Kevin Mandia has "kicked the hornet's nest." Now, he's waiting to see what the consequences might be.

Mandia's computer security firm, Mandiant Corp., issued a blockbuster report nine days ago accusing the Chinese military of supporting hacker attacks into perhaps thousands of U.S. businesses.

Accusations of nation-state-sponsored hacking are nothing new, but Mandiant provided the most specific and detailed account of computer espionage that the security world has seen to this point. In it, the firm chronicled 141 attacks and even produced a short video allowing observers to watch an attack unfold in real time.

Mandia said his researchers have spent years observing hackers operating from inside an office building in Shanghai as they repeatedly raided his U.S. clients' computer systems, stealing intellectual property.  Now, his small company of 300 awaits the consequences. He expects cyber-retribution. Already, he said Thursday in an exclusive interview with NBC News, someone has tried to "spear phish" his employees, sending booby-trapped emails designed to give the attacker control of Mandiant computer systems.  Also, within hours of the report, Mandia said, Chinese officials scrambled to hide their tracks, changing registration information for websites listed in the report and taking computers allegedly used in the attacks offline.

Mandia agreed to be interviewed  after presenting at the RSA computer security conference in San Francisco, an annual gathering of more than 20,000 experts from around the world. Mandia's speech was a hot ticket; he spoke to a packed audience who applauded several times when he explained that it was time for a U.S. firm to publicly connect the dots and directly accuse the Chinese government of sponsoring attacks on U.S. firms.

So far, the Chinese government has publicly dismissed the report, saying it provides no evidence of state-sponsored attacks. And on Thursday, the Chinese Defense Ministry pushed back, saying that Chinese defense websites are routinely attacked -- 144,000 times monthly -- by computer intruders, many of them based in the U.S.

Long theorized and discussed in hushed, speculative terms, state-sponsored cyberwarfare is now openly discussed at security gatherings like RSA.  The 2009 Stuxnet attack on Iranian nuclear facilities, believed to have been orchestrated by U.S. and Israeli experts, was perhaps the first public blow in the increasingly cold cyberwar, but even that attack had its origins in research conducted years earlier. Researchers from Symantec Corp . released a paper this week at RSA saying they have found the first version of Stuxnet dates back to 2005, and that it was designed with even broader attack capabilities.

China's alleged hacking and stealing of U.S. corporate secrets will have serious impacts on the American economy, Mandia said, which is why he felt it was time to make public accusations and "kick the hornet's nest."

"The goal is for the Chinese to get somewhere faster economically. ... They may have shortcut 10 years out of their economic cycle," he said. "... We're going to see the impact emerging. ... It may cause job loss, it may cause loss of (intellectual property), it may cause trade tariffs, it may cause diplomatic headaches."

Watch the rest of the Kevin Mandia interview by clicking “play” above.

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter

More from Red Tape Chronicles:

• Facebook, real world data brokers team up to pick online ads for you
• One latte away from millions? Don't bank on it, author says
• ID theft on the rise again: 12.6 million victims in 2012, study shows

The offline and online data collection worlds are about to collide as never before. Facebook will soon announce partnerships with Axciom, Epsilon and Datalogix, three real-world data marketing giants with access to billions of pieces of information about Americans’ shopping habits, according to a person familiar with the deal.

Follow @RedTapeChron

Facebook will not share its users' data with these firms, said the source, speaking on condition of anonymity. Instead, it will allow advertising clients to enlist the help of offline data to deliver targeted Facebook advertising, the source said.  A supermarket loyalty card user, for example, might see Facebook ads that reflect their grocery-buying habits.

Facebook will use added security features to make sure data doesn't flow between it and the database firms, and that matches will be made using a technique that makes individual consumers blind to the companies involved, the source said.  The source requested anonymity because she was not authorized to speak on the record about the deal.

Still, the marriage of real-world and virtual databases has some privacy advocates nervous.

“There needs to be limits on Facebook's growing use of outside data broker information so its users can be targeted by marketers," said Jeff Chester of the Center for Digital Democracy.  "Companies like Acxiom, etc., contain vast stores of details about us, including online and offline information."

