged when applying for new credit cards.  Unable to raise rates on current customers, banks will target new customers with higher prices.  Why is this important? Consumers who feel jilted will be shopping around, and may not find options as many attractive alternatives as in the past.

4) Increases in existing fees

The CARD Act eliminated some fees, such as over-limit fees, but it did nothing to cap other fees. The best example so far: balance transfers between cards have typically been 3 percent for some time.  Last year, Bank of America hiked the fee to 4 percent and recently JP Morgan Chase raised its to 5 percent. Cash advance fees will likely follow suit, and late fees probably won't be far behind.

5) New fees

This is the most alarming area of all.

"Overall, I think fees is the big word for 2010," Hardekopf said. "There are people dreaming up fees right now that you and I have never heard of."

Card companies are taking tips from other industries in their fee-invention schemes, he said.  Some issuers are charging $1 a month for paper bills (imitating the cell phone industry). Fifth Third Bancorp recently added a $19 inactivity fee for customers who don't use their cards during a year. (Stockbrokers were the trail blazers on that one.

"Since fees represent such a cash cow for issuers, expect aggressive increases in existing fees as well as some brand new fees on your credit cards," he said.

6) Futzing with rewards

Decreasing the value of rewards points might not sound as harsh as a penalty fee, but it is.  Card issuers have myriad ways they can toy with rewards values, and many have begun doing so in earnest. Many miles cards now require more points for travel; some have added "tiers" that make travel more expensive, effectively devaluing the points. Other cuts are more obvious: Cash reward cards that lower their percentage rebate, for example. One of Hardekopf's personal cards now rebates only 1.25 percent of all purchases, down from 1.5 percent.

"I'm an avid user of credit cards. I put everything on my card just so we can get the cash back," he said. "This decrease in rewards is costing us money and I'm irritated."

Better or worse?

While the CARD Act contains many positive consumer protections, it's open for debate whether consumers will be better off after it takes effect than they were before, given the reaction by banks.  Hardekopf thinks there's not much room for debate.

"I think consumers are worse off than they were before," he said.  "Taken with what the issuers have done in response to the CARD ACT, I do think it has hurt more people than it helped."

Become a Red Tape Chronicles Facebook fan and follow RedTapeChron on Twitter.

What some call America's most notorious hidden fee is about to be dealt a serious blow, as new rules kick in that will eliminate many of the booby traps that lead to bank account overdraft fees.

Already, in advance of the Federal Reserve regulations coming in July, many banks are allowing consumers to opt out of the "courtesy" overdraft coverage and associated, cascading $35 fees.

---

But it should come as no surprise that there's a catch. In fact, there are lots of them. Topping the list: Consumers who opt out of overdraft protection now may find themselves in the worst of both worlds. Their transactions will be denied and they will face a $35 insufficient funds fee anyway.

"My card is being denied and checks are being returned, but the fee remains, " wrote Ginnie Logan, who banks at Elevations Credit Union in Colorado and recently opted out of what the organization calls courtesy pay. "Essentially the issue hasn't gotten any better. In fact, it has gotten worse."

Logan's sentiment would sting consumer advocate groups who spent years fighting high bank overdraft fees. Expect a new round of consumer frustration  this year as insufficient funds fees make a comeback and consumers try to understand why. We'll try to explain.

Much of the frustration with overdraft fees came from the element of surprise.  While most consumers understood the danger of writing a check that might send their account balance into the red, few realized that they could overspend their balance by swiping debit cards or withdrawing cash at ATMs. The new regulations are designed to end those surprises: Beginning in July, banks will not be able to honor the last two kinds of transactions charges and assess the overdraft fee unless those consumers have opted in to a overdraft protection program.

Bank of America, JP Morgan Chase and a number of other institutions already have announced that consumers may call and opt out of overdraft coverage now.  Most consumer advocates, including Consumers Union staff attorney Lauren Bowne, recommend that account holders immediately do so.

