• Who's most gullible online and why? Secrets from scam world revealed

    Think grandma and grandpa are the most likely to fall for Internet scams? Think again, suggests a study on gullibility released earlier this month. 

    Younger, less educated, underpaid Americans are the group most likely to fall for schemes of digital criminals peddling fake charities, rogue antivirus software or myriad other cons, the survey indicates. Middle-class earners are less likely to be victims, but folks earning more than $200,000 annually seem to be almost as gullible as those living below the poverty line, it found.

    Brits and Australians are more skeptical than their American counterparts, says the study, released by security firm PC Tools and survey firm The Ponemon Institute. Only those three nations were studied.


    The vulnerable age result might surprise those used to the caricature of older folks who fumble their way through e-mail and Web pages.

    "My gut tells me this is really surprising," said Larry Ponemon, who runs The Ponemon Institute. "Just with my own children, they grew up with technology. They are a lot smarter with these things, I thought. For me, it was a counterintuitive result. We found that in the UK and Australia as well."

    But Stephen Greenspan, author of “Annals of Gullibility: Why We Get Duped and How to Avoid it,” said the young and uneducated are always the most vulnerable group because they often haven’t fully developed their skepticism sensors.

    "As dumb as it is, a lot of people have responded (to an e-mail scam)," he said. "The biggest thing is how likely someone is to see through it."  

    The study required a lot of self-reporting by victims on their own behavior, so its results should be taken with a grain of salt. Still, Greenspan said many of its findings were consistent with other research he's seen.

    The survey found that scams involving a free prize or free antivirus software were the most successful with Americans, while online charity scams were only about half as likely to find victims. It also found that Americans in the Northeast and Southwest were most likely victims, while Midwesterners and residents of the Pacific Northwest were the most skeptical.

    "I live in Michigan.  People here feel they have horse sense that may not exist in other parts of the country," Greenspan said.

    The study even waded into political territory, finding that Republicans and Democrats were about equally likely to be victims, while members of some "alternative" parties, like the Tea Party or the Green Party, rated better.  Independents were found to be the most vulnerable.

    The most susceptible target victim of all is a woman between 18 and 25, who lives in the Southwest, earns between $25,000 and $50,000 and doesn't hold a high school degree, the study says.  The most scam-proof demographic is males aged 56 to 65 who've earned an advanced degree, live in the Midwest and earn between $150,000 and $200,000.

    The study asked participants to rate how likely they were to fall for various scams, and also how likely they felt others in their demographic were to fall victim. Perhaps the most interesting finding in the study is how critical Americans are of other Americans' critical thinking.  In every category, Americans thought their compatriots were much more likely to fall for scams than Brits or Australians thought their countrymen to be.  Sixty-two percent of Americans, for example, believed other Americans would give a scammer their credit card number in exchange for a get-rich-quick opportunity, compared to just 43 percent of Australians.

    "There is a sense in other parts of the world that Americans are naive," said Rich Clooke, a PC Tools spokesman.

    The nations also differ radically when asked to define the best internal fraud-fighting tool. Americans seem to think they can outsmart con artists, as they ranked intellect (33 percent) as more important than natural skepticism (16 percent). Australians felt the opposite, ranking skepticism (38 percent) much higher than intellect (16 percent).

    The number of survey takers who admitted they might fall for scams was surprisingly high across the board, Ponemon said.  Despite constant media attention to the problem, 53 percent of Americans thought they might click and download booby-trapped antivirus software.  Nearly 50 percent said they'd surrender personal information to download a free movie, and 55 percent said they'd give a potential scammer their cell phone number for a chance at a prize.

    "People knew this was a survey about scams. ... You'd think they'd report themselves as less likely to fall for things," Clooke said. "I really think that complacency, not stupidity, is driving some of these results. Some people may have focused their lives around their computer and Facebook relationships (so) that they lose track of what's real."

    Or, perhaps Internet users are finally getting the message that anyone can fall for a scam under the right circumstances.

    "We all think we're better lie detectors than we are," said Greenspan, the gullibility expert.  He would know. He was a victim of Bernie Madoff's Ponzi scheme and lost about 30 percent of his retirement money when he invested in a Madoff feeder fund, persuaded by a friend who was a salesman for the fund.

    Greenspan categorizes gullibility under a larger group of what he calls "foolish behaviors," and says four things contribute to someone being foolish at a particular moment: situation, cognition, personality and emotion. 

    Situation usually involves our natural human tendency to move in packs and do what everyone else seems to be doing. Who wants to be the only person not making money during a booming stock market?

    Cognition -- the ability to think through a potential scam -- can abandon potential victims. People of above average intelligence often fail to use that intelligence when conducting everyday business, like deciding whether or not to click on an e-mail.

    Personality matters, of course.  Some people simply have weaker personalities than others, and are more susceptible to the power of suggestion.

    Meanwhile, emotion is almost always a tool of con artists. They'll urge you to act now because time is limited. They will wear you down with a lengthy sales pitch so you ultimately agree to purchase a time-share that you'd never buy if you were well-rested.

    "You can make the point that the brain is (like a) muscle, and when it's tired, it doesn't function as well," Greenspan said. "That's where willpower fails.  It takes energy to resist."

    One scam-proofing tactic suggested by Greenspan's model: Don't read e-mail late at night, or, at least, don't answer e-mail at night.

     Don't miss the next Red Tape:
    *Get Red Tape headlines on your Facebook Wall
    *Follow Bob on Twitter. 
    *Get an e-mail newsletter with Red Tape stories (requires Newsvine registration).

     

  • The gray cloud hanging over CES: Anti-piracy law SOPA pits tech vs. tech

    Amid the glitz and glamour of the Consumer Electronics Show, a gray cloud hangs over the annual geek-fest in Las Vegas: The future of controversial anti-piracy legislation known as SOPA, which threatens to cause a bit of a civil war among technology firms, pitting content firms against distribution companies.

    A staunch opponent of the Stop Online Piracy Act, or SOPA, Rep. Darrell Issa spoke at the show Wednesday, and announced plans to hold a hearing in Congress on Wednesday, Jan. 18 that would give SOPA opponents a high-profile platform for their concerns. Meanwhile, Jan. 18 will apparently be the day part of the Internet goes dark for some. Reddit.com plans a black-out to call attention to SOPA that day, and others are following suit.

    Meanwhile, Sen. Patrick Leahy (D-Vt.), sponsor of the Senate companion bill to SOPA, called The Protect IP Act, or PIPA, on Wednesday seemed to back off one of the legislation's most controversial elements -- the ability for law enforcement to shut down so-called "rogue websites" by making them inaccessible through the Web's domain name systems.  Leahy said in a statement on his website that he would be willing to delay that portion of the legislation's enforcement provisions. 

    SOPA's supporters say the bill would give intellectual property rights holders -- such as TV studios -- a powerful new tool to protect their creative works. But opponents say it would allow federal authorities to shut down entire portions of the Internet without due process, and fundamentally alter the Internet's ability to provide a platform for free speech.

    Strange bedfellows Issa (R-Calif.) and Sen. Ron Wyden (D-Ore.) jointly held a press conference Wednesday at CES, calling SOPA and its Senate companion The Protect IP Act (PIPA) a legal quagmire. Issa said SOPA was "massive legislation that would be expensive (and) hurt the Internet."

    Issa's hearing before the House Committee on Oversight and Government Reform will be heavy on testimony from SOPA opponents. Lanham Napier, the CEO of Rackspace Hosting, and Alexis Ohanian, co-founder of Reddit.com, will reportedly appear.

    That day, Reddit says it will essentially go dark from 8 a.m. to 8 p.m., providing only a link to a video stream of the hearing. Wikipedia's Jimmy Wales posted a note on his personal page saying that website might consider a similar blackout. The hacker group Anonymous also encouraged others to join in the 12-hour blackout, and garnered a lot of attention with its Twitter post using the hashtag #BlackoutSOPA.

    The Consumer Electronics Association, which operates the CES trade show, is a vocal opponent of SOPA. A panel at the trade show was devoted to arguing the pros and cons of the legislation’s anti-piracy efforts.

    The House Judiciary Committee was slated to revise and prepare SOPA for a vote -- a process called the "markup" -- in December, but the process was delayed one month. The date for a new markup session hasn't been released yet, but it is expected within the next three weeks.  A vote on the Senate version of SOPA, PIPA, is slated for Jan. 24.

    On Thursday, Leahy said complaints from "human rights groups, engineers, and others" had convinced him to change his thinking on the bill.

    "I remain confident that the ISPs – including the cable industry, which is the largest association of ISPs – would not support the legislation if its enactment created the problems that opponents of this provision suggest.  Nonetheless, this is in fact a highly technical issue, and I am prepared to recommend we give it more study before implementing it," he said in a statement on his website. "As I prepare a managers’ amendment to be considered during the floor debate, I will therefore propose that the positive and negative effects of this provision be studied before implemented, so that we can focus on the other important provisions in this bill, which are essential to protecting American intellectual property online, and the American jobs that are tied to intellectual property.  I regret that law enforcement will not have this remedy available to it when websites operating overseas are stealing American property, threatening the safety and security of American consumers."

    Meanwhile, at CES, Wyden and Issa stumped for their alternative to SOPA, which they call the OPEN Act, or Online Protection and Enforcement of Digital Trade Act.

    "I do not believe you can go out and damage the architecture of the Internet in the name of anti-piracy," Wyden said at his press conference, according to Twice.com.

    Issa, who ran a technology company before entering Congress, has complained that SOPA supporters in Congress don’t know enough about technology or the Internet to evaluate the legislation. The OPEN Act would take responsibility for enforcing anti-piracy rules away from the federal court system and give it to the U.S. International Trade Commission, a quasi-judicial body that advises Congress on international trade issues and has some enforcement power regarding unfair trade practices, such as product dumping or copyright infringement. The OPEN Act would also tone down some of SOPA’s provisions, such as the ability to quickly blacklist allegedly offending domains.

    It's hard keeping track of who's for and against SOPA, and why the legislation is important in the first place. (Even the Daily Show's Jon Stewart admitted as much during Wednesday's show.) Fortunately, there are some tools that can help. A website named SOPA OPERA allows visitors to search members of Congress geographically or alphabetically to see where they stand, based on public statements and other research.

    The website TheoriesofConspiracy.com contains a list of what it says are about 350 companies that support SOPA. Most are media creation companies.

    A more official list of supporters is published on the House Judiciary Committee's website (PDF).

    The Center for Democracy and Technology is maintaining a list of firms that have "expressed concern" with SOPA, including heavy-hitters like Yahoo, Facebook, Google, and Twitter.

    But the battle lines drawn over the SOPA fight can be messy. As msnbc.com’s Kyle Orland has written, some industries -- such as gaming -- are evenly split for and against the legislation.

    For general background on SOPA, Declan McCullagh offers a comprehensive Q&A.


  • Cordray tells msnbc.com new bureau will help consumers 'muscle up'

    Rich Cordray spent the past six months in the Washington, D.C., version of limbo: an unconfirmed political appointee waiting for a Senate vote on his future employment.  While he wandered around the nation’s capital trying to befriend skeptical Republicans – and wandered around the bureau’s Treasury Department offices in socks – many believed Cordray was destined to wait until November’s presidential election for a definitive up-or-down vote.

    Last week, in a bit of a surprise, President Obama stuck his neck out perhaps as far as he has during his presidency, using a recess appointment to do an end-run around Senate Republicans and install the former Ohio attorney general as head of the new Consumer Financial Protection Bureau.

    In an exclusive chat with msnbc.com on Monday, Cordray offered a quick view of what happens now. The bureau will immediately begin making rules for segments of the financial services industry that had previously slipped through the regulatory cracks, such as payday loans – a situation that Cordray said had created markets where “bad practices drive out the good.”  He also said that consumers who know they have a watchdog on their side will be emboldened to continue "muscling up" against companies, using blogs and social networks to join together and demand fair treatment.  The full, brief interview is below.

    QUESTION: Millions of Americans say they've been cheated by the financial system, and feel that some American markets are unfair. What does Rich Cordray offer to them?

    Answer: "I offer that I share their point of view that financial markets are broken in many ways and have been for a long time, and it's high time we had a watchdog agency to stand on their side and protect them in the marketplace -- a place where they often feel helpless and confused."


     

    Q:  Describe two or three things American consumers might see immediately now that the bureau can begin its full operations.

    A: "First, we are working to make prices and risks clearer for people, and we are working to make disclosures more simple so that consumers will be better informed, and better able to make comparisons.

    “Second, now that we have full authority to level the playing field between banks and non banks, you'll see some markets that were operating in a distorted and destructive way, you'll see them begin to clean up.

    “It's indisputable that some of these markets were distorted. You take a market and regulate part of it and leave the rest of it unregulated, bad practices will drive out the good. We saw that in the mortgage marketplace. You'll see, with us able to police the whole market, that things will be better.

    “And the third thing is that now that we have the authority to enforce the law, you're going to see institutions ... thinking more carefully about how they are treating customers, making sure that what they do is not just technically legal but also not unfair.  You'll see them asking themselves, ‘Is this the way you would want your own family treated in the marketplace?’

    “But there's one more piece that's interesting.  We are starting to see in these marketplaces that consumers are "muscling up." They understand that they have a voice, and that voice can matter, and they are using technology to band together and demand that they are treated better.  They will continue to do that, but having a watchdog will give them more confidence to do it in stronger and more effective ways.”

    Q: Can you give us -- without naming company names, if you must -- one example of an unfair practice that your bureau will be able to stop sometime soon?

    A: “You will see that soon based on our actions. I'm not going to make that news today.”

    Q: What does it mean to you, personally, that President Obama took the controversial step of installing you via recess appointment?

    A: "It means to me that we have a responsibility to deliver for 300 million people now and we have the opportunity to do our job fully. … I feel a heavy responsibility."

    While the bureau had begun work in July 2010, many of its real regulatory powers did not kick in until Cordray was installed.  Already, it had begun collecting complaints about credit card issuers and acting as an unofficial mediator between banks and account holders. It also has issued a report listing the most frequent complaints. In December, it began doing the same for mortgage products.  Only days after Cordray was installed, the bureau announced it had launched “non-bank bank” oversight, including mortgage services, payday lenders, and student loan firms that don’t fall under traditional banking regulatory agencies.

    The bureau takes complaints on its Web site at ConsumerFinance.gov.


  • New virus raids your bank account - but you won't notice

    The best way to protect yourself from an online financial scam is to diligently check your bank accounts. At least, until now.

    Israel-based security firm Trusteer has found an elaborate new computer virus that not only helps fraudsters steal money from bank accounts -- it also covers its tracks.


    Think of a crime plot involving a spy who plans to break into a high-security building and begins by swapping out security camera video so guards don't notice anything is amiss. Known as a surveillance camera hack, the technique has been used in dozens of movies.

    A new version of the widely prevalent SpyEye Trojan horse works much the same way, only it swaps out banking Web pages rather than video, preventing account holders from noticing that their money is gone.

    The Trojan horse employs a powerful two-step process to commit the electronic crime. First, the virus lies in wait until a customer with an infected computer visits an online banking site; it then steals the customer's login credentials and tricks the victim into divulging additional personal information such as debit card information.  Then, after the stolen card number is used for a fraudulent purchase, the virus intercepts any further visits to the victim's banking site and scrubs transaction records clean of any fraud.  That prevents -- or at least delays -- consumers from discovering fraud and reporting it to the bank, buying the fraudster critical extra time to complete the crime.

    Trusteer calls it a "post transaction" attack, because much of the virus' effectiveness is attributable to its ability to control what victims see after fraudulent transactions occur. Amit Klein, chief technology officer for Trusteer, said he believes criminals have used the technique for a few months, and it has infected real consumers. 

    "I predict that the use of post transaction attack technology will significantly increase as it enables criminals to maximize the amount of fraud they can commit using their initial investment in malware toolkits and infection mechanisms," Klein said.

    The new SpyEye came to Trusteer's attention when a large retail bank in the United States spotted it and shared it with the firm, he said.

    'A very scary tactic'
    The virus' evidence-covering techniques are elaborate. First, it keeps track of all fraud committed by the criminal, and makes sure to remove those line items from online transaction lists.  It also edits balance amounts to prevent consumers from getting suspicious.

    "This is a very scary tactic," said Avivah Litan, a financial fraud analyst at consulting firm Gartner. "Everybody thinks all they have to do is check their transactions and their balances. That's not true anymore."

    The new virus technique ups the ante in the cat-and-mouse game between security companies and the computer criminals who try to steal consumers' money.  Consumer reports of fraud are still a very important part of fraud-fighting techniques, Litan said. 

    "Most banks 'let the first transaction through,' because if they stopped everything that was potentially fraud, consumers would get annoyed," she said.  In some cases, fraud-checking tools kick in only after initial reports, so this version of SpyEye could buy criminals important time as they try to turn stolen data into cash.

    "Usually they only need one day more to get the money, to push the fraud through," she said. "They always want to keep the security guys running after them."

    Such cover-your-tracks techniques have been used before by virus writers, Klein said. In a simpler version, criminals who raided online bank accounts and wired money out of them would try to hide the transaction from victims using the same Web page interception trick. But this new flavor has more potential for success, because it involves stolen debit card numbers used at third-party merchants, creating complex transactions involving multiple banks and multiple security systems. 

    Victim account holders who check their balance at an ATM -- or even at a second uninfected computer -- would be able to spot the fraudulent transactions. The virus doesn’t impact bank systems, merely the characters that are displayed within the infected system's Web browser.  That means paper statements would reveal the fraud, too.

    Of course, consumers who rely on paper statements could be a full 30 days behind when it comes to spotting fraudulent transactions.

    While Klein is worried about the "post transaction" attack, he said consumers who have vulnerable Web browsers are bound to be victims of one fraudster or another.

    "My take is that if your computer is infected with financial malware, it's game over anyway," he said. "My takeaway is you need to prevent getting infected with financial malware in the first place."


  • Of course upward mobility is the problem; we're stuck in our homes

    RED TAPE BRIEFS

    Perhaps this is why we keep talking past each other.

    In today's New York Times, Jason DeParle did a great job of exploring a new angle to the tired debate about the real problem with the American economy -- a decline in upward mobility, which once upon a time was a defining characteristic of the American way of life.  While liberals and conservatives argue over poverty.

    This decline is also a good starting point for discussion about what's wrong with our country, because there's plenty of room for agreement across the political spectrum. While liberals and conservatives argue about the effectiveness of providing aid to the poor, experts on both sides have noticed that many lower and middle class Americans are suffering from stagnation -- and agree that must be fixed. 

    I'll state it more plainly. Our economic malaise isn't about poverty, it's about being stuck. In fact, it's about nearly everyone being stuck. A Red State-Blue State fight to the death over extending unemployment benefits is a poor proxy for discussing the real problem. The first politician to realize this will really be on to something -- perhaps a unifying theme that could move us past the current poisonous state of partisan politics.

    We can all agree that America isn't America without the Frontier spirit, the social contract that if you work hard, there's a brighter tomorrow. That spirit is in serious danger... right now.

    In my opinion, here's why: Housing costs eat up more than twice as large a share of a family's monthly budget today as they did a generation ago. Here are some data points: A 1975 Census report showed that only 8.9 percent of mortgage holders spent 35 percent or more of their income — including insurance, property taxes, and utilities — on housing.  In 1999, 26.7 percent of U.S. households were considered house poor by U.S. Census Bureau standards, or spending more than 30 percent of income on housing. By 2006, the number had jumped to 34.5 percent. The bureau also found that 46 percent of renters were "house poor" that year, paying 30 percent or more of their income on housing costs.  (For much more on why life really is harder now, see this story. For more housing cost data, see this PDF at the Census Bureau site. The Bureau offers no more up-to-date data).

    This extravagant increase in housing costs trumps any other data point you can find. It has created an unsustainable burden, and more important, it has glued families to their current homes and severely restricted labor mobility. You can't take that great job offer in another city if there's no hope you'll sell your current home.  Meanwhile, just where are young married couples who want to have a third child supposed to live?

    Until we fix this, upward mobility will be severely hampered, and the American Dream will be, if not dead, in a coma.


  • Want to learn about Santorum? You might not want to search the Web at work

    Americans taking their first look at Rick Santorum  are in for a surprise if they try to Google him for more information.

    The first link you'll find won't be a discussion of Santorum's conservative political views, or a campaign brochure, or even criticism of the former Pennsylvania senator's congressional record.

    The first link offers a faux definition of the word "santorum" as the byproduct of a sex act - a very graphic definition, at that. Because the definition appears right on the search results page, it's convincing enough that someone might believe the suddenly prominent Republican presidential candidate has suffered from an unfortunate coincidence involving his last name for his entire life.

    In fact, the "coincidence" is only about eight years old.


    In 2003, Santorum angered many in the gay and lesbian community when he appeared to tell an Associated Press reporter -- in very twisted language -- that gay sex was not entitled to privacy protections, and could therefore be banned by the government. 

    (A transcript of his interview is here. There are other interpretations of his remarks.)

    Publication of the interview caused outrage among gays, and it eventually found voice in Seattle-based sex columnist Dan Savage, who took up a suggestion from a reader and decided to play a Google trick on Santorum.  He held a contest to decide precisely how to define "santorum," then created a Web page called SpreadingSantorum.com that did so, and finally he helped create a network of other Web pages that pointed to the page.  Soon enough, SpreadingSantorum became the top search result for Google (and Bing, and Yahoo) searches of "santorum."

    "Real" links about the former senator appear farther down in the search results.

    Tricking Google results is a common practice by those using search engine optimization tricks. It's a constant cat-and-mouse game between Google's algorithm writers and anyone who has a desire to manipulate what happens when Internet users scratch a search engine itch.  Companies worried about random customer complaints can employ tactics to push down the negative remarks so casual searchers don't find them.  Others find ways to make links to their Web pages more prominent than competitors' pages. 

    It's easy to use SEO tactics to create faux definitions or Internet memes, too.  Not long ago, I played such a trick on the audience at the RSA technology conference with fellow speaker Hugh Thompson. We made up a concept -- "context reflux" -- and seeded the Internet with it.  Then we played a fake game of balderdash with them, letting the audience vote on which definition of the word was accurate.  Thousands voted: No one questioned that the Internet might be lying about the definition, which was the point of the exercise.

    While clicking on SpreadingSantorum.com brings up a page that includes only the sex act definition, and indicates the word also refers to the former senator, users who click again find plenty of content regarding Santorum's political positions.  That makes the website political satire. While Santorum has called the site "filth," he has conceded that it's protected by the First Amendment.

    Politically motivated search manipulation has a long -- and mixed -- tradition. In 2007, searches for "miserable failure" pushed users towards a biography of George W. Bush.  (That trick is more rightly called a “Google bomb,” but the effect is much the same.)

    Google has refused to manually remove such pages or results in the past, but it has tinkered with its algorithm to demote such results. It ultimately did so with "miserable failure." So far, even after contacts from Santorum's campaign, the firm hasn't taken any steps to demote Savage's SpreadingSantorum.com page.

    Should Santorum remain a prominent presidential candidate, he might manage to overcome the SEO problem the old-fashioned way -- by inspiring thousands of websites and links to his real content.  That's no small task, however. More than 47,000 Facebook users "like" Savage's page, and he has an eight-year head start on Google's magic formula for results.

    It should be noted that while many parents would not want their children to see Savage's page, schoolchildren searching for information on Sen. Santorum can be shielded from it if adults turn on Google's SafeSearch feature. Also, searches for "Rick Santorum" or "Sen. Santorum" pull up the expected results.

    For much more on Sen. Santorum's Google problem, including a discussion of potential political bias by Google, see Danny Sullivan's excellent explanation at SearchEngineLand.

     


  • Huge Eurobank, rated 'Britain's worst,' now accused of gouging US consumers

    The accusations are as outrageous as they are plentiful:  Hundreds of “robocalls” --  in one case, 800 to a single person -- to collect auto loan debts;  illegal repossession of cars from active duty military deployed overseas;  late fees assessed three years after the fact and then compounded into $2,000 or $3,000 bills; harassing calls to friends, neighbors, co-workers -- even children -- on cell phones. And now, a flurry of lawsuits filed around the country, and lawyers fighting over potential clients.

    The defendant in the lawsuits is Europe’s largest bank, Banco Santander S.A., which is preparing to make a big push into U.S. retail banking. But many Americans already have been introduced to the Spanish financial powerhouse, a first encounter that many liken to a nightmare.

    Santander’s most visible presence in the U.S. market is the result of a buying spree begun in 2009, when the bank began purchasing billions of dollars in auto loans -- many of them subprime loans for used cars -- from Citibank, HSBC and a host of other banks. 

    But if the cascade of complaints and lawsuits is accurate, Santander Consumer USA has tried to immediately turn those receivables into lucrative assets by assessing massive penalty fees and repossessing cars under dubious circumstances.

    "They have a good business model if you are a crook," said lawyer Johnny Norris, who filed one of the first class-action cases against Santander Consumer USA, the Spanish bank's U.S. arm.  "It's a very lucrative but unlawful business plan. ... It's really terrible and we're trying to put a stop to it."

    Laurie W. Kight, vice president of communications for Santander Consumer USA, said the company would not consent to an interview for this story.

    "(Santander) declines to comment at this time," she said in an email.

    While the Internet has been awash in complaints about Santander’s debt-collection practices for months, legal proceedings are just now reaching a fever pitch.  Norris said he's filed more than 100 individual cases against Santander and he's considering hundreds more.  One of his clients was called more than 800 times by an automatic dialer, he said, alleging that the calls represent a violation of the Telephone Consumer Protection Act. If so, each call could net a penalty of $1,500 for plaintiffs.

    "Our cutoff is 100 calls" when the firm screens potential new clients for Santander lawsuits, he said.

    The class-action case, with seven lead plaintiffs, was filed in federal court in Alabama.

    One plaintiff, Leslie Haynes, purchased a used BMW in 2007 from a dealer in Birmingham, Ala., according to court documents. A year later, Santander collectors began peppering her with demanding calls. The lawsuit claims agents misled her about the balance of her loan, tried to trick her into making additional payments, then refused to stop calling her at work. Agents also frequently called relatives, even harassing her sick stepfather and his live-in caregiver in the months before he died, it alleges.  The court filing does not indicate whether Haynes had made all payments on time.

    Another plaintiff in that case, Victor Shortt, alleged that Santander agents repeatedly called his minor daughter's cell phone, ignoring pleas to stop. A third, Jacob Glassmoyer, said Santander officials called his parents' cell phones repeatedly, at a time when one of them was undergoing chemotherapy, according to the lawsuit.

    Norris said Santander routinely uses another tactic after acquiring a loan from another lender: It searches records for past slip-ups -- such as a payment that was late by a few days -- then assesses fees retroactively, sometimes years after the fact. By calculating the loan forward from that point, and "cascading" the fees, the firm sometimes claims clients owe thousands of dollars in late fees, and demands immediate payment or threatens repossession.

    Another class-action case, filed in a federal court in California, accuses Santander of ignoring the Servicemembers Civil Relief Act, claiming the firm repossesses cars while active duty military are deployed overseas and refuses to lower interest rates to 6 percent, as required by law. The plaintiff in that case, Sgt. Charles Beard of Lemoore, Calif., serves in the U.S. Army National Guard, and was deployed abroad on Aug. 16, 2008. On Feb. 3, 2009, Santander repossessed his Kia Sportage, even after the bank was informed that a court order is necessary to repossess a deployed soldier’s car. 

    "One of defendants’ representatives told Mrs. Beard that she would go to jail for a stolen car if she did not turn in the vehicle," the lawsuit alleges. Santander also ignored complaints from Army legal assistance, and sold the repossessed auto at auction in March of that year, according to the lawsuit.

    The lawsuit claims such violations by Santander of the Servicemembers Civil Relief Act are routine.

    "Defendants have a policy of failing to verify, prior to undertaking voluntary repossession, whether the person whose vehicle is subject to repossession is serving on active duty," it claims. "Defendants routinely ignore service members’ rights under the SCRA and wrongfully repossess their cars without obtaining the requisite court orders."

    Used car loans might seem like a hard way for an international bank to make money, but they've actually proven to be more resilient and recession-proof than other forms of lending -- particularly mortgage lending. Cars, at the moment, appear to be better collateral than homes and are much easier to turn into cash after a borrower defaults. That's part of the reason that Santander was the most profitable bank in the world outside of China last year, and has been on the acquisition trail since the financial meltdown.

    The Spanish bank is Germany's largest auto lender, and has enormous auto loan portfolios across Central and Eastern Europe, said Mauro Guillen, a Wharton Business School professor who wrote a book about Santander called "Building a Global Bank."

    "Auto loans are low margin, but high volume gives you a good return," he said. "It's a typical way for Santander to enter a market."

    It's also lucrative. Santander Consumer USA earned a tidy $455 million in 2010.

    "It's a cash cow for them," Guillen said. 

    Santander has big designs for U.S. retail banking. It completed the acquisition of Sovereign Bank, largely a regional lender based in the Northeast, in 2009.  It recently received approval to convert from a savings bank to a national bank, and plans to begin rebranding 747 Sovereign branches as Santander early next year.

    But as the bank brings its impressive balance sheet to the wider U.S. market, it apparently has also exported its reputation for mistreating consumers.  Last year, a flurry of news stories in the British press labeled Santander "Britain's worst bank," after it registered more than 160,000 complaints from account holders in a recent 6-month period, by far the most of any bank. The complaints typically involved frustrations with fees and customer service.

    Santander usually receives the most consumer complaints in Spain, too, Guillen said.

    Santander's move into U.S. auto loans has been aggressive.  In November 2009, it acquired $1 billion in loan receivables from HSBC for $900 million. It raised the stakes much higher in June 2010, when it announced it purchased $3.2 billion in loans from CitiFinancial, and also agreed to service another $7.2 billion in auto loans still held by CitiFinancial.

    Combined with a series of acquisitions from smaller lenders, and the loans it inherited from Sovereign, analysts estimate Santander's U.S. auto loan holdings at $17 billion.

    The bank's preference is for high-interest, subprime auto loans, which were reliably lucrative before the financial collapse, Guillen said.

    They still are, argued lawyer Norris, because of what he says are the bank’s illegal practices.

    "They are taking these subprime loans while the loan is still active.  They are piling that loan as high as they can with fees, making as much money from the borrower as they can," he said. "Then they repossess the car, and sell the car.  Maybe there's a difference between the outstanding loan amount and the price they get at auction, but guess what:  Santander didn't pay 100 cents on the dollar for the loan. They bought the car at a discount to start with."

    The Internet is awash with complaints of unfairly repossessed cars and sudden demands for lump payments by Santander. Many focus on confusion around the transfer of the loan to the Spanish bank from the original lender.  Thomas Tupper of Irvine, Calif., purchased his car through Citibank, but when the loan was transferred to Santander in September 2010, he says he ended up with nothing but trouble. Automated direct payments were received by Santander, and credited to his account, but he was still reported late to the nation's credit bureaus and assessed late fees by the bank.  Then, when he sold his car, Santander cashed the payoff check but still reported him as late. That forced him to make extra payments on the loan, even after the loan was paid off. He's only received partial refunds of the overpayments. (For more on his trouble, click here)

    Donovan Rogers, 34, of Abilene, Kansas, said Santander repossessed his 2005 Dodge Durango this year after purchasing his loan from the original lender. Rogers said he wasn’t alerted to the bank change. He claims he continued to send payments on time via money order to his initial lender, but Santander would later tell him it never received the payments. He says he was unaware of the problem until weeks before the car was repossessed in May. He says he received nearly 500 phone calls from the firm during that time, and was threatened with criminal charges. Even though the pickup was sold at auction in June, he said he still receives calls from Santander demanding payment.

    “They've made my life a mess.  When I tell people my story, they are in awe,” Rogers said. “I thought I was alone until I found all these other stories online. I’m living a nightmare, but now I’ve seen stories of people with much worse nightmares than mine.”

    Accusations of unfair fees and repossessions don't figure into the lawsuits Santander is facing, however.  Lawyers are flocking to the cases because of potentially lucrative violations of the Telephone Consumer Protection Act and the Fair Debt Collection Practices Act. Santander agents routinely fail to identify themselves, use obscenities, call people other than the actual debt holder and reveal to those people details about the debt, the lawsuits allege -- all direct violations of the latter law. The bank has also used automated dialing systems and prerecorded messages directed to cell phones without permission, the lawsuits allege, a violation of the Telephone Consumer Protection Act. Willful violations of that law offer a $1,500-per-phone-call bounty to the plaintiff.

    Missouri lawyer Gary Green, who is also readying a series of lawsuits against Santander, thinks that the bank may have just overlooked consumer law when it raced to expand its U.S. presence.

    "I think that they've stumbled in without doing research," he said. "And they figured the claimants would act like most claimants and not realize they had any rights.  They figured they could take advantage of these people thinking individually they would have no voice. And maybe they just didn't read the federal law."

    Even outside of consumer issues, Santander's reputation is not pristine. Alfredo Saenz, the bank's No. 2 executive, received a pardon last month from lame duck Socialist Party officials in Spain, sparing him from a previously imposed lifetime ban from working in banking. In 2009, he was convicted of making false criminal accusations in an attempt to recover a $5 million loan dating back to 1994. 

    The bank's CEO, Emilio Botin, and other relatives are the focus of a tax evasion inquiry by the Spanish government involving a secret Swiss bank account that dates to the days of the Spanish Civil War in the 1930s.

    Santander also operated a so-called "feeder" fund that essentially acted as a front to entice investors for disgraced Ponzi scheme operator Bernie Madoff; clients lost a staggering $3 billion.  The bank says it, too, was duped by Madoff, and has already paid $235 million to the fund set up by Madoff trustee Irving Picard. It has also offered nearly $2 billion worth of stock to victims to settle pending lawsuits.

    But Guillen, who wrote the book on Santander, thinks it might be unfair to single out Santander for alleged aggressive debt collection tactics.

    "What bank doesn't have a lot of complaints right now? I can't imagine (alleged illegal tactics) are a part of an explicit business plan," he said. "Are they doing this more than other banks? Banks are desperate for cash right now. I don't know if Santander stands out as being more aggressive than other banks."

    And despite the complaints and lawsuits, he predicted the bank will successfully expand into U.S. retail markets.

    "And I would predict other acquisitions for them," he said.

     

     

  • Senate GOP blocks consumer agency nominee Cordray, but who's to blame?

    Jacquelyn Martin / AP file

    Richard Cordray.

    Will Americans believe President Barack Obama was fighting for their consumer rights by trying to force a vote on Consumer Financial Protection Bureau nominee Richard Cordray, or will they believe Senate Republicans were fighting to prevent creation of an unwieldy new government agency with unchecked powers?

    We're about to find out.

    Thursday morning brought congressional theatre that ended with the Senate effectively rejecting Obama's nominee to head the newly formed Consumer Financial Protection Bureau.  There was little mystery to the vote --  44 Republicans pledged in May to block his nomination, and only 41 were needed to spike it. The final tally was 53-45, with Republican Olympia Snowe  of Maine voting "present." Sen. Scott Brown of Massachusetts, facing the bureau's inventor Elizabeth Warren, was the lone dissenting GOP vote.

    The only mystery is, who will Americans blame now?


    Obama and Democrats spent the week campaigning for Cordray in several states where Republican Senators face re-election campaigns, including Maine and Nevada.  Senate Republican minority leader Mitch McConnell of Kentucky responded by accusing Obama of playing politics.


    “Now he’s suddenly making a push to confirm his nominee — because it fits into some picture he wants to paint about who the good guys and the bad guys are in Washington,” McConnell said on the Senate floor Tuesday. “... So once again he's going to use the Senate floor this week to stage a little political theater. He’s setting up a vote he knows will fail so he can show up afterward and say he’s shocked.”

    Speaking in Kansas on Tuesday, Obama argued that Republicans are simply being obstinate. 

    "Nobody claims (Cordray's) not qualified,” he said in a speech about the economy. “But the Republicans in the Senate refuse to confirm him for the job; they refuse to let him do his job. Why? Does anybody here think that the problem that led to our financial crisis was too much oversight of mortgage lenders or debt collectors?”  

    Political considerations aren't far behind, however, as White House Press Secretary Jay Carney said Republicans who vote against Cordray will have "to explain to their constituents why they did not support common sense reforms," according to the Wall Street Journal.

    As a practical matter, Thursday's cloture vote prevented Democrats from ending debate on the Cordray nomination, thus preventing an actual vote on his nomination.  It doesn't mean Cordray has no shot to run the agency, however.  The administration could still attempt a recess appointment, and some observers speculate that the Senate vote is merely a step along that path.

    Such a move could threaten the legitimacy of the entire agency, however, and would undoubtedly lead to accusations of foul play from Republicans, and perhaps trigger litigation from banks the agency would try to regulate.

    But without a director, the bureau is already hamstrung on a number of fronts. Many of the bureau's regulatory powers don't kick in until a director is named.  It can't supervise so-called non-bank banks, like payday lenders, for example.

    “The list of financial tricks and traps that consumers are forced to deal with keeps growing,” said Travis Plunkett, legislative director of the Consumer Federation of America, an advocacy group. “Fourteen months after Congress created the CFPB, the agency needs a permanent leader so it is not fighting financial abuses with one arm tied behind its back.”

    The nascent bureau has begun to take on some less controversial tasks during this start-up phase. Last week it announced results of a study of credit card complaints; this week it released a new, simplified model credit card agreement that cuts down verbiage from 5,000 to 1,100 words.

    Still, Republicans held firm, because they say the new consumer bureau would have too much power as currently constructed.  Sen. Richard Shelby, R-Ala., the ranking Republican on the Senate Banking committee, went so far as to call it "a monster, as far as future regulation."

    Five Republican Senators, including moderate Susan Collins of Maine, attended a public event on Tuesday to reiterate their view that the bureau shouldn't fully open for business unless dramatic changes are made.

    “It is inconceivable that in this time of tight budgets that we would create a new agency that is completely unaccountable in terms of its budget,” Collins said.

    Among their demands: the bureau should be led by a commission, not an individual; it should not have its own source of funding from the Federal Reserve; and it should be subject to Senate committee oversight.

    So far, Democrats haven't budged on any of those demands -- setting up a fight over public opinion that Obama didn't shy away from at his speech in Kansas.

    "Every day we go without a consumer watchdog is another day when a student, or a senior citizen, or a member of our armed forces … could be tricked into a loan that they can't afford -- something that happens all the time," he said. "And the fact is that financial institutions have plenty of lobbyists looking out for their interests. Consumers deserve to have someone whose job it is to look out for them. And I intend to make sure they do. And I want you to hear me, Kansas: I will veto any effort to delay or defund or dismantle the new rules that we put in place."

     

  • Consumer: Trove of evidence didn't persuade credit bureau to fix error

    Thomas Tupper

    Tom Tupper and his young son, Josiah. Tupper says a mistake on his credit report cost him 48 points on his credit score and that credit bureau TransUnion ignored all the evidence he produced.

    A single error on your credit report can really hurt. It might drop your credit score 50 points, costing you an auto loan or pushing you into subprime mortgage status. It could cost a job if you're in the process of applying.  It could raise your auto insurance rates.  And, says consumer Tom Tupper, it's a direct insult to your integrity as a person.

    But worst of all: Sometimes it seems that no amount of hard evidence can persuade a credit bureau to fix such a costly mistake. At least, that's the story Tupper is telling. And he has plenty of evidence to back it up.

    Tupper's travails through credit bureau TransUnion's dispute resolution process sound like they sprang from a Joseph Heller novel; and the “Catch-22” he describes offers a glimpse at how bureaus apply justice the 20,000 times per day that consumers plead for help with a mistake on their credit report.

    "It is an insult to report something about me inaccurately. It’s not acceptable. … It’s a reflection of my integrity as a person,” Tupper said. “I do take it personally.”


     TransUnion refused to answer questions about Tupper’s situation for this story.

    “To protect the privacy of consumers, TransUnion does not comment on individual cases,” said company spokesman Clifton O’Neal.

     But Tupper is eager to share his version of events.

    Tupper, an avid credit monitoring user, says he spotted an error in his TransUnion report in October indicating that he was 30 days late on a car loan payment in September 2010. He looked up his TransUnion credit score, and found it had plummeted by 48 points. Days later, when the mistake spread to Equifax and Experian, his scores from those firms fell too, but not as sharply.

    The 43-year-old Irvine, Calif. software engineer keeps copious records -- he has copies of every monthly statement from his car loan -- and he was sure he'd never been late. But the September 2010 blemish was even more curious because he was being reported late by Santander Consumer USA, a loan-servicing company that had taken over the loan from Citibank that month. He also sold the car soon after, and had copies of the payoff check from the dealership that was deposited to pay off the loan. Finally, he even made an extra payment to Santander after he traded in the car, just to make sure there was no late payment.

    Fast-forward to October of this year, when Tupper looked at his credit report and discovered that Santander was reporting him as a deadbeat. His blood boiled.

    He immediately went online and filled out the TransUnion dispute form. He heard back four days later, when his request for a correction was denied and TransUnion affirmed the late payment.  Furious, he sent a second dispute form to TransUnion, this time in snail mail, along with a folder piled high with documentation.  Tupper shared the file with msnbc.com. Here's a sample of what he included:

    *A letter from Citi Financial and Santander making it clear that Santander USA only began servicing the account as of 9/6/2010. That meant Santander couldn't report him as 30 days late in September 2010.

    *Santander's first monthly account statement to him, showing his payment was received and credited on Sept. 17, 2010, and that his account was up to date.

    *A copy of the loan payoff check, including routing and transit numbers indicating it was cashed.

    *Loan payoff notes from both Citibank and Santander.

    Tupper heard nothing for weeks, so he called TransUnion on Nov. 15.  The response he received was straightforward:

    "They said, 'Here's the deal. We've just completed our investigation, and we're not going to change it.'" Tupper said.  "And the operator said that since I'd disputed it twice, any other dispute I tried would be seen as frivolous and would be ignored."

    When Tupper pressed for a reason, he said the operator was rude, but eventually told him that there was no way for TransUnion agents to verify his documents as authentic. She didn't offer him any way to make the documents believable to the firm.

    "I kind of went ballistic," he said.  "I said, 'If you think about that, how can anyone prove anything to you?' "

    Similar complaints have dogged the credit reporting agencies and their dispute process for at least a decade. By law, the agencies are supposed to give consumers a chance to make their case when lenders place blemishes on their credit reports. But in practice, consumer lawyers argue, credit reporting agencies often ignore evidence supplied by consumers and simply ask lenders -- called furnishers, in credit bureau language -- to "verify" the debt. It's the equivalent of asking, "Did you say this?" When furnishers confirm they did, that's often the end of the case.

    Depositions taken from former employees in cases filed against the credit bureaus paint a frantic picture of dispute resolution, which often occurs in off-shore call centers. According to SmartMoney magazine, one TransUnion official said that workers were expected to complete up to 22 cases an hour. An Equifax worker estimated she was allotted four minutes per dispute.  There isn’t time for much more than a simple yes or no question to the lender.

    "It is really quite appalling when you really think about it," Tupper said. “When I gave that proof to TU and demanded they remove the incorrect entry, they basically ignored me and sided with the data furnisher... So here is the rub: What's to stop anyone from reporting anything derogatory about you to a (credit bureau)?"

    The credit bureaus, as a group, often argue that their system is overwhelmed with fraudulent disputes by shady credit repair agencies and consumers trying to game the system.  And they argue that many errors are corrected.  A 2005 report by Congress' General Accountability Office found that 69 percent of surveyed consumers who had disputed items on their credit report said they'd been removed.  That report also cited testimony from the Consumer Data Industry Association indicating these results for consumer disputes: data had been deleted in 27 percent of the disputed cases, but verified and left on the person’s report in 46 percent of the cases.

    Mountains of consumer complaints found online suggest Tupper's case is not unusual, however.

    "If I come at you with evidence, it seems to me that as an organization you ought to err on the side of caution, rather than side with the lender,” Tupper said. “... In simple terms, TransUnion has effectively taken the stance that there is no level of documentation that a consumer can maintain which they will accept as legitimate proof that they have wronged the consumer. If a consumer's banking records, along with the very account statements provided to the consumer by a lender, other banking transit documents, and payoff documents are not considered as adequately evidentiary by TransUnion in an accuracy dispute, then what hope does any consumer have of ever protecting themselves from victimization?"

    Tupper's story, however, has a happy ending.  He exercised a relatively new consumer right, granted by Congress in 2005 but not implemented until last year, that lets consumers dispute credit report blemishes directly with the furnisher after a failed dispute with a credit bureau.  Tupper sent his powerful packet of evidence to Santander via e-mail in late November, and followed up with a flurry of phone calls.  Santander quickly changed the way it was reporting Tupper's account to "paid as agreed," and within 48 hours, his credit report was clean again. His credit score returned to normal soon after.

    "For me, it was more infuriating than anything else because it was so wrong," Tupper said. "I wonder how many consumers in my position simply give up, and live with seven years of inaccurate credit scoring because they simply haven't got the means to fight back....  These agencies wield tremendous power in the lives of consumers, and unfortunately they are frequently difficult to hold accountable for wronging consumers.”

    RED TAPE WRESTLING TIPS

    If you feel you have an error on your credit report, it's important to file a dispute right away. There are  plenty of guides for doing so online; start with the Federal Trade Commission's instructions.

    The ability to dispute a report directly with a furnisher is an important new right for consumers. Here are tips on how to begin that process.

    And if all else fails, look for a consumer attorney with experience fighting Fair Credit Reporting Act cases at the National Association of Consumer Advocates website.

     

  • Consumer agency shares top beefs against credit card issuers

    Top 10 credit card complaints
    Here's what consumers groused about in complaints filed with the new Consumer Financial Protection Bureau:

    Rank  Issue                                     Complaints  % of total
    1     Billing disputes                          681         13.4%
    2     APR or interest rate                      556         11.0%
    3     Identity Theft / Fraud / Embezzlement     546         10.8%
    4     Other                                     454         8.9%
    5     Closing / Cancelling account              242         4.8%
    6     Credit card payment / Debt protection     224         4.4%
    7     Other Fee                                 224         4.4%
    8     Billing statement                         209         4.1%
    9     Collection practices                      201         4.0%
    10    Credit reporting                          197         3.9%

    SOURCE: Consumer Financial Protection Bureau
    msnbc.com

    Given a chance to complain, credit card consumers jumped at the opportunity. 

    The Consumer Financial Protection Bureau opened for business earlier this year, and its first actions were to solicit consumer complaints about credit cards and set up a system for resolving disputes.  In three months ending Oct. 21, cardholders filed more than 5,000 complaints and requests for help.

    An interim report issued this week offers insight into the bank practices that most bug consumers:  Billing disputes, collection practices, and debt protection sales pitches. Surprisingly, late fees did not crack the top 10.  

    Mysterious fine print is a common thread through many of the complaints.

    "The biggest thing we see is consumer confusion," said bureau spokeswoman Jennifer Howard.  "Customers and credit card issuers aren't always on the same page when it comes to understanding the terms of the deal."


    According to the report, account holders struggle to understand both terms of their contracts and details of additional offers like debt protection.  There's a "mismatch between consumer expectations and the way the product functions," the report says.

    A big part of the bureau's mandate is to act as an express route for resolution of consumer issues. Of the 5,000-odd complaints submitted, 4,254 were forwarded to the bank involved; banks said they'd resolved 3,151 of those. Consumers disagreed about that satisfaction rate, with only 2,238 agreeing that their dispute had been solved. Another 500 said their complaints were pending.

    The text of the complaints is not public, but the bureau is working on a method for providing "public reports" that will include "certain aspects of credit card complaint data."

    Meanwhile, the bureau will soon begin accepting complaints about other financial products, such as mortgages and home equity loans.

    “When consumers contact us, we get a snapshot of how the consumer finance markets are working,” said Raj Date, a special adviser to the secretary of the Treasury for the Consumer Financial Protection Bureau. "We will continue to work with consumers, credit card companies, government agencies, and others to improve consumer education and ensure CFPB’s regulation, supervision, and enforcement efforts are effective.”


  • Exclusive: Millions of printers open to devastating hack attack, researchers say

    This time-lapsed image of a screen on an HP LaserJet shows the impact of a rogue print job used to reprogram the device. (Credit: Columbia University)

    Could a hacker from half-way around the planet control your printer and give it instructions so frantic that it could eventually catch fire? Or use a hijacked printer as a copy machine for criminals, making it easy to commit identity theft or even take control of entire networks that would otherwise be secure?

    It’s not only possible, but likely, say researchers at Columbia University, who claim they've discovered a new class of computer security flaws that could impact millions of businesses, consumers, and even government agencies.

    Printers can be remotely controlled by computer criminals over the Internet, with the potential to steal personal information, attack otherwise secure networks and even cause physical damage, the researchers argue in a vulnerability warning first reported by msnbc.com.  They say there's no easy fix for the flaw they’ve identified in some Hewlett-Packard LaserJet printer lines – and perhaps on other firms’ printers, too – and there's no way to tell if hackers have already exploited it.


    The researchers, who have been working quietly for months in an electronics lab under a series of government and industry grants, described the flaw in a private briefing for federal agencies two weeks ago. They told Hewlett-Packard about it last week.

    HP said Monday that it is still reviewing details of the vulnerability, and is unable to confirm or deny many of the researchers’ claims, but generally disputes the researchers’ characterization of the flaw as widespread.  Keith Moore, chief technologist for HP's printer division, said the firm "takes this very seriously,” but his initial research suggests the likelihood that the vulnerability can be exploited in the real world is low in most cases.      

    “Until we verify the security issue, it is difficult to comment,” he said, adding that the firm cannot say yet what printer models are impacted.

    But the Columbia researchers say the security vulnerability is so fundamental that it may impact tens of millions of printers and other hardware that use hard-to-update “firmware” that’s flawed.

    'Crystal clear'
    The flaw involves firmware that runs so-called "embedded systems" such as computer printers, which increasingly are packed with functions that make them operate more like full-fledged computers. They also are commonly connected to the Internet. 

    "The problem is, technology companies aren't really looking into this corner of the Internet. But we are," said Columbia professor Salvatore Stolfo, who directed the research in the Computer Science Department of Columbia University’s School of Engineering and Applied Science. “The research on this is crystal clear.  The impact of this is very large. These devices are completely open and available to be exploited.”

    Printer security flaws have long been theorized, but the Columbia researchers say they've discovered the first-ever doorway into millions of printers worldwide.  In one demonstration of an attack based on the flaw, Stolfo and fellow researcher Ang Cui showed how a hijacked computer could be given instructions that would continuously heat up the printer’s fuser – which is designed to dry the ink once it’s applied to paper –  eventually causing the paper to turn brown and smoke.

    In that demonstration, a thermal switch shut the printer down – basically, causing it to self-destruct – before a fire started, but the researchers believe other printers might be used as fire starters, giving computer hackers a dangerous new tool that could allow simple computer code to wreak real-world havoc.

    Hewlett Packard, in a statement, said all its printers include such thermal switches, and these would prevent a printer fire in all cases.

    "(The thermal breaker) cannot be overcome by a firmware change or this proposed vulnerability," it said.

    Click here to read H-P's full statement issued in response to this story.

    Cui and Stolfo say they've reverse engineered software that controls common Hewlett-Packard LaserJet printers. Those printers allow firmware upgrades through a process called "Remote Firmware Update." Every time the printer accepts a job, it checks to see if a software update is included in that job.  But they say printers they examined don't discriminate the source of the update software – a typical digital signature is not used to verify the upgrade software’s authenticity – so anyone can instruct the printer to erase its operating software and install a booby-trapped version.
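    The gap described above, as an added example that is not code from HP or the researchers: a device that checks each job for an embedded update, once without and once with verification of the vendor's signature. The job marker, class and function names are hypothetical, and the RSA key is a constructed, insecure demo key; a real device would use a vetted cryptographic library and a full-size key.

```python
import hashlib
import hmac

# Constructed demo key (two Mersenne primes): valid RSA arithmetic, NOT a secure key.
_P, _Q = 2**521 - 1, 2**607 - 1
VENDOR_N, VENDOR_E = _P * _Q, 65537                  # public half, baked into the device
_VENDOR_D = pow(VENDOR_E, -1, (_P - 1) * (_Q - 1))   # private half, vendor side only
KEY_BYTES = (VENDOR_N.bit_length() + 7) // 8
UPDATE_MAGIC = b"%%FIRMWARE-UPDATE%%\n"              # hypothetical in-job update marker
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(image: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(image), padded to the key size."""
    t = SHA256_DIGESTINFO + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (KEY_BYTES - len(t) - 3) + b"\x00" + t


def vendor_sign(image: bytes) -> bytes:
    """Vendor-side signing step (runs at build time, never on the printer)."""
    m = int.from_bytes(_encode(image), "big")
    return pow(m, _VENDOR_D, VENDOR_N).to_bytes(KEY_BYTES, "big")


def signature_ok(image: bytes, sig: bytes) -> bool:
    """Device-side check: re-encode and compare the whole padded block."""
    if len(sig) != KEY_BYTES:
        return False
    s = int.from_bytes(sig, "big")
    if s >= VENDOR_N:
        return False
    recovered = pow(s, VENDOR_E, VENDOR_N).to_bytes(KEY_BYTES, "big")
    return hmac.compare_digest(recovered, _encode(image))


class Printer:
    def __init__(self, firmware: bytes, require_signature: bool):
        self.firmware = firmware
        self.require_signature = require_signature
        self.printed = []

    def accept_job(self, job: bytes) -> str:
        """Every incoming job is checked for an embedded firmware update."""
        if not job.startswith(UPDATE_MAGIC):
            self.printed.append(job)
            return "printed"
        body = job[len(UPDATE_MAGIC):]
        sig, image = body[:KEY_BYTES], body[KEY_BYTES:]
        if self.require_signature and not signature_ok(image, sig):
            return "update rejected"
        self.firmware = image  # without the check, whoever sent the job decides
        return "update installed"


def demo():
    """Send one unsigned and one vendor-signed update to both device types."""
    genuine = b"vendor firmware v2 (constructed sample)"
    altered = b"modified firmware (constructed sample)"
    signed_job = UPDATE_MAGIC + vendor_sign(genuine) + genuine
    forged_job = UPDATE_MAGIC + bytes(KEY_BYTES) + altered  # no valid signature
    old, new = Printer(b"v1", False), Printer(b"v1", True)
    return (old.accept_job(forged_job), new.accept_job(forged_job),
            new.accept_job(signed_job), new.firmware == genuine)
```

    The device-side check compares the entire padded block rather than parsing it, so a malformed signature cannot pass by matching only the trailing digest.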

    In all cases, the Columbia researchers claim, duping a would-be target into printing a virus-laden document is enough to take control of that person's printer; but in some cases, printers are configured to accept print jobs via the Internet, meaning the virus can be installed remotely, without any interaction by the printer's owner.

    “It's like selling a car without selling the keys to lock it,” Stolfo said. “It’s totally insecure.”

    Columbia researcher Ang Cui explains how he was able to infect an HP printer with malicious code. (Credit: Columbia University)

    Rewriting the printer's firmware takes only about 30 seconds, and a virus would be virtually impossible to detect once installed. Only pulling the computer chips out of the printer and testing them would reveal an attack, Cui said.  No modern antivirus software has the ability to scan, let alone fix, the software which runs on embedded chips in a printer.

    “First of all, how the hell doesn't HP have a signature or certificate indicating that new firmware is real firmware from HP?” said Mikko Hypponen, head of research at security firm F-Secure, when told of the flaw. “Printers have been a weak spot for many corporate networks.  Many people don’t realize that a  printer is just another computer on a network with exactly the same problems and, if compromised, the same impact.”

    There are plenty of points of contention between HP and the researchers, however. Moore, the HP executive, said the firm’s newer printers do require digitally signed firmware upgrades, and have since 2009. The printers tested by the researchers are older models, Moore said. 

    In contrast, the Columbia researchers say they purchased one of the printers they hacked in September at a major New York City office supply store.

    Moore also said that the impact of any potential vulnerability is limited because most home users have InkJet printers – not LaserJet printers – and they do not permit remote firmware upgrade, he said.

    Still, a widespread flaw in LaserJet printers would raise serious issues. Hewlett Packard dominates the printer market; the firm says it's sold 100 million LaserJet printers since 1984, meaning millions of computers could be vulnerable. HP, by far the dominant printer seller worldwide with 42 percent of the market, sells about 50 million printers of all kinds annually, according to IDC.

    In an exclusive demonstration for msnbc.com at Columbia University’s Intrusion Detection Systems Laboratory, Cui and Stolfo revealed the kind of havoc an attacker could wreak once they gained control of a printer. After sending a virus-laced print job to a target printer, the device's small screen read, in sequence, "Erasing...Programming...Code Update Complete."

    In one demonstration, Cui printed a tax return on an infected printer, which in turn sent the tax form to a second computer playing the part of a hacker’s machine. The latter computer then scanned the document for critical information such as Social Security numbers, and when it found one, automatically published it on a Twitter feed.

    A hacker who merely wanted to wreak havoc could easily disable thousands – or perhaps millions – of vulnerable printers, Cui said, as it is trivial to send the printer upgrades that would render it inoperable.  

    Beachhead?
    But the researchers say the possibilities created by hijacked printers go far beyond pranks or identity theft. Printers on a company network are nearly always trusted by other computers. A hijacked printer could act as a beachhead to attack a company's network that was otherwise protected by a firewall. Few companies are prepared to protect themselves from an attack by their own printer.

    Moore also disagreed with this assertion. He said standard print jobs could not be used to initiate a firmware upgrade; only specially-crafted files sent directly to the printer can do that. Were that true, the vulnerability could only be exploited on printers left exposed to the Internet; printers behind a firewall would be safe.

    “This (vulnerability) is probably not as broad as what I had heard in their first announcement,” Moore said. “It sounds like we disagree on what the exposure might be.”

    But the Columbia researchers say standard print commands sent both from a Macintosh computer and a PC running Linux tricked an HP printer into reprogramming itself. Moore later conceded that might be true; but the two sides disagreed on whether users in a Microsoft Windows environment were safe from the attack.

    Even home users with printers that are not directly connected to the Internet are at risk, Cui said.  As long as the printer is connected to a computer – through a USB cable, for example –  it could be used to launch attacks, or as part of a botnet.

    A quick scan by the researchers of unprotected printers left open to Internet attack found 40,000 devices that they said could be infected within minutes.

    Cui discovered the lack of authentication by physically disassembling the printer, and painstakingly reading output from its chipset, one character at a time. The chips run off-the-shelf operating systems like VxWorks and Linx, a scaled-down version of the Linux operating system designed for embedded devices.  Reprogramming the chip was relatively easy, he said – and now that the concept has been proven, he thinks others could reproduce his work in a day or two. 

    "In fact, it's almost impossible to think that someone else hasn't already done this," he said.

    Fixing the flaw will not be easy, Stolfo said.  There is no natural path to update printer operating system software, as there is for desktop PC software.  It's possible a consortium of firms could "push out a fix," once one is available, he said. He urged HP to work with companies like Microsoft to help consumers update their printers. (Msnbc.com is a joint venture of Microsoft and NBC Universal.)

    One particularly vexing part of the fix: Printers that are already compromised by rogue software likely cannot be fixed. An attacker could easily shut down the pathway for future updates that would “cure” an infected printer.

    “If and when HP rolls out a fix, if a printer is already compromised, the fix would be completely ineffective.  Once you own the firmware, you own it forever. That’s why this problem is so serious, and so different,” Cui said. “This is nothing like fixing a virus on your PC.”

    Such inability to help consumers manually secure their printers could ultimately have disastrous consequences, Stolfo said.

     “It may ultimately lead to telling everyone they just have to throw their printers out and start over,” he said. "Fixing this is going to require a very coordinated effort by the industry," Stolfo said.

    Rogue software
    Hypponen said that the anti-virus industry could develop software tools that would detect booby-trapped print jobs in word processing documents or emails, and thwart attempts to update printers with rogue software that way. But such an approach would hardly be foolproof.

    The Columbia researchers are just beginning to sample printers sold by other manufacturers; the research is inconclusive so far, but Stolfo and Cui believe the problem is not limited to Hewlett-Packard machines.

     “I think it is very wise to broadcast the problem as soon as possible so all of the printer manufacturers start looking at their security architectures more seriously,” Stolfo said.  “It is conceivable that all printers are vulnerable. …Printers that are 3-, 4-, 5-years-old and older, I’d think, all used unsigned software. The question is, ‘How many of those printers are out there?’ It could be much more than 100 million.”

    That’s why Stolfo and Cui decided to go public with the vulnerability: They believe the sheer scope of the flaw requires immediate attention and cooperation from multiple elements of the tech industry. The two are currently helping HP devise a mitigation strategy.

    HP continues to research the potential flaw, but it’s too early for the firm to announce which products might be impacted, or what consumers should do.

    “Until we know things like whether Windows users are affected, whether this is a class or specific product issue, it is frankly irresponsible to say more,” Moore said.  “If this turns out to be the broad (problem) that's being discussed…we will reach out to customers and get it fixed.  We support our customers and value their trust.”

    Printers, however, are just the tip of the iceberg when it comes to vulnerable embedded devices, Stolfo warned.  Columbia researchers have found that many gadgets now wired to connect to the Internet – including DVD players, telephone conference tools, even home appliances – have no security at all.

    "Right now, very few people are thinking about the security of all these devices, so we're moving on to look at many more of them,” Stolfo said, noting that supposedly secure offices – even in sensitive government agencies – have networked teleconferencing devices, printers, even thermostats that create security risks.

    “This is a whole area that is being ignored,” he continued. “While most folks are focused on applications, there is a comfort level with (embedded systems) that is nonsensical. There's no focus on the security of these devices we take for granted and we carry into secure environments every day.”


  • Can't afford to retire in the US? There's always Panama

    Carol Denne and her husband Larry both worked government jobs for decades, but as they entered their late 50s, Larry's fast-shrinking 401(k) account and Carol’s modest pension pointed to one stark reality: Retiring with dignity in their Philadelphia suburb would be impossible. In fact, Carol ran the numbers over and over and came to the conclusion that retiring anywhere in the U.S. was unrealistic.

    "Either my husband was going to have to work until he died, or we were going to have to leave the country," she said.  "He'd been working since he was 15, and that was long enough.  So we left."

    So four months ago, Carol and Larry departed the U.S. -- leaving behind their four children and five grandchildren -- and moved to a mountain village in Panama.

    "We found we could live on my retirement here," Carol said by phone from their new home outside the town of David, on the Latin American country's west side. They were surprised to find a healthy number of "gringos" already living in their suburb, called Volcan.  "We are seeing a growing number of 'ex-pats' who are in our same situation. This points to a growing number of families that are torn apart as parents and aunts and uncles are forced to move away to retire.”


    They pay $500 per month to rent a four-bedroom home, enjoy dinners for $10, and now believe they'll be able to live out their lives without worrying about running out of money.

    With Larry 59 years old and Carol 57, the Dennes fit into the demographic that might actually be suffering the most during the current economic downturn.  While much has been written about youth who graduate college and have few economic opportunities and families threatened with foreclosure, both groups will presumably benefit when the economy rebounds -- even if the recovery is 10 years off.  But for workers nearing retirement, there is no time to make up their share of the $2.7 trillion in retirement investments that vanished between 2007 and 2009, according to the Urban Institute.

    As we’ve chronicled here before on Red Tape, older Americans who lose their jobs have a hard time finding new employment. Many unemployed 50-somethings believe ageism is a factor, and there is some data that might support those accusations. The unemployment rate for workers aged 55-64 has more than doubled, from 3 percent in 2006 to 7.1 percent in 2010, according to a recent report by Congress’ Government Accountability Office. Median unemployment length for the group soared from 11 weeks to 31 weeks from 2007 to 2010. The report also found that an estimated 25 percent of adults 50 and over had exhausted their savings in response to a layoff or other recession-related event, and half in that age group say they had delayed a medical or dental procedure to make ends meet. Meanwhile, the normal safety net of home equity has been decimated by the housing bubble collapse.

    Things were different for the Dennes before 2008, before the economic crash caused by the near collapse of the financial system. Larry was a manager at a local recycling company and had dutifully socked away money into his 401(k). Between her $3,000 per month pension earned as a civilian working for the Navy and his retirement savings, the couple thought they'd have options. Then, the crash swept away most of Larry's 401(k) and reality hit.   

    "I'm angry about that, angry that was the situation we were faced with. It was difficult leaving friends and family behind," Carol said. "We didn’t have that much to start with. To lose all that was a big deal."

    The couple had never been to Latin America, and spoke no Spanish, but they were desperate for options and attended a seminar on retiring in Panama.  They were hooked.

    "Our friends couldn't believe we were going to do that," Carol said.

    It's a conversation that's being repeated around the country. Solid data on the number of U.S. retirees living abroad is hard to find, but the trend seems to be on the rise.  The Social Security Administration paid benefits to 509,000 overseas retirees in 2008, the most recent available data. That's a sharp uptick from the 396,000 who received benefits in 2000.

    The economics seem irresistible.  Housing costs in places like Ecuador, Mexico and Panama are a fraction of those in the U.S. Many Latin American countries offer retirement benefits and health care to U.S. ex-pats living there.  And the pace of life is hard to beat.

    "We live in an eternal spring," Carol said.  "We’re in the mountains, where the temperature is always around 75 or 80. It never snows. There's no leaves to rake in the fall, no shoveling in the winter. It's absolutely beautiful here."

    Panama regularly ranks among the top places for ex-pats to retire when magazines like International Living or organizations like AARP conduct surveys. International Living ranked Panama third globally, behind only Ecuador and Mexico, in a survey that weighed cost of living, health care, culture, infrastructure, etc. (The U.S., by the way, ranked 22nd, just ahead of Slovenia and the Dominican Republic). Panama's "pensionado" program also offers deep discounts to seniors on everything from prescription medicine to food and airline tickets.

    Those will come in handy, as the couple has plans to return to the U.S. frequently to see their children and grandchildren. Meanwhile, a steady stream of visitors is coming to their piece of paradise.

    "We've already had one daughter come down, and another one is coming in January," Carol said.

    Technology helps keep them connected with home -- Facebook, email, and Skype make it relatively easy to keep up with friends and family.  Of course, it's not flawless. I had to dial the Dennes’ phone number six times before the call went through. Other ex-pats on bulletin boards devoted to life in Panama complain that electricity and water services aren't always reliable.  But such hiccups are part of life in Panama, Carol said.

    "You learn to go with the flow," she said. "The pace of life is different."

    The couple has already adjusted, for the most part, Carol says. 

    "I miss nothing. Maybe the convenience of having so many stores nearby," she said.  A painter, she has to travel about 45 minutes to buy supplies like acrylic paints.

    But that's not going to change, as the couple has no plans to return to the U.S.

    "We're down here for the long haul. We can't afford to live in the States," she said. "My sister is older, she has a good job, and she's going to have to work 10 years before she retires.  I'm shocked that that has happened. I don't know what's going on. Boomers are working even longer, or until they die, or are leaving the country like we are. The recession has affected everybody in hard ways."