Pam Erlichman, spokeswoman for Datalogix, confirmed in an e-mail that her firm “is participating” in a new advertising partnership with Facebook, but directed additional questions to Facebook. Axciom also referred all questions about the deal to Facebook. Epsilon did not immediately respond to requests for information about the deal, which was first reported in AdAge. A spokeswoman for Facebook said she would not comment on the report.

Data brokers Acxiom, Epsilon and Datalogix already use their vast records -- which include e-mail lists, grocery store shopping habits, and much more -- to send highly targeted junk mail and other kinds of advertisements to consumers. Increasingly, these firms have tried to sell their market intelligence online. In a recent brochure, Datalogix  makes its case for merging the two worlds:

"Why are offline transactions relevant online? Because they’re a more predictive indicator of intent rather than banner ad clicks. Too often, marketers view click-throughs as response data. But a click-through is not a sale," it says.

This isn't the first time Facebook has partnered with Datalogix; the social media firm announced last fall that it was conducting research with Datalogix to show that Facebook ads actually encouraged offline purchases.  Through that arrangement, Datalogix is tracking groups of Facebook users who were also in its database to see if those who saw certain kinds of Facebook ads were motivated to make later purchases at grocery stores. Facebook was unable to identify individual consumer purchases through the research , the firm said at the time, but was able to see if ads were, in aggregate, effective in getting shoppers to buy grocery items.

Here’s how the data sharing will work, according to the source: Epsilon, Datalogix and Axciom will upload lists of customers to Facebook, tagged through email addresses or phone numbers. Facebook will then find matches among its users, and create what it calls “custom audiences.” These can be narrowly focused –18- to 24-year-olds in California who drink cola, for example.  Then, these audiences can be targeted with precise softdrink ads.

Facebook will not know the identity of these consumers, however, because the data it receives from its partners will be scrambled, or “hashed,” preserving their privacy.  No data will change hands, said the source.

Rainey Reitman, a privacy expert with the Electronic Frontier Foundation, did a deep dive through the data that was shared between Datalogix and Facebook last fall.

Reitman said that on the surface, she saw no new privacy issues raised from extending the Facebook-Datalogix partnership, as long as Facebook continued to insure that user information wasn't flowing out of the company to its new partners.

"Facebook is holding onto its data quite carefully," she said. "It has a financial interest in doing so ... and that should help protect users' privacy."  She was concerned that loyalty card users might be surprised to find their information can find its way into a Facebook advertising formula, however.

Another privacy expert, Larry Ponemon of research firm The Ponemon Institute, said he didn't think privacy issues were inevitable in the deal -- "more-targeted ads could be a good thing for users," he said. But he cautioned that regulators and consumers should be very skeptical of any broad link-ups between online, and offline data, as they have in the past.

"This is what got DoubleClick in trouble with Abacus Direct," Ponemon said, pointing to the now-infamous advertising deal struck in 1999 that was eventually scuttled because regulators concerned about the ad network's ability to track users through cyberspace and in the real world through technology. "What's changed? Perhaps Facebook will never have custody of the data the way they are doing it, they are one or two steps removed, but how does that affect the privacy issue?" 

Ponemon says that consumer expectation is often the forgotten element in attacks on privacy, and he's concerned about that happening if Facebook has access -- however obscured -- to grocery store loyalty card records or similar data.

"When a person signs up at Giant so they can get milk at market price, they are not thinking that information is now going to be linked to their Facebook account," he said. "It seems like there's this trend to have mega-databases, and all these things working together in constant harmony, but the problem we have is we haven't thought through the potential privacy risks."

The main concern, he said, is that mega-data collectors like Facebook and Axciom could join forces and build "the ultimate dossier" on consumers.

"Could this lead to the disintegration of our privacy rights, or is it just another creative way of serving an ad?  We'll have to see in the details," he said. 

Chester, from the Center for Digital Democracy, said it was important for consumers to know their rights when such databases are shared, adding that is also is important for consumers to be given ample opportunity to opt out of the sharing.

“Companies like Facebook want to pool more information together to essentially enable it to know what its users are doing on their mobile phones, such as when shopping,” he said.  “(Privacy advocates) believe that Facebook users should have the power to decide what information can be used to profile and target them--especially when it comes from these powerful storehouses containing what we do, who we are.”