That, however, can lead to an unnerving conversation with your bank.  During a recent call to Bank of America, an msnbc.com reporter was told, "You may still incur overdraft charges in some cases," even after opting out. That's because lags between credit and debit transactions and the time they are posted to your account can still cause headaches.

It's possible, for example, that an online bill payment could be sent when a checking account balance is above zero, but not debited until later, after a series of other withdrawals have sent  the balance to zero.  That would still result in an overdraft fee, because the bank could not have known the "true" balance of the account would dip below zero when it initiated the e-payment.

In addition, there are numerous circumstances under which opting out would cause transactions to be denied, triggering an insufficient funds fee.

Wire transfers or checks would bounce the old fashioned way, for example. At Bank of America, the insufficient funds fee is $35 – same as the overdraft fee.

Still, the Bank of America operator gave assurances that opting out would eliminate the possibility of debit card purchases leading to overdraft fees.

That should reassure consumers who aren't so sure. Several have e-mailed msnbc.com recently suggesting they are still seeing overdraft fees related to debit card swipes after opting out.  The confusion is understandable, given the complexity of the systems involved. It doesn't help that Bank of America operators won't provide paper documentation of the procedure, its terms and conditions, or confirmation of the account change. The only way to confirm overdraft protection had been removed is to call after five days and ask another customer service representative to check, she said.

An operator at Logan's credit union gave a less black-and-white answer to the debit purchase/overdraft question.

"From what I've seen that's not happening," he said. "But it is possible."

 He described some potentially thorny time-lag situations. Not all merchants immediately process transactions -- many transmit transactions in batches every hour or two, for example --  so it would be possible for a consumer to swipe their debit card four or five times in different stores during a day before the bank realizes the account holder's balance had gone south of zero.

Consumers who use ATMs outside their own banks' network could also face this problem, as some ATMs perform what are called "stand-in" authorizations, and don't transmit transaction information until later in the day.  That could also result in an overdrawn account.

Still, he said such situations were extremely rare.

The American Bankers Association offered several warnings about this kind of confusion last year while arguing against overdraft reform. But Nessa Feddis, spokeswoman for the trade group, said much of the confusion should be cleared up by the time the new Fed rules kick in this summer.

"The rule is very consumer-oriented," she said. "... The Fed did a lot of testing and the rule forces banks to do things the way consumers would want them in each situation." After July, she said, banks will not be able to charge a fee because of a lag in batch transactions, for example, because the Fed decided that consumers could not be expected to know about merchant transmission procedures.

The new rules aren't perfect, however. Many consumers would want small debit card transactions or ATM withdrawals denied when their balance is at zero (saving a overdraft $35 fee), but prefer that checks be honored (since they would result in an insufficient funds fee anyway, and they would also lead to additional fees from the jilted merchant).  But many banks' systems can't handle such a split decision, Feddis said. Overdraft protection must either be on or off.

Consumers who misunderstand their overdraft protection has been removed may wind up bouncing a lot of checks.

"There are a lot of operational issues that still have to be solved," Feddis said.  "Some of these things will be resolved, but it might be through a different kind of product." One possibility: banks will offer incentives to customers to keep larger minimum balances in their accounts to avoid overdraft situations, she said.

Despite the confusion, and the "worst of both worlds" possibility, the Consumer Union's Bowne said she's sticking by her initial advice.

"Overall, I still think it is sound advice to opt-out of overdraft, when possible, as we wait for the rule to go into effect," she said.  "I cannot envision a scenario where a bank would charge a consumer for 'attempting' a debit or ATM transaction in which the consumer never completes the transaction. ... That being said, nothing much surprises me with respect to these bank practices and without seeing the actual terms and conditions from the different banks it is hard to be certain."

Red Tape Wrestling Tips
You should opt out of overdraft protection now if your bank allows it. The end goal here is to avoid overdrawing your checking account through debit purchases or ATM withdrawals. You never want to pay $40 for a $5 hamburger, as has happened to many people in recent years. But there are hazards.

