It is believed an Indian hacker succeeded in bypassing the security software and placing a Trojan virus on one of the firm's machines used for reservations.

The next time a staff member logged in, his or her username and password were collected, stored then put up for sale on a website operated by a branch of the Russian mafia.

The stolen data includes a range of private information such as home addresses, telephone numbers, credit card details and place of employment.

Best Western fixed the security breach on Friday after being alerted by a Sunday newspaper, which had discovered the crime.

Best Western is "investigating further" and has temporarily handed control of their systems to its American team.

If you visited an affected hotel, you may want to immediately freeze your credit report and call your bank for replacement cards.

Hackers steal details of millions of Best Western hotel guests [The Telegraph]
Indian behind major cyber-crime in UK [Press Trust of India]
(Photo: Getty)

"We didn't piece any of this together. We just taped it to hold it together. None of this has torn through at all," Amelia McBride said.

"You get the wrong people get a hold of this information, oh my gosh! They could have a heyday with this one box," Michelle McBride said.

"I was just in shock. I just couldn't believe that they're using shredded up checks as packing material," Amelia added.

The McBride's contacted the company that shipped and packed the peppers, WHH Ranch Company.

Owner Bill Hamzy says the family owned and operated business has been using shredded paper from the same Texas bank for years.

He says the McBride's are the first to notice the problem and one he will fix immediately.

It's great that WHH Ranch agreed to stop packing goods in shredded checks, but what sort of insanely reckless bank was handing them out to begin with?!

Packing material poses threat to customers of one Texas bank [KTKA] (Thanks to Aaron!)

• Carry On Valuables. Travel guru Peter Greenberg says there are two types of luggage: carry-on, and lost. Keep your valuables with you at all times.
• Don’t Need It? Don’t Bring It. Leave the nice diamond earrings and flashy bracelets at home.
• Pack Valuables In See-Through Bags. Put an extra layer between your valuables and crooked TSA wannabes so they don't have a reason to directly handle your rubies.
• Make Your Bag Screener Friendly. Beyond the clear bag, deter opportunistic thieves and secondary screenings by packing in layers so your bag will image cleanly.
• Don't Throw Loose Items Into Screening Bins. Stash your cellphone and keys in your bag before pushing it through the scanner.
• Don't Leave Your Bags Unattended. Is that your checked bag at the other end of the carousel with the Care Bears tag? Don't put down your carry-on to go look.
• Safes! Use safes wherever you go because they work.
• Trust Nobody. Don't believe tour guides who say it's safe to leave things unattended on a tour bus. It's not.

Amanda Hopkins used credit info from six customers to "make numerous purchases on their accounts" between October 2007 and April 2008. The local Fox affiliate says that Best Buy has issued the affected customers new cards and given them gift certificates.

"Las Cruces Best Buy Employee Accused Of Shopping With Customers' Credit Cards" [KFOXTV]
(Photo: Getty)

1. Enter all of the email addresses in the "BCC" or Blind Carbon Copy field.
2. DO NOT enter them in the "To" field.

(Photo: Getty)

Adam says:

I've been mulling this one over for awhile, and by "this one" I mean what I want to do about my experience last week on Virgin America's anniversary flight from JFK to LAX. I flew out on one of the first last year and had an awful experience, which involved a four hour delay and a MacBook Pro power adapter that melted on me, and received a free flight as an apology. I really didn't mind the delay or the melted power adapter. Chances are it wasn't their fault as Apple makes crappy adapters, and they handled the delay very well. One year later it seems they've forgotten how to operate as an airline that serves its customers to the point that I've decided any compensation on their part would be unsatisfactory. Well, that's not entirely true, but it would involve cash and lots of it. But really I'd rather they get a bit of bad press and hope they change their ways. They should be the best airline around.

I got on the plane around 11:00am on Friday, August 8th. I didn't get off the plane for a little more than ten hours later. When we boarded we had a 30-40 minute delay that one should be accustomed to if they've ever flown out of JFK before, but by the time it was our turn to leave one of the air conditioning units broke. So, we went back. They figured it would take about half an hour to fix but quickly realized it would take much longer. They informed us we'd be let back into the airport to hang out in comfort but the messages stopped and the pilot went radio silent. The flight crew didn't know what was going on and no one was let off the plane for a good hour and a half. Those who were finally let off were not let back on. The rest of us, who stayed, ended up waiting well into the afternoon when the plane took off five hours late.

Fine, delays happen. However, you'd think during the delays that someone from the flight crew would have the opportunity to stock the plane with food. Apparently they were only able to grab a few sandwiches and chips. Being a vegetarian I could only have the chips. My fault for my abnormal ethics, I suppose, but they were almost out of sandwiches when they got to my row. I was in row 10. By my estimation, half the plane went without food. To their credit, they did have plenty of water. For ten hours most of us didn't eat or had very little. I always bring a few snacks on board just in case there isn't much to eat but nothing to survive for an entire day. Luckily I did bring plenty of entertainment because their entertainment system was down as well. We never got the free movie we were promised. Supposedly we were given a $25 flight credit none of us will ever use, but I haven't bothered to check.

All of this I can deal with. I had no intention of complaining. The whole event, thus far, was almost a blessing in disguise as I wasn't looking forward to being in Los Angeles and by the time the flight was over I couldn't have felt more glad.

Then I got my luggage. One of my bags had been ripped open. It could have easily been unzipped, but it was ripped. I'm not going to speculate as to how it happened but only my Apple TV and some DVDs were missing from the bag. No clothing or other small items fell out, oddly enough, but I wasn't in the cargo bay of the plane so I can't say whether or not it was stolen or simply lost via bag damage during the trip. Either way, I wanted someone to check and see if it had fallen out on the plane. I walked into the bag office and Joyce greeted me, before I said anything, with "all I can do is file a courtesy claim."

