Saturday, July 18, 2009

Lanced by Elance

Last night Elance (a site I've used to hire website designers and builders) let me know that it had a recent data breach that compromised my contact info including:
  • Name
  • Business email
  • Business Telephone
  • City
  • and my Elance user ID

In short, Elance is trying to act like the eBay for posting and selling programming jobs. Can you imagine if this email came out from eBay?

Elance is a Company Acting Badly for not hiring one of its own reviewed professionals to evaluate and secure its own site. A simple search on their site, like the one here, shows almost 2,500 different professionals with website security backgrounds, some with 100% positive rankings on over $500,000 of work. One of these folks couldn't have been hired by Elance? Isn't it ironic that Elance could have used its own service? That's like folks at eBay not looking on their own listings for products that eBay could use at its own headquarters.

Elance posted a security alert here that gives more detail on what occurred. They've confirmed that the information that Elance didn't secure has shown up on other websites and that Elance users have received spam. Well that's great. Now my business email is going to get spam due to Elance's muck up?

Unfortunately, Elance, like others who've not secured my personal information, does not:
  • say when the theft happened
  • confirm that someone at Elance will be held responsible for not safeguarding my info
Additionally, Elance focuses on resetting passwords and giving tips on picking passwords (like not to use the same one across sites). If Elance's passwords were encrypted, then this should not be an issue so why are they focused on it? Why would they whack everyone's password and force re-registration here?

Scrawlbug had also been nailed by Elance and posted a good suggestion here that all of us who were affected should set up Google Alerts to watch for our Elance ID.

Elance joins the ranks of Companies Acting Badly for losing my work information and not having hired one of their own profiled security experts to test, find and fix any architecture holes.

Friday, July 10, 2009

Data Schwab'd Update

Thanks to the folks at databreaches.net I now know more about what happened (per my Chuck I've Been Schwab'd post) as databreaches posted a notice that Charles Schwab sent to the NH attorney general.

In short:
  • The theft occurred in early May - therefore it took Chuck some six weeks to notify me that I'd been Schwab'd
  • The employee who violated policy was terminated - that saves a severance payment
  • A suspect was arrested - gotta love the police
  • The drive with my data was not recovered - did they check Craigslist?
Charles Schwab remains a Company Acting Badly for taking some six weeks to notify customers that their personal information was stolen and for not providing impacted customers with the same level of detail on the theft as they provide to an attorney general.

Tuesday, June 30, 2009

Chuck I've Been Schwab'd

Last week I received the following letter from Charles Schwab that they had lost a computer that contained unencrypted personal information including my name, social security number and account number. Given that I've got a few accounts at Schwab all associated with my name and SSN, let's assume they lost them all.



How nuts is this? Another year and another supposedly high tech firm can't handle basic technology protocols like storing customer information on a server in a data center and if they need to store it on a laptop or desktop, then encrypt it so it can't be read.

And Schwab's letter? This obviously wasn't written by the folks who do the Talk to Chuck campaign.

  1. "You may have been impacted..."
    No. I was impacted. Not may have been impacted. Someone has my personal info and it's Schwab's fault. I now have to monitor my credit reports once again.

  2. "... a recent data incident."
    No. This was a process incident. It was a control incident. It was a security incident. Data was involved. But it was not a data incident.
And the line that really puts Charles Schwab in the leagues of Companies Acting Badly:

"It doesn't appear that the theft of this computer hard drive was intended for fraudulent purposes or identity theft".

Really? How do the brainiacs at Schwab know the robber's intent? Have they spoken to them? Schwab can't monitor my credit reports so how would Chuck know if someone now had fraudulently taken out credit in my name? Even if Schwab could monitor my credit (which it can't) how would they know if a new credit card was taken out by me or fraudulently by someone who had stolen my SSN off their computer? Schwab can't and this line is useless and insulting.

Perhaps Schwab hired the same brilliant lawyers who helped BNY Mellon write that "we have no reason to believe your information has been or will be accessed or misused".

I checked Schwab's site to find their policy on personal information and found that they may have violated their own rules (click here to see their policy). According to Schwab, they "take steps to protect you from identity theft", including:
  • using firewalls and encryption technology to protect personal information on our computer systems;
  • training our employees on privacy and security to properly handle personal information about you.
Not quite a shining Chuck moment.

I tried calling the phone number Schwab gave in the letter and it was evident that this person and their supervisor were reading a script. In short, they didn't know when the theft occurred but could tell me it was in 2009 and they offered me a key fob random number generator to make my sign on to Schwab more complicated.