If you have overdrawn your account in the past year, think before you opt out. A bounced check can have more far-reaching consequences than an overdraft fee.  You might end up in the ChexSystems database and lose check-writing privileges, for example.  So don't opt-out until you are ready to stay out of the red.

Consumers who live near a zero balance will find that so-called "account holds" placed on debit purchases by gas stations and some other businesses can cause headaches in a post-overdraft-fee world.  Holds, which exceed the transaction price, can freeze funds for days and cause confusing time lags. Be cautious using your debit card for purchases at firms that place holds.  One tip: If you must use debit, use a PIN instead of a signature. PIN-debit transactions generally are processed faster than signature-debits, so that will help you keep your account balance up to date.

When July comes, look for a mandatory notice from the bank about the new procedures. Don't fall for comes-ons advertising "courtesy" protection.  If you do nothing, you won't have it. And that's probably your best choice.

After you opt out, and the fed rule kicks in, when might you be hit with a fee?  When the bank has to "return" an attempted payment to you – a bounced check, for example, or an e-payment that can't be honored.

The safe way to protect yourself from overdrawing your checking account is to link it to other accounts – your savings account, a credit card, or even a line of credit. Everyone makes mistakes. Yours will be less costly if you borrow your own money through linked accounts than if you borrow the bank's money through a "courtesy."

Become a Red Tape Chronicles Facebook fan and follow RedTapeChron on Twitter.

Facial recognition software. Trace portal machines. The Total Information Awareness database. And now, body scanners.  All these new technologies have enjoyed their day in the sun, immediately following terrorist attacks, as a potential magic bullet to keep us safe while traveling.

But repeatedly, gadget defenses have shown themselves to be costly, flawed and difficult to implement. Meanwhile, they take precious resources away from tried and true counterterrorism measures, like hiring more highly trained airline screeners or additional State Department officials.

"Our reaction has been predictably irrational," complains Bruce Schneier, author of numerous books on security, including "Beyond Fear." "We're going to spend a lot of money and it won't make us safer."

---

Body scanners became an immediate focus of attention the days after the failed Christmas Day plot to bring down a Northwest jetliner. There are plans to more than triple the number of scanners in U.S. airports this year.  At $150,000 each, plus operations and maintenance costs, the machines represent a significant investment. David Schanzer, director of the Triangle Center on Terrorism and Homeland Security at Duke University, says U.S. officials should think long and hard before spending that kind of money on terrorism-fighting technology.

"There's never a discussion of trade-offs," Schanzer said. "...Everyone acts as if we can do everything. We can't. Public officials are often attracted to things that are visible, that they can point to and say, 'We're taking action to make you safer,' when instead they should be looking at the types of things that might give you more bang for your buck."

For example, he continued, “Extra staff in State Department consular offices reviewing visa applications, people going to more interagency meetings, placing more personnel in our embassies to work with the British government so when they deny a visa we know. ... These are unglamorous and can get lost in the budget. But they work."

Fighting terrorism and securing air travel involves tricky, nuanced discussions about resource allocation and risk.  But reasonable choices about risk are challenging in the emotionally charged atmosphere of terrorism, he said.

"We need to asses risk and look at limited resources and figure out where to most effectively deploy them," he said.

'Magical thinking'
Schanzer said that, because fighting terrorism is as much about perception as reality, there is some value in taking steps simply to reassure the public. 

"Measures make people feel more secure, maybe that is a part of Homeland Security," he said.

But Schneier said U.S. officials have fallen into the bad habit of encouraging "magical thinking," suggesting that security technologies can make the world substantially safer.

"I wish Barack Obama would get up on stage and treat us all like adults and say, 'We're doing our best but sometimes these things are going to get through, but we're not going to change our way of life,'" he said.  "But politically he can't do that. So instead he's going to respond to movie plot threats and we'll waste money. … It's very human that we fear stories, and the way to make people feel better is to secure against the story."