Throughout our conversation she continued to tell me there was nothing she could do when all I asked is that she call baggage and make certain they hadn't found any stray items. After half an hour she finally called, but this was long after her numerous accusations that I was trying to defraud Virgin America by claiming they stole my items. To be fair, those are my words and not hers. What she said to me was that her experience can rule out the TSA and airport employees so the only possible option is that it was my fault.

I asked her why she thought it was okay to accuse me and not them. She said, "you want me to accuse the TSA of stealing from you?" I told her "no, I don't want you to accuse anyone at all," at which point she decided to start filling out my claim. Throughout the process she asked me the same questions repeatedly. Given this is the sort of thing you do to a criminal I pretty much assumed she wanted to make sure I remembered my answers, but maybe she was just a complete moron. I feel I should give her the benefit of the doubt there. I could go on endlessly with examples of why this woman was horrible and cruel for no good reason other than what joys one might assume her job can bring, but I would like to mention one more thing. When I let her know which items were missing and how much they cost she laughed at me. She actually laughed at me.

I had a nice cab driver. The cab was cheaper than expected. Those are my silver linings. That and the plane didn't crash nor was anything else of value stolen or lost. What a great day. Thanks Virgin America.

Hey, why not let the DOT know about your baggage complaint? They keep track of that sort of thing. The TSA has admitted that it has a problem with theft. You should give them a heads up as well. Finally, when your baggage seems tampered with, you should report it to the airport authorities so they can investigate. A spokesperson from Seattle-Tacoma International Airport once said: "We find that people often make a claim for an item to the airline, but never report it to the airport or the police, and then we don't know that a theft problem is developing."

(Photo: Maulleigh )

He writes:

OK, so here we go! On or about July 25th, I called Sprint to complete a simple ESN swap. And for those who might not be of the gifted mind to understand what that is, it's simply a Phone Swap...going from one phone to the other. Now keep in mind that I already own both phones.
A Motorola Razr-2 and a SANYO 8400.
That means that I previously purchased them, and have decided to swap between one and the other.

Now I am already expired as of May 1st, 2008.

So after deciding that the RAZR-2 was utter garbage that I could not stomach any longer, I called Sprint's NO Customer Service, and informed that rep that I'd like to perform an ESN swap. Now keep in mind that this unintelligent rep never asked if it was a new or already owned phone. Just said ok....and proceeded to ask for the information.

So...needless to say... I went from the Motorola RAZR-2 TO the Sanyo 8400, which Sprint no longer sells, so it's not a NEW phone!

Lo and behold, just a few days ago, I received a letter from Sprint in the mail that says: "Keeping you in the know"...you've recently made some changes...etc..yadda yadda yadda. And along with that, on the right side of the letter , I notice that My CONTRACT has been extended.

Now keep in mind, I am ALREADY EXPIRED AS OF: MAY 1, 2008! So, what this excellent, educated and "well-trained" Sprint rep did was, RENEW my agreement, without telling me, without asking pertinenet information to make a decision as to renew or NOT renew. Just went ahead and got themselves a nice fat commission that I'm sure Sprint won't do anything to reprimand her for!

Just keep them exployed and working tirelessly, renewing unknowing customers all the time to get themselves false commissions!

I've stuck with Sprint since 20000, defended them against all kinds of craziness and even gone thru it previously with their "well-trained"reps, and I still stayed, but this is the last and I MEAN THE LAST GAWD DAMN STRAW!

My Account Number is: XXXXXXX
My Phone Number is: XXX-XXX-XXXX

I have already been assigned a few different case numbers, of which I have yet to have ANY of them resolved. I am tired of waiting to speak with someone. As quick as it took to extend my contract is as quick as it should have taken for it to be rolled back, but of couse they never help, or the reps never know what the hell they are doing, except for: giving mis-information and extending contracts falsely!

I want this issue resolved and I want BOTH lines on my account to be without contract for this hassle. I want some type of compensation that clearly and truely says I am sorry, and not from someones mouth.

If not, then let me out without obligation, financial or otherwise and I'll take the business to a more Realiable CORPORATION who knows how to run a business, called Verizon, T-Mobile or AT&T!

And to think I canceled my AT&T line to bring that over to my Sprint account, just to take advantage of the old SERO offer.

The only problems with at&t WAS THAT THEIR PRICES WERE HIGH AS HELL. Other than that, they beat Sprint in terms of Customer Satisfaction every step of the way. TIP TO SPRINT: Get these ghetto, non-educated, can't read, add, or subtract, low life people out of your company!

Sprint shouldn't hesitate to dissolve the unilateral contract extension if you call the special hotline they created for Consumerist readers at: (703) 433-4401.

(Photo: The Consumerist)

I pulled out of the lot, turned left, and I wasn't more than 200 yards away when a cop comes up behind me, lights flashing. I knew I couldn't have been speeding so I was genuinely confused. He said the woman at the United Dairy Farmers said I drove off without paying for gas.

Here's Chris' full story:

I had an interesting experience on Friday and a life lesson I think is worth passing onto other readers. On Friday I stopped at a United Dairy Farmers (local Cincinnati convenience store/ice cream parlor) to fill up while gas is relatively cheap. I pulled up to the pump, swiped my card, filled up, and paused before printing the receipt. Usually those things just end up wadding up in my pocket or under the seats of the car, but what the hell, I hit yes anyway. I then went inside to get a soft drink.