E*Trade and TD Ameritrade are offering me 25,000 frequent flyer miles to move my accounts. Will they have any better security over my personal info?

Charles Schwab joins IBM, Intuit and BNY Mellon as Companies Acting Badly for managing to lose my social security number and other personal information.

Wednesday, June 10, 2009

Stick it to Learning Express

Anything that would drive customers away from paying high prices for items at your store would seem like a dumb idea for a franchisee, especially in this economy. Learning Express of Westport, CT must either be flush with cash or have a lot to learn as they just ensured that I will not return and encourage my friends not to shop there.

What brought this about?

First some background. Learning Express sells many of the same toys (like Lego) that you'll find at Toys R Us, just with higher prices and a smaller selection. Why pay higher prices or have less choice? They wrap toys with Learning Express gift wrap and affix a from/to sticker to the outside so you can write the name of the birthday child and your child who gave the gift. We've been shopping there for 6 years.

Back to today.

My son recently received multiples of the same birthday gifts at his party. We returned a couple of toys to Learning Express of Westport and got a credit a few weeks ago. So far so good. We used the credit to purchase gifts for upcoming other kids' parties. The total was more than our credit so we paid the difference in cash. So far so good for us and Learning Express.

Until it came time to affix the from/to sticker. They wouldn't do it. That's right. The franchisee wouldn't put a 1 cent sticker on the toy because he said he had to spend too much time wrapping gifts. He won't affix a from/to sticker if you used a credit.

Dumb.

Stew Leonard's has a rule - the customer is always right. Learning Express' rule should be something like - for a penny, I'll lose a customer.

Learning Express joins the ranks of Companies Acting Badly for encouraging its customers to shop elsewhere, for making the exchange process cumbersome and for losing a customer over a 1 cent sticker.

Wednesday, March 18, 2009

Citi [isn't it ironic]

Following someone's feedback, I decided to delete a post on how Citibank was wasting my time. The person correctly pointed out that it was ironic that my time to write the post likely exceeded their impact on me.

He/she was correct.

Friday, February 6, 2009

Heartland Victim?

Citibank just canceled a credit card of mine and issued me new cards. The new cards came with this insert:



Upon calling to activate my new cards, an automated recording confirmed what their security message said "your card ending in xx has been compromised or stolen". The Citi rep who came on the line added that Citi doesn't know which merchant caused the problem, that Visa had sent over a list of account numbers and that Citi was issuing new cards as a precaution.

With all the recent news, like here and here, on Heartland's losing some 100 million account numbers about 2 weeks ago, want to bet that they're at fault?

Heartland is a Company Acting Badly for putting millions of customers at risk.

Wednesday, February 4, 2009

Garmin Responds to BBB

In response to my Better Business Bureau complaint, I received this email from a Garmin specialist (click to enlarge):



In short he's:
  • confirming the $150 fee
  • informing me that my warranty is over
  • letting me know I can repair it myself
  • suggesting where I can buy a battery
  • reducing the fee to $75 (about 1x-1.5x the value of c330s sold on eBay) if I go with Garmin
  • stating that Garmin won't repair the unit but will swap it out for another
No repair? Doesn't their website list a 'repair' fee? Was I right that all Garmin is doing is pseudo-selling a used unit to me with a 90 day warranty instead of repairing my unit with new parts?

My Garmin works fine. The battery is dead. A new battery should last years. If I buy a used c330 from Garmin under their 'repair' offer, I will receive another unit that could have its battery fail in 90 days.

As $75 is still unreasonable to repair an $8 battery and I do not like being forced to buy another used unit under a 'repair' lie, I decided to see about replacing it myself per Garmin's email suggestion. I searched on the BatteryPlus site they recommended - unfortunately they don't sell batteries to fix my unit. As I'm not MacGyver and needed instructions, I sent this reply (click to enlarge):



Garmin remains a Company Acting Badly for not being willing to repair a unit, replace a battery or charge a reasonable fee.

My original post is here and the BBB complaint is here.

Tuesday, February 3, 2009

Garmin Battery Update

Being upset with Garmin's exorbitant repair fees, poor battery product design, and questionable 'repair' / sales practice, I reported them online to the Better Business Bureau (BBB).

Here's what I wrote:



In short, I offered to pay a 'reasonable' repair fee and to pay for shipping.

My original post is here.

Garmin Battery Battery

About 3 years ago I purchased a Garmin StreetPilot c330 GPS. The Garmin c330 is a great little unit that looks like a mini 1980s TV but has since been eclipsed by flatscreen, widescreen and more modern Garmin Nuvi models.



