---

Kremmen wrote:

With regard to sensitive data, I had a dig round the NIS2011 interface at the weekend and I could not find anywhere to check or enter my CC partial info strings.

 

Is it a facility now gone ?

---

 

Hi Kremmen,

 

Please see the opening post that precipitated this entire discussion.

Marcus is quite correct; I am puzzled by SendOfJive’s comment;

“It does block your sensitive info, but only when you are intentionally trying to send it.  The rest of the time it is only blocking numbers that look like your sensitive info, thus preventing harmless and necessary connections from completing successfully.  Once I realized this, and that the only cache of sensitive information on my hard drive was what I had entered in the Norton program itself, I stopped using Private Information protection.  Sorry, but I really don't see the value in it”

If the Add-On-Pack (AOP) Confidential Information Blocker (CIB) requests confirmation that I want what looks like my Debit card from being collected by an item on a web page and if I say no it does not receive it then that aligns perfectly with the Cambridge Dictionary Definition, i.e.:-

“Block: verb; to prevent movement through something, or to prevent something from happening or succeeding”

And that is what I want to happen whether it ‘knows’ it is my debit card details or not. A perfect example of this is: when logging into Yahoo Mail AOP CIB often warns me of some advertisement trying to read in my name and password while logging in so I select the ‘Block (default)’ option. So I am protected this is what I need any replacement to do, which conflicts with SendOfJive’s  opinion:

 “I think the threat you mention, of something malicious finding and sending one of your private numbers out as a single, recognizable entity is just not something that is going to happen.”

I also am a little surprised that there are such fundamental changes in NIS between v17.5 & 17.7 that a new version is required, are the parameters being passed between the coding changing data parsing format or parameter name or something as surely the interfaces should be kept consistent for backwards compatibility, By the way, I am still using NIS2010, v 17.8.0.5 and AOP v 4.7.10, same as for NIS 17.7! perhaps they remembered not to change any parameter formatting this time ;-) and the third type of option blocked is ‘web’ i.e alongside the aforementioned ‘instant messaging’ and ‘email’ options.

Anyway back to the point...

Data snooping /eaves dropping (not sure of the correct terminology so please excuse mine) on Web pages, e.g. key-logging, screen capture etc. must be a significant problem as otherwise online banks would not go to the effort of supplying a commercial Privacy Protection tool like Rapport Trusteer, which I use, for use alongside Internet Security suites, surely?

So this is a definite and long term requirement for any Internet security package and Kaspersky, ESET, ZoneAlarm, and many others now offer CIB feature like AOP does now and in the package not online. Whilst I can understand that the AOP CIB feature is only relevant whilst online that does not really justify being online for technical reasons.

However, there is one reason that it can be justified and that is distribution cost e.g. beta testing as that way the testing is done on Norton servers rather than via live update distributions. This point also raises LanaK’s assertion that the AOP CIB should be discussed on the Norton Online Family (NOF) forum. Whilst that may be so, why not mirror the discussion onto the forum for us? Also, I have searched the NOF forum for ‘CIB’, ‘privacy’, ‘confidential’, ‘information’, & ‘private’ but the none of the hits are relevant. The  discussions centre around kids online, i.e. totally irrelevant to debit card protection and... oh yes, the forum states that only FOUR pieces of information are possible to store and only one that is explicitly a telephone number;

 “At present, we support only four pieces of information and you cannot enter more than one phone number or email address. However, a modification request is already raised with decision makers to allow more than one email address and phone number in future. A possible workaround with present design: If you have two phone numbers, enter the second phone number in the field "Other private information". That way both phone numbers will be protected.

Syed, SQA Specialist, OnlinfeFamily.Norton”

I protect three telephone numbers with AOP CIB and four personal and two family email addresses not to mention card details, post codes.... etc. So this is presently a useless and reduced functionality product compared to AOP... and there is the punch line folks because I found these comments on the NOF forum that seems to explain why this is so...

“Re: Rumors that NOF won't be free from next here

09-27-2010 05:31 PM

Tywin7:  Please let me introduce myself to you. I'm the Sr. Product Manager responsible for NOF. I saw your post and wanted to follow up with you about your question.