"Anything else?" the cashier asked. I said no, paid in change, and went back to my car. I pulled out of the lot, turned left, and I wasn't more than 200 yards away when a cop comes up behind me, lights flashing. I knew I couldn't have been speeding so I was genuinely confused. He said the woman at the United Dairy Farmers said I drove off without paying for gas. I said that was incorrect, and he said "She said it was a silver car, and she pointed at yours." I do drive a silver car, but I had paid for gas, and wait! I told the officer I had my receipt, and he wrote down the details: Amount, pump number, last 4 of my credit card, and the time. I also pulled out the credit card I paid with and my license, just to verify everything was on the up and up. He was cool about it, apologized, and I was on my way.

Lesson here is to always print that receipt out. I rarely check it against my statements now that I don't fill up as often. But without that 3x1 strip of paper I would have had a totally different story to tell. Needless to say I won't be taking my business to United Dairy Farmers anymore - being falsely accused of theft is a dealbreaker.

(Photo: Getty)

U.S. charges 11 in theft of TJX customer data [Forbes]

I opened a box I received from FedEx and pulled out of a couple of DVDs and then saw what looked like a rusty lid of something. At first, I thought nothing of it, since you can get DVDs packaged in all kinds of weird shit. I thought it might have been a fake film canister of some sort or...something. In retrospect, it might have been the Limited Edition Paint Can "This Old House: The Complete Series." But when I pulled it out I saw it was what you're seeing up there: an authentic $4.99 rusty gallon can of Satinwood Interior Latex Flat Wall Paint. (And please don't mock the wallpaper, it came with the house.)

I called the sender of the package and said, "What's with sending me a can of paint?"

He said, "What the hell are you talking about: a can of paint?" And you can guess where the conversation went from there.

It took a while for John to track down someone from FedEx to investigate, but apparently they're on the case now:

Regardless, the claims process is supposed to be underway, and FedEx Claims was helpful when I got them on the line—after they inexplicably transferred me to somebody who worked somewhere else within the company and had no idea why I was suddenly on their phone and then...on the second call they transferred me into their internal phonemail system, where I was prompted for my mailbox number. But anyway, the third call was fine. Let's just see how they react to this.

"Indiana Jones and the Satinwood Latex Flat Wall Paint" [Needcoffee.com]

Here's Mark's story:

On Monday, July 28th I ordered a pizza from Papa John's Pizza. When the delivery driver showed up, he handed me my Visa slip to sign with an 'x' written next to the tip line. To me calling any kind of attention to the tip line on a credit card slip is akin to holding your hand out and asking 'where's my tip.' I didn't like the presumptive tip, and had already paid an almost $2.00 “delivery charge” so I wrote a line through the tip line, rewrote the total and signed the slip.

This morning while getting ready for work, my wife informs me that Papa John's Pizza had overcharged us by $6.42. Quite upset about Papa John's Pizza stealing six-and-a-half dollars from me, I immediately googled Papa John's Pizza corporate number. I was transferred to the finance department, and left a message expressing my extreme dissatisfaction. About 7 minutes later I got a call back from Papa John's Pizza and the gentleman asked for the details of the transaction, etc. After promising the difference would be reversed to my debit card, he said that “Papa John's takes this sort of complaint seriously.” To which of course I replied “Please do not 'take this seriously,' resolve the issue.” Then the Papa John's Pizza guy got all defensive and wanted to know why I was calling him a liar. Anyway he promised to have a 'field supervisor' look into the situation.

If my charge was off by a dollar, say because the person keying in the charge transposed a number, I may or may not have been so upset. I would have waited until the local Papa John's Pizza opened up and discussed the matter with local management. But I firmly believe that the delivery driver took it upon himself to give himself a 30% tip. I also wonder how many other people have been 'fleeced' by this driver.

I hope to email you with an update about how Papa John's Pizza refunded the difference and took steps to show me that I am a valued customer, but the day is still young.

Well, we're impressed that someone at Papa John's called him back as promised, and in less than 10 minutes—that sort of thing is far too rare with many companies, and makes us think that Papa John's actually means the phrase. But yeah, they might want to rethink using empty PR-speak if they want to reassure customers that employee theft is not tolerated. But you shouldn't blame your customers for being skeptical when they hear that phrase—there's a reason nobody believes it anymore.

(Photo: Getty)

"As soon as we became aware of the mailing error, we worked to determine the exact cause, and we have made changes to prevent it from happening again in the future," said a Blue Cross Blue Shield spokesperson.

BCBS's parent company also said that it is in "the process of removing all Social Security numbers from such future mailings." The state of Georgia is requiring the insurance company to notify all those whose information was compromised and offer them one year of credit monitoring. You know, at the rate these data breaches are happening, we'll all have free credit monitoring pretty soon.

Here's what the AJC says you should do if this breach affects you:

Policyholders who received an incorrect EOB should contact Blue Cross's dedicated toll-free number at 866-800-8776 between 7 a.m. and 9 p.m. Monday through Friday. Members who may have received an EOB of another individual should return it to Blue Cross. The company will provide a postage-paid envelope.

Private medical data exposed [Journal-Constitution](Thanks, Matt!)

Chris only noticed the massive withdrawals after the police arrested the thief.

They said they caught this guy at BestBuy trying to use somebody else’s credit card to buy a whole bunch of computers. Apparently BestBuy’s register system pops up an alert code if there is somebody trying to use a card that has been reported lost or stolen, and they call the cops. Impressive. The police caught the guy red handed. With drugs. And paraphernalia. And a bunch of people’s personal information.