Users can opt out of Datalogix online digital advertising by visiting the firm’s privacy page and clicking under the section labeled “Choice.”

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter

More from Red Tape Chronicles:

• 'Privacy tax' creator makes his case, says software is 'eating the world'
• Death of the price tag: Stolen from us too soon
• FTC: 5 percent of credit reports contain 'serious' errors that cost consumers

Helaine Olen has begun an important discussion in the world of money: Is anybody's advice worth paying for?

The author's new book, “Pound Foolish: Exposing the Dark Side of the Personal Finance Industry,” has rattled quite a few cages since it was published in January. It's also gotten a lot of attention, including glowing praise from The Economist. We sat down with Olen at our studio in 30 Rockefeller Plaza recently. (You can watch the interview by clicking “play” above.)

Follow @RedTapeChron

Olen points out the folly of simplistic mass-market advice, such as the notion that forgoing a latte every day will make one a millionaire by retirement. She's an equal-opportunity critic, poking fun at everyone from late-night TV stock pickers, to financial gurus who make millions writing books, to newspaper business reporters who have no credentials for doling out advice.

In fact, that's how Olen started her career -- writing "Money Makeover" columns for the Los Angeles Times, where she matched up eager consumers with even more eager finance wizards, and described the advice that was doled out. Ten years on, these stories still gnawed at Olen, as she wondered if the consumers were genuinely helped by the advice. Her book's most telling moments detail meetings with these sympathetic characters, who unsurprisingly have not fared better after hearing the normally high-priced money wisdom.

Olen gets some cheap laughs by going back in time and showing mistakes made by financial prognosticators -- citing Suze Orman's advice to her fans that real estate was the best investment. But something more nefarious is at play in American culture, Olen says, when the myth of the latte millionaire persists. The subtle message from many financial gurus is that consumers simply have to suck it up a little, ditch the extravagances and everything will be fine. That's just not true, she argues.

"We believe very deeply in this country in the myth of Horatio Alger, which is ... this idea that we can do it all by ourselves," she said. "And that's just not true." Harsh economic realities, such as skyrocketing housing and health care costs, play a bigger role in our financial future than our ability to skip pricey coffee, Olen says.

It's undeniable that much personal finance advice is overly simplistic. But it's also undeniable that Americans are terrible at math, and many don't want to take even the simplest steps at improving their financial futures. So it may not be fair to criticize those who give simple advice to consumers who seem to want it. And behavioral economists have produced research for years showing that financial education doesn't do much good anyway, because people tend to take the path of least resistance when making decisions on 401(k)s, mortgages and so on. They prefer nudges from companies and governments, such as automated enrollment in the most beneficial retirement plans. 

What's the harm if financial gurus provide that nudge of inspiration to pay down debt or build up savings for someone who otherwise might not act? Olen didn't have a good answer. Still, her critique is eye-opening, particularly when readers are confronted with tale after tale of advice gone bad. 

Taken as a whole, “Pound Foolish” is a good reminder that you are as qualified as anyone else to control your financial future. As the saying goes, if you want something done right, you should do it yourself. You'll be saving a lot of money in the process, too.

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter

More from Red Tape Chronicles:

 ID theft on the rise again: 12.6 million victims in 2012, study shows

'Privacy tax' creator makes his case, says software is 'eating the world'

Death of the price tag: Stolen from us too soon

Identity theft is on the rise again, says a new industry-sponsored study, reversing a promising two-year trend. 

Follow @RedTapeChron

Some 12.6 million Americans were victimized by ID theft in 2012, the second-highest total since the Federal Trade Commission began counting victims in 2003  and roughly 1 million more than 2011, according to the survey by Javelin Strategy and Research. The record – 13.9 million victims – was set in 2009.  

The criminals made off with $3 billion more than in 2011, as well.  Overall, slightly more than 1 in 20 consumers -- 5.26 percent -- were victims last year, the survey found.

A large portion of the increase was driven by "dramatic jumps" in more-serious forms of ID theft, such as new account fraud, where a criminal uses a victim's personal information to open new credit cards or other kinds of loans. New account fraud jumped 50 percent last year, according to the report, with the total fraud loss doubling year over year to just under $10 billion

"I don't think (the data) shows that banks are losing control," said Jim Van Dyke, author of the study, when asked about the significance of the new data. "But it's really wise to look at where we haven't gotten anything under control, and that's new account fraud."

