Corporate sneakiness. Government waste. Technology run amok. Outright scams. Our effort to unmask these 21st Century headaches and offer solutions that save you time and money.

    26 Apr 2013, 4:53am EDT

    'Ransomware' tricks victims into paying hefty fines

    Symantec Corp.

    This pop-up screen appears to come from the FBI.

    By Bob Sullivan, Columnist, NBC News

    Computer users around the globe are being hit by a new kind of virus that freezes their computer and accuses them of committing heinous crimes, like distributing child porn. The threats sound real enough that victims are coughing up $200 to pay a "fine," and virus writer gangs are netting millions, security firms say.

    The message that flashes across infected computer screens sounds downright scary:

    "You have been viewing or distributing child porn ... violating article 202 of the Criminal Code of the United States of America," says one version, allegedly sent by the FBI. A virus victim supplied the message to NBC News.

    In each case, the accusation appears on a pop-up screen while the virus simultaneously locks the computer. The message often shows the user's IP address and city, and sometimes the sites the victim recently visited. The most alarming version activates the victim's webcam, takes his or her picture, and displays it on the warning.

    "They are saying, 'we know who you are, where you are, and what you were doing,'" said John Harrison, a security researcher with Symantec. "They attempt to scare the heck out of you."

    The victim is then offered an option: pay a fine within 72 hours, and the charges will be dropped, while the computer will be restored. 

    Symantec Corp

    In this version of the scam, the virus activates the victim's webcam and displays an image from it on the screen, making the warning even more unnerving

    The malicious software is cleverly crafted: a single package carries 30 to 40 versions of the warning. It displays in the language appropriate to the victim's location, in English, Spanish, Russian and so on, and invokes that country's national law-enforcement agency. A U.S. victim might get a notice purporting to come from the FBI's Internet Crime Complaint Center, while a Canadian victim gets one from the Royal Canadian Mounted Police.

    The message is fake, of course — and even those who pay the "fine" still have a broken computer. But victims worldwide are falling for it. Harrison said for one version he tracked, roughly 3 percent of victims actually paid up. The criminals behind that virus netted $5 million, Symantec estimates.

    With results like that, other virus gangs have been quick to copy the profitable formula. Symantec believes that gangs who spent the past couple of years making money tricking consumers into paying for fake antivirus software have all taken up the fake criminal charges and fine scam.

    "So many of these folks have jumped on the bandwagon," Harrison said. "They have really transitioned into this."

    The general technique is called ransomware — a virus disables the computer, allegedly holding it hostage until a ransom is paid — and it's not new. But the clever combination of an abrupt interruption, the localization trick, and the severity of the accusation catches many victims unaware, and they let their guard down enough to pay the fine.

    There are no hard numbers on how common ransomware is, but there is plenty of anecdotal evidence that it is on the rise. In February, Europol announced the breakup of a multinational crime ring: a Russian programmer was arrested in the United Arab Emirates and 10 others were arrested in Madrid, Spain. There were victims across 30 countries. Authorities in Spain said 700,000 Spaniards had contacted the government asking for help after becoming infected.

    The agency issued another warning about the scam on April 11.

    “Fraudsters are deploying extortion techniques using Europol's identity and logo to con EU citizens out of money,” the warning says. “Variations of this con, using the identities of other international and European agencies, are also in circulation.”

    It's possible the problem is even worse than security firms realize, because many victims may not be reporting the infection, Harrison said.

    "If you were at work and there was a message on your screen that said you were viewing child porn, would you run to get your IT department?" he said.

    Most victims pick up the virus by visiting booby-trapped Web pages that surreptitiously install software on their machines through a "drive-by" download, or by downloading free software from disreputable sites. In fact, some variants accuse the victim of violating copyright law, an accusation that, for someone who has just downloaded pirated software, may well be true.

    Victims shouldn't pay the fine, Harrison said, but they should know that various software tools — including free tools available at Symantec — can rid their machines of the virus.

    13 Feb 2012, 11:31am EST

    Laptop-shooting dad, after 21 million views, says he'd do it over again

    By Bob Sullivan, Columnist, NBC News

    On a week when it seemed half of America was weighing why French parents were superior, the other half was cheering for "laptop-shooting dad."

    The irony can't be missed. An essay by Pamela Druckerman, based on her new book "Bringing up Bebe," was the most popular story on the Wall Street Journal's website all week. It extolled the virtues of teaching kids patience and of learning the value of a firm, quiet "no."

    On the other hand, Tommy Jordan, angry dad from North Carolina, became an overnight Internet folk hero for meting out gunslinging justice to his rebellious 15-year-old, who had recently posted a disrespectful update on her Facebook page. On Thursday night, he posted the act of discipline on his daughter's Facebook wall, and on YouTube. By Monday morning, a stunning 21.4 million people had watched it -- far more than watch an episode of “American Idol” or even NBC's “Today” show. We’ll hear Jordan’s reaction to his viral sensation -- and whether he’d change anything about the incident -- in a moment.

    While experts interviewed by msnbc.com were highly critical of the public nature of the discipline, the vast majority of parents expressed enthusiastic approval for Jordan, most pointing out that it's high time "someone stood up to these spoiled kids." An unscientific poll of 93,000 voters on Today.com found 74 percent agreed with Jordan's brand of discipline. Some avid supporters even urged Jordan to jump into the presidential race. He demurred, but publicly endorsed Ron Paul.

    Jordan has also used his newfound fame to publicly endorse a website in which he has a financial interest, a classified-ad service called Another Man's Junk. He's encouraged visitors to donate money to the Muscular Dystrophy Association and says he's helped raise $5,000.  And, he's monetized some of that YouTube traffic by adding an advertisement at the beginning of the now famous video.

    "To those who are pissed because the copyright statements are on the video and it's been monetized.... well, I've got to pay for the attorney's somehow. Get over it," he wrote on his Facebook wall on Saturday.

    He needs lawyers because Jordan has opened a Pandora's box with his video. There is a small army of imitators making parodies, and Jordan expressed fear that some parent may carry gun-wielding discipline too far, and he might get blamed. He's also instructed lawyers to protect his copyrights and threatened to sue others who repost his video without attribution. He's facing some Internet-style harassment himself -- someone posted a good bit of personal information about him on a website.


    He was also visited by the police and Child Protective Services during the weekend.

    "Of course they came. They received enough ‘Oh my god he's going to kill his daughter’ comments that they had to," he wrote. He made light of the visits, however.  The police congratulated him, he said, and one officer added that he planned to use the video in presentations he does for the school system. 

    The social worker interviewed Jordan and his daughter separately and was satisfied, Jordan wrote.

    "At the end of the day, no I'm not losing my kids, no one's in danger of being ripped from our home that I know of, and I actually got to spend some time with the nice lady and learn some cool parenting tips that I didn't know," he wrote.

    Despite the surprising notoriety, Jordan said he'd do it all over again in a statement designed to answer questions posed by reporters. (He’s so far not responded to msnbc.com’s request for an interview.)

    “If I had it to do again... let's see... I'd do it almost the same," he wrote on his Facebook page in a note addressed to Anita Li of the Toronto Star. He wouldn't be smoking in the video, he said, then added, "I'd have worn my Silverbelly Stetson, not my Tilley hat, if I'd known that image was going to follow me the rest of my life and I'd probably have cleaned my boots. That's it."

    More of his response:

    "To answer 'Why did you reprimand her over a public medium like Facebook' my answer is this: Because that’s how I was raised. If I did something embarrassing to my parents in public (such as a grocery store) I got my tail tore up right there in front of God and everyone, right there in the store. I put the reprisal in exactly the same medium she did, in the exact same manner.”

    Did the video have the intended effect?

    "I think it was very effective on one front. She apparently didn’t remember being talked to about previous incidents, nor did she seem to remember the effects of having it taken away, nor did the eventual long-term grounding seem to get through to her. ...This time, she won’t ever forget and it’ll be a long time before she has an opportunity to post on Facebook again. I feel pretty certain that every day from then to now, whenever one of her friends mentions Facebook, she’ll remember it and wish she hadn’t done what she did.”

    Jordan said he and his daughter have talked about the video and reached a "semi-truce," and that when he showed his daughter the comments that Internet users left on the YouTube page, she was "astounded."

    "People were telling her she was going to commit suicide, commit a gun-related crime, become a drug addict, drop out of school, get pregnant on purpose, and become a stripper because she’s too emotionally damaged now to be a productive member of society. Apparently stripper was the job-choice of most of the commenters. Her response was 'Dude …  it’s only a computer. I mean, yeah I’m mad but pfft.' She actually asked me to post a comment on one of the threads (and I did) asking what other job fields the victims of laptop-homicide were eligible for because she wasn’t too keen on the stripping thing.”

    And on the biggest lesson learned through the incident:

    "She’s seen first-hand through this video the worst possible scenario that can happen. One post, made by her Dad, will probably follow him the rest of his life; just like those mean things she said on Facebook will stick with the people her words hurt for a long  time to come. Once you put it out there, you can’t  take it back, so think carefully before you use the internet to broadcast your thoughts and feelings."

     

    2 Feb 2010, 9:00am EST

    Study: 73% use bank password everywhere

    By Bob Sullivan, Columnist, NBC News

    For years computer security experts have been preaching that users should never share the same password across their connected lives -- at online banking sites, at Amazon, on their Web mail services, even on their cell phones.

    Apparently, most people ignore that advice.

    A new study by security firm Trusteer found that 73 percent of Web users take their online banking password and use it at other Web sites.  And about half of all consumers utilize the same password and user name at online banking sites and other sites.

    "I must say I was very surprised," said Amit Klein, chief technology officer of Trusteer. "It is surprisingly sad that such a large portion of users use their banking credentials at other sites. ... It exposes those users to attacks that would otherwise be impossible. I thought that people would take banking credentials more seriously, but it turns out that in this digital age, this is not the reality."


    When consumers use the same password across multiple sites, one breach anywhere becomes a breach everywhere. If a criminal breaks into a smaller Web site -- say, a site created by a local grocery store -- and grabs a cache of passwords, the obvious next step is to try those credentials at the major banking Web sites. When you consider that 40 percent of U.S. consumers' checking accounts are held by the four largest banks, odds are good that some of the stolen credentials will work at one of them.

    Password overlap also creates an easy end run around sophisticated banking security technology, which is only as strong as the weakest site where the password is used. Banks might enforce strong password creation requirements, for example. But if a consumer uses a bank password at a poorly defended small site, a hacker can break into the small site, steal the log-in information and essentially crack the bank's high-tech system.

    "This is something that should be of huge concern both to banks and to users," said Klein.

    Trusteer unearthed the data through use of its Rapport security software, which is designed to warn users when they are about to enter a critical banking password into a site where it doesn't belong -- a phishing site, for example. The tool was used to examine the behavior of 4 million computer users during a 12-month period. During that span, the firm found that 73 percent used their online banking password on at least one non-financial Web site.

    Bank-imposed controls helped only partly. When a bank allowed consumers to pick their own user ID, 65 percent used it on other sites. When a bank assigned a customer ID, 42 percent still used it at other sites, and 42 percent used both the ID and the password on at least one other site.

    'They don't think it's worth the trade off'
    Last year, analyst firm Gartner released a survey that reported similar results. It said two-thirds of consumers use the same one or two passwords across all Web sites they access.

    But Avivah Litan, who directed the Gartner survey, said that choice might not be as unreasonable -- or as unsafe -- as it seems.

    "They are making a choice for convenience over security," she said. "They are using a cost-benefit equation ... and they don't want to try to remember 10 different passwords for everything they do. They don't think the trade-off is worth it, honestly."

    While password sharing isn't a safe practice, Litan said, complicating your life with multiple passwords isn't exactly a cure-all.

    "The truth is criminals steal your passwords lots of ways, such as recording keystrokes, and if they do that, it doesn't matter whether your password is 15 characters and unique or 7 characters and the same for every site. People have figured this out," she said.

    Using multiple passwords is a good idea, but Litan said it is important that consumers understand the risks that remain even if strong passwords are used.

    "It is another lock on the door but a lock that is easily picked," she said. "Still, it's always better to put as many blocks in the road you can."

    Large banks don't rely on simple user/password combinations to identify users anymore, she added.  Numerous technologies are used to prevent fraud through a strategy called "layered security."  Device fingerprinting of PCs is a key tool, she said. Web sites tag computer hardware by monitoring unique characteristics, such as exact processor speed or time and date settings. Sites that use device fingerprinting see fraud rates drop 15 to 20 percent, she said.

    Banks also look for suspicious behavior, such as attempted transfers to unusual accounts. Another hacker giveaway: clicks through Web sites that occur at high speed, showing an automated PC -- and not a person -- is attempting a transaction.  Humans take, on average, about 10 seconds before they click "confirm payment."  Computers controlled by hackers racing through stolen login accounts barely wait at all.
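    The chain described in the password-reuse paragraphs above (a breach at a small site replayed against a bank) and the layered checks Litan describes here, worked through as an added example in Python. It is not code from the article, Trusteer or Gartner: the weak site's unsalted MD5 storage, the bank's salted PBKDF2 storage, the users, the wordlist, the device fingerprints, the timings and the step-up threshold are all constructed for illustration.

```python
# Added example (not from the article, Trusteer or Gartner): a breach at a
# weakly defended site turned into bank logins by credential stuffing, and
# the kind of layered checks that still catch the attacker. All users,
# passwords, hashes, fingerprints, timings and thresholds are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass

# --- The weak site: unsalted MD5, its database assumed breached -----------
WEAK_SITE_DUMP = {
    "alice": hashlib.md5(b"sunshine1").hexdigest(),
    "bob":   hashlib.md5(b"Tr0ub4dor&3!").hexdigest(),  # unique, not in wordlist
    "carol": hashlib.md5(b"letmein").hexdigest(),
}

# --- The bank: salted PBKDF2, sound storage; alice and carol reuse passwords
PBKDF2_ROUNDS = 100_000

def bank_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

BANK_SALTS = {u: os.urandom(16) for u in ("alice", "bob", "carol")}
BANK_DB = {
    "alice": bank_hash("sunshine1", BANK_SALTS["alice"]),            # reused
    "bob":   bank_hash("correct horse battery", BANK_SALTS["bob"]),  # unique
    "carol": bank_hash("letmein", BANK_SALTS["carol"]),              # reused
}

def bank_password_ok(user: str, password: str) -> bool:
    stored = BANK_DB.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, bank_hash(password, BANK_SALTS[user]))

# --- Step 1: crack the weak dump with a wordlist --------------------------
WORDLIST = ["password", "letmein", "sunshine1", "qwerty", "123456"]

def crack_weak_dump(dump: dict, wordlist: list) -> dict:
    """Unsalted hashes mean one lookup table recovers every user whose
    password is in the wordlist, however many users the dump holds."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}

# --- Step 2: replay recovered pairs against the bank ----------------------
def stuff_credentials(cracked: dict) -> list:
    """Return the users whose weak-site password also opens their bank login.
    The bank's strong hashing is irrelevant: the attacker has the plaintext."""
    return sorted(u for u, pw in cracked.items() if bank_password_ok(u, pw))

# --- Step 3: layered checks of the kind the article describes -------------
@dataclass
class TransferAttempt:
    user: str
    device_fp: str            # fingerprint of the client's browser/OS traits
    seconds_to_confirm: float
    payee_seen_before: bool

KNOWN_DEVICES = {"alice": {"fp-alice-home"}, "carol": {"fp-carol-laptop"}}
HUMAN_CONFIRM_FLOOR = 2.0  # seconds; the article puts the human average near 10

def risk_reasons(att: TransferAttempt) -> list:
    reasons = []
    if att.device_fp not in KNOWN_DEVICES.get(att.user, set()):
        reasons.append("unrecognised device fingerprint")
    if att.seconds_to_confirm < HUMAN_CONFIRM_FLOOR:
        reasons.append("confirm clicked at machine speed")
    if not att.payee_seen_before:
        reasons.append("transfer to a never-seen payee")
    return reasons

def decide_transfer(password: str, att: TransferAttempt) -> str:
    """Password first, then behavioural signals. Two or more signals push the
    attempt to step-up verification even though the password was correct."""
    if not bank_password_ok(att.user, password):
        return "rejected: bad credentials"
    reasons = risk_reasons(att)
    if len(reasons) >= 2:
        return "step-up required: " + "; ".join(reasons)
    return "allowed"

if __name__ == "__main__":
    cracked = crack_weak_dump(WEAK_SITE_DUMP, WORDLIST)
    print("recovered from weak site:", cracked)
    print("bank logins that work:", stuff_credentials(cracked))
    bot = TransferAttempt("alice", "fp-unknown", 0.4, False)
    print("attacker's transfer:", decide_transfer("sunshine1", bot))
    owner = TransferAttempt("alice", "fp-alice-home", 11.0, True)
    print("owner's transfer:", decide_transfer("sunshine1", owner))
```

    The bank's password handling is never broken here; the attacker arrives with plaintext recovered elsewhere, which is exactly the "weakest site" argument above. The behavioural layer is what turns a correct password presented from an unknown device at machine speed into a step-up challenge rather than a completed transfer.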

    "That's best-of-breed security," Litan said.  "If you as a bank are relying on passwords for security then you have a poor security system."

    RED TAPE WRESTLING TIPS
    It should be comforting to know that your user ID and password are not all that stands between a hacker and your money. Still, that's no reason to let your guard down. Your banking passwords should be handled with great care, and shouldn't be shared with other Web sites.

    And remember, many Web firms that store your critical personal information do not use best-of-breed security on their back end -- meaning you are still at risk.  A criminal who stole your Facebook credentials could easily wreak havoc with your life, so protect those accounts, too.

    Klein concedes that the vast majority of computer users will never create unique user/password combinations for all their sites. As a more practical goal, he recommends maintaining three "families" of passwords -- one for critical financial sites, a second for sites that store your personal information, and a third for generic log-ins.

    "And you don't want to mix those passwords," he said.


    18 Jun 2009, 8:00am EDT

    Twitter 1, Censors 0: Why it's still working

    Why does Twitter work inside Iran even after other Internet services have been disrupted?  The key feature enabling it to evade government censorship, some observers say, is something that might otherwise be considered Twitter's Achilles' heel.

    Unlike Facebook, and most other social networking sites, Twitter users don't need to visit Twitter.com to use the service. In the business world, that's a terrible idea. Twitter has no way to promise potential advertisers that its enormous audience will ever see ads placed on the site.

    Instead, Twitter has a completely open architecture that allows users to both send and receive messages on a variety of platforms -- cell phones, Blackberries and, of course, other Web sites.  This openness is proving to be particularly effective at avoiding government interference.

    "You can connect to Twitter without going through Twitter's front door," said Jonathan Zittrain, a Harvard law school professor who runs Herdict.org, which tracks censorship efforts worldwide.  "These services run interference between you and Twitter."



    Because nearly all of Iran connects to the Internet through a single government-run provider, TCI, it's relatively easy for the government to control Web access. So far, Iranian officials have not shut down the pipe.  But over the weekend, it appeared that Web traffic into and out of Iran was substantially slowed -- perhaps intentionally, through a government "throttling" effort.

    Zittrain said Iran also deploys filters to cut off access to Facebook.com and some politically oriented Web sites.

    But Twitter keeps right on humming, as evidenced by thousands of messages apparently being sent from inside Iran.  Some of them are fakes -- and the importance of Twitter in organizing protests in the country is likely overstated: BusinessWeek.com reported that there are only about 8,600 Twitter users whose profiles indicate they are from Iran, citing the Toronto-based firm Sysomos.

    Still Twitter's robustness in the face of hostility is impressive. How does it work?

    Twitter users theoretically have an infinite number of channels to view each other's posts and send their own. In fact, you don't even have to be a Twitter member to read along at a site like TwitterFall.com, which continuously streams one 140-character post after another.

    That makes filtering Twitter.com a useless tactic for would-be censors.

    Those trying to evade Web censorship have long used proxy servers as ad-hoc intermediaries, or relays, to connect to the Internet.  A cat-and-mouse game ensues: Governments quickly add such proxy servers to their list of blocked sites, new proxies emerge, they are blocked, and so on.

    Zittrain said Twitter is not fundamentally different from the proxy server model.

    Alternative sites like TwitterFall.com simply act as a relay. They are harder to shut down, however, because the use of intermediary services is part of every Twitter user's experience.  While setting up proxy servers can be a technical hurdle for many Web users, Twitter users do it all the time. If one Twitter service isn't working, switching to another is easy.

    In fact, Twitter use doesn't even require an Internet connection.  The service can be used with cell phone SMS text messages.

    "Twitter is more naturally resistant because it doesn't require any intervention from users. It's much more welcoming of proxies," Zittrain said. "It's just so easy to capture a Twitter stream."

    Indeed, the 19-year-old inventors of TwitterFall.com say they had their service up and running in a couple of hours.

    Of course, shutting down the entire Internet would cut into Twitter access, but that step is probably too Draconian for Iranian authorities.  And cutting off text message service -- as the Iranian government apparently did last weekend, immediately after the election -- would still leave more than 20 million Iranians with Web connections and the ability to find Twitter streams. Zittrain said the Iranian government could try to individually eliminate all the services that relay Twitter messages. But in that case, the mouse would appear to have the upper hand.

    "My sense is that the authorities have their hands full," he said. Should Iran turn off access to the top 10 Twitter alternatives, users might have some trouble, Zittrain said. But he thinks a Twitter shutdown would be difficult -- because it really is just as easy to set up a new Twitter feed as it is to shut one down. "The cycles we're looking at are measured in hours, not days or weeks. There is furious improvisation going on."

    28 Oct 2008, 8:00am EDT

    E-voting, we hardly knew you

    By Bob Sullivan, Columnist, NBC News

    The headline for voting technology 2008 might be this: Back where we started. Back to paper ballots, that is.

    For the first time since touch-screen voting was invented, use of the high-tech voting machines has declined sharply. On Nov. 4, the majority of Americans will be filling out their ballots using old-fashioned paper and No. 2 pencils.


    But it's been a long, strange trip back to the beginning. The gyrations of America's voting rituals began with hanging chads in 2000. Then came the Help America Vote Act of 2002, which set aside $3 billion to upgrade America's antiquated ballot system. Then came the gold rush toward space-age, touch-screen electronic voting systems. Next, computer scientists uncovered multiple security flaws in electronic voting machines, with the controversy culminating in an HBO film called "Hacking Democracy."

    That was enough for election officials in California, Florida, Maryland and several other states, which have put their pricey touch-screen machines in mothballs. Most have returned to a system that relies -- at least in part -- on pencils.

    According to Election Data Services, nearly 10 million fewer ballots will be cast on electronic voting systems this year than in 2006. Then, 38 percent of the electorate was registered in districts that used touch-screen systems; today, only 33 percent do.

    "When you think of the alternatives, you could go with flawed machines or just shift people off of them and encourage people to go back to old-fashioned methods," said security researcher Herbert Thompson of People Security, a critic of some electronic voting systems.

    The retreat from technology, however, shouldn't be overstated. While 56 percent of Americans live in a district where voters will fill out paper ballots on Nov. 4, those ballots will be counted by optical scan readers, a hybrid between paper and computers.

    Optical scanning machines have won the day, at least in 2008. Since 2006, 86 districts have changed voting systems -- all moving to optical readers. But Kimball Brace of Election Data Services says that, despite the current trend, touch-screen systems have not fallen completely out of favor.

    "This isn't a settled question. … It all depends on what happens," he said. "If we have a close election and or have problems that highlight a certain type of machine, that could have significant impact on what we end up doing in the future."

    Problems with touch-screen systems -- known in the industry as DRE or direct-recording electronic machines -- are well documented. A series of confrontations between computer security researchers and voting machine manufacturers left a grey cloud over their ability to ward off hackers. Private manufacturers like Diebold have repeatedly refused to turn over their proprietary software for inspection and audits by academics.

    Meanwhile, charges of "vote-switching" at polling places continue. In West Virginia, a handful of early voters claimed this month that their votes had been switched from one candidate to another by touch-screen machines. Some voters caught the error, but others told local newspapers they believe their vote was cast for the wrong person.

    Brace said that human error, rather than conspiracy, is likely to blame. Anyone with a touch-screen phone is familiar with the ritual of recalibration that follows a series of misclicks. Also, screens can register touches by hanging sleeves or other incidental contact. Finally, anyone who's ever used an ATM has likely discovered the difficulty of using the machine from an incorrect angle; it's easy to hit the wrong button if you are too tall or too short.

    Pencils make mistakes, too
    No voting system is perfect, Brace said. And those who worked hard to discredit touch-screen systems may end up lamenting the end result. Paper and pencil, for example, are hardly infallible.

    "There are problems with optical scanners, most notably American voters," he said. "They seem to know how to foul up a ballot, particularly when the ballot is piece of paper." Some might circle the candidates they prefer rather than fill in a box, for example, he said.

    Thompson, the e-voting critic, also sees problems with paper. Each time a system becomes popular, he said, it faces a greater likelihood of problems.

    "These are what we call 'scale-oriented' problems in computer science," Thompson said. "This increased burden on paper increases the chance for a problem."

    Complicating matters further for voters is the unprecedented change that's taken place inside the voting booth. No matter what technology is used to cast ballots, change always introduces errors, Brace said. More than 40 percent of voters will encounter a new voting tool this season, given that many voters only cast ballots during presidential election years.

    "History shows us that the greatest likelihood of election errors occurs the first time a jurisdiction changes voting systems," Brace said. "While many of these jurisdictions have tested out their procedures in the past four years, it's the voters themselves -- both newly registered and those that haven't voted since 2004 -- that could cause problems this November."

    According to an Associated Press survey, 108 voting districts have switched from touch-screen to paper and optical ballots since the last election.

    The benefits of touch screen
    Brace laments the fall of touch-screen machines, because he says they can do some things better than any other voting technology. They are particularly adept at providing foreign-language ballots or accessible ballots for the blind, for example. And when programmed properly, they can make overvotes -- when a voter accidentally picks two candidates for one office -- impossible. And they provide quick vote tallies.

    In larger districts using optical scan readers, the tally machines are generally available right at the polling place, allowing voters to leave with a "receipt" of their ballot and providing near-instant counting when polls close. But in smaller, rural districts, the ballots must be hand-carried to a central optical scanner, which delays the counting.

    Barring some surprise event – such as a poor performance by optical scanners – Brace believes touch-screens will slowly disappear from voting booths around the country.

    Counties that wanted Help America Vote Act money had to buy new systems by 2006. Many purchased touch-screen systems without fully examining them and are now warehousing the machines, Thompson said.

    Without upgrades, there won't be a market for them, but touch-screen machines are unlikely to be fixed any time soon. The federal money that fueled their popularity is gone.

    "These problems can be addressed but you need the investment money, and now the manufacturers have no incentive to fix them because there is no money," Thompson said.

    7 Jul 2008, 8:00am EDT

    How magic might finally fix your computer

    CAMBRIDGE, Mass. -- For years, The Amazing Randi sat next to Johnny Carson performing magic tricks on The Tonight Show. But last week, James Randi was holding court for a very different audience -- an invitation-only collection of three dozen computer security experts at MIT's famed Stata Center near Boston. There, in what might be called the hall of fame for hacking, Randi couldn't stop himself from pulling gags. But when he wasn't bending spoons, making things disappear, or stroking his foot-long white beard and wizened chin, Randi revealed secrets about the art of deception.

    "Many times," he confessed, "Magicians don't really know why their tricks work. They just work."

    Put another way: Charlatans don't bother creating detailed schemes for deception. They just have a feel for what fools people.

    On the other hand, the scientists who are working hard to make computers, airports, cities, and everything else safe for us often aren't endowed with this same feeling. They study problems, write papers, review their code, and write sophisticated cryptographic schemes. Then, with heavy hearts, they walk through rows of cubicles at American companies and see Post-It notes tacked onto computer screens with passwords.


    At the first ever "Security and Human Behavior" conference last week, many of the world's top minds in computer science gathered to address this paradox. Their self-assessment was refreshingly honest and direct.

    "In a field that has been marked by great human achievement during the past several decades, our branch of it can only be called a failure," conceded Matt Blaze, a computer science professor at the University of Pennsylvania, eliciting nervous laughter.

    He wasn't really kidding. Despite remarkable advances in technology, most consumers are using the exact same clumsy security procedures they have for decades. And many feel even less secure.

    In the meantime, the charlatans have continued to hone their deception skills. And they've enjoyed remarkable success at mucking things up. A trivial trick such as phishing e-mails – look-alike notes that appear to come from banks and are designed to steal personal information -- has wreaked havoc with companies and consumers alike for years.

    That's why this ad hoc geeky group invited a magician, an architect, a photographer, a philosopher, several economists, a few psychologists and about a dozen other experts in behavioral studies to come give them an education in how people think. This high-powered collection of computer scientists humbly arrived at MIT asking for help, in an effort to get a better feel for the people they are trying to protect.

    Famed cryptography experts Bruce Schneier, now of British Telecom, and Ross Anderson, a U.K. professor, assembled the small group -- including the magician -- as a way of getting at new answers to old problems.

    "Many real attacks on information systems exploit psychology more than technology," Schneier says. "Security design is by nature psychological, yet many systems ignore this."

    MIT's Stata Center, designed by Frank Gehry, has impossible towers and absurdly bright colors, and wouldn't look out of place in a Dr. Seuss book. Its hallways are full of plaques memorializing the greatest pranks ever pulled by MIT students - the security squad car that somehow made it onto the top of the campus rotunda, for example. The car actually sits high up on a ledge in the middle of the building's center hall (Forget the rotunda stunt, how did it get there?).

    This hall of pranks seemed the perfect place to discuss the failures of technology -- and technologists -- in the modern age.

    Bad guys have better people skills
    Criminals usually don't bother learning all the ins and outs of the technology they exploit -- they simply learn enough to be dangerous. But they spend endless hours understanding the people they plan to fool. Hackers long ago learned a short cut, what they call social engineering: Why spend years trying to hack into a bank when you can just ask an account holder to give you their name and password?

    The technologists, on the other hand, tend to fight this battle with one hand tied behind their back. They generally spend most of their time studying technology, learning all its nooks and crannies from the ground up. They write careful research papers following the strict rules of the scientific method. They must spend endless hours defending their findings against all comers, and they can't hurt anyone while conducting studies. They know the technology well, but they have little time to sit around understanding how people work.

    But all that is starting to change, say some in this group of security researchers turned amateur psychologists. Several years ago, a quiet alliance was formed between behavioral economists – who study why people make irrational choices – and security professionals. Scientists and economists began writing papers together and sharing research costs. With last week's MIT meeting, the computer folks cast a much wider net in their search for answers.

    Security, Schneier told the gathering, is "both a feeling and a reality," and both are important. Local police, for example, fight both crime and the perception of crime. Failure in either area can have serious consequences. Regardless of actual crime data, crime fighting is useless if residents of a town don't feel safe.

    Pedophilia and the "License to Hug"
    To that end, researcher Jean Camp of Indiana University points out that people can easily assess risk when there are physical cues. People have a natural aversion to dark, empty parking lots, for example, but there is no online counterpart to these kinds of physical cues. That tends to keep older users from feeling safe while surfing. Camp studies this trust problem with residents at a nearby nursing home. She has created a large glowing box that sits next to a computer screen and turns green when fellow residents recommend a site as safe, and red when it's risky. Seniors find the large, obvious signal reassuring, she said, and they are more likely to take advantage of the Internet to stay in touch with family.

    But the battle to make people feel secure can sometimes feel like a losing cause. Frank Furedi, a noted British author on the subject of risk and fear, described what he calls a growing "hysteria" on the subject of pedophilia in the U.K. By next year, he said, one-third of all British citizens will have been subject to police checks. As a result, some parents won't let their children play with kids of parents who haven't been checked. He describes the problem in a new pamphlet, "License to Hug."

    "Now we're not worried about pedophiles, we're worried about people who haven't been police checked," he said. "In response to an insecurity, we've created more sources of insecurity."

    Often, Furedi noted, it's much easier for governments to create the appearance of security than the reality of security.

    Among the fresh ideas discussed at MIT: computers might be too friendly. Our natural risk sensors do a good job of telling us when something physically dangerous is nearby (like a hungry bear), but do a terrible job of warning us about cyber-danger. Meanwhile, software makers have gone to great pains to make computers user-friendly. Perhaps that's a mistake, said Nicholas Humphrey of the London School of Economics. Occasionally, some healthy fear might help online, Humphrey said. Forget small padlocks on e-commerce sites – how about a large shark abruptly appearing on the screen to stoke primal fears?

    Security fire drills called for
    Privacy expert Alessandro Acquisti of Carnegie Mellon University brought a similar concept from the area of learning science -- the idea of the "teachable moment." Employees rarely read and digest memos about security with great zest and eagerness, he notes. But giving them the equivalent of a security fire drill can immediately change behavior.

    Imagine, for example, if once each month or so your company's IT department sent a legitimate-looking e-mail with a faux virus attached. Employees who "fall" for the e-mail would get a slightly embarrassing reminder not to click on unexpected e-mail attachments. In some more critical circumstances, failure in such random tests could affect an employee's annual review or raise. In a controlled test, Acquisti said, computer users were far more likely to learn safe computing behavior from this kind of random testing than from traditional memos and warnings.

    Not so easy to 'Fix the World'
    After two days with 35 intense presentations, each followed by raucous question-and-answer sessions, things got strikingly quiet during the last panel, called "How Do We Fix the World." The topic of security ranges from keeping the family digital photos safe to keeping terrorists off airplanes. It also has no end-point. Terrorism researchers are plagued by the troubling question: "When will we know we've won the war on terror?" Security researchers face the same rhetorical problem.

    But Acquisti said he is hopeful this first-ever meeting will spur more interdisciplinary discussions. There was even talk of a "dating service" for researchers from different areas to help them find each other ("I'm an economist studying the cost of antivirus software looking for a psychologist who is an expert in primal fear of predators.") Acquisti was even hopeful a new field of study might be born. He struggled a bit to name it, however.

    "Hmm…Perhaps the behavioral psychology of privacy and security," he said.

    Or perhaps, they could just call it magic.

  • 22 Apr 2008, 6:30pm EDT

    Was your LendingTree file hacked?

    LendingTree has told its customers that former employees helped unauthorized mortgage lenders hack into its systems and steal customer information from 2006 to 2008.

    The incident reveals just how aggressive the mortgage loan business was during the height of the housing boom, and also raises fears for consumers who share their information with companies that help them shop around for the best deal. And it highlights what experts say is an often overlooked source of data theft -- the inside job.

    According to a letter sent to customers recently, former LendingTree LLC employees shared "confidential passwords" with lenders, who in turn used the login information to "access LendingTree's customer loan request forms."


    The forms contained critical personal data, including names, addresses, Social Security numbers, income and employment information. The company said the lenders did not use the information to commit identity theft or fraud, but simply to "market their own mortgage loans to ... customers."

    In connection with the incident, LendingTree, based in Charlotte, N.C., has filed lawsuits against three small California-based home loan companies.

    A LendingTree spokeswoman said the company was not granting interviews to discuss the data theft. She would not say how many customers were affected nor how much data was stolen, but instead supplied a copy of the customer letter sent by the firm.

    While LendingTree says in the letter it has no reason to suspect its consumers are at heightened risk for identity theft, it did suggest consumers obtain a free credit report and file a fraud alert with the nation's credit bureaus.

    Upon learning of the security breach, LendingTree says, it "promptly enhanced the security of our system."

    Given that data was accessed from 2006 to early 2008, it can be inferred that passwords used by former employees remained operational for months or even years after their employment was terminated, which is generally considered poor security practice, said identity theft expert Rob Douglas, editor of InsideIDTheft.info.

    "This plays into everybody's fear that this happens all the time," Douglas said. "When consumers share their information with companies, they assume it ends up in other companies' hands."
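One way a defender catches the failure Douglas describes, as an added example (not LendingTree's code, nor anything the letter describes): cross-check the HR roster's termination dates against the authentication log, report every successful login that post-dates the account owner's last day, and list accounts that log in but belong to nobody on the roster, which is what shared or hand-out credentials look like from the log side. The roster, the log lines and the usernames are constructed sample data.

```python
"""Offboarding audit: logins by accounts whose owner has already left.

Added example; not LendingTree's code or anything described in the column.
It cross-checks an HR roster (username, termination date) against an
authentication log and reports every successful login that happened after
the account owner's last day, plus log accounts that appear on no roster
at all (a sign of shared or hand-built credentials). The roster and log
lines are constructed sample data.
"""
import csv
import io
from datetime import date, datetime

# Constructed roster: an empty termination date means a current employee.
ROSTER_CSV = """username,terminated
jdoe,2006-03-31
asmith,
rlee,2007-01-15
"""

# Constructed auth log: timestamp user result source_ip
AUTH_LOG = """\
2006-02-10T09:12:00 jdoe success 10.1.4.22
2006-05-02T23:40:11 jdoe success 203.0.113.9
2006-05-03T00:01:02 jdoe failure 203.0.113.9
2007-06-30T08:00:00 rlee success 198.51.100.7
2007-07-01T08:05:00 asmith success 10.1.4.30
2007-09-12T14:00:00 lender1 success 203.0.113.44
"""


def load_roster(text):
    """Map username -> termination date (None for current staff)."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        term = row["terminated"].strip()
        roster[row["username"]] = date.fromisoformat(term) if term else None
    return roster


def parse_log(text):
    """Yield (timestamp, user, result, ip) tuples from the space-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        yield datetime.fromisoformat(ts), user, result, ip


def find_post_termination_logins(roster, log_text):
    """Successful logins by a rostered user after that user's termination date."""
    hits = []
    for ts, user, result, ip in parse_log(log_text):
        if result != "success" or user not in roster:
            continue
        term = roster[user]
        if term is not None and ts.date() > term:
            hits.append({
                "user": user,
                "when": ts.isoformat(),
                "ip": ip,
                "days_after": (ts.date() - term).days,
            })
    return hits


def unknown_accounts(roster, log_text):
    """Usernames that log in but belong to no one on the roster."""
    return sorted({user for _, user, _, _ in parse_log(log_text) if user not in roster})


if __name__ == "__main__":
    roster = load_roster(ROSTER_CSV)
    for hit in find_post_termination_logins(roster, AUTH_LOG):
        print("stale credential used:", hit)
    print("accounts with no owner on roster:", unknown_accounts(roster, AUTH_LOG))
```

Run as a scheduled job, the first report is the list of accounts that should have been disabled at offboarding and the second is the list of logins that no employee record explains; both are cheap to produce from data most companies already keep.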

    One victim who received the LendingTree letter -- but who requested anonymity -- was annoyed that LendingTree offered no compensation for the trouble.

    "Rather than offer a free credit report they suggest that I use my annual free credit report," the consumer said, referring to the once-per-year free peek that consumers get at their report by visiting AnnualCreditReport.com.

    In its letter, LendingTree includes a pamphlet called "Guide to Protecting Your Credit and Identity." Consumers who obtain their credit report and see anything suspicious are told to "contact the credit bureau."

    Consumers who visit LendingTree expect their personal information to be shared with other companies. They are hoping LendingTree will help them find a mortgage firm with the best rate, and expect several companies to "bid" for the right to supply their home loan.

    But in this incident, loan applications were viewed by unauthorized lenders, who used the information to market their own loan products, LendingTree said.

    "We suggest that you remain vigilant by reviewing account statements and monitoring your credit reports for the next 24 months," the letter says.

  • 17 Mar 2008, 7:34pm EDT

    How refreshing: Retailer admits data theft

    It was good to see the Hannaford Bros. grocery chain step forward Monday and admit it was the retailer that had suffered a credit card and debit card hacker attack. Criminals had access to account numbers from Dec. 7 to March 10, and stole a whopping 4.2 million credit and debit card numbers while they were transmitted for authorization, the company said. (see full story)

    The company's announcement came only hours after the Massachusetts Bankers Association issued a statement indicating that it had been warned about a leak at a "major retailer" by Visa and MasterCard, while complaining that the credit card associations wouldn't reveal the name of the store chain. An initial version of this column offered the same lament.

    The card associations routinely keep such information a secret, and banks are getting tired of that. You should be, too.


    "Releasing the name of the retailer would make all of our lives easier and safer," Daniel J. Forte, the association's CEO, said before Hannaford was identified as the target of the data theft. "Customers who didn't shop there would be put at ease, and banks could do more efficient investigations to better protect

    Credit card users are often the last to know when a criminal has access to their data. That's because it usually falls to the affected banks to decide which consumers – if any -- to tell.

    Even when the name of the retailer is made public, disclosure takes place in fits and starts. The infamous TJ Maxx data leak, which ultimately was determined to have affected nearly 50 million account numbers, occurred in December 2006. The company announced the leak one month later, but only recently did it begin notifying individual consumers.

    In other data leaks, disclosure of the impacted retailer can take months. Sometimes, the name is never revealed.

    "Consumers always want to know where the breach took place. That's one of the first things affected consumers ask their banks, right after 'will I get my money back?'" said Avivah Litan, a bank security analyst at consulting firm Gartner. "They ... have a right to know. After all it's their money and their time that is involved, and it may influence their future purchasing decisions."

    One reason that credit card associations maintain a policy of not naming retailers involved in data leaks is that the fault might lie with the store's credit card processing firm or somewhere else along the data chain.

    Chris Monteiro, a spokesman for MasterCard, said that the credit card association also cannot release the information because it is "the subject of an ongoing law enforcement investigation."

    Banks, on the other hand, are increasingly calling for early disclosure of data leakers, says Litan.

    "The banks obviously want to be able to inform their cardholders where the breach took place, so that consumers don't blame their bank for the theft," she said.

    Credit card associations like Visa and MasterCard are often the first to notice when a large block of account numbers is stolen, because they see the fraud pattern before the merchant. Consumers could benefit from early warning -- particularly debit card holders, who may find their checking accounts drained by thieves.

    In either case, consumers are entitled to prompt refunds of money taken by account number thieves, and have zero liability for fraudulent charges made by credit card crooks.

    RED TAPE WRESTLING TIPS
    Sometimes when data is stolen or missing, it's not clear whether ID thieves actually have control of it. Not so in this case; Hannaford told the Associated Press it's aware of 1,800 cases of fraud related to the data theft.

    Consumers simply have to challenge fraudulent charges with their credit card companies. Those who lose money in their checking accounts to fraudulent debit card transactions must get refunds from their banks within 10 days, according to federal banking regulations.

    Meanwhile, it's always a good idea to use online banking services to check account balances every few days and make sure nothing is out of whack. If something is, the sooner you report the problem the better.

  • 8 Feb 2008, 8:00am EST

    New cyber-trick: search engine spam

    By Bob Sullivan, Columnist, NBC News

    Some e-mail and Google users might not feel quite so lucky right now. Search engine spam is the latest technique for getting unwanted online advertisements in front of Internet users' eyes, and it appears to be an overnight success. The key to this new trick, researchers say, is outwitting Google's "I'm Feeling Lucky" feature.

    With traditional spam finally losing traction among e-mail users, spammers have stepped up their pace of innovation. Last year, they adopted new techniques like image spam, .pdf spam and even audio spam. These disappeared as quickly as they came. But starting in January, spammers began flooding inboxes with a new kind of spam that uses a much simpler form of deception. In the body of these e-mails, recipients see what looks like a link to Google search results -- and in fact, that's what it is. There's trouble, however, on the other side of that link.


    The attack combines two tactics. First, spammers game Google so the Web site they want recipients to visit ranks at the top of the search engine results. Second, they alter the URL pasted in e-mails so users who click on the link go directly to the top result via Google's "I'm Feeling Lucky" feature – bypassing a stop at Google's Web site.

    (Image, credit Symantec Corp.: what one of the specially crafted URLs looks like.)

    The technique apparently works. One-fourth of all spam sent in January was "search engine spam," according to e-mail security firm MessageLabs.

    Spam filter software often works by blacklisting domains that are known haunts for spammers, or by directing e-mail with links to those domains into junk mail folders. But these tools can't filter out every e-mail with a Google link -- that would send too many legitimate e-mails to the trash.
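A filter that addresses exactly this gap, as an added example (not MessageLabs', Symantec's or Google's code): rather than throwing out every e-mail with a Google link, it lets an ordinary link to a Google results page through and flags only links that also carry the "I'm Feeling Lucky" redirect parameter, because that is the variant in which the reader never sees the results page. The parameter name btnI is assumed from Google's search URL format and is not stated in the column; the e-mail bodies are constructed samples, the first built around the legitimate Cosmic Log link quoted later in the column.

```python
"""Flag e-mail links that use Google's "I'm Feeling Lucky" redirect.

Added example; not code from the article or from MessageLabs/Symantec.
A link to an ordinary Google results page is kept, but a link that also
carries the "I'm Feeling Lucky" parameter (btnI in Google's search URL
format; assumed here, not taken from the article) is flagged, because it
sends the browser straight to the top result and the reader never sees
the results page. The e-mail bodies below are constructed samples.
"""
import re
from urllib.parse import urlparse, parse_qs

LUCKY_PARAM = "btni"  # compared case-insensitively against each query key
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_link(url):
    """Return 'lucky-redirect', 'google-search', or 'other' for one URL."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    # Accept google.com and its subdomains (www.google.com, ...); hostname drops any port.
    if host != "google.com" and not host.endswith(".google.com"):
        return "other"
    if parts.path != "/search":
        return "other"
    params = parse_qs(parts.query, keep_blank_values=True)
    if any(key.lower() == LUCKY_PARAM for key in params):
        return "lucky-redirect"
    return "google-search"


def scan_message(body):
    """Return (url, verdict) for every URL found in an e-mail body."""
    results = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;:)\"'")  # drop punctuation that trailed the link in prose
        results.append((url, classify_link(url)))
    return results


def is_suspicious(body):
    """True if any link in the body is an 'I'm Feeling Lucky' redirect."""
    return any(verdict == "lucky-redirect" for _, verdict in scan_message(body))


# Constructed samples: the first mirrors the legitimate link quoted in the column,
# the second has the shape of a search-engine-spam link (btnI added, so the
# browser is sent straight to whatever ranks first for the spammer's phrase).
SAMPLE_OK = ("Hey, look at all the places that link to Cosmic Log: "
             "http://www.google.com/search?hl=en&q=%22cosmic+log%22+alan+boyle.")
SAMPLE_SPAM = ("Great deals today, see "
               "http://www.google.com/search?q=example+spam+phrase&btnI=I "
               "and also http://example.com/page")

if __name__ == "__main__":
    for body in (SAMPLE_OK, SAMPLE_SPAM):
        print(is_suspicious(body), scan_message(body))
```

The verdict is per link, so the rule composes with an existing blacklist filter: a plain `google-search` link is treated like any other link, and only `lucky-redirect` adds to the message's spam score.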

    "When you first hear this you think, 'What an easy way to (get around) blacklists,'" said Mark Sunner, chief technology officer of MessageLabs. "It is indicative of the back and forth security firms have with bad guys."

    Sunner said the firm detected virtually no search engine spam in December, but has seen a huge spike since New Year's Day.

    Officials at security firm Symantec first saw evidence of the Google spam trick in November, but it wasn't widely exploited until last week, when use of the technique doubled almost overnight, said Doug Bowers, director of anti-abuse engineering.

    "This is the next iteration of something we've seen for a while, this approach of hiding in spam a link to something that looks legitimate," Bowers said. Consumers have largely become immune to suspicious-looking Web links in e-mail, Bowers said, but a link to Google has an air of authenticity.

    "For these kinds of attacks, the more mainstream you can be, the better. And you can't get any more mainstream than Google," he said.

    Google says it's got a fix
    A Google spokeswoman who asked not to be named said the company has seen "I'm Feeling Lucky" attacks, but added that help is on the way.

    "Google began deploying a fix that should block most of these 'I'm Feeling Lucky' redirects, and we will work to reduce such issues in the future," she wrote in an e-mail.

    While MessageLabs says hackers have tried similar techniques with other search engines, Google is the principal target.

    So far, the search engine attacks are limited to annoying spam, according to Symantec. But officials there are worried that the technique will be used by criminals to trick users into installing viruses on their machines.

    Google is already fighting other sinister tactics employed by virus writers. Late last year, criminals developed "Google poisoning," which tricks the search engine into displaying links to virus-laden Web sites.

    Google has countered by displaying a warning to users in its search results, and in some cases, preventing users from clicking on links to infected sites.

    RED TAPE WRESTLING TIPS

    Be skeptical about links that appear in your e-mail. Only on rare occasions would someone send you a link to Google search results, and that should be obvious from the context: "Hey, look at all the places that link to Alan Boyle's excellent Cosmic Log science blog": http://www.google.com/search?hl=en&q=%22cosmic+log%22+alan+boyle

    Otherwise, ignore such links in e-mail. And of course, you can always re-create the search manually by typing in the search term in Google on your own. You might still get the same spammy results, but at least you'll get a preview of them on the Google search results page.

    You can't click on what you can't see. Symantec's Bowers suggests using a spam filter that keeps such tricky e-mails out of your inbox in the first place.

  • 29 Jan 2008, 9:00am EST

    Renewed concern over 'digital Pearl Harbor'

    From the moment U.S. top cybercop Richard Clarke uttered the words "digital Pearl Harbor" in 2000, the technology world has been engaged in bitter debate: Could hackers really cause as much chaos with computers as terrorists armed with bombs and guns? Or are security experts simply spreading fear and trying to sell products when they talk about cyber attacks?

    The discussion had died down until recently, owing to the fact that no digital Pearl Harbor ever occurred.

    But then came reports late last year that Chinese nationals were actively attacking computers run by the U.S. government and private British companies, all of which were vehemently denied by the Chinese government.

    Now security expert Alan Paller has fanned the flames, quoting a CIA agent as saying that hacker-profiteers had carried out the mother of all hack attacks -- taking power plants offline and extorting their owners for cash.


    Paller, who is director of the SANS Institute computer security training firm, said he had no details of the attacks, except that they allegedly occurred in unidentified overseas cities.

    Here's precisely what the agent, CIA analyst Tom Donahue, said at a SANS training seminar for utility system security experts in New Orleans:

    "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

    Paller, who's also part of a task force devoted to shoring up power grid computer systems, rushed out an e-mail to reporters and to 185,000 security experts detailing the dramatic CIA statement.

    A message from the CIA?

    In an interview, Paller said that the CIA clearly wanted to get out the message that time is running out to secure U.S. power plants and other major critical infrastructure systems. A year ago, he noted, that same CIA agent had chastised him for talking in public about such sensitive national security issues.

    "It means something that the man who got mad at me a year ago when I was talking about this said this in public," Paller said.

    Paller said Americans should not dismiss the purported attacks as isolated, or the byproduct of low-budget computer security in a poor country.

    "We have no reason to believe these plants have poorer security than ours," he said.

    The problem with Paller's story, according to some cyberthreat skeptics, is that there is no reason to believe it is true.

    Rob Rosenberger, who runs Vmyths.com, a Web site devoted to debunking cybercrime rumors, said Paller's notice contained so few details about what might have happened that it isn't much more than an urban legend.

    'Who did it? ... When did it occur?'

    "SANS director confirms the CIA confirmed ... absolutely nothing," Rosenberger wrote in a stinging rebuke. "Who did it? Paller doesn't know. When did they do it? Paller doesn't know. Where did it occur? Paller doesn't know. Why did they do it? Paller doesn't know."

    Asked about the dearth of information last week, Paller said the CIA has clammed up and is offering no additional information.

    "It is very thin on data," he conceded. "But clearly (the CIA) thinks things need to be fixed for some reason."

    The CIA, for its part, wouldn't offer additional comment on the reports, other than to confirm Donahue's quote as accurate.

    But one thing is clear: We are in for another round of digital Pearl Harbor discussions.

    The revival is at least partly grounded in reality: The big back-end computers that run power plants – known as SCADA systems, short for Supervisory Control And Data Acquisition – are increasingly linked to front-end business systems.

    A decade ago, these systems were isolated and arcane, making them virtually impervious to outside hacker attack. But even with the increased scrutiny on homeland security after the Sept. 11 attacks, SCADA systems are increasingly connected to the outside world. That makes them a much easier mark for hackers.

    The temptation of connectivity

    The temptation to connect SCADA systems to the Internet is just too great, according to one Department of Homeland Security official, who spoke on condition of anonymity. Many utilities own plants spread over wide distances, making Web access important if they want to monitor their facilities remotely.

    Since about 85 percent of utility computers are owned by private industry, there is constant pressure to implement cost-savings like remote monitoring, the official said. But the more wired power plants are, the greater the risk.

    Counterpane security expert Bruce Schneier says far too much is made of most cyberterror warnings.

    "There's nothing like a vague unsubstantiated rumor to forestall reasoned discussion," he wrote on his blog, Schneier on Security. As for the CIA-sourced extortion plot, he wrote, "I'm more than a bit skeptical."

    That doesn't mean the threat's not real, he added in an interview. And he's glad national infrastructure security is now getting extra attention, whatever the reason.

    "Talk of cyberterrorism is often just hype. But is getting the right things for the wrong reason good or bad?" he asked. "I like this kind of security to get more attention. ... The reality is these systems are vulnerable."

    Critical infrastructure computers were getting more attention even before the recent rumors surfaced, said Will Pelgrin, director of the New York State Office of Cyber Security. A working group, including hundreds of professionals and the Idaho National Laboratory, is constantly probing utility systems for potential weaknesses. They've also developed security specifications and designed sample purchase orders to help smaller utility companies build security directly into their products.

    Experts welcome the attention

    Pelgrin wouldn't discuss the CIA report, but essentially echoed Schneier's point of view.

    "Regardless of the fact or fiction we need to make sure these computers are secured," he said.

    Just last week, the Federal Energy Regulatory Commission issued strict new guidelines for cybersecurity at power facilities. Some point to that news as possible motivation for the CIA to call out utility firms and call attention to the risks.

    Regardless of the latest truth-or-hype debate, computer security experts have a delicate job to do, one not unlike dentists who warn about the ill-effects of infrequent checkups or mechanics who urge frequent oil changes.

    Warnings of potential disasters can come across as fear-mongering -- until something genuinely bad happens, at which point it's too late to heed the advice. So those who issue such warnings about cybersecurity must walk a delicate line between talking about worst-case scenarios to motivate security improvements without sounding too melodramatic.

    The phrase "digital Pearl Harbor," which once motivated the White House to create the position of national cyberczar, is now generally treated as a bad joke by security professionals.

    But the best way to judge the success or failure of those experts trying to keep these power grid systems safe might be this: Years from now, when someone says digital Pearl Harbor, will we still be laughing?

  • 23 Jan 2008, 9:00am EST

    Digital picture frames infected with virus

    Digital picture frames were one of the hit gifts this holiday season, but at least some consumers have ended up with an unwelcome extra present -- a computer virus.

    Electronics retailer Best Buy acknowledged this weekend that some private label Insignia 10-inch digital frames it sold over the holiday season were contaminated with an unidentified virus. The frames have now been pulled from store shelves and the product discontinued, Best Buy said in a statement.


    "While this is an older virus which is easily identified and removed by current anti-virus software, we are taking this situation seriously," the statement on the Insignia Web site read. "This situation is not characteristic of Insignia products. We have launched an investigation and will take the actions necessary to help ensure that a situation like this is not repeated."

    Digital picture frames, which display digital photos without the need to print them or use a computer, are soaring in popularity. According to estimates by the research firm IDC, consumers bought about 1.7 million digital frames in 2006, about 5.6 million last year and will purchase nearly 10 million this year.

    The infection was limited to the 10.4-inch version of the Insignia frames, model number NS-DPF10A, Best Buy said. The firm did not identify the scope of the problem other than to say it impacted "a limited number" of the devices.

    The problem was discovered in early January, but Best Buy didn't post a notice about it until Saturday because the firm was trying to "get a handle" on its inventory, said spokeswoman Nissa French.

    The company has not directly contacted consumers who purchased the picture frame, French said. It will do that when it has developed a detailed solution. "We want to communicate everything at once, for the best customer experience," she said. She said that "fewer than two dozen" consumers had returned the devices to stores complaining about the virus.

    Some might question the firm's delay in notifying consumers, who might still be able to avoid infecting their PCs. Only consumers who connect the gadget directly to a PC running the Windows operating system risk infection, Best Buy said. Even then, users with updated antivirus products would be protected. Consumers who only slipped memory cards into their picture frames are not at risk either, the company said.

    It is not clear how the virus landed on the hardware, but the firm said the contamination occurred "during the manufacturing process." French could not say how many consumers have complained about infection.

    Those who purchased or received the frames can call Insignia customer service at 877-467-4289 for more information.

    "An Insignia representative will be available to answer questions about your digital picture frame and determine what actions are necessary to ensure your digital picture frame and computer are clean and fully functional," the firm said.

    The incident highlights a new risk for gadget users, said Zulfikar Ramzan, a researcher with the security firm Symantec Corp. Any time a gadget with any kind of storage is connected to a PC, the PC is exposed to whatever that storage contains.

    "The reality is that when you plug anything into your machine you run the risk that whatever files are on that device could be executed on your computer, and that could include a virus," he said.

    Use of USB flash memory sticks raises the risks, he said, but any gadget can pose a threat. "There are security issues and people have to understand the risks. From an attacker's standpoint, this is a great way to get onto your machines."

    While there are many possible explanations for the Insignia frame infection, Ramzan said a "rogue employee" was the most likely possibility.

    But he also said that consumers who buy returned merchandise should be especially wary, as a gadget could be infected by the initial purchaser, and then returned to the store contaminated.

    "You just never know," he said. "That's why it's important to have security software."
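    The article does not say which file the Insignia frames carried or how it ran; Ramzan's point is simply that anything on a plugged-in device may end up executing on the host. The following is an added example by the editor, not code from Best Buy, Insignia or Symantec: a read-only triage script that walks a mounted removable volume (the frame's storage, a memory card, a returned USB stick) and flags the things a picture frame has no business shipping with, without executing any of them. Which indicators to flag is an assumption here: an autorun.inf file, anything with an executable extension anywhere in its name, and any file that starts with the Windows PE "MZ" magic bytes whatever its extension. The sample volume it builds is constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators this triage flags. These are the editor's assumptions about what a
# frame's removable storage should never contain; the article does not say
# which file the Insignia frames actually carried.
AUTORUN_NAME = "autorun.inf"
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large media files don't get read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_volume(root) -> list:
    """Walk a mounted removable volume and return one finding per suspicious file.

    Each finding carries the relative path, the reasons it was flagged, and its
    SHA-256, so the hash can be checked against an AV vendor's detections
    without ever running anything from the device.
    """
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = []
        if path.name.lower() == AUTORUN_NAME:
            reasons.append("autorun.inf present")
        # Check every suffix, so photo.jpg.exe is caught as well as photo.exe.
        if any(s.lower() in EXEC_SUFFIXES for s in path.suffixes):
            reasons.append("executable extension")
        # The extension is attacker-controlled; the file header is harder to fake.
        with path.open("rb") as f:
            if f.read(2) == PE_MAGIC:
                reasons.append("PE (MZ) header regardless of extension")
        if reasons:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "reasons": reasons,
                "sha256": sha256_of(path),
            })
    return findings


def build_sample_volume() -> str:
    """Constructed stand-in for a frame's storage: one benign JPEG, an
    autorun.inf pointing at a disguised executable, and a PE file whose
    extension claims it is a photo."""
    root = tempfile.mkdtemp(prefix="frame_")
    dcim = Path(root, "DCIM")
    dcim.mkdir()
    (dcim / "IMG_0001.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # JPEG SOI/APP0
    Path(root, "Autorun.inf").write_text("[autorun]\nopen=DCIM\\IMG_0002.jpg.exe\n")
    (dcim / "IMG_0002.jpg.exe").write_bytes(b"MZ" + b"\x90" * 64)
    (dcim / "IMG_0003.jpg").write_bytes(b"MZ" + b"\x90" * 64)  # wrong extension, still PE
    return root


if __name__ == "__main__":
    for finding in triage_volume(build_sample_volume()):
        print(finding["path"], "|", "; ".join(finding["reasons"]), "|", finding["sha256"][:16])
```

    Point it at the drive letter or mount point the frame appears under (on a Windows PC, ideally with AutoPlay disabled first so nothing runs on insertion), and treat any finding as a reason to return the device rather than open its files. The benign JPEG produces no finding; the other three files each do.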

    An earlier version of this story indicated that Best Buy spokeswoman Nissa French said "fewer than 2,000" picture frames had been returned by consumers; that has been corrected to read "fewer than two dozen."

    Explore related topics: security, computer
  • 4 Jan 2008, 8:00am EST

    ATM crime wave limits access to cash

    Citibank is using the rather blunt instrument of lowering some customers' daily ATM cash withdrawal limits to fight a recent spate of cash machine fraud. The company said Thursday that the change impacts "a small population of customers" in New York City, but would not provide additional details.

    It's not clear how much daily withdrawal limits were lowered, but the New York Daily News spoke with one consumer who said her limit had been cut in half.


    "Though we can't provide details of ongoing security investigations, we are working closely with law enforcement on this matter," Citibank said in a statement to msnbc.com. "We continue to monitor our customer accounts for suspicious transactions and encourage customers who notice suspicious activity to call our customer service unit at the number on the back of their ATM cards."

    Consumers who suffer fraud aren't liable for the losses if they report the unauthorized withdrawals promptly; federal electronic funds transfer rules cap a consumer's liability, and the cap rises the longer a loss goes unreported. Those who need extra cash can call Citibank and ask that their daily limits be raised.

    But lower cash withdrawal limits may have a more serious impact in New York than elsewhere. Many New York City restaurants, for example, don't take credit cards, so customers often must scurry to ATMs in order to cover their bills.

    This is at least the second time that Citibank has curtailed access to cash in response to a fraud outbreak. In March 2006, overseas travelers found they couldn't withdraw any money from ATMs in places like Canada or Russia. Later, it was revealed that criminals had stolen ATM card numbers and PIN codes from a third party outside the bank, prompting the abrupt security measure.

    Citibank wouldn't answer questions about the incident that led to the recent limits on cash withdrawals. Spokesman Rob Julavits said the lower limits were imposed only on New York City consumers, but wouldn't explain why the fraud was geographically limited.

    Doug Johnson, senior advisor for risk management policy at the American Bankers Association, said lowering daily withdrawal limits is a standard tool used by banks to fight fraud.

    "Institutions, once they find fraud that's serious enough, they will take action. It's not unusual," he said.

    He would not comment on the Citibank incident, but when asked if consumers in other parts of the country might be at risk, he said, "I wouldn't focus just on New York." He wouldn't provide specifics, saying only that banks around the country are constantly fighting ATM fraud.

    'Consumers ... deserve more'
    Avivah Litan, a bank security expert with consulting firm Gartner, said Citibank's strategy in dealing with this latest round of fraud -- limiting consumers' access to cash -- was disappointing.

    "Consumers expect more both in terms of security and convenience and frankly, they deserve more," she said. "This will probably serve as a wake-up call to Citi to invest more in enterprise fraud detection and stronger card security systems. There are certainly good technical solutions that can detect fraud with a fairly high degree of confidence. ... The problem is banks like Citi don't typically invest in these solutions until they either have to in order to comply with regulations, or because they are getting hit hard with fraud losses or loss of consumer confidence."

    Explore related topics: security, computer
Bob Sullivan, Columnist, NBC News

I'm a reporter for msnbc.com and I try to write stories that make the world a little bit more fair. My blog, The Red Tape Chronicles, is among the most popular consumer affairs columns on the Web. My recent book, Gotcha Capitalism, was a New York Times best seller. Since 1995, I've written about the troubles created for consumers by technology, covering topics like privacy, identity theft, computer viruses and hackers.

© 2013 NBCNews.com