At the time, I thought they got the sucker before he could do any real damage. But just to be safe, I checked with Bank of America. I was shocked to see my account was overdrawn by almost $300. Last I checked, I had almost 40k in there.

A quick review turned up 5 suspicious transactions. Two were deposits, and three were withdrawals. All five transactions occurred *inside* five different Bank of America banking centers. What amazed me most is the final two transactions. A withdrawal of 26k. And later that day, another withdrawal of 12.5k. Way to spot suspicious activity Bank of America. They handed the guy almost 40k in cash in one day.

Turns out the first two transactions where not just deposits. They were checks written to me, Christopher Hooley. The first one was $6200. The guy kept $5k and left $1200 in my account. The next one was a day later at a different center for $7500. Again, the guy kept $5k. I saw the debit slip online, and this guy’s signature wasn’t even a remote attempt to copy mine. To make matters worse, it turns out he was forging checks from another valley business, who subsequently called the police on ME!

Great work protecting your customers, Bank of America!

Way to Spot Suspicious Activity Bank of America [Chris Hooley's - ThinkBait-]
(Photo: Getty)

We wrote about Hoofnagle's research in February, when he was analyzing identity theft at banks. Since then, he's expanded his research to include incidents at all companies.

Although the research is useful, Hoofnagle concedes that it is imperfect: a customer who falls for a phishing scam doesn't necessarily impart any fault to the company. On the other hand, the amount of phishing-related identity thefts is dwarfed by other types of fraud, such as new accounts created from pre-approved credit solicitations. Hoofnagle asks for increased transparency by businesses, which would provide more useful data and lead to better analysis.

Measuring Identity Theft (Version 2.0)

We can't really blame Arthur for misreading DirecTV's past scrapes with bribery and thievery as a license to steal. To his credit, he apparently managed to show for a 9 a.m. Sunday appointment. Maybe the judge will see that as a mitigating factor during sentencing? He'll need all the help he can get: if convicted, Arthur faces between two and a half and seven years in jail.

TV installer allegedly swipes over 5G from Staten Island customer [Staten Island Advance] (Thanks to Todd!)
(Photo: brianc)

According to neighborhood gossipers on the Brooklyn Heights Blog, which tipped us to the story, Kaufman has a bit of a reputation for being shady. Several of the commenters also report fraudulent charges on their own accounts after eating at one of Kaufman's restaurants. Many of the reviews of Blue Pig online accuse it of using cheap factory-made ice cream and selling it as homemade, so maybe that was an early sign that honesty wasn't a high priority for Blue Pig's owners.

"Busted Chef; Heights food shop owner arrested on identity theft, forgery" [Brooklyn Paper]
(Photo: jere-me)

This SlickDeals forum thread talks about how if a merchant manually bills an account, without sending it through their credit card processor to get appropriate authorization, the bank will pay them without question. The good thing is that charges that are received by the bank that come through without an authorization attached are very easy to initiate a chargeback on.

Once again, it is up to the consumer to examine his bills and make sure his ass is protected.

Virtual credit cards are no protection [SlickDeals] (Photo: Getty)

"Step 1: Place a fraud alert on your credit files and monitor your credit reports regularly."
Contact at least one, but preferably, all three of the credit reporting companies and tell them to place a fraud alert on your credit report. Also provide a "victim's statement" asking them to notify you before making changes on current accounts or opening new accounts. You can reach the credit bureaus a few different ways:

Equifax : 1-800-525-6285; P.O. Box 740241, Atlanta, GA 30374-0241

Experian : 1-888-EXPERIAN (397-3742); P.O. Box 9532, Allen, TX 75013

TransUnion : 1-800-680-7289; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

There are also several other ways to get your credit report and a monitoring service.

"Step 2: Close the accounts that you know, or believe, are not opened by you or have been tampered."
Call each creditor and close any account that has been compromised by the identity thief. Request that the accounts be "closed by creditor's request," a simple "closed account" can reflect negatively on your credit report. Ask each creditor to send you the transaction records the identity thief made on your account. Creditors must provide this service, and do so at no charge.

If you encounter difficulty getting these records, send your requests by certified mail with return receipt requested so you have a document of when the creditor received your request.

"Step 3: File a complaint with the Federal Trade Commission (FTC) ."
You can file a complaint with the FTC online by filling out an online complaint form or you can call them at the Identity Theft Hotline at 1-877- 438-4338; TTY: 1-866-653-4261. You can also notify them by sending a letter to Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.

"Step 4: Contact your local police or the police in that community where the identity theft took place and lodge a complaint."
Contact and inform your local police department about the crime and submit as much proof as you can. It is recommended to supply them with a copy of your FTC ID Complaint form, your cover letter and any other paperwork that support your claims of identity theft. Once you make sure the police report contains all the affected accounts, send it to all the applicable creditors.

"Step 5: Change all your account passwords."
If the identity theft involves your ATM or debit card, change their PINs. Add passwords to any account that doesn't have one and avoid obvious passwords.

5 Steps To Take If Your Identity Is Stolen [DebtConsolidationCare]
(Photo: Getty)

From ABCNews:

In court documents, federal prosecutors say UBS bankers helped set up many of the secret accounts in Liechtenstein and, overall, hid as much $20 billion belonging to US citizens.

"Sums are enormous and UBS appears to have been particularly aggressive in the way they marketed their activities in the US and elsewhere," said Christensen. "So UBS is extremely vulnerable to losing their license in the US."

One UBS banker, Bradley Birkenfield, pleaded guilty last month and admitted to smuggling cash and diamonds for Americans trying to hide their wealth from the IRS.