The news comes amid a cascade of hacker stories this week, giving the impression computer criminals are gaining the upper hand on many fronts.  Agents working on behalf of the Chinese army have successfully attacked dozens of U.S. companies, according to a report issued Tuesday by U.S. security firm Mandiant.  Large U.S. media companies have also fought off Chinese hackers, and not always successfully, according to several reports. Burger King and Jeep suffered embarrassing Twitter account takeovers. And both Twitter and Facebook have had to announce in recent weeks that they had been hacked.

Javelin's data is based on telephone surveys of U.S. adults, with consumers self-reporting details of their ID theft to survey takers and results extrapolated from their answers. The precision of such data can be questioned, but Javelin has used the same techniques for eight years, making year-to-year observations informative. The same technique was used by the FTC in 2003 when it initially reported the size of the identity theft problem as required by Congress.

The survey was sponsored by CitiGroup, Visa, and Intersections LLC, which provides identity theft prevention services to consumers.  Van Dyke says the sponsors were not involved in tabulation, analysis or reporting of the results.

Bank security analyst Avivah Litan of the security consultant firm Gartner, who has run her own ID theft victim surveys in the past, said the Javelin survey's results are consistent with what she's heard from bank security officials.

"Even in an age of cyberespionage and advanced targeted attacks, good old-fashioned consumer identity theft continues to escalate," Litan said. "It's highly unfortunate that even after all this time and effort by banks regulators high tech entrepreneurs and law enforcement that the bad guys are still coming out ahead. It's high time that we put more intelligent efforts into winning this cyberwar, whether it’s against amateur identity thieves or foreign infiltrators."

Other interesting findings from the Javelin report:

*Consumers who received "breach" notifications from companies indicating their personal data had been compromised were much more likely than others to be victims of ID theft.  And that trend is rising. In 2011, 1 in 5 recipients were victims; and last year, the likelihood increased to 1 in 4. 

*Fraud victims living below the poverty line were more than twice as likely to know their imposter personally -- so-called "familiar fraud" -- than wealthier consumers. The survey found that 29 percent of poor victims knew their imposter vs. 12 percent of those living above the poverty line.

*It's important to note that despite the rise in new account fraud, simple credit card fraud still accounts for about two-thirds of all ID theft. Those victims had a relatively easy time fixing the problem, reporting an average of 11 hours of disruption. On the other hand, 51 percent of victims of "account-takeover fraud," which allows criminals to withdraw funds from existing checking accounts and run similar schemes, said their lives were "severely impacted" and they spent an average of 37 hours resolving their frauds.

Van Dyke also pointed out there are hidden victims in ID theft, in addition to banks and consumers who lose money.  Among consumers who were victims of fraud, 15 percent said they reacted by avoiding online retailers, and half of that group specifically avoided small retailers. Only 8 percent of that group said they avoided large merchants after a fraud.

"Small online merchants are really being singled out," he said.  In other words, they are hit both by fraud, and by lost sales due to the impression of risk created by fraud. "Consumers are very sympathetic to small merchants, but when you see this lack of trust play out, it underscores how significant the problem is and how important it is that we deal with it.”

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter

More from Red Tape Chronicles:

• 'Privacy tax' creator makes his case, says software is 'eating the world'
• Death of the price tag: Stolen from us too soon
• FTC: 5 percent of credit reports contain 'serious' errors that cost consumers

Antoine Duhamel / www.archi-photo.fr

Nicolas Colin

If you aren’t paying for the product, you are the product.

Internet users know this implicitly; there are no free apps, no free search engines. Instead, users trade their information in exchange for some service, vaguely aware that the company’s side of the bargain is free access to data it can turn into profit.  Some consumers get angry at the notion they provide free labor and raw materials to some of the world’s largest and richest companies, but Nicolas Colin thinks people should be a whole lot angrier. In fact, he believes that “software is eating the world.”

Colin, a tax inspector for the Ministry of the Economy and Finance in France, believes that corporations have turned the Digital Age into a massive tax haven which dwarfs anything high-priced accountants have ever pulled off in places like the Cayman Islands. His beef: Corporations don’t pay a penny in taxes on all that free labor.  In other words, not only are you are the product, but you’re also paying for all the roads, fiber-optic lines and airports that digitally dependent corporations need to get rich.