The Norton Online Family that you use today is a free service and will remain free. We currently do not have any plans to charge for the features that you're using today. In the future, we do plan on offering a for-pay version of NOF that has additional features but we will not remove or discontinue the NOF service that you have and use today. It will remain a free service.”

(yg, Symantec Employee)

There you go, if you want AOP CIB full functionality from May 2011 (when AOP support is ended) I expect we will have to pay extra for it, probably descibed in PR speak as a “optional feature”

Also note the reply to that particular NOF forum posting...

“I take it that   "we do plan on offering a for-pay version of NOF that has additional features" means that the ideas and bug testing that we original guinea pigs have discussed with your product developers we will have to pay for or do you plan on offering this to us original members free of charge by way of thanks for our input?”

Still a few teething problems with NOF methinks (check the forum, it looks like a complete shambles over there!) and is primarily about kids profiles, kids web use their mobile numbers and other issues around kids and bugs with NOF (looks bad, by the way) but nothing relevant  to adult privacy issues, e.g. debit cards. LanaK...show me where on the NOF forum pages it tells you how to enter debit card details, email pass words, post codes, house number & street name, bank account numbers, mobile & landline, fax number, email password, etc... (ALL not four) into the personal information of someone who is not a child.

Finally, since you have insisted on having our private information on your servers...how are you ensuring that our data is kept and protected e.g. with reference to “Data Protection Act 1998 (DPA)” and the associated European act “Privacy and Electronic Communications (EC Directive) Regulations 2003” because many people should be concerned as if the servers are in the US the data protection legislation is industry specific, e.g. Children online (COPPA) health (HIPAA) and financial (FACTA) but there is no overiding requirement that would cover this issue like the“Data Protection Act 1998 (DPA)” etc... . What about destruction of the data (including backups) when a customer stops using NOF?

Hi BigRon,

 

You said:

when logging into Yahoo Mail AOP CIB often warns me of some advertisement trying to read in my name and password while logging in so I select the ‘Block (default)’ option. So I am protected this is what I need any replacement to do, which conflicts with SendOfJive’s  opinion:

 

I am not quite understanding what you mean by an advertisement trying to read your name and password.  Could you explain more precisely what is going on?  In order to log into Yahoo Mail you have to send your credentials.  If you have a cookie that remembers them and sends them automatically, this is normal and necessary.  It should not be blocked.  What happens when you block the data?

 

Also, you state:

key-logging, screen capture etc. must be a significant problem as otherwise online banks would not go to the effort of supplying a commercial Privacy Protection tool like Rapport Trusteer,

 

Again, bear in mind that logging into your bank site is another time that you want to, and must send your credentials online in order to access your account.  In both of these cases, Norton would be warning you about something that you are doing intentionally.   The only time your private data leaves your computer is when you manually or automaticially enter it into a proper online form.  Numbers identical to your private data don't matter.  There is absolutely no security risk if you enter the URL of this post into your address bar and the post number matches your debit card number.  No one will ever associate the two.

Hi BigRon,

 

Not to digress from the topic at hand, but if I may, I would like to suggest that using a debit card online is far less safe than using a credit card.  A debit card actually transfers real money out of your account.  So if a bad guy gets ahold of that card's credentials your account can be cleaned out, and the money will remain gone until your bank agrees to restore your losses, which it has no obligation to do.  A credit card, on the other hand, limits your liability to $50, which most banks waive anyway, and does not actually transfer any of your money to someone else's account.  So even if you are defrauded, you still have all your money while the charges are being contested and you will not be liable for more than $50, at worst.  Also, some credit cards allow you to generate a one-time-use number with a capped dollar amount through your bank site, so you never have to post your real card number anywhere online.  I would urge you to always use a credit card rather than a debit card, if at all possible.

 

And now back to our regular topic, already in progress....

I note that the Confidential Information Blocking feature is all around "The Child". I think those of us who used this feature want to block the PC from allowing this information out without permission. Is that available ?