In federal court documents obtained by ABC News, federal prosecutors allege that Birkenfield's bank trained bankers traveling to the US in "techniques to avoid detection" by law enforcement authorities, "including training bankers to falsely state on customs forms that they were traveling into the United States for pleasure and not business".

There will be Senate committee hearing tomorrow and ABC says that "among those called to testify are foreign bank account holders, including one of the wealthiest men in Los Angeles," and that the tax dodgers could face criminal prosecution.

Hundreds of Super Rich Under Investigation [ABCNews]

• $10 off a purchase of $50 or more
• $20 off a purchase of $100 or more
• $30 off a purchase of $150 or more

Stein Mart seems to think that when it comes to bad security, intention makes all the difference:

A representative for Stein Mart said the company is not aware that anyone's identity was stolen and that the company was a month away from having all their printing procedures corrected.

If you're really interested in those coupons, check out steinmartsettlement.com.

[WSMV Nashville] (Thanks to Martin!)
(Photo: Getty)

Allegedly, the following email was enough for Apple to hand over Marko's login information to a stranger with a yahoo.com email address:

am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com

The stranger then logged in to Marko's account and changed his password. Fortunately, the security question stayed the same and he was able to regain access to his account. Meanwhile, the stranger had access to:

- My personal details
- My personal email
- All the files stored on my iDisk
- Everything I've synchronized to .Mac, including my Address Book, Bookmarks, Keychain items, etc.
- My credit card details as stored in my Apple Store profile
- My iTunes Music Store Account
- My ADC Premier membership, including the software seed key and other assets
- The iPhone Developer Program's Program Portal, including details of our development team

Whoops.

Apple just gave out my Apple ID password because someone asked [Karppinen](Thanks, Ivy!)

Josh cc'd us on his Executive Email Carpet Bomb:

Dear American Airlines:

My name is Joshua, and my AAdvantage number is XXXX. I am writing in regard to ticket XXXXX, under record locator XXXX.

I would like a refund of the $15 fee I paid to check a bag on AA 4794 on June 27, 2008, as the flight was cancelled and I (and my checked bag) did not travel with American.

When the flight was cancelled, I called your customer service 800 number and requested that my itinerary be refunded. Your customer service representative processed this refund over the phone without difficulty. However, the refunded amount did not include the bag fee.

I am now advised by your telephone customer service that, in order to get my $15 refund, I must mail a letter with my original receipt for the bag fee to your refunds department in Tulsa. They have told me that they cannot issue a refund over the phone, and cannot waive their policy on the matter.

I do not find this to be an acceptable solution. You should not require me to mail a paper receipt when the information about the fee already exists in your computer systems. Indeed, I am not even sure what I did with that receipt after I left the airport. More broadly, while I understand your rationale for charging a fee for the first checked bag, you should not make it unreasonably difficult to collect a refund of the fee when the service is not provided.

I recognize that I am not currently an elite-level American customer. However, I qualified as AAdvantage Gold in 2006 and have over 100,000 lifetime travel miles under my belt on American. I have recently moved to Washington, DC and will be traveling frequently to New York and Chicago. Those are places to which both American and its competitors provide frequent service. I hope to continue doing that business with American, contingent on the refund of this fee.

I hope that you will be willing to refund this fee to me without further difficulty.

Sincerely,

Joshua

American's contract of carriage is silent on baggage fee refunds.

While Josh's EECB is detailed and concise, American's recent cash-hemorrhaging makes them less receptive to reason. Give the request an added punch by asking the Department of Transportation for their interpretation of American's greedy conduct.

(AP Photo/Paul Sakuma)

A doctor at the hospital, William T. Kumprey, was tired of seeing Farnam.

Farnam had been to the hospital several times in the last month or so. He had used his fake heart attack routine at Silk — an exotic lounge — at several restaurants and while getting out of various cabs.

The doctor told Farnam he would call the police the next time he caught him faking the clutch of death to avoid paying his bills.

Farnam let it slip that he had, earlier that very day, after a hearty meal for which he did not pay, absconded to Froedtert Hospital.

The doctor called police.

The 52-year-old faces nine months in jail and a $10,000 fine if convicted.

Cardiac arrest: Man faked heart attack when dinner bill arrived [Milwaukee Journal Sentinel]

Reader Adam writes in to let us know his relative found a working Dell computer in the dumpster at his office complex. It appeared to be in functional condition, so he took it home. Sure enough, it took only a bit of tweaking before it was back to working order—as a Curves Fitness employee and customer information smorgasbord.

Adam dug around a little bit on the computer and found employee phone numbers, customer addresses, and credit card info. The Curves in question is located on 134th Street in Vancouver, WA. Adam called to let them know what happened, here was their response:

Before I posted this I tried twice to talk to the manager of the offending Curves… both times I called they were “busy” or “out”. No one offered to take a message so I never left one.



I’m not sure if it’s that they are not used to men calling (Curves is a women’s club) or if their customer service is just as crappy as their data destruction policy. In any case, as I said in the post, I contacted the corporate office. After I made this post I did call again and got voice mail; so I left a message inviting the manager to [read this post].

Adam also contacted Curves corporate before contacting the local franchise. They told him that, although each franchise is responsible for its own IT and privacy policies, they agreed that this franchise's actions were inappropriate and they'd get in touch with the franchise.



Dear Curves, Respect Your Client and Employee

A reader named Ben writes,

Chase.com doesn't know how to protect their customers passwords. Their login page does not use a secure connection
(see attached). It uses http instead of https. That means that your password is not encrypted when submitted, which is pretty bad for a financial site. (However, they do care enough to include a meaningless, fake "secure" lock icon next to the login form.) I spoke with them a month ago, but they haven't changed anything.