While body scanners are the technology du jour, it is unclear whether they would have stopped Umar Farouk Abdulmutallab's alleged plot.  A scanner may or may not have shown a suspicious lump in his underwear, revealing the bomb-making material he allegedly secreted there. But even if it did, an airport screener may not have noticed it or deemed it a threat.

Other existing technologies, such as the trace portal or "puffer" machine, may have also detected the presence of explosives on Abdulmutallab's skin or clothes.  Chemical swabbing -- more commonly used today -- might also have detected elements. But they can also be circumvented.

Regardless, the cat-and-mouse game of implementing technology and screening tactics to defeat already-used terrorist attack techniques is largely ineffective. After nearly 10 years of removing shoes while entering security lines, it is still highly doubtful another attacker will attempt a shoe bomb.  Explosives hid in body cavities will not be detected by new body scanners.

"All these strategies require that we guess the plot. Security that requires us to guess the plot correctly doesn't work," Schneier said.  "If we spend money on technology that protects against liquid explosives and they use solids then we've wasted our money.  If we spend money to protect the Olympics and they attack the Super Bowl we wasted our money. "

The sudden focus on body scanner technology is also misplaced, Schanzer said, because the attack technique used on Christmas Day wasn't new.

"Nothing changed the other day," he said. "We knew about the threat (of a passenger carrying an explosive combination of chemicals onto a plane). Everyone was aware this was a possibility and the potential path of attack and yet we were not devoting extraordinary new resources into full body scanners. What's changed is the perception of the threat."

List is ignored
While even expensive new technology may have been ineffective against the failed attack or similar future attacks, existing tools might produce better results, Schanzer said.  Abdulmutallab had left plenty of red flags in his wake, including his father's warning to U.S. officials. But that warning, and other intelligence, wasn't enough to place Abdulmutallab on the "no-fly" list that would have prevented him from boarding the plane to Detroit.  On Tuesday, President Obama placed the blame on a "failure to connect the dots." In the future, similar suspects will not be allowed to board flights headed for the U.S., he promised.

But Abdulmutallab was on a list – a government database called the Terrorist Identities Datamart Environment, or TIDE. While there may not have been enough information to permanently ban him from entering the U.S., clearly there was enough to flag him for additional, intense screening. It's unclear why all travelers in TIDE aren't always subjected to increased scrutiny, but lack of resources is a likely explanation. Atlantic magazine reported this week that the National Counterterrorism Center, which maintains the database, was slated for budget cuts in 2010 – and workers who maintain TIDE were slated for layoffs.

It's hard to understand the lack of added screening, given how easily the list might be narrowed on a daily basis, Schanzer said.

 "How many on that list have a visa? How many have international airline tickets? How many are paying in cash? There's lots of information out there," he said. "I don't think data mining is a dirty word to narrow down the people who present the greatest risk and should get far greater scrutiny. ... Doing so is far more effective them applying expensive technology to everyone."

In fact, Schneier argues, some steps taken since the Christmas attack have made U.S. travelers less safe.  Profiling large groups of people -- such as travelers from the 14 nations that are now subject to additional scrutiny -- creates a dangerous two-tiered security system.

"Once you profile, you invite the bad guys to get around the profile," he said. "When you create a hard way and an easy way through security, you invite the bad guys to figure out how to take the easy way."

In the end, while the Christmas Day plot failed, terrorists may ultimately gain if substantial money is wasted on new technologies and Americans are subjected to longer airport lines and more hassles.

"Even after he failed, he succeeded," Schneier said. "But if we didn't react with all this fear and panic, he would have failed even if he succeeded. Terrorism requires us to be accomplices. And we're really good at terrifying ourselves."

Become a Red Tape Chronicles Facebook fan and follow RedTapeChron on Twitter.