Colin caused a stir last month when he co-authored a report for the French government recommending what some have called a “privacy tax” – essentially a mechanism to punish companies that profit from misuse of consumer data. The idea of a new tax based on something seemingly so vague went over like a lead balloon in many quarters.

Follow @RedTapeChron

But Colin’s idea is far broader, and has wide multinational implications. He wants to change the fundamentals of how taxes are levied, a step every bit as radical as the invention of income or sales taxes. 

He wants to tax data.

While new taxes aren’t exactly popular these days, the Red Tape Chronicles decided to hear him out.

Colin’s proposal begins with the notion that, like it or not, we are all part of the supply chain now.

“What we do leaves traces, generates data. This data can be leveraged to create value,” he told NBC News during an extended interview via email. "If you want to create value, you can either hire employees, contract on the market or design an application that will attract millions of users and will turn their activity into economic value -- make them part of the supply chain.”

In a strange reversal of fortune resulting from this new business model, Colin said, labor now happens in rich, giant Western nations while profits are counted in smaller, tax-friendly places. 

With millions of unpaid laborers around the world helping to make your product, the notion of place has become less and less important in terms of taxation, he argues

“Digital technology has moved value creation from inside the factory to the customers' hands and brains,” he said. “Value is now co-created by companies and the people who use their applications. This has consequences on corporate tax, because it changes the geography of value creation. It's not where the factories are anymore, it's where the users are.  … Many authors have written on this phenomenon. Each has his own phrase to describe it : Web 2.0, co-creation, crowdsourcing, peer production, distributed capitalism, wikinomics, etc. But there's really one reality: In the digital economy, users create part of the value alongside employees, contractors, capital, and companies' assets.”

Governments can’t tax worker income, or levy company payroll taxes, when the “workers” aren’t paid. And they can’t charge sales taxes for products which are given away for free.  The situation creates quite a dilemma for taxation authorities, and it will ultimately have devastating consequences for society, Colin predicts.

“Tax base erosion will happen in each sector disrupted by the digital economy,” he said. “Yesterday it was advertising, entertainment, retail, travel. Tomorrow it will be banking, health care, cars, telecommunications, manufacturing, higher education. The law must change quickly, because software is eating the world.”

So what is to be done? Rich nations must negotiate and agree on a new concept of “permanent establishment” which defines where companies operate and therefore are subject to taxation, he argues. 

His basic notion: “There should be a permanent establishment wherever a company collects data to fuel a service provided on the same territory.”

The French proposal comes amid growing frustration among French lawmakers with their inability to collect taxes from large, digital companies like Google, which generated $2 billion in advertising in France last year but paid almost no taxes there. France has already tried an ill-fated “link tax” in an attempt to support local publishers who fear they are losing money because of the search engine’s free links. 

Google issued a statement last month saying it was researching the French proposal.  Google did not immediately respond to requests for more information about its tax payments in France or about Colin’s proposal.

But last week, CEO Eric Schmidt wrote a blog post describing two new France -friendly Google initiatives.

“Today I announced … two new initiatives to help stimulate innovation and increase revenues for French publishers,” he wrote. “First, Google has agreed to create a … Digital Publishing Innovation Fund to help support transformative digital publishing initiatives for French readers. Second, Google will deepen our partnership with French publishers to help increase their online revenues using our advertising technology.”

Not quite the radical shift in taxation policy Colin and his supporters are looking for. He makes a forceful case for the inequity of free, and untaxed, labor online. 

“You can replace employees and contractors with users of an application, and these users work for pleasure, not for money,” he said.  “So it's free -- well, almost free, because the marginal cost of a user is practically equal to zero in the digital economy. … Using those applications, French people contribute to profits made by foreign companies, yet those companies don't pay the taxes necessary to cover the public expenses that help fuel this value creation.”

He pointed to a popular speech made by Sen. Elizabeth Warren, D-Mass., during her campaign, making the case that companies benefit from tax-funded infrastructure, but aren’t paying their fair share.