Once you've logged in, everything is encrypted, but that initial password transmission on the home page isn't. Fortunately, if you're a Chase customer you can change the address manually to https (just add an "s" to the end of the "http" and hit your enter key) to trigger the encryption.

Note: A couple of initial comments were lost from this post, but we thought this one from beavis88 was good to know:

As long as the target of the form is an https url (and it is), the data will be encrypted. This is bad form, no question, but they are not total and complete idiots at least.

"At the time that the woman passed away the family tried to cancel all of her credit cards, but it's believed that this one was inadvertently left out and a renewal card was sent in the mail. We think the granddaughter got a hold of that and took advantage of the situation,” said Officer Katie Flood.

Our favorite detail: the couple used the card to pay for the boyfriend's $500 DWI court costs. Grandma would be proud.

"Police: Couple Used Dead Grandma's Credit Card" [KOLN KGIN]
(Photo: Getty)

In case you needed more evidence that Direct Marketing Services isn't exactly a top-of-the-line company when it comes to data security, management, or customer relations, the breach wasn't even discovered internally:

Direct Marketing Services' CEO, David Milgrom, said the financial company Citigroup detected the computer invasion in December. By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company's retail properties.

After the story broke last week, the company announced plans to contact the victims of the breach.

Direct Marketing Services says it now plans to contact the victims of the breach, but of course that's only to avoid further bad press now that the story has broken. Fortunately, they contacted credit card companies when they were first notified of the breach, so the industry has been monitoring suspect accounts and/or issuing new cards as needed. If you shopped at the Montgomery Wards website and found your Discover, for example, you may have been a victim. Congrats.

So why wasn't it reported? Because it's financially more rewarding to flout the regulations that require it if you're dealing with online transactions:

Such silence was the norm in the industry for years. But in response to fears of identity theft, 44 states have passed laws that generally require organizations holding consumer data to tell people when their information has leaked, according to the National Conference of State Legislatures.

Clements and other security analysts say that despite those laws, many breaches still are kept quiet, judging by the data being hawked in online black markets. Avivah Litan, an analyst at Gartner Inc., believes unreported data breaches might still outnumber the ones that do get publicized.

Litan says it especially is the case with online merchants. She believes it happens because of a lack of pressure from credit card companies, which are not responsible for fraudulent charges in "card not present" transactions over the Web and mail order. Until fraud actually appears on the card, they'd rather avoid the cost of voiding compromised cards and giving consumers new ones, she said.

"What it reveals is the convoluted banking system," she said. "If this had taken place at a grocery store, we all would have heard about it."

You know what would make for some good PR? If an online company stepped forth and made a commitment to reveal data breaches in a timely manner, and hired an outside auditing firm to enforce said pledge. Instead, we'll start the countdown to a class action lawsuit against Direct Marketing Services.

"Wards didn't tell consumers about credit card hack" [Associated Press]

[The] undercover operation... at one point had Eastern European hackers chasing a female FBI agent through the streets of New York, trying to mug her for ATM-card-programming gear.

"Stakeouts, Lucky Breaks Snare Six More in Citibank ATM Heist" [Wired Threat Level] (Thanks to Robbie!)
(Photo: Getty)

Rebecca got one of those calls from her mother that everybody dreads. "Is there anything you think you should tell me?" her mother wanted to know. Rebecca's mom got a piece of junk mail with Rebecca's first name and her boyfriend's last name and was under the impression Rebecca had snuck off for a Vegas wedding. She hadn't. After Rebecca calmed her mother down, she tried to figure out how Rite-Aid, where both had worked for a time, had merged her name and her boyfriend's. When Rite-Aid gave her the run around, we advised Rebecca to try an EECB to get some answers. Read her email, inside.

To The Board of Directors:

Good Morning. I am sure you can help me with a little problem that I am having with your company.

Last Friday, my mother received a piece of mail from your company's current promotion regarding the "gas giveaway" if I switched my prescriptions to you. Annoying as any other piece of junk mail is, this one was particularly disturbing. It was addressed as:

Rebecca J*****
[redacted]
[redacted] CT

My mother called me where I live, in Vermont, and told me of the mail that I had gotten. It turns out, my last name isn't J*******, it's F*******. My boyfriend's last name is J*****, though. When she called me, she was extremely agitated and excited (and not in a good way), over the fact that I had gotten married behind their backs. My mother had just gotten out of the hospital with congestive heart failure and a massive infection, and the last thing that she needed was to be excited.

I spoke with one of your customer service representatives on Monday, and she assured me that I would get a call with someone from "corporate" yesterday. I waited all day without a call. She told me that the marketing comes from the pharmacy division. My boyfriend hasn't had a prescription filled at a Rite-Aid in two and a half years, the time we've been together.

We both worked together at Rite-Aid, but never once marked myself as being "connected" to him, except by address.

I cannot figure out how my first name got linked with my boyfriend's last name. Simply what I am asking for help with is to find out where this came from.

If you could help me, it would be greatly appreciated. I simply want to know where this name came from, so I can get it removed, and make sure it doesn't happen again.

And about the piece of mail? If your pharmacy can't even get my name right, and is linking me to other people I'm not even related to (yet), how can I trust them to get my prescriptions right? More than likely, I will never do anything personally identifiable with Rite-Aid again. I was once a loyal shopper, but if this problem cannot be solved, I may never shop there again.

Thank you for your time, and for reading my email.