The c330 comes with a rechargeable battery in the unit. This battery is required if you want to use the GPS when your car engine is not running, it helps find satellites more quickly and the battery allows you to remove the GPS from the base and still use it. My Garmin c330 battery died sometime early in January.

You would think that replacing a battery for the Garmin is straightforward. Think again.

With Garmin, you have to:
  • remove a faceplate
  • unscrew a front panel
  • remove and put aside the antenna
  • unscrew the battery bracket
  • remove the battery
  • cut the wires
  • remove the battery from its casing
  • remove a strip of metal
  • solder a new battery
  • solder the strip of metal
  • install heat shrink around the battery
  • heat it without causing it to explode
  • insert the battery
  • screw in the battery bracket
  • reinstall the antenna in the exact same position as before
  • screw on the front panel
  • install the faceplate
There's a good tutorial and pictures of all these steps at GPSPassions.com, which you can see by clicking here. According to the poster and readers, you can do this in about 15 minutes and spend $10 or so on parts.

Not being comfortable with a soldering iron, I went to Garmin's site to see what they would charge.



It's $150 to repair my GPS. $150? It's not even worth $100. Why would anyone with second grade math spend $150 to repair a used Garmin c330 GPS you can buy on eBay for less than $100? And the folks at Garmin, who must be out to make any money they can, don't give you an option to just replace their dead rechargeable battery that you can't get at without MacGyver on your side. And the warranty on the repair? 90 days. 90 days for $150? A rechargeable battery should last years.

I thought this must be a joke so I called Garmin support and spoke to a rep about replacing my c330 battery. Not only did he confirm and stick by the $150 price, he told me that Garmin may elect to not replace my battery but to replace my GPS with another used c330 that they have in their return stock. What? No repair? So Garmin wants to effectively sell me for $150 (under the guise of repairing) a used unit that I could find on eBay for $50. Will it have a new battery that will last me another few years? They can't say.

Garmin is a Company Acting Badly for designing their products in a way that consumers can't replace a battery. Garmin is a Company Acting Badly for pseudo selling customers used goods under a 'repair' label. Garmin is a Company Acting Badly for installing a rechargeable battery that doesn't last more than a few years. Garmin is a Company Acting Badly for charging exorbitant repair fees that exceed a unit's value by two to three times.

Wednesday, January 7, 2009

ING Lying To You & Me

I recently signed up for and moved some spare cash to an ING Direct's Orange Savings Account. At the time the rate was about 2.75% APY which ING lowered this month to 2.50% APY.

Not having been aware of the change in rate, while viewing my account online, I clicked on a link to "Get more info on your rate". What did I learn? (click images to enlarge)


I learned that ING Direct still claims to be paying me 3.00% APY on my account not 2.50%.

For a business built online, ING Direct is a Company Acting Badly for having its online rate information months out of date.

Sunday, January 4, 2009

Citi Targeting Kids

As a loyal Citibank customer for almost 20 years now, I get disappointed when I see them acting badly and doing dumb things. Like targeting my son for a credit card. My seven year old son.

Below is the application that arrived yesterday. It's not the first time they've sent him one of these (click to enlarge).




It's not just any card. It's a Citi Gold card. For a seven year old? They'll give him 25,000 points with $750 in spending. That's about five years worth of allowance money. And if you read the fine print on the back... they are offering him a 13.99% interest rate. Not great. Not killer. If a seven year old should miss one payment... it shoots to 28.99%. He'll owe Citi for life.

How did Citi decide to target a seven year old? It's obvious that they bought or bartered for a list of American Airlines Advantage members (frequent fliers). They then determined who on the list didn't already have this credit card with Citi. I got my son his own Advantage number a few years ago when he flew American.

Innocent mistake? Or stupidity? American Airlines knows my son's age as I've purchased tickets for him and flagged him as a minor. Either American can't scrub their list and send Citi only those over 18, Citi didn't think to ask American for a list of those over 18 or Citi actually wants to load debt on kids.

Once Vik figures out how to pay the US taxpayer back for its bailout, maybe he can ask his staff to stop targeting kids for credit cards. Citi, a company that acts badly once again.

Thursday, January 1, 2009

You Comment I Follow

Today I read a number of blogs about a movement to remove standard attributes that Google puts in Blogger to prevent indexing for those who comment on your site.

After reading a number of posts and stories, with a most excellent one at Blogger Buster, I have removed all occurrences of rel="nofollow" from my template. Per Blogger Buster, "this means that your backlinks, and links in your comments will now be indexed by the three major search engines when they spider this blog". Tips 4 Blogspot commented that "only the author nofollow hack works". You can read more here.