“Individuals become active users if they are educated, equipped, covered by social insurances, and massively connected, and all of this costs money to the government,” he said.

While such a new tax regime involves a massive shift in the notion of taxation – from location of production to location of data collection -- the shift wouldn’t be unprecedented.  He cited the creation of progressive income tax early in the last century, and the implementation of the value-added tax in the 1950s, as similar shifts.

The European valued-added tax – or VAT -- requires companies to pay taxes every time they take any kind of raw material and turn it into a product that can be sold at a higher price. Data taxation grows logically from this idea, Colin believes.  With data collection, under Colin’s scheme, companies “create value” when they turn consumers’ information into a product that can be sold. Taxing data really means taxing creation of this new value, he says.

“The French are very proud to have invented the VAT in the ‘50s. Today it's the most neutral tax, the most widely accepted by both individuals and corporations, and the one that raises the most revenue for governments,” Colin said. 

He acknowledged that Americans, who have long resisted VAT taxes, will probably receive the idea of digital-age tax change with strong skepticism. But he argues that 20^th century taxes distort the market and hurt the economy.

“Sometimes, new taxes are good for business when they help pay down the debt and balance the budget, and above all when they replace outdated taxes that distort the market instead of supporting growth and job creation,” he argued.

The privacy tax, which Colin suggested implementing as an intermediate step, has been roundly criticized, beyond the notion that any new tax is a bad idea: Critics have said it would be nearly impossible to manage, would force government bodies to make rulings on very technical matters, and that its collection could itself represent a privacy violation.  But Colin argues there is already general consensus in the computer security world on best practices with consumer data. Such a tax would properly align incentives in the marketplace, the way a carbon tax might create incentives for companies to take better care of the environment.

“What we recommend is to tax companies' behavior that is not in the interest of their users and not in the interest of innovation and growth,” he said.  “The French tax on non-compliant data collection behavior can really be compared to a carbon tax: In both cases, it creates an incentive for companies to change their behavior in the public's interest -- less pollution, more data protection, user empowerment and more innovation through smart disclosure.”

And while changing an entire tax regime would require international treaties, Colin argued that France could unilaterally impose privacy taxes on firms operating within its borders.

“There is no way companies can avoid it, because that would mean closing the service for users based in France,” he said. “Is Google ready to stop operating its search engine in France? Or Facebook ready to close 20 million accounts?” 

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter

Five percent of U.S. consumers have an error on their credit report that "could lead to them paying more for products such as auto loans and insurance," the Federal Trade Commission said Monday, as it issued a long-awaited study of credit report accuracy. 

Follow @RedTapeChron

“These are eye-opening numbers for American consumers,” said Howard Shelanski, director of the FTC’s Bureau of Economics.  “The results of this first-of-its-kind study make it clear that consumers should check their credit reports regularly.  If they don’t, they are potentially putting their pocketbooks at risk.”

The trade group for the nation's credit reporting agencies issued a swift response challenging the agency’s interpretation, saying the study shows credit reports are "highly accurate."

"The study also showed that 95 percent of consumers are unaffected by errors in their credit report," the Consumer Data Industry Association said in a statement.

The FTC study, eight years in the making, also tracked consumers as they tried to fix or dispute errors in their credit reports. More than one in 10 who did this saw their credit score change as a result.

The study was ordered by Congress in 2003, when it passed the Fair and Accurate Credit Transaction Act. The FTC followed 1,001 consumers as they tried to navigate the credit report system and to fix mistakes in their reports.

Among other things, the study found:

*26 percent of consumers in the study identified a "potentially material error";

*21 percent managed to obtain a modification of an error;

*Roughly half of that group experienced a change in credit score;

*Most of those credit score changes were minor, with roughly half resulting in swings of 20 points or less;

*The most important finding of all: For 52 of individuals studied, "the resulting increase was such that their credit risk tier decreased," meaning they were likely to get cheaper loan rates.

Consumer groups responding to the study said it indicates a need for reform of the credit reporting industry.

“It’s unconscionable that 40 million American have errors in their credit reports, and that 10 million have errors grave enough to cause them to be denied or charged more for credit or insurance or even be denied a job,” said Chi Chi Wu, staff attorney at the National Consumer Law Center. 

