Couple’s Online Bank Account Hacked Leads to Identity Theft

Robert Siciliano Identity Theft Expert

In 2007, a U.S. couple fell victim to identity theft when a criminal accessed their online bank account and stole $26,500 from a home equity credit line. The money was transferred to an Austrian bank that refused to return the funds to Citizens Financial Bank. So Citizens Financial informed the couple that they were liable for the loss. When the couple refused to pay, the bank notified the credit bureaus that their account was delinquent and threatened to foreclose on their home. So the couple sued the bank, claiming violations of the Electronic Funds Transfer Act and the Fair Credit Reporting Act, as well as accusing the bank of negligence.

Who should be held responsible? Well, the jury’s out. Literally.

Did the couple accidentally give their data to a phisher? Were they dumb, or was it just bad luck? Was their Internet security software up to date? Does that matter? Should the bank activate their zero liability policies and simply chalk it up to a loss? I’m a big believer in personal responsibility. However, if the bank offered a system that can be easily defeated then maybe they should take some responsibility.

White hat hackers are struggling to stay one step ahead of the criminals. There are more ways to compromise data today than ever before. Viruses quadrupled in one year, from just over 15,000 in 2007 to nearly 60,000 in 2008. Black hat hackers are out in full force.

In 2000, the white hats were supposedly about a year ahead of the black hats in technology, meaning that it should take about a year for the black hats to hack the white hats. Other research shows that by 2004, the black hats were about two weeks behind the white hats. And now here we are in 2009. In many cases, the black hats are years ahead of the white hats. The good guys are losing.

Many new viruses may already be on your hard drive, dormant, waiting for a signal to activate. They may be Trojans, waiting to strike when you log on to your online bank account.

We tend to have numerous viruses in our own bodies, which take control once our immune system is weak, or when they come into contact with one another. Similarly, your PC may have viruses lurking within. It’s easy for a PC to catch a virus when we simply visit a website, click on a link or download a program that we believe to be safe.

The technology of the criminal hacker has evolved, and is continuing to evolve faster than that of the white hats. This means you have to be on your game. Stay informed, and don’t let your guard down.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius Identity Theft Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

3. Make sure your McAfee anti-virus is up to date and set to run automatically.

4. Update your web browser to the latest version. An out of date web browser is often riddled with holes worms can crawl through.

5. Check your bank statements often, online, at least once a week.

Robert Siciliano Identity Theft Speaker discussing online banking insecurity

Cybersquatting Leads to Identity Theft

Robert Siciliano Identity Theft Expert

Ever click on a link in an email or while browsing online, and something just wasn’t right? The domain name in the address bar was off by a letter or two? Or a word was misspelled? Maybe there was a number tossed in for good measure? This is either cybersquatting or typosquatting, and it’s a problem.

Cybersquatting is the act of procuring someone else’s trademarked brand name online, either as a dot com or any other U.S.-based extension. Cybersquatters squat for many reasons: for fun, in the hope of reselling the domain, to advertise competitors’ wares, or for stalking, harassment or outright fraud. Social media identity theft, or grabbing someone else’s given name on social networks, is another form of cybersquatting or, when it occurs on Twitter, Twitter squatting.

In particularly malicious cases of cybersquatting, identity thieves will use a domain similar to that of a bank in order to create a spoofed website for phishing. If the domain isn’t available, typosquatting is the next best option. After Annualcreditreport.com launched, more than 200 similar domains were quickly snapped up.
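A defender-side sketch of the look-alike checks described above (one letter off, a swapped pair, a digit standing in for a letter, the same name under another extension), added here as an example and not part of the original post. The sample hostnames are constructed, and the function names and the "last two labels" shortcut are assumptions.

```python
# Added example: classify hostnames seen in links against a protected list.
# Assumption: the registrable domain is the last two labels. Production code
# should use the Public Suffix List ("co.uk"-style suffixes break this).

LOOKALIKE_DIGITS = str.maketrans("01345", "oleas")  # 0->o 1->l 3->e 4->a 5->s


def split_domain(host):
    """Return (name, tld) taken from the last two labels of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def osa_distance(a, b):
    """Edit distance in which swapping two adjacent letters costs 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(host, protected, max_edits=2):
    """Return (verdict, matched_brand) for one hostname."""
    name, tld = split_domain(host)
    brands = [(b, *split_domain(b)) for b in protected]
    for brand, b_name, b_tld in brands:  # exact matches win over look-alikes
        if (name, tld) == (b_name, b_tld):
            return "exact", brand
    for brand, b_name, b_tld in brands:
        if name == b_name:
            return "same-name-other-tld", brand
        if name.translate(LOOKALIKE_DIGITS) == b_name.translate(LOOKALIKE_DIGITS):
            return "digit-substitution", brand
        # Note: for very short brand names, lower max_edits to limit noise.
        if osa_distance(name, b_name) <= max_edits:
            return "typo", brand
    return "unrelated", None


PROTECTED = ["annualcreditreport.com"]
SAMPLES = [  # constructed hostnames, for illustration only
    "www.annualcreditreport.com", "anualcreditreport.com",
    "annualcreditreprot.com", "annua1creditreport.com",
    "annualcreditreport.net", "example.org",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h:32} {classify(h, PROTECTED)}")
```

Anything other than "exact" or "unrelated" is a candidate for blocking at the mail gateway or for a takedown review.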

This is just one more reason to actively protect yourself from identity theft.

This week, Computerworld discussed the havoc that cybersquatting can wreak on a brand’s reputation. Sometimes, criminals copy a brand’s entire website in order to collect usernames and passwords from unwitting visitors. Then, the hackers will test those names and passwords on other websites. Cybersquatting increased by 18% last year, with a documented 440,584 cybersquatting sites in the fourth quarter alone, according to MarkMonitor’s annual Brandjacking Index report.

Intellectual property owners can sue cybersquatters under the federal Anticybersquatting Consumer Protection Act, but it’s expensive and damages are limited to $100,000. They can try to shut down sites containing copyrighted content under provisions of the Digital Millennium Copyright Act, and in some cases, they might be able to pursue violators for trademark abuse under provisions of the Lanham (Trademark) Act.

I’ve written before about the time I was accused of cybersquatting. I wasn’t, I swear! It was the early 90’s, and I had an IBM PS1 Consultant 3.1 Microsoft operating system and a rockin’ 150 MB hard drive. I bought myself some domains. I sold some, others I regrettably gave up. And there was one that will haunt me ’till the day I die.

I owned LEDZEPPELIN.com for about 5-6 years. Led Zeppelin was and is my band, and as a fan, I bought the domain as a keepsake. I would get emails from people all over the world, saying things like, “I am Paulo from Brazil, I love the Led Zep!”

Then, when Clinton passed a law later making cybersquatting illegal, I knew it was only a matter of time. I had it for five years before anyone from the band’s team of lawyers approached me about it. And when they did, I didn’t know how to handle it. And my lawyer at the time, even less so. Ultimately, I gave it up without a fight, but I’m sure the band’s lawyers billed them for the one inch thick book of a lawsuit I was served with. Sorry, dudes. My bad.

In this case, the lawyers saw an opportunity to build a case against me, a fan who would have been happy with a stupid guitar pick from Jimmy. Instead I sat in silence for a year while they built a huge case as to why they should own the domain. When served, I freaked out and called them, yelling that they could take it, that I never wanted that.

One of few regrets. But I have a nice one inch thick souvenir all about me and the band and why I’m an idiot.

Anyway, with cybersquatting on the rise, it makes sense to claim your name, your brand name, and your kids’ names on social networking sites and domain names as soon as possible. Just in case you get famous, you don’t want to have to fight a twit like me.

Protect your identity too.

  1. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano Identity Theft Speaker discussing stolen domain names on Fox News

Preventing Card-Skimming Identity Theft

Identity Theft Expert Robert Siciliano

Skimming is one of the financial industry’s fastest-growing crimes, according to the U.S. Secret Service. The worldwide ATM Industry Association reports over $1 billion in annual global losses from credit card fraud and electronic crime associated with ATMs.

Skimming can occur in a few different ways. The most common is when a store clerk takes your card and runs it through a device that copies the information from the magnetic strip. Once the thief has the credit or debit card data, he or she can place orders over the phone or online. Thieves can also copy the data on blank cards, or “white” cards. White cards are effective at self checkouts, or when the thief knows the clerk and is able to “sweetheart” the transaction. A white card can also be pressed with foils to look like a legitimate credit card, as seen in this video.

The PCI Security Standards Council provides guidelines designed to help merchants securely store and transmit card account data and prevent it from falling into the hands of criminals. Retailers who fail to comply with PCI’s standards can be fined up to $500,000 by credit card providers such as Visa and MasterCard. PCI recently released a series of recommendations for the prevention of skimming scams. “Skimming is becoming a widespread problem. These are guidelines for what retailers should be looking at with their reader devices”, says Bob Russo, general manager of the PCI SSC. “We discuss different techniques for protecting those point-of-sale devices.”

The PCI Council’s “Skimming Prevention: Best Practices for Merchants” guidelines include a risk assessment questionnaire and self-evaluation forms to gauge susceptibility to these types of attacks and to determine where they need to shore up their defenses. The guidelines cover how to educate and protect employees who handle the point of sale devices from being targeted, as well as ways to prevent and deter compromise of those devices. They also detail how to identify a rigged reader and what to do about it, and how physical location of the devices and stores can raise risk.

Thieves can completely replace a merchant’s point of sale terminal with a device that is rigged to record or divert card data wirelessly, or simply store the data until the criminal comes back and removes it. (This is what happened to Stop and Shop.)

Criminals can also place a device on the face of an ATM, which appears to be a part of the machine. It’s almost impossible for civilians to know the difference unless they have an eye for security, or the skimmer is of poor quality. Often, the thieves will hide a small pinhole camera in a brochure holder near the ATM, in order to capture the victim’s PIN. Gas pumps are equally vulnerable to this type of scam.

A customer at a New York City bank discovered a skimming device on the face of an ATM, and went inside the bank to inform the branch manager. The manager, who had never seen an ATM skimmer and wasn’t sure what to do, took the skimmer and thanked him. The customer then remembered, from numerous reports about ATM skimming, that there is usually a second part to the ATM skimmer, the camera. In this case, he found it behind a small mirror that alerts the ATM user to beware of “shoulder surfers.” He brought the camera to the bank manager, who replied by saying, “Maybe we should shut that machine down, huh?” The bank manager contacted bank security, shut down the machine, and alerted other area banks.

To help combat this type of crime, ADT unveiled the ADT Anti-Skim ATM Security Solution, which helps prevent skimming attempts and detects skimming devices on all major ATM makes and models. ADT’s anti-skim solution is installed inside an ATM near the card reader, making it invisible from the outside. The solution detects the presence of foreign devices placed over or near an ATM card entry slot, without disrupting the customer transaction or operation of most ATMs. It can trigger a silent alarm for command center response and coordinate video surveillance of all skimming activities. Also, the technology helps prevent card-skimming attempts by interrupting the operation of an illegal card reader. This technology does not require any software adjustments be made to the ATM itself, and does not connect to or affect the ATM communications network. Prior to its North American introduction, the ADT Anti-Skim ATM Security Solution was successfully field tested on dozens of ATMs of four major U.S. financial institutions in controlled pilot programs. Testing pilots yielded positive results, with no known skimming compromises occurring.

You can protect yourself from these types of scams by paying attention to your statements and refuting any unauthorized transactions within 60 days. When using an ATM, pay close attention to details, and look for anything that seems out of place. If your card gets stuck in the machine or you notice anything odd about the appearance of the machine, such as wires, double sided tape, error messages, a missing security camera, or if the machine seems unusually old and run down, don’t use it. Don’t use just any ATM. Instead, look for ATMs in more secure locations. Use strong PINs, with both upper and lowercase letters, as well as numbers. And invest in Intelius identity theft protection. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano, identity theft expert, discusses ATM skimming on Fox News.

Credit/Debit Card Identity Theft Concerns Trump Terrorism

Robert Siciliano Identity Theft Expert

A recent Unisys study found that, in the midst of the global financial crisis, Americans’ primary fear is credit and debit card fraud. 68% of those surveyed are extremely or very concerned about the security of their credit or debit card data, and 66% are extremely or very concerned about identity theft.

Compare that to 58% who are extremely or very concerned about terrorism and war, and 41% who fear the possibility of a serious health epidemic. If we actually had a pandemic, I’m sure the public would favor health concerns over money. But so be it.

Credit card fraud comes in two different flavors: account takeover and new account fraud. Account takeover occurs when an identity thief gains access to your credit or debit card number through criminal hacking, dumpster diving, ATM skimming, or perhaps when you hand it over to pay at a store or restaurant. Technically, account takeover is the most prevalent form of identity theft, though I’ve always viewed it as simple credit card fraud.

Federal laws limit cardholder liability to $50 in the case of credit card fraud, as long as the cardholder disputes the charge within 60 days. Debit card fraud victims must notify the bank within two days in order to be protected by this $50 limit. After that, the maximum liability jumps to $500. And if a victim doesn’t discover or report the fraud until after 60 days have passed, the liability could be the entire card balance, for a debit or credit card. Once your debit card is compromised, you might not find out until a check bounces or the card is declined. And once you do recover the funds, the thief can just start all over again, unless you cancel the account altogether.

1. Protecting yourself from account takeover is relatively easy. Simply pay attention to your statements every month and refute unauthorized charges immediately. I check my charges online once every two weeks. If I’m traveling extensively, especially out of the country, I let the credit card company know ahead of time, so they won’t shut down my card while I’m on the road.

2. Protecting yourself from new account fraud requires more effort. You can attempt to protect your own identity, by getting yourself a credit freeze, or setting up your own fraud alerts. There are pros and cons to each.

3. Invest in Intelius Identity Protect. Because when all else fails you’ll have someone watching your back.

Includes:

· Triple Bureau Credit monitoring – monitors changes in your credit profiles from Equifax, Experian and TransUnion; includes email alerts of any suspicious changes
· Social Security Number and Public Record Monitoring – monitors the internet and public sources for fraudulent social security number, aliases, addresses, and phone numbers
· Junk Mail Reduction – stop identity thieves from using personal information from your mailbox, trash or even phone calls by eliminating junk mail, credit card offers and telemarketing calls
· Neighborhood Watch – includes a sex offender report, list of neighbors and a neighbor report on each of your neighbors
· Identity Theft Specialists – in the unlikely event you become a victim of identity theft, our Identity Theft experts will work with you to restore your identity and good name
· Credit Report Dispute – if you find errors on your credit report we will help you resolve them quickly
· Protection Insurance and Specialists – Identity Protect has you covered with up to $25,000 in Identity Theft Recovery Insurance and access to Personal Identity Theft Resolution Specialists.

Robert Siciliano Identity Theft Speaker discussing credit card and debit card fraud on CNBC

Another Identity Theft Ring Busted

Identity Theft Expert Robert Siciliano

The feds are getting better at busting criminals every day. Seventeen criminals, many from Eastern Europe, pilfered more than 95,000 credit card numbers and ran up $4 million worth of fraudulent transactions.

The New York Times reports the men were involved in a vast conspiracy known as the Western Express Cybercrime Group, which trafficked in stolen credit card information through the Internet and used it to create forged credit cards and to sell goods on eBay. They used digital currencies like e-gold and Webmoney to launder their proceeds.

Several of the scammers (Viatcheslav Vasilyev, Vladimir Kramarenko, Egor Shevelev, Dzimitry Burak and Oleg Kovelin) were charged with corruption. Vasilyev, 33, and Kramarenko, 31, were arrested at their homes in Prague and have been extradited to Manhattan. Shevelev, 23, was arrested in Greece last year and is still awaiting extradition. Burak, 26, a citizen of Belarus, and Kovelin, 28, a citizen of Moldova, have not been arrested.

Vasilyev and Kramarenko recruited work from home employees to advertise and sell electronics on eBay. When someone would purchase an item, the two men would pocket the buyer’s payment, give a cut to their recruit, then use a stolen credit card number to purchase the item from a retail store and send it to the buyer. In essence, they used eBay to obtain a legitimate buyer’s credit card number through a legitimate channel and didn’t actually “hack” anything. They simply set up pseudo-fake auctions that, in most cases, delivered the product, but also obtained the victim’s credit card number and then made fraudulent charges.

Burak and Shevelev were “carders” who sold stolen credit card information on a website called Dumpsmarket and, probably, in chat rooms. “Dumps” is a criminal term for stolen credit cards and “carders” are the scammers who buy and sell them. Kovelin was a criminal hacker who stole victims’ financial information via phishing emails and more than likely used the victims’ own account information against them.

Protect yourself:

  1. Check your credit card statements often, especially after using an online auction site. Refute unauthorized charges within 60 days to be made whole by the issuing bank.
  2. Don’t just buy the lowest priced product on an auction site. Use auction sellers who have been approved by many and have a solid track record.
  3. Anytime you receive an email asking for personal information, credit information, banking, etc., do not enter it. Just hit delete. Often victims will receive an email from a trusted source like eBay directly to their account because they have been actively engaging the fraudulent auctioneer. eBay’s system doesn’t recommend giving your credit card information outside their network in an email.
  4. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  5. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.

Identity Theft Speaker Robert Siciliano discusses a study done by McAfee on mules bilked in work-at-home scams on Fox News