Looking forward to your response,

Rebecca

It's one thing if a customer loyalty program gets confused about your name. Irritating, but unlikely to actually hurt you. It's another thing completely if the pharmacy decides you'd be better off married and starts sending junk mail to your mother's house in another state. If the pharmacy makes such an appalling, counter-intuitive mistake about what name to use on annoying junk mail, how badly are they going to screw up your prescription? If you're having trouble with Rite-Aid, the link with tips for sleuthing corporate contact information is here.

(photo: Clean Wal-Mart)

Many fuel tanks are equipped with rollover valves designed to cut off the flow of fuel when the vehicle rolls over. These valves, which are actually just small balls in the tank's neck, have the added effect of blocking any siphoning tubes entering the tank. This has forced some thieves into cutting into the tank itself. Tommy Westerman, a mechanic at Westerly Automotive in west Fort Worth said, "I had a young lady who drives a little Cavalier, and someone had used a drill to make a hole in the tank. For a new tank and labor it was about $400. It does damage."

Not all gasoline thieves are drilling tank holes. Some are cutting into the fuel filler tube which on some cars, runs along the underside of the vehicle. In these cases, trucks and SUVs are the popular targets since they sit higher off the ground.

Until auto-makers start designing vehicles to resist gasoline theft, authorities preach basic vehicle safety measures. Park in well-lit garages or driveways instead of the street. You can also install motion-sensitive security lights which could deter some would-be thieves. In addition, report any suspicious persons or activity occurring in parking lots. What tips do you have to help prevent the theft of gasoline from vehicles?

Gasoline thieves adopt a new drill [Star-Telegram]
(Photo: Getty)

"Taking it seriously" is a phrase companies use over and over again in public statements whenever they have bad PR. Our series of posts on occurrences of the phrase is our attempt to question how seriously companies are really taking these matters if every time they trot out this phrase by rote.

(Thanks to Michael!)
(Photo: cmorran123)

The victims purchased gas at Arco stations, which only accepts cash or debit cards. Thieves attached a card-reading device to the payment machine's keypad that allows them to steal bank card numbers and personal identification codes.

It can be hard to spot a modded card reader or ATM machine, although if you see something that looks blatantly tacked-on you might want to think twice before swiping your card there. Snopes suggests you "get into the habit of using the same ATM for almost all of your transactions so as to better recognize when something is different with the machine."

"ATM card thieves have struck statewide" [MercuryNews.com]
(Photo: blmurch)

He writes:

I'm at a loss of words right now, the anger and hatred for Bank of America has tuned me into a raging lunatic. I have been on the phone with them twice now, asked to speak with a manager/supervisor and I'm still sitting here spinning my wheels.

This past week, I went out of town to visit with my family. At the start of that weekend my account had $68.39 in it. I went to a coffee house and spent $8.89 there across two purchases (one for me and one for my wife when she joined me afterwords $5.71 and $3.18 respectively). I also went and spent $12.00 on a car wash. That day I had a fit of allergies hit me so I went to the drug store and bought some drugs to help me which came to $19.89. This now brings my total weekend spending to $40.78 and all done on Saturday. This would mean that my account would now be at $27.61. After I got back (Tuesday), I had money from my savings transferred in (see the $420.00 transfer into my account). I then used my check card two more times on Wednesday (yesterday) which are still pending (see the $44.00 and $5.55 purchase both of which say "pending"). However I went into my account today (Thursday) only to find BofA has slapped me with 3 overdraft fees!

Knowing this had to have been done in error (and knowing that in the past BofA has had really great customer service) I gave them a call to point out the error of their ways and to correct my account. This is where I started to loose my sanity as BofA tries to explain how in fact the charges which are still pending brought my account to $18.84 and that the purchases I made over the last weekend caused my account to go over and in fact is why I have three overdraft fees. (Are you as confused as I am? Did BofA invent a time machine that they never told us about??)

Now they explained to me that when I make a purchase that purchase causes a "hold" on my account for that much (hence the Pending) and my account reflects that amount being taken out. Which makes since, I can understand that, but what I cannot understand is how a purchase I made in the "future" made it so that the purchases I made in the "past" cause my account to go over and thus I get three overdraft fees as apposed to one or in what I thought was my case, none.

Am I missing something here? I mean I never did take a class in quantum physics but I did get a B+ in Calculus and both me and my wife (who is a finance major and works as an auditor for a financial institute) cannot understand the math BofA is using here.

I have attached a snapshot of my bank statement so hopefully you can understand and maybe show me where the BofA math is coming from, because to me, I can't see it.

He later added:

Today I went into my local branch (where I opened my account) and talked with an Account Executive (the people above tellers that have offices, I think that's their title but I could be wrong). After I spoke with them and explained my situation, showed them a printout of my bank statement and also explained what BofA told me on the phone, they preceded to call their customer relations line and get the 411.

After the woman explained my situation to the lady on the other line, they told her something that she couldn't understand and thus handed me the phone so so they could explain it to me. The woman on the line proceeded to explain how the hold on the pending amount $44.00 and the charge for $5.55 made my account $10.00 so all remaining charges caused my account to go under and given an overdraft fee. She said this was because when you make a purchase the bank puts a hold on those funds until the receipt from the transaction gets mailed to them for verification.

I tried to explain to the woman on the line that using HER rules that would mean (minus the 420 I deposited into my account to counter act any of this happening) that only the 44.00 charge would have caused my account to go over and thus I should only be charged one overdraft fee and not three. She did not agree and kept reiterating the same thing she told me over and over again.

At this point I said I was done talking with her and handed the phone back to the Account Executive and she hung up on her. The Account Executive was very kind to me, she understood that there is no reason my account should be charged overdraft fees because it was never bellow zero in the first place. She went to her Bank manager and they agreed to pay me half of the fees back to me.