Blogger Buster notes that Randa Clay created some badges for use on your blog to show that you support this policy. As I needed a smaller badge of 88*32, I have modified Randa's badge and share it here so others can feel free to use it.

Randa's standard logo

is here.

The html code for my modified badge

(on the lower right of my blog) is:

<div style="background-color: rgb(255, 255, 255); width: 88px; height: 32px;">

<div style="margin: 2px 2px 0px; background-color: rgb(255, 153, 0); float: right; width: 84px; height: 12px; color: rgb(0, 0, 0); font-family: arial; font-style: normal; font-variant: normal; font-weight: bold; font-size: 9px; line-height: normal; font-size-adjust: none; font-stretch: normal; padding-top: 1px; text-align: center;">
U COMMENT
</div>

<div style="margin: 2px; background-color: rgb(0, 0, 0); float: right; width: 84px; height: 12px; color: rgb(255, 255, 255); font-family: arial; font-style: normal; font-variant: normal; font-weight: bold; font-size: 9px; line-height: normal; font-size-adjust: none; font-stretch: normal; padding-top: 1px; text-align: center;">
I FOLLOW
</div>

</div>

Thursday, December 25, 2008

AT&T Missed Pricing Me

What other company could promise you a price on the medium they control and not deliver? Could Cablevision have a price on a TV screen that they didn't honor? Could NY Magazine have a price on a magazine insert that wasn't true?

Why can an AT&T rep then over the phone, tell me what my price will be and it comes in different?

Attached is my latest AT&T bill (click to enlarge).



For those who guessed that they wouldn't honor the online price of $40, for those who thought Noreen would be wrong, for those who guessed $45... you win. Read the previous posts here and here.

Time to switch to Verizon?

For completely not delivering on a promise to a customer, AT&T remains a Company Acting Badly.

Saturday, December 20, 2008

AT&T Lost My Baggage

Today I received the following from AT&T (click images to view).


After my previous trouble with AT&T (click here), and that it summarized my Monthly Rate as $-19.90, I found this letter totally confusing and called AT&T to explain it to me.

According to the first rep at AT&T in NYC, AT&T is going to bill me twice for the same service. They will be charging me $51 for the All Distance plan and the new $25 in my letter. Can your car go through two toll booths at one time? How can AT&T bill me for two plans on the same line? According to AT&T's rep, it's my fault for requesting the same service online. After I explained that I couldn't do anything online and had to do it through the phone center she put me over to a specialist.

Like an airline sending my baggage to another city, AT&T's rep sent me to a hold pattern and after a few minutes to another rep, Noreen in CT, who let me know that she's not a specialist. According to Noreen, specialists aren't available on Saturday afternoons. Noreen let me know that I'm on the All Distance plan, that I will only be charged once, and that my total bill (excluding Canada) will come to $45 per month.

$45 per month? Didn't I start trying to get the $40 per month they advertise on line?

After a few minutes on hold, Noreen returned to confirm that I will get the $40. Anyone want to bet what I will see on my next AT&T bill? $51? $76? $45? $40? or $31.10 ($51-19.90)?

For having letters that make no sense, for having NYC reps that don't know what they are talking about and for not being able to transfer someone to a 'specialist' on a weekend, AT&T remains a Company Acting Badly.

Tuesday, December 16, 2008

Checkfree - Not For Me

I like to pay bills online. Saves time, money, paper, the environment. I like to do it through either my bank or direct to the service provider (like Cablevision). I only use Checkfree to pay my water bill since Aquarion won't allow you to pay them directly.

Yesterday I received the following email from Checkfree (click image to enlarge):



Now firstly, Checkfree is a Company Acting Badly for putting together such a poor email:
  • U.S. zip codes have 5 digits not 4
  • The return email address "customercenter.net" doesn't look like Checkfree
  • It says it was sent by Silverpop - who's Silverpop?
  • The 877 phone number doesn't appear on their website
  • It says I may be affected - shouldn't they have logs to know who was on their site?
  • the overall message just feels like spam
Surprisingly, it's real. I logged into Checkfree and got this message (click image to enlarge):



The real problem with Checkfree is that they are not being transparent and specific about what happened. If I understand it, for roughly a 10 hour period, all traffic to Checkfree.com was re-routed to another fake site. If you entered info at this site, then that fake site has a copy of it. Additionally, that fake site may have installed some malicious software on your Windows PC. How did Checkfree let this re-routing happen? What have they done to make sure it doesn't happen again?

