It's such a shame that the companies we trust (and pay) to protect our credit records still don't seem to know how to make an honest dollar. The State of Florida recently confirmed that it is investigating Freecreditreport.com for the same reasons so many of these firms have been investigated before - misleading advertising, negative opt-in enrollment, and failure to honor cancellation requests.

And it's not the first time. Freecreditreport's parent company Experian settled a similar lawsuit with the FTC in 2005, and other companies in the same business have been accused of the same practices. One of these lawsuits was lead by the Attorney General of California and I was even a victim.

I'd heard many complaints against Experian and decided to try for myself. I signed up for a free credit report (which I don't recall ever getting in the end) and as expected was immediately enrolled in a credit monitoring service for $79 per year. Although I cancelled in the time alloted, lo and behold I was still charged the $79. After a few phone calls and a lot of effort I finally managed to get a credit a few months later.

The greatest shame is that most of these firms offer credit monitoring services as a defense against identity theft, and I believe that if used properly (and provided by an honest firm) these services can be of great benefit. I've been using a credit monitoring service for nearly three years and am more than happy to pay the $12 every month for the peace of mind.

But the behavior of these firms continues to erode consumer confidence in the credit monitoring industry, and in the services they need and want to trust. And given the enormous benefit and growing demand for good credit monitoring, you'd think these companies could make even more money if American consumers actually trusted them?

Shane posted a comment explaining that the reason McAfee's SiteAdvisor failed to detect any phishing web sites in a recent study by Carnegie Mellon University was because the free version was not intended as a phishing detector.

I think that's a fair point and worth clarifying. I was one of the early users of SiteAdvisor (long before McAfee bought it) and it worked pretty well at giving me background information on web sites I was visiting. I don't recall it claiming to detect phishing web sites but rather determing if visited sites hosted spyware or questionable links, or were poorly rated by SiteAdvisor's network of testers.

The Plus version of the product does claim to offer phishing protection and it wasn't clear from the CMU study if they tested the free or Plus version - I recall they just called it SiteAdvisor. It will be interesting to see if CMU clarifies this point or include the Plus version in future testing.

Yesterday I mentioned the limitations, both technical and user, of the growing list of toolbars and browser plug-in's designed to detect phishing web sites.

Carnegie Mellon University just released the results of tests conducted on ten of the most popular toolbars and the results are not that encouraging. In tests like these the researchers usually present the toolbars with a selection of fraudulent and legitimate web urls and see how well they do in telling the difference.

According to the research, Spoofguard performed the best at detecting fraudulent web sites but also incorrectly identified many legitimate web sites as fraudulent (known as false positives). IE7, Google, Earthlink, Netcraft and Cloudmark had very few false positives but missed around 15% of fraudulent web sites.

Four of the toolbars were unable to detect even half of the fraudulent web sites. Most surprisingly, McAfee's SiteAdvisor seemed to come out worst in the tests and was unable to identify a single fraudulent web site. Be interesting to hear what McAfee's response is.

The report also highlighted the issues of usability and human factors and concluded "Overall we found that the anti-phishing toolbars that were examined in this study left a lot to be desired."

The browser wars are heating up again, but this time the focus is phishing and the prize is the title for best at detecting phishing web sites before unwary users get hooked.

A number of studies have been published over the last few months comparing the performance of the handful of browsers that claim to be able to spot phishing web sites and alert the user that they might want to give the suspicious site a wide berth.

Both Internet Explorer and Firefox boast phishing detection, with different studies giving each the edge over the other. Earthlink also has a contender, as has McAfee (with its recently-acquired SiteAdvisor), and Netcraft.

So far the tests are pretty meaningless. Many are based on small samples (some testing as few as 50 web sites) to be of any great value and others are funded by the manufacturers - a study funded by Microsoft found IE to be superior, and another study paid for by Mozilla a few weeks later claimed Firefox as the winner. And we know from experience that the phishers are very good at figuring out the weaknesses of these defenses and rendering them obsolete..

But having used most of these phishing tools I think the biggest problem is that users won't use them. They'll ignore the warnings the browsers provide or they just won't understand how the warnings work. More likley though, after a few trys they'll simply disable the browser because they can often slow down surfing as they check each site before making a recommendation. Most users still put convenience and simplicity over security and that's a hard habit to break. No matter how clever a paid researcher claims you are.

I guess it was bound to happen. In a world where class and status have become such symbols of separation, you can now add phishing to your list of "must haves" or at least "must have done to me."

A new Gartner report finds that phishers are now showing a greater preference for the well-heeled and that individuals who earn more than $100,000 a year are likely to receive around 60% more phishing emails than the average user. They're also likley to lose an average of $4,362 per incident compared to the national average of $1,244.

And the phuture? One expert suggests the likelihood of phishing attacks so finely targeted that they will set up a single site to target just one high rolling victim at a time. With everything else going on in the world, phishers playing phavorites really phisses me off! Maybe the key to being less vulnerable to phishing, and to losing less money, is to make less money. Now there's a security solution I never thought about.