Studies of credit report errors have been conducted before, but they have produced confusing results. Many errors are not material — a misspelled street name for example.  And errors are not the real problem — lower credit scores that cost consumers when they try to get loans are. Credit bureaus are required by law to quickly fix mistakes, but there have long been allegations that the dispute process is difficult and stacked against consumers. The FTC report attempts to address that, too.

Of the 262 consumers in the study who disputed information they said was inaccurate:

*37 percent said all their concerns were addressed;

*42 percent said their report had been modified, but there were still errors on their report;

*21 percent said they were unsuccessful in getting their reports modified.

The report did not attempt to establish the veracity of the consumers' disputes.

Credit expert John Ulzheimer, who formerly worked with Fair Isaac, which invented the credit score, and is now president of Consumer Education at SmartCredit.com, said he felt both the FTC and the credit industry trade group were "embellishing" their claims about the results of the study, but he, too, found the FTC data troubling.

"I'd side with the FTC that the results are more disturbing than they are confirming credit files are accurate," he said. He suggested taking the dispute results with "a grain of salt" because the errors claimed by consumers were not independently confirmed.

FTC Chairman Jon Leibowitz told CBS News, which first reported the study’s findings on “60 Minutes,” that the results were "highly troubling. ... It's a pretty high error rate."

The credit industry began fighting back even before the “60 Minutes” segment aired. It issued a press release Sunday afternoon, and several employees of Experian spent the evening sending tweets to Twitter users who attacked the industry.

"It's easy to selectively hype snippets from the FTC study to sensationalize the issue," Stuart Pratt, consumer data industry spokesman, said in the release. "But the number important to consumers is the one they ignored – that only 2.2% of credit reports contain material errors."

The industry and FTC numbers differ because they describe slightly different things: The FTC says 5 percent of consumers are impacted by a serious credit report error, while the industry derives its 2.2 percent figure from the fact that consumers have three different major credit reports, and often errors appear on only one or two of those.

The industry also disagrees that errors are hard to fix.

"The notion that it is difficult to dispute an error is just wrong.  It is irresponsible to suggest to consumers that they might as well not take action when they have a question about their credit report," Pratt said.

Experian public relations officials repeatedly sent out this message last night: "If you ever spot an error on your credit report, please report here http://t.co/5nncPpfP Avg dispute time is 14 days."

It also sent users to the Experian website to read about the firm's policies

"Experian’s Commitment to Data Integrity, Customer Service and Consumer Education http://t.co/kejlxpQYvia @ExperianNews"

Some Twitter users complained about Tweet campaign:

"@Experian_US so (you are) responding (to) tweets from US but resolving life changing disputes from Chile and India!Priorities please!!!" wrote @elizabethforma.

As the Red Tape Chronicles and other outlets have reported, consumers disputes are often sent overseas for consideration, and workers in places like India and Chile only have a few moments to consider each dispute.

An Experian official who was sending out Tweets would not agree to be interviewed by NBC News; she directed questions to Pratt at the industry group.

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter 

AP Photo/The Jersey Journal

FBI agents enter Raja Jewelers in Jersey City, N.J., on Tuesday, investigating what a criminal indictment describes as an international credit card fraud ring.

In an indictment that reads like an instruction manual for nearly every type of identity theft and credit card fraud yet invented, prosecutors alleged on Tuesday that more than a dozen crooks ran roughshod over America's credit system for six years, stealing hundreds of millions of dollars and living like kings.

Follow @RedTapeChron

The techniques deployed by the crime ring ran the gamut, from child ID theft to setting up fake stores to process credit card payments, says the indictment, which was unsealed on Tuesday. It alleges that suspects created so-called “synthetic identities,” in which invented Social Security numbers were used to create fake credit reports that enabled them to borrow huge sums; faked utility payment histories to fool credit bureaus;  designated  themselves as "authorized users" of real victim's identities; and minted real and fake merchant credit card processing accounts to trick banks into depositing large sums of cash into bank accounts they controlled. In one case, they even used a 6-year-old's Social Security number to get credit, it said. 

With the proceeds of the scheme, they bought luxury cars, electronics, spa treatments, and millions of dollars in gold, the indictment said. Authorities found $68,000 in cash hidden inside the kitchen oven of one suspect, it said.