You can read more about Checkfree getting hacked at fatwallet, zdnet, and at signs101 where some folks thought it was spam.

This will guarantee they don't get more of my bill pay items, and if Aquarion ever offers a direct debit option from their site directly, I will sign up.

Thursday, December 11, 2008

AT&T Learning From Airlines

Ever fly on a plane and realize that the guy sitting next to you paid a lot less for the exact same seat? Ever wonder if your neighbor is getting the exact same service from AT&T and paying a lot less?

In February 2007 I moved onto an AT&T plan that covered my unlimited local, regional and long distance calling, their "All Distance" plan. It costs $51.00 per month.



AT&T has recently been sending me lots of mail encouraging me to bundle my Internet, cell phone, TV service with them. I've got no interest in that at this time but I did want to see how competitive they were with my home phone plan. I was surprised that Verizon's almost equivalent plan (fewer features that I never use) is cheaper. I was shocked that AT&T has the same plan as mine available for $40 online. 20%+ cheaper? Including taxes, that difference will work out to roughly $150/year I'm paying more than the next guy.



That's right, my neighbor could have been getting the same plan as me for less. Did AT&T reduce my rates when their new pricing hit? No. In all this mail they send me, did they let me know I could save just by asking for the same plan and new price? No. Did AT&T try and milk more money out of me? Yes.

On top of that, when I called AT&T, I was told I would have to re-order the exact same service online in order to get the lower price. Well that's a waste of time. And what happened when I tried to order it online? You guessed it. I have to call AT&T again.



For not letting a customer know that they could save money on the exact same services, for not automatically giving their customers the new price points, and for sending a customer from their phone center to their website only to be told to go back to their phone center, AT&T is a Company Acting Badly.

Monday, November 17, 2008

Citi Speak

Perhaps when they're not laying off 50,000 employees, the folks at Citibank could figure out how to map the English language.

As a long time customer, I recently added a new payee to Citi's online banking program. Citi has Business and Individual payees split and upon choosing business, I hit their search.

I was attempting to add Conroy Irrigation (great bunch of folks).


Here's the list of matches from Citi... as they refer to it that 'closely match the name' I entered.



Now where does Energetix, Wichita, or Greystone sound like Conroy? Perhaps in Citi land. Again, a Company Acting Badly for investing in a tool for customers that only wastes our time.

Friday, November 14, 2008

Citi Bold Update

In the 200 days since I received Citi CEO Vikram Pandit's "Bold" email, we've seen Citi post record losses, declare that tens of thousands will be laid off, increase credit card fees, and have members of its board clamoring for the head of its Chairman.

And its stock price? Down.... way down... As of today, Citi's stock has fallen some 73% from $34.77 when it named Pandit as CEO on Dec 10th, 2007 to $9.50 as of Nov 14th, 2008. You can see the stock chart here.

Thursday, November 6, 2008

El Loco Toro

For the first time in months I received an automated telemarketer call at home. Ever since placing our phones on the National Do Not Call Registry last year, we have had few if any of these types of calls.

This one was unique...

"Don't be alarmed. This is the last chance to lower your interest. Press 1 to continue."

Don't be alarmed? That in itself is alarming.
Last chance to lower my interest?
On what?
My mortgage?
Car loan?
Credit cards?

Press 1 to continue. I hung up. And reported a complaint at the National Do Not Call Registry.



The name and number on caller ID? Toro Bravo LLC. 850-916-3033. A quick Google search shows that Toro Bravo is a restaurant in Gulf Breeze, Florida that finds its name being abused by this telemarketing firm.

Sunday, November 2, 2008

Cablevision Not Trying Too Hard

In my most recent online bill from Cablevision I got a notice that once again they are going to be jacking their cable rates in December of 2008.



What puts Cablevision on the list of Companies Acting Badly is the line that "While every effort is made to keep our prices as low as possible...". Really? Every effort? Hmmm...

How about not charging me for the dozens and dozens of channels I don't use? How about instead of offering a standard, Silver and Gold preset package with tons of channels that you offer to let me pick them a la carte?

According to an early 2006 article in USA Today, the average person only watches 15-17 channels a month. Why then should I be paying for 250 channels? In the same article the FCC states that I could save 13% by an a la carte structure. They also quote a survey where 54% of Americans would rather pick and pay for their channels.

An article around the same time in the LA Times notes that Canada, Britain, India and Hong Kong all have some variation on A La Carte pricing.

Cablevision is a Company Acting Badly for not making "every" effort to keep prices as low as possible.