Man, I see you all have been busy on this subject somethin' major.  BigRon, it's not that some advertisement is attempting to "steal" your data- well at least not while signing into your client/e-mail provider. It's just that during the sign-in process, Yahoo! is attempting to verify the info being submitted. There's 1 of two things that you could do to rid yourself of those flags, hence easing your mind:

 

1) Simply uncheck the e-mail opt. We're given the 3 opts. from which to protect data- web, e-mail, or/and instant msging.  or 2) Make it an exception for Yahoo!.

 

I, myself, prefer the latter.  That way I could choose the "allow always" opt. then when done, I just go back and delete the exception I made. (But there's nothing wrong with leaving an exception for what ever client that you use regularly.)

 

And, yet again, SendOfJive is correct. If you're with a reputable bank, you're covered. And "yes" it's better to use a credit card for on-line purchases. Most banks now allows you to have a checkings card. This doubles as a debit(for ATM withdrawals w a pin) and a credit card. So if you're just using a debit card, you should really inquire of the checkings card. Here back when Katrina hit, my banck promptly flagged my account and put back any money/charges made that weren't legit- all without me knowing. I only found out when I personally tried to use the card as a cc. Though I was still able to use it as a debit card w/pin, I couldn't use it on-line as a debit card. And on top of it all, they were aware of my purchasing habits via the history of drafts I've made since I became a member.

Also most banks generally have security encrypted links ending with ".asp". This is related to some level url security. This isn't just limited to banks, either. 9 out of 10 encrypted sites host, at least, this type of security. So BigRon, don't worry yourself sick about those flags. You seem to have the same fears I used to have with the the 3   flags I'd get. But during my use of the AOP, reading various articles in mags like Maximum, PC World, CNet.com, PC Tools, etc. etc....and people, like SendOfJive, I've come to understand the general ins-and-outs the AOP along CIB app types.

And lastly, to answer the question submitted by Kremmen, "yes"; but CIB discussed here only applicable NIS v'10. You can also scan through earlier postings in this discussion.(Or just ask away.)

Yvonne,

 

I think you may have mis-understood the original question.

 

Some of us (myself included) used the add-on pack to protect web-pages sending personal information (e.g. e-mail addresses) WITHOUT OUR SPECIFIC CONSENT on a PAGE-BY-PAGE BASIS.

 

You must know this.

 

You will also know that the mechanism was via a pop-up which allowed us to decide there & then whether we wanted the info to be transmitted.

 

Instead, the 'Norton Online Family' controls becomes a complete DOG' S BREAKFAST, from what I can see - you can only set it up to 100% block specified info being transmitted - no flexibility whatsoever - either permanently on or off - until you go into the gubbins of the abomination and re-set it!

 

HOW ON EARTH ARE WE EXPECTED TO DO ANYTHING LIKE THAT ON A PAGE-BY-PAGE BASIS ??

 

IF THIS FEATURE IS NOT RE-INTRODUCED, I WILL LOOK ELSEWHERE TO FIND OTHER PACKAGES WHICH TAKE PROTECTING OUR PERSONAL INFORMATION - FLEXIBLY - MORE SERIOUSLY !!

 

sincerely.

Big ups to Anfortas!! Through it all I failed to point out that "page-by-page" scenario. Anfortas' comment further magnifies the points that're being made and debated here through out this discussion. His point further extends the advantages of CIB as apposed to the "ins & outs" of  NOF. Mad props again to Anfortas for bringing yet another valuable point to this discussion.

Hi Anfortas and Marcus,

 

I am truly puzzled.  Under what circumstances would your email address end up on a web page without your consent?  It seems to me that you would either have to have entered the information manually or previously set up an automatic fill-in - in which case, why would you want to block it?  Can you please give an example where a bit of actual private information (not a number coincidentally matching the information) was put online in a situation that would indicate a compromise of your personal data?  Maybe I'm missing something but the only alerts I ever got when I had not actually intentionally entered a private number, were for identical, but totally unrelated numbers having nothing to do with the information I was trying to protect.