“This elaborate network utilized thousands of false identities, fraudulent bank accounts, fake companies and collusive merchants to defraud financial institutions of hundreds of millions of dollars in order to facilitate extravagant lifestyles they could otherwise not afford,” David Velazquez, FBI  acting special agent in charge, said  in a statement.

A set of jewelry stores in Jersey City, N.J., just across the Hudson River from New York City, was at the center of the fraud, according to the indictment. False charges were run through the stores’ merchant credit card processing accounts, allowing the criminals to turn fake IDs and fraudulent credit cards into cash.  Jewelry stores, which routinely process high-priced transactions, are perfect for such a fraud.

According to the indictment, the extent of the brazen operation and its support network was staggering.  There were 7,000 fake identities created in all, and 25,000 fake credit cards, it said. To fool banks and credit bureaus, 1,800 fake "drop box" snail mail addresses were used, so criminals could accept real mail -- such as utility bills -- and make them part of the scheme, it said.

The FBI estimates the fraud netted a total of $200 million, but because some conspirators have not yet been arrested and the investigation is ongoing, it expects that figure to rise. Money was sent around the world, to Canada, Pakistan, India, China and Japan. While the operations centered on the New York metropolitan area, with 13 individuals arrested in New York, New Jersey, and Pennsylvania, the scam actually touched 28 U.S. states, according to the indictment.

Babar Qureshi, who is the accused ringleader, made a single wire transfer of $500,000 recently, the indictment alleges, and a total of $1 million flowed through his accounts during the operation. The FBI says it has identified 169 bank accounts through which $60 million in proceeds flowed -- most ultimately withdrawn in cash.

The general technique the criminals allegedly used is not new, or novel, and is sometimes called a "bust-out" scheme. In the indictment, the U.S. Attorney's Office calls it "make up, pump up and run up." Here’s how it works: Criminals gain control of a real or invented credit identity, but don't use it for fraud right away. Instead, they patiently pay bills or otherwise build up the creditworthiness over  time. Then, when the account is "primed" so that potential creditors are convinced it is legit and their fraud-fighting software lets its guard down, a large fraud is committed.

Justice.gov

A chart in the federal indictment breaks down the various identities authorities say were linked to suspects arrested in the fraud ring.

There’s a lesson in these allegations for victims of credit card account number theft -- smart criminals don't commit fraud immediately after stealing account numbers. If your account number is compromised, don't believe you are in the clear just because there's no fraud in the first few months.

Merchant accounts -- credit card transaction processing accounts that businesses use to accept credit cards and get paid -- are particularly valuable to criminals.  The biggest barrier credit fraudsters have is turning data into cash.  It's risky to purchase items with stolen credit cards, or to attempt ATM cash withdrawals, as that creates a paper trail and perhaps a surveillance video record. But by working with a merchant account, criminals can pretend they are processing legitimate transactions and automatically have the payments deposited directly into their checking accounts.  The criminals can go from stolen account numbers to cash in a fully electronic transaction. There's still a paper trail, but that's why these criminals maintained an extensive network of fake IDs, the government alleges – so they could hide behind layers of false identities when setting up the merchant accounts.  Jewelry store accounts, with their high-ticket purchases, would be particularly useful in this kind of crime.

The 18 defendants charged in the indictment -- including five  who are still at large -- range in age from 31 to 74. Four of the suspects live in Iselin, N.J., about 45 minutes south of New York City. One is in Philadelphia. The rest are scattered among New York City and nearby suburbs..

Attorney Angelo Servidio, representing defendant Tarsem Lal, said his client was free on bail, and wanted to remind people that his client is innocent until proven guilty.

"They are all presumed innocent. There are a lot of people involved in or alleged to be involved in this case," he said. "From what I can see, this case (may have) been under investigation since 2008, so there are going to be a lot of documents to sift through."
Servidio said he hadn't seen any of the evidence against his client yet.

"Other than his connection with a jewelry store, I don't know what evidence they have," he said.

NBC News was unable to immediately Qureshi's lawyer.

The bank fraud count with which the defendants are charged is punishable by a maximum of 30 years in prison and a fine of $1 million.

* Follow Bob Sullivan on Facebook.

* Follow Bob Sullivan on Twitter