I can't knock the Account Executive or the Bank manager because they understood my situation and understood where I was coming from and did everything in their power to correct the situation. Granted if Corporate BofA had better policies or a calculator that can add and subtract properly I would have never needed to go to them in the first place.

All in all, I still would like the remainder of my money back but I feel somewhat vindicated that at least my local bank understood where I was coming from and did what they could to mend my wounds.

Jason is still out over $50 for Bank of America's error, and not an inch closer to understanding the bank's justification for its ludicrous charges. We're not ones for math, wormholes, or mathematical wormholes, but maybe one of you scientists can untangle Bank of America's convoluted logic. Publish your hypotheses in the comments for peer review.

1. Don't write checks.

Here's the reason: If I write a check at Walgreens or CVS, I'm leaving that check behind with the clerk. And on that check is my name, address, phone number, my bank's name and address, my bank account number, routing number, and my signature. And if that store clerk writes down my driver's license on the front of the check, in nine states—including the one I live in—that's my Social Security number, too. Then, next to it he writes my date of birth.

"Well, I don't get that check back. So I don't know if CVS destroyed the check, if they put it in a warehouse for seven days or 30 days. What I do know is that anyone who sees the front of that check has more than enough information to draft on my bank account.

2. Make sure the IRS cashed your tax check. Crafty thieves look for envelopes addressed to the IRS and, like resourceful squirrels, rip out the delicious fruit inside and claw off the IRS' name and replace it with their own.

3. Don't put checks in your mailbox. "That's like putting the flag up [for fraudsters] to come get my mail." Entrust your check-filled envelopes to the post office.

4. Treat your checkbook like cash. Leaving a checkbook exposed in your car is like hanging a sign on your windows reading "Smash Me!"

5. Balance your checkbook, or at least keep an eye on your online bank statement:

About 51 percent of Americans do not reconcile their bank statement—they don't even open it. Banks love this because we have a law in the United States called Article 3, Section 406 of the Uniform Commercial Code. It says that you have 30 days from receipt of your statement to notify the bank of any discrepancies that may appear on your statement. If you don't do that, then the bank has no liability to pay you.

Our online banking setup keeps us from hunting down the checkbook lurking somewhere in our apartment. Do people still use checks?

5 Ways to Avoid Being a Check-Fraud Victim [U.S. News & World Report]

It's alleged that while Jackson worked at Time Warner, she received a payment on a customer's account through a credit card and kept the victim's credit card numbers. This allegedly happened at a call center located in Blue Ash, according to a Time Warner representative.

In the following weeks, Jackson allegedly ordered items over the internet and over the phone using the numbers.

Investigators said Jackson had the items sent to her home, but it is not yet clear whether that led to her arrest.

Wait, she used the stolen info to shop and mail things to her own address? We're going to allege that Jackson was an idiot.

"Former Time Warner Cable Employee Arrested For ID Theft" [WCPO News]

Remember TJX's gigantic security breach problems last year, where data on 94 million accounts was stolen? Good for you, because apparently TJX doesn't. A former employee of a TJX store in Lawrence, Kansas was fired recently for posting anonymous complaints online about the current sorry state of his store's security, which included the store manager writing server login and password information on a sticky note, and the store resetting employee passwords to blank fields.

According to The Register,

Benson's May 8 posting was prompted by news that managers had changed the password for employees to access the store server. Inexplicably, it was set to blank. When Benson first began working for TJX, his password was the same as his user name, he said. Then came word in January 2007 that unknown hackers had brazenly intruded on the company's network over a 17-month period. For a time following the disclosure, TJX employees were required to use relatively strong passwords. The change to a blank password clearly represented a step backward, Benson thought.

TJX says the former employee divulged confidential information, but Benson claims that he's acting as a whistleblower to get them to improve their security:

"My information is still on that server," he continued, referring to the machine that sits in an office at the TJ Maxx where he once worked. "So if their network is insecure, then my information is insecure. I'd prefer they get it fixed."

"TJX employee fired for exposing shoddy security practices" [The Register] (Thanks to Will!)
(Photo: crazytales562)

Dan writes:

I got an interesting call from my father today. Turns out that when I moved to California and called Bank of America to change my billing info and phone number, they didn’t do it. Instead, they kept my old address and phone number, which is where my parents currently live.

I was a little late making a payment this month (my bad, and I intend to pay immediately). So, Bank of America calls the number they have on record, and the man who picks up tells them I’m not there. They then tell the man my account balance, that I’m overdue to pay, and the amount I’m overdue. Now, mind you, this is before the man they called tells them who he is. Strike one: Giving my account information to a perfect stranger who has already told them that he’s not me.

Then, when he questions the fact that they just gave him my account information, the rep asks who they’re speaking to, and he identifies himself as my father. At that point, they don’t apologize, but instead ask him, “Well, would you be willing to make a payment on his behalf?” He responds with, “No, I wouldn’t like to pay the bill for my 25-year old son.” Strike two: Asking my father, who is not on my account, the father of a 25-year old (not a 16 or 17 year old that he’s responsible for) and has nothing to do with my loan, to pay my bill.

No strike three yet, and I hope there won’t be one. I called to complain, and was forwarded to the voicemail of a call center manager. Since I’m on the west coast and it was already about 6pm my time, I’m cutting them a break and giving the benefit of the doubt that I’ll get a call back first thing tomorrow.

-Dan

That's kind of you Dan. We wouldn't be so generous. If you do decide you want to rid yourself of Bank of America, here's a tip: Ask them about your interest rate.

(Photo: epicharmus )