If you’re afraid to answer your phone, you’re hardly alone. Spam calls have become so common that they’ve basically rendered the “phone” part of “smartphone” useless. Or at least, very dumb. But help might, finally, be on the way.
The Do Not Call list, which debuted in 2004, was perhaps the most popular program operated by the U.S. government in decades — 50 million numbers were entered before the list even took effect. Since then, another 170 million numbers were entered into the registry. U.S. telemarketers quickly learned to abide by the list or face multi-million dollar fines the Federal Trade Commission could impose — and there have been more than 100 enforcement actions.
It worked…for a while. But the combination of internet-based telephones and cheap long-distance calls has made it easy for telephone scofflaws to operate overseas, far beyond the reach of U.S. authorities. Unwanted calls have returned with a vengeance, making some wonder if the Do Not Call list works at all.
How bad is the problem? A firm called YouMail Inc. tries to count the number of robocalls that pester Americans, and the statistics are staggering. YouMail claims that 2.5 billion unwanted calls were placed just in April 2017, equaling 7.7 calls per person.
For fun, YouMail breaks down its data by ZIP code, and found that Atlanta wins for most robocalls received, with about 50 million placed just to the 404 area code in April. Another 35 million arrived at Atlanta’s 678 area code. Houston and Dallas area codes came in second and third. New York City’s 917 area code was fifth, with 29 million.
The robocall problem has been intractable for a series of reasons — mainly, because it makes the criminals who run scams like fake IRS debt collection a lot of money. But two other technology reasons stick out.
1. Criminals can “spoof” caller ID numbers.
First, it’s become easier for criminals to “spoof” caller ID numbers. That not only keeps consumers from blocking numbers, it can also make them more likely to answer. Calls that appear to come from the recipient’s own area code — or even share the same first six digits of their phone number — suggest a local call, so consumers are tempted to answer.
2. The telecom industry has a hard time stopping suspicious calls.
Second, the telecom industry has avoided implementing technology that would stop many suspicious calls because the firms claim they are legally required to connect calls, and they don’t have the authority to decide what is spam and what isn’t.
Years of frustration and consumer complaints finally nudged the Federal Communications Commission toward action last year, and it created the Robocall Strike Force. In August, tech heavy hitters like AT&T, Google, and Microsoft gathered in Washington, D.C., to discuss ideas.
Then in March, with the FCC under new leadership, Chairman Ajit Pai indicated he would go ahead with proposals from the task force. Specifically, he would call for a change in rules that explicitly gave telecom firms the right to cut off spammers.
“Under my proposal, the FCC would give providers greater leeway to block spoofed robocalls. Specifically, they could block calls that purport to be from unassigned or invalid phone numbers — there’s a database that keeps track of all phone numbers, and many of them aren’t assigned to a voice service provider or aren’t otherwise in use,” he wrote in a Medium post explaining the change. “There is no reason why any legitimate caller should be spoofing an unassigned or invalid phone number. It’s just a way for scammers to evade the law.”
Later in March, the FCC approved the proposal. The work isn’t done, however. There’s now a public comment period; a vote to enact the new rules won’t happen until later this year. Then there will be a transition period as carriers implement their spoofed-call-blocking technologies.
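The kind of screening described above can be sketched in a few lines. This is an added example, not code from the FCC, a carrier or any call-blocking app: it rejects caller IDs that cannot be valid North American numbers, blocks ones in a list of unassigned blocks, and flags "neighbor" numbers that share the recipient's first six digits. The function names, the verdict labels and the sample unassigned block are assumptions made for illustration; a real list of unassigned numbers would come from the numbering database the chairman mentions.

```python
import re

def normalize(raw):
    """Return the 10-digit number in raw, or None if it cannot be one."""
    digits = re.sub(r"\D", "", raw)           # drop +, spaces, dashes, parentheses
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]                   # strip the North American country code
    return digits if len(digits) == 10 else None

def structurally_valid(number):
    """Apply numbering-plan format rules to a 10-digit string."""
    area, exchange = number[:3], number[3:6]
    # Area codes and exchanges never begin with 0 or 1.
    if area[0] in "01" or exchange[0] in "01":
        return False
    # N11 codes (211, 411, 911, ...) are service codes, not area codes or exchanges.
    if area[1:] == "11" or exchange[1:] == "11":
        return False
    return True

def screen(caller_id, own_number, unassigned_blocks=frozenset()):
    """Classify an incoming caller ID.

    unassigned_blocks is a hypothetical set of (area code, exchange) pairs
    known to be unassigned; here it is supplied by the caller of this function.
    """
    own = normalize(own_number)
    if own is None:
        raise ValueError("own_number must be a 10-digit North American number")
    caller = normalize(caller_id)
    if caller is None or not structurally_valid(caller):
        return "block-invalid"                # no legitimate caller has this number
    if (caller[:3], caller[3:6]) in unassigned_blocks:
        return "block-unassigned"
    if caller[:6] == own[:6]:
        # Same area code and exchange as the recipient: could be a real
        # neighbor, so this is a flag for screening, not a block.
        return "flag-neighbor"
    return "allow"

if __name__ == "__main__":
    own = "404-555-0199"                      # constructed sample recipient
    samples = ["+1 (404) 555-0142", "011-555-1234", "404-911-1234",
               "12345", "678-200-0100", "917-555-0100"]
    blocks = {("678", "200")}                 # constructed sample, not real data
    for s in samples:
        print(f"{s:20} {screen(s, own, blocks)}")
```

A format check like this only catches numbers that are impossible; a spoofed number that belongs to a real subscriber passes it, which is why the neighbor match is reported as a flag rather than a block.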
How to stop unwanted spam phone calls
Relief is in sight, but it’s not time to turn your ringtone back on just yet. For now, consumers can investigate third-party services like Nomorobo ($2/month, iPhone only) or Hiya (free) that claim to help by using blacklists and other methods to identify spam callers. Some providers and smartphones offer their own free call-blocking options, but they are cumbersome to use. Consumers can Google phone numbers that call, just to see if others have complained online about them. Or simply keep screening those calls for a bit longer.
The vast majority of student loan borrowers who default and rehabilitate their loans are set up to fail again because of bad advice, a new government study claims.
The Consumer Financial Protection Bureau says a stunning 9 out of 10 of these high-risk borrowers were not enrolled in affordable repayment plans, such as income-driven repayment — meaning their monthly payments were much higher than they had to be. Predictably, those borrowers were five times more likely to re-default on their loans, racking up $125 million in unnecessary interest charges along the way.
Conversely, students who were enrolled in income-driven repayment plans, which reduce payments based on the borrower’s income, were much less likely to have trouble making on-time payments. Fewer than one in 10 re-defaulted when enrolled in income-driven repayment, the CFPB said.
Loan servicers are responsible for informing borrowers about their options, but the CFPB has alleged previously that they do a poor job of it.
A Government Accountability Office report in 2015 found that while 51% of borrowers were eligible for a repayment program that could lower their payments, only about 15% were enrolled in it. The CFPB complaint database is littered with allegations that servicers make enrollment unnecessarily hard. And earlier this year, the CFPB and the state of Illinois both sued Navient — the nation’s largest servicer — and alleged the firm systematically failed to inform borrowers of their options. (Navient denied the allegation.)
Tuesday’s report focuses on a more narrow group — those who had stopped paying their student loans but had recently restarted payments and “rehabilitated” them. The group, which consists of about 600,000 borrowers, is considered the riskiest of the 43 million Americans who owe student loans.
Their plight shows the system is broken, said CFPB Student Loan Ombudsman Seth Frotman.
“For far too many student loan borrowers, the dream of a fresh start turns into a nightmare of default and deeper debt,” Frotman said. “When student loan companies know that nearly half of their highest-risk customers will quickly fail, it’s time to fix the broken system that makes this possible.”
The Student Loan Servicing Association, a trade group that represents servicers, didn’t immediately respond to requests for comment.
Roughly one in three student loan borrowers are late to some degree on their monthly payments. The Department of Education estimates that more than 8 million federal student loan borrowers have gone at least 12 months without making a required monthly payment and have fallen into default.
At-risk borrowers should know there are multiple programs designed to help them avoid default — income-contingent repayment, income-based repayment, and “pay as you earn” are all designed to keep payments at between 10% and 20% of income. Some offer payments as low as $5 per month, depending on income.
Thousands of consumers were left holding the bag — and out about $150 – when all-in-one cardmaker Plastc announced recently it was never shipping a product.
Is there any chance consumers can get their money back?
Yes. Even those who’ve already been told by their credit-card issuing banks that the charge is too old to dispute. Read on to learn about a little-known rule that gives credit and debit card customers up to 540 days to file a dispute in some situations. Even if you aren’t a Plastc victim, there’s a powerful consumer lesson to be learned here.
To refresh your memory, starting about four years ago, several firms announced products that promised to thin out Kramer-sized wallets everywhere — a single, digital credit card on which all other plastic cards could be loaded. New technology would let the makers of Plastc, Coin, and several others rewrite the magnetic stripe in real time, eliminating the need to carry around multiple credit cards. Optimistic buyers raced to preorder the gadgets. One by one, they were all disappointed, as so far, no all-in-one card has proved viable.
The makers of Plastc sure tried, however. At least, they said they did. Back in the fall, Plastc CEO Ryan Marquis took to Facebook to claim the firm had raised $9 million from 80,000 “backers,” and once again promised that success was around the corner. On April 21, Plastc gave up, announcing it was declaring bankruptcy. That left thousands of consumers wondering what would become of their preorders.
For the earliest backers, like Andrew Goodman, there’s probably very little hope.
“I’ve been a backer since April 2015 and certainly have no delusions of getting my money back,” said Goodman, who lives in West Chester, Penn. “I was given a flat ‘no’ from both Amex customer service and the third party they refer you to for complaints on purchases older than 12 months.”
But others, who gave Plastc their money a year or so ago, shouldn’t give up hope, even if they are initially rejected by their bank. A little-known rule governing most credit card transactions — so little known that even many in the banking industry don’t know it — means many consumers are eligible to dispute their transactions up to 540 days after they were initially posted.
Reddit threads and Facebook pages set up for disgruntled consumers are full of conflicting information, with some saying they’d managed to get a refund, while others say their card-issuing bank denied one, citing a 120-day time limit for disputes.
There is a 120-day time limit for disputes, but there is confusion over when that 120-day clock starts. The answer for Visa users, however, is quite clear on a document that sits on Visa’s website called “Visa Core Rules and Visa Product and Service Rules.” In a section titled “Chargeback Time Limit — Reason Code 30,” Visa tells participating banks and merchants that the clock doesn’t start until the purchased merchandise was supposed to be delivered — with a limit.
“If the merchandise or services were to be provided after the Transaction Processing Date, 120 calendar days from the last date that the Cardholder expected to receive the merchandise or services or the date that the Cardholder was first made aware that the merchandise or services would not be provided, not to exceed 540 calendar days from the Transaction Processing Date.”
Since customers were only told their orders wouldn’t be filled April 21, that rule suggests the 120-day clock starts then, not on the date of the transaction. In other words, while some banks have been telling Plastc buyers they can’t dispute their charge if it was processed earlier than January of this year, that Visa rule says folks who ordered as far back as November 2015 still have the chance to dispute. That’s a big difference.
So for clarification, I called Visa.
“Your read of the rule is correct,” said Visa spokeswoman Sandra Chu. “It’s 120 days from (the notification of non-delivery).”
Chu advised consumers who are told otherwise by their Visa-issuing bank to have a link to the Visa service rules handy and point customer service agents to that section. The rules, she said, are required for any credit or debit transaction that is processed on the Visa network.
What about other credit card issuers?
Mastercard did not immediately return my call for comment, but its “Chargeback Guide” contains similar language. In a section titled “Time Frame,” the criterion is listed as “15 to 120 days from the delivery/cancellation date of the goods or services.” Another section mentions a 540-day overall limit.
American Express media relations did not offer an answer to the question, and I was unable to find official documentation online. An old response from the firm’s official Twitter account hints that consumers – at least back in 2011 – had a long time frame to file disputes over purchases they never received as promised.
“For non rcvd orders u can disputed even after 65 days from charge.U are given 60 days from promise date of delivery 2 dispute,” the account said at the time. That contradicts the explanation Goodman received, however; if MagnifyMoney gets clarification, we’ll update this story.
Discover didn’t immediately respond to a request for comment.
Meanwhile, some consumers with even older-than-540-day transaction dates say they’ve received goodwill refunds for Plastc from their banks.
So the moral of the story is: Always call your bank and ask. And if you get no for an answer, don’t assume that’s the only answer.
The idea seemed brilliant in its simplicity: Combine all the credit cards in your wallet into one slick, card-sized gadget with a chameleon-like magnetic stripe that could be swiped anywhere. All-in-one cards promised the end of bulging wallets forever.
Coin, the first well-funded entrant into the category, made a huge first impression thanks to a slick social media campaign and viral videos — one was seen 10.2 million times on YouTube. Imitators like Plastc and Swyp jumped in on the excitement and into the fray.
Frank Barbieri, a tech enthusiast and investor, was among the first to spot and share an ad for Coin.
“I was excited about the promise,” said Barbieri, who paid $50 on the spot to get in line to be among the first Coin customers.
The company said it wanted to raise $50,000 via pre-orders when it opened the doors on Nov. 13, 2013. It reached that goal — theoretically, 1,000 orders — within 47 minutes.
But minutes have turned into hours, days, and years … and those early enthusiasts are still waiting for their one card to rule them all. Coin has come and gone. Its wearable payments technology was sold to FitBit in May, and the company stopped producing its flagship product. What’s left of the category seems little more than Facebook pages where frustrated consumers beg for the status of their pre-orders.
Failure to Launch
Plastc, which was considered a close competitor to Coin when it launched in October 2014, is currently taking orders for its $155 product but has yet to ship a product. In a Facebook Live post in September and in an e-mail sent to customers*, the company said it has 80,000 pre-orders and has raised $9 million in revenue since its launch (*Updated on May 2, 2017: This has been updated to reflect the source, which was a Facebook Live video posted on the now-defunct Plastc Facebook page and also an e-mail sent to Plastc customers from Plastc CEO Ryan Marquis on Sept. 13, 2016). But it has repeatedly disappointed consumers with delays. Earlier this year, the ship date was bumped from April to August or September, according to a message attributed to CEO Ryan Marquis and posted on several online venues, including Reddit. The message offered consumers an opportunity to get a refund, but Marquis urged folks to be patient.
“I hope you stick around. Plastc Card is going to be an AWESOME product,” he wrote.
In July, the company announced another delay, blaming a typhoon that wreaked havoc with its parts suppliers in Asia. The release date was pushed into the fourth quarter of 2016.
When we reached out to Plastc, the firm said it was shipping orders “in late Q4 (Nov/Dec) of this year.” But separately, CEO Ryan Marquis said on a Facebook video released in late September that only a small group of buyers would receive their cards this year, as part of a test group, and the rest wouldn’t be shipped until next year.
“Stop lying to your (way too) loyal customers about when this outdated product is going to ship,” wrote Steve Bierfeldt on the firm’s Facebook page. Bierfeldt, a 30-something who lives in the New York City area, told me he ordered the product more than a year ago. After this latest delay, he requested a refund.
“They’ve missed 3 or 4 public deadlines, and there is nothing to indicate they have a working prototype, much less a finished product,” Bierfeldt said. “It certainly seems they are stringing along customers and hoping the bottom doesn’t drop out. I hope they can pull it together because the idea of the product is a good one.”
Plenty of Plastc consumers aren’t convinced the product will ever arrive, and aren’t shy about complaining. On Plastc’s Facebook page, the firm is currently offering a T-shirt giveaway, leading another buyer to write, “Want my card not a damn T-Shirt.”
Plastc did not answer additional questions about the consumers’ frustration.
Michigan-based Stratos card got a lot of attention when it launched and began shipping some all-in-one cards in May 2015, but in another sign of how tough the market is, the firm nearly went under less than a year later. At the 11th hour, Stratos sold to Ciright One, a Pennsylvania-based firm working on a similar product. Ciright’s “One” card will pitch a slightly different angle, promising to help consumers keep track of their gift card balances, while also allowing use of credit cards. The firm’s website says its One Card will ship in 2017.
Bad Timing and Mixed Results
Why are all-in-one cards, and their elegantly simple idea, such a dud? There are plenty of reasons.
The key technology involved, which predates Coin, is called “dynamic magnetic stripe.” Installed on a gadget like Coin, it would theoretically allow consumers to load multiple cards onto the same device. Then it would change, chameleon-like, so it would look like the original bank-issued piece of plastic to any point of sale terminal. Fine so far.
But Coin and its ilk had bad timing. Barbieri was lucky enough to get an early version of Coin, but he found he could hardly use it anywhere. Just as Coin arrived, stores began abandoning the magnetic stripe in favor of EMV chip debit and credit cards. Coin had no way to deal with that.
“So it was a complete bust. [I] had to carry cards anyway,” Barbieri said.
But the chip issue is just the beginning of the problem faced by all-in-one card makers, says James Wester, a payments analyst at IDC Financial Insights. He’s not surprised that gadget makers shipwrecked while trying to change the way consumers spend money. Many tech firms have run aground before.
“Trying to participate in the payments space is very hard,” Wester says. “A lot of folks who try, find out the hard way.”
For starters, Coin and its imitators had to do the near-impossible: compete against a product that’s free and simple. Bank plastic doesn’t cost anything and works pretty much immediately. Cards like Coin cost money and have to be loaded and maintained.
“Is [carrying too many cards] a problem worth paying $50 to solve?” Wester asks. “When your largest competitor is a free product, that’s going to be really hard.”
As is clear from the continuing angst over conversion from magnetic stripes to chips — not to mention the fits and starts suffered by giant entrants Apple Pay and Google Wallet — old consumer payment habits die very hard. People don’t want to have to think about how they spend money; they just want it to work.
Coin, which had shipped two versions of its product, gave up earlier this year and sold its technology to Fitbit. A message sent to CEO Kanishk Parashar wasn’t returned.
Swyp shipped its first batch of long-awaited cards this summer after prolonged delays. Users are already complaining about the card’s major flaw: it is not EMV chip-enabled.
Not that all all-in-ones are giving up. Swyp, which promises a similar product it calls the “smart wallet,” shipped a batch of cards this summer to consumers who pre-ordered them. But these cards suffer from the same problem as Coin’s first batch: they only work as magnetic stripe cards, and can’t be used to complete EMV chip transactions.
Swyp is no longer taking pre-orders for them. The firm says on its website that the cards will go on sale next year. It also says Swyp will support both EMV and NFC in the future, but doesn’t say when.
Wester, who comes across as very cynical of all-in-one cards, thinks that firms like Plastc might actually have a window of opportunity created by the current chaos in payments. Consumers are still frustrated by the clunky changeover to chip credit and debit cards, and the associated slowdowns at checkout. Adoption of mobile phone payment or other schemes using wireless Near Field Communication (NFC) tap-and-pay technology has been sluggish too.
NFC-enabled plastic allows “contactless credit cards,” which are popular in Europe, but are nearly unavailable in the U.S. And that could be an opening for a card like Plastc. (On its site, the firm says it will support NFC, but not chips, at launch). Tap-and-pay NFC transactions can be nearly instantaneous, which might attract consumers and create a value proposition, Wester said. And if they are integrated into wearable devices, which is Fitbit’s master plan, they could give runners an easy way to grab a bottled water without slowing them down.
Still, Wester repeated many times, creating a brand new form of payment is among the most challenging areas of technology innovation. It’s so challenging that he offers his entrepreneurial friends this advice:
“If you have money to burn on a smart idea, don’t go into payments,” he said. And if you have money to burn on a product, consider spending it on something other than a pre-order for a payments gadget.
Yahoo says 500 million user accounts have been compromised, and they are telling users to change their passwords. That’s good advice, and below you’ll find better advice from security firm Sophos.
But first: For the next several days, or even weeks, beware emails that appear to come from Yahoo. Now will be a great time for phishers to trick users into following alleged “change your password” links that actually lead to hacker-controlled sites.
In general, it’s always good practice to update your passwords, password manager and security questions if you hear of a potential data breach that might affect you. Even data breaches from several years ago could still impact you today.
I disagree about using a new password for every site. I mean, it’s a lovely idea, but it’s just not realistic. Instead, I’m an advocate of having password families.
One simple password for throwaway accounts you don’t care about, like newsletters; one medium-hard password for sites that require a registration, but don’t involve money; and then one really strong password for financial accounts that you change on a regular basis.
For that tough password, use something clever, like the first letter of every word in a sentence. Like this: I Was Born on November 1 in North Dakota — IWBoN1iND (I wasn’t, by the way). Change a number to a symbol and you are in good shape, like IWBoN!iND.
Now, as for how often you should change your password — I asked a bunch of experts that question not long ago and got some interesting answers.
Graham Cluley – Independent computer security analyst, formerly of Sophos and McAfee (more about him)
I only change my password if I’m worried a service has been hacked/compromised. I have different passwords for each site. In fact, I reckon I have over 750 unique passwords. I use password management software. I think requiring people to regularly change their password is a bad idea. It encourages poor password choices, (such as) … passwordjan, passwordfeb, etc.
For your corporate network account? Several times a year. For an online newspaper that requires registration in order to read it? Never. As always, it’s about threat modelling: Figure out which services are the important services FOR YOU. Then use a strong, unique password on those, and change it regularly. For non-important sites: who cares.
James Lyne, Global Head of Security Research at Sophos, speaking specifically about corporation passwords (More about him)
The requirement to change your passwords is a preventive measure that is designed to minimize the risk of your already stolen password being cracked and used. Over 2014 there have been a huge number of attacks which have led to the loss of password hashes (or other representations). These password ‘representations’ require time and effort for attackers to crack and reverse to their plain text form. Depending on the hashing scheme in use and the resources of the attacker this can take little, or a very long time. Changing your password regularly helps manage the risk of an attacker stealing your password hash from the provider (without you knowing) by increasing the probability you have changed it before they use it.
There is a real balance to be struck with password rotations. Some enterprises set painful rotation rules that require staff to regularly learn a new password and commit it to memory – ironically this can lead to staff producing poor passwords to meet the requirement which again ironically makes it much easier for the attacker to break. Providing the service provider does their part and secures your password with an appropriate storage mechanism often using a significantly longer, complex and hard to guess password is a much better defence. Good luck to the cybercriminal going after a 128 character password stored as a (moderately poor) SHA1 hash.
Password managers help you generate long and complex passwords that will be hard to crack even if lost, that said, if you go this far and implement a manager you may as well rotate your passwords once in a while as you don’t need to remember them and it helps minimize the risk of attackers using stolen credentials (particularly on sites that store your password poorly). Most enterprises would do well to consider how to improve their password storage security and the strength of the original password over a 30 day rotation period.
Harri Hursti – independent security researcher, famous for “The Hursti Hack” of voting machines (more about him)
This is not (an easy question) … because also changing the password too often can become a security risk.
It greatly depends. Passwords I use more often, over the internet and are in sensitive sites are changed 2-3 times a year. Then there are very important passwords which are either used very seldom or are used in more secure environment and those I change once a year, or not even then.
Chester Wisniewski and Paul Ducklin, senior security advisors at Sophos. (More about Chester and Paul)
The answer, loosely, is this.
Change a password if any one of these is true:
You suspect (or know) it has been compromised.
You feel like changing it.
You have been re-using passwords and have decided to mend your ways.
Banks are willing to tolerate some credit fraud losses in order to maximize sales.
Mention fraud in any group of friends, and you are bound to hear someone tell a breathless story about their credit or debit card getting “hacked.” After all, the Justice Department says about 7 percent of U.S. adults are hit with ID theft – mostly card fraud – every year. That number might be even higher. A survey of MagnifyMoney readers found more than 22% had dealt with credit card fraud before.
Dealing with fraudulent charges can certainly be a hassle. Changing your account number at all the places where you use automated payments — from Netflix to Hulu to the electric company — can take some time, and you risk a late fee if you screw up.
Here’s the thing no one in the financial system likes to talk about when it comes to fraud: just how little banks—and even merchants—care about fraud.
“Banks don’t lose sleep over it, so neither should you,” says Gartner fraud analyst Avivah Litan. “Sure, [getting hacked] is upsetting, but consumers should be very relaxed, because they’re almost always going to get all their money back.” To be sure, nearly 100% of our readers received full refunds after their credit cards were hacked.
Banks and merchants could dial up their security systems so tightly that fraud would be nearly eliminated. But they don’t, because that would only make it tougher for legitimate customers to spend money. When fraud security is too tight, legitimate consumers would inevitably get tangled up in the security checks. Merchants and banks would lose sales and irritate customers. In the end, they’d rather tolerate some losses in order to maximize sales.
That’s not to say banks and merchants do nothing to protect their customers. Most employ a variety of systems to sniff out potential fraud. If you are an online shopper and have ever tried to ship something to an address that differs from your card billing address, you’ve probably encountered these fraud checks. Many involve scores, not unlike credit scores, that work like this:
A transaction that involves an international credit card shipped to an unusual address for a small but valuable item would get a high fraud score; an item purchased repeatedly by a customer and sent to their known address would get a low score. Companies make their own decisions about how much risk to take — how high a fraud score they allow — before stopping transactions.
It’s a tricky calculation, but Litan says some banks are willing to set the dials so low that they only detect 65 percent of fraud. “They’re not going to get in the way of their consumers,” she said. “That’s just the way they do it. It’s not like they don’t have fraud protection. They just aren’t going to tune it as tight as they can.”
Here’s a recent example that shows just how laissez-faire banks can be about fraud.
Remember when the Target credit card hack began a wave of database thefts that led to hundreds of millions of credit card account numbers being compromised?
Many banks, knowing that criminals had these stolen numbers, didn’t even bother to cancel associated cards and issue new ones. Instead, it became common practice to put the accounts on a watch list, and only cancel them once actual fraud incidents arose. That generally gave the criminals one or two bites at the apple before a hacked account was shut down.
That being said, more critical transactions, such as cash wire transfers, often come with tougher fraud standards, requiring up to 99 percent fraud detection.
The bottom line:
The next time you fret about fraud, or see an ad for a service trying to sell you fraud protection, remember that there’s no need to be hyper-vigilant. Your liability is capped in most cases at $50 as long as you report the theft quickly, and most banks waive that, too.
Take reasonable steps to avoid credit card fraud: Don’t use your credit card at a suspicious website. Check your statements every month for fraudulent charges. But don’t lose sleep over it, because banks aren’t. Save your digital anxiety for far more serious hacking incidents like the theft of healthcare data or a ransomware attack against your hospital. Those hacks involve far more valuable personally identifiable information, like Social Security numbers or health conditions, that you can’t simply cancel and reissue. Recovering from that kind of hack can be a lifelong ordeal, rather than a simple phone call. So, don’t sweat the small hacks.
What to do if you’ve been hit with credit card fraud:
MagnifyMoney has published a free Credit Monitoring and Identity Theft Guide. This guide can help you create a strategy to reduce the risk of identity theft happening, to identify fraud as soon as it does happen and to make it as easy as possible to resolve any fraud that does happen on your account.