Protect Your Identity While Donating to Haiti

Robert Siciliano Identity Theft Expert

The Haiti tragedy has people all over the world scrambling to donate money to help in the relief effort. It is no surprise that scammers have ramped up and are sending “phish” emails designed to divert your money to their own nefarious cause: themselves. Right now there are 24-hour news reports focusing on the tragedy, and people are understandably getting sucked into the drama of the events. This is a prime time to reach out to those same people who are enmeshed in the reports and get them to donate to fake organizations. The following tips will help prevent you from getting scammed and get your donation into the right hands.

Do not donate cash: Anyone asking to come to your home or office and pick up cash is a scammer. Any phone call or email requesting cash or a wire transfer is a scam.

Be suspicious of all emails requesting donations: I would never click on a link in an email, especially short URLs. Always manually enter the domain name into the address bar. The best thing is to go directly to the organization’s website.

Check with the Better Business Bureau: The first thing you should always do prior to making a donation to any charity is to check its credibility with the BBB. Go online to http://www.bbb.org/us/Charity-Reviews/ and search for the charity.

Give only to charities, not individuals: Any communication from someone requesting money because of their hardship is an obvious scam. But some people are saps for an emotional sob story. While you may be savvy enough not to fall for these scams, someone in your life who may be naïve could.

Give now and consider giving to the Red Cross: The American Red Cross is the most known and credible organization on the planet for helping out those in despair. Give now and give as much as you can.

Robert Siciliano is a personal security and identity theft expert for Home Security Source discussing phishing emails on CBS Boston. (Disclosures)

Google Gets Hacked & What It Means to You

Robert Siciliano Identity Theft Expert

Google disclosed that it had been breached by Chinese hackers, who were apparently targeting Chinese dissidents:

“The cyber-assault came to light on Tuesday when Google disclosed to the public that the Gmail Web service was targeted in a highly-organized attack in late December. Google said that the intrusion attempt originated from China and was executed with the goal of obtaining information about political dissidents, but the company declined to speculate about the identity of the perpetrator.”

McAfee found evidence that the attack exploited a vulnerability in Internet Explorer. Google Enterprise president Dave Girouard blogged to inform Google Apps clients that their data was safe: “This incident was particularly notable for its high degree of sophistication. This attack may understandably raise some questions.” Girouard stated, “We believe our customer cloud-based data remains secure.”

The most successful techniques of Chinese hackers involve phishing and social engineering. These hackers determine their targets, then send a “spear phish,” or targeted email, to a specific employee, in which they pose as a coworker or a vendor. Once the target clicks a link, remote-control or other malicious software is automatically downloaded. On a broader scale, hackers may send a blast to everyone in the company and ultimately hook a few employees, giving them access to company accounts.

The recent Google attack indicates that criminal hackers with financial incentives aren’t necessarily the only ones attempting to penetrate your networks. There is a strong possibility that hacking is being sponsored by foreign governments with a much bigger agenda.

  1. Never click on links in the body of an email. NEVER!
  2. Always be suspicious of any external or internal communication. You could be the target of a phish.
  3. Before you divulge usernames and passwords to anyone in response to an email, pick up the phone to verify the need.
  4. Make sure your PC is fully and automatically updated with its critical security patches.
  5. Anti-virus must run automatically and be kept fully up to date.
  6. It’s not enough to just run anti-virus. Run a program that immunizes your PC against keyloggers.
  7. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  8. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing being an imposter and social engineering invasions on the Montel Williams Show

Why Am I Logged Into Someone Else’s FriendFeed?

Robert Siciliano Identity Theft Expert

I have pretty tight controls over my network and access to my 510 username-and-password accounts. Yes, he just said “510”…and counting. I have full administrative rights over every PC, and nobody else has access to my home or office. So it came as a surprise to me when I went to log into my FriendFeed account to make an adjustment and discovered I was logged into someone else’s account. Seriously, no joke, I’m not stupid. I have FULL access.

The account is owned by a Canadian who sells diet pills and skin care. There are three feeds coming into the account, all being sent from Ping.fm. I am able to access the full dashboard and change the picture and the associated email, and add or delete feeds. The dashboard provided me with the existing email address of its owner, and of course I emailed him to let him know of my access. But of course he hasn’t responded. I’m probably in a spam folder.

My first thoughts were that I have spyware and someone is able to remotely access my machine and use it as their own. I did a full system scan and there is nothing on my machine. There is no other strange activity going on so I’ve narrowed the issue down to this one account.

Meanwhile, ABCNews.com reports that a Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers’ accounts with full access to troves of private information.

The glitch — the result of a routing problem at the family’s wireless carrier, AT&T — revealed a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users.

In each case, the Internet lost track of who was who, putting the women into the wrong accounts. It doesn’t appear the users could have done anything to stop it. The problem adds a dimension to researchers’ warnings that there are many ways online information — from mundane data to dark secrets — can go awry.

Several security experts said they had not heard of a case like this, in which the wrong person was shown a Web page whose user name and password had been entered by someone else. It’s not clear whether such episodes are rare or simply not reported. But experts said such flaws could occur on e-mail services, for instance, and that something similar could happen on a PC, not just a phone.

If this is what’s happening to me then it can happen to anyone. There is a logical explanation for this, and I don’t have it. If someone does, please chime in.

As if there weren’t enough security issues already, we now have to deal with hiccups on the internet that log us into someone else’s account because of switching errors. At least if it was a virus we could point a finger at someone. But now, based on what’s happening here, we can only point the finger at the “Internet” as the culprit. This is freaking me out.

All the more reason to protect your identity.

  1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  2. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.
  3. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano identity theft speaker discusses lack of security in online banking on CBS Boston

Secure Your Social Media

Robert Siciliano Identity Theft Expert

In a shocking instance of high tech harassment, a hacker took over a woman’s Facebook account while she was on a camping trip, with no Internet and no cell phone service. The hacker impersonated this woman, but instead of attempting to scam her family and friends out of cash, he used her Facebook profile to post suicidal messages, including, “My only friend is the handgun in the back of my closet,” and, “I don’t want a funeral or memorial, I want it to be like I never existed.” After two and a half hours of Facebook drama, the victim happened to regain cell phone reception and discovered twenty voicemail messages begging her not to do “anything drastic.” By the time her son was able to get in touch with her, there were police gathered outside her home, preparing to break down the door. This is a nightmare that can happen to anyone.

  1. Strengthen your passwords; use upper/lower case, numbers and special characters. Don’t use easily guessed dictionary words, pets’ names, kids’ birthdates, etc.
  2. Don’t access social media from libraries, internet cafes or any public computers that could have spyware.
  3. Make sure your own PC has updated virus definitions and security patches. Be careful with all the third-party apps in social media. Many are risky.
  4. Don’t click on links in emails from “friends” asking you to download a video or see pictures. This is becoming a common ruse in social media.
  5. Monitor who has access to your PC in your own home. Babysitters, friends of your children and various contractors in your home can access your information. I have a security camera in my home office that monitors everything 24/7/365.

Robert Siciliano personal security expert discussing social media identity theft on CNN

Robert Siciliano is a personal security and identity theft expert for Home Security Source. (Disclosures)

Be Careful about False Alarms At Home

Robert Siciliano Identity Theft Expert

We are all familiar with the boy who cried wolf. The protagonist of the fable is a bored shepherd boy who entertained himself by calling out “Wolf!” Nearby villagers who came to his rescue found that the alarms were false and that they had wasted their time. When the boy was actually confronted by a wolf, the villagers did not believe his cries for help and the wolf ate the flock (and in some versions the boy).

Many, if not all, of us are guilty of setting off our alarms accidentally. Sometimes we open a door or window that sets it off; other times we mess up the secret code. The result of this mishap is usually a very loud siren and the attention of your neighbors. If you don’t call to cancel in time, it results in law enforcement showing up.

To give you an idea of how pervasive the problem is, in New Haven, Connecticut, 10,000 to 12,000 burglar alarms go off every year. Of those alarms, 96% are false. In many counties, towns, cities and states there are laws and ordinances that impose a fine for false alarms.

Not only does a false alarm cause the “boy who cried wolf” effect, it also saps law enforcement resources.

I am just as guilty as anyone of a false alarm. But I’ve never had law enforcement show up at my home as a result.

1. Have your service provider set up your alarm system to call your mobile phone first, then your home phone second. If you don’t answer the phone then they will call the police.

2. Program your mobile phone with your alarm service provider’s number and call them the second you falsely set off your alarm. Memorize your PIN so you aren’t fumbling for it.

3. Don’t carry your PIN in your wallet. If your wallet is lost or stolen, your address and alarm PIN are in the hands of a stranger.

4. Whenever you are setting up any access for anyone to enter your home while you are gone, your risks for false alarms go up dramatically. Provide specific hands on instruction on how to disable and reset the alarm. Telling someone over the phone how to do it is often insufficient.

Robert Siciliano personal security expert discussing home security on TBS Movie and a Makeover

Robert Siciliano is a personal security and identity theft expert for Home Security Source. (Disclosures)

Protect Yourself from Social Engineering

Robert Siciliano Identity Theft Expert

Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. But in many cases the attacker certainly does come in contact with the victim.

You may be doing all you can and should to protect yourself from hackers and scammers. But a response to a simple email that looks exactly like your expected monthly bank e-statement can completely drain your bank account. On its face there is no way to tell if the communication is real or fake. While hovering over the link may provide a clue, there’s really no reliable way to differentiate all the 1’s and zeros in a typosquatted domain.

It amazes me that my bank and credit card company still put links in monthly e-statements.
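The two tips above, “manually enter the domain name into the address bar” and “hovering over the link may provide a clue,” can be turned into an automatic check. The following is an added example, not code from the original post: it parses the anchors in an HTML e-mail, compares the visible link text with the real href target, and flags hostnames that fold to a trusted domain once look-alike digits (1 for l, 0 for o, and so on) are mapped back to letters. The trusted domain `bank-example.com`, the `evil-test.net` and `short.example` hosts, and the sample e-statement notice are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Characters routinely swapped for look-alike letters in a typosquatted
# hostname; each is folded back to the letter it imitates.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})

# Domains the recipient actually does business with (constructed example value).
TRUSTED = {"bank-example.com"}

# Something that looks like a hostname inside visible link text.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def fold(host):
    """Lower-case a hostname and map confusable characters to the letters they imitate."""
    return host.lower().translate(CONFUSABLES)


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    A real deployment would consult the Public Suffix List (co.uk etc.)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    """Hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def domains_in(text):
    """Registrable domains that appear in the visible link text."""
    return {registrable(m) for m in DOMAIN_RE.findall(text)}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify_link(href, text, trusted=TRUSTED):
    """Return 'ok', 'lookalike', 'mismatch' or 'untrusted' for one link."""
    target = registrable(host_of(href))
    if target in trusted:
        return "ok"
    # bank-examp1e.com folds to bank-example.com: a digit-for-letter squat.
    if any(fold(target) == fold(d) for d in trusted):
        return "lookalike"
    # The visible text shows one domain while the href goes somewhere else.
    shown = domains_in(text)
    if shown and target not in shown:
        return "mismatch"
    # The trusted name is used as a subdomain or path of a foreign host.
    if any(fold(d) in fold(href) for d in trusted):
        return "mismatch"
    return "untrusted"


def audit_email(html_body, trusted=TRUSTED):
    """Classify every link in an HTML e-mail body; returns (href, text, verdict) triples."""
    collector = AnchorCollector()
    collector.feed(html_body)
    return [(href, text, classify_link(href, text, trusted)) for href, text in collector.links]


# Constructed sample e-statement notice; every domain in it is made up.
SAMPLE_EMAIL = """
<p>Your monthly statement is ready.</p>
<a href="https://www.bank-example.com/statements">View statement</a>
<a href="https://www.bank-examp1e.com/login">bank-example.com</a>
<a href="http://bank-example.com.evil-test.net/login">Log in now</a>
<a href="https://short.example/abc">https://www.bank-example.com/secure</a>
"""

if __name__ == "__main__":
    for href, text, verdict in audit_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {text!r:45} -> {href}")
```

Only the first link is rated “ok”; the other three are exactly the cases the paragraph describes: a one-character squat, a trusted name buried in a foreign hostname, and visible text that does not match the real target. The registrable-domain helper is deliberately crude (last two labels), which is why production filters lean on the Public Suffix List instead.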

Social engineering has always been a “person to person” confidence crime. Once the conman gains the mark’s trust, the victim begins to “throw up” all kinds of information or begins to fork over cash and credit. Trust seems to be an inherent trait we all have from birth. I would suppose we need to trust in order to survive as an interdependent communal species; otherwise fear of others and not trusting would prevent us from relying on others to nurture us until we are tossed out of the nest.

The conman knows this and the heartless bastard takes full advantage of our trusting nature. Heck, I pulled it off on two women by saying I was from the water company and walked right into their homes.

In the IT world social engineering is a huge problem because the conman doesn’t just access one bank account as in a one-on-one scam; he accesses thousands by scamming one IT admin or the secretary.

There is a tremendous amount of redundant security in place today that is often completely bypassed because of a simple lie and one naïve gullible person. The path of least resistance isn’t through an unpatched network, or an unsecured wireless connection, it’s via the phone, email, snail mail, social media or in person with a wink and a smile.

Check out this very comprehensive article by Computerworld and these two recent posts here and here.

  1. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief. Invest in a social media identity theft protection tool such as Knowem.com.
  2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing being an imposter and home invasions on the Montel Williams Show

Homeowner’s Screams Scare Burglar from Home

Robert Siciliano Identity Theft Expert

What’s the point of having a home alarm system? An alarm system screams when you can’t or when you aren’t there. Noise has been proven to be an effective deterrent. From birth we are taken by surprise by loud noises. Sirens, screams and big bangs startle us and make us hyper-aware of our circumstances.

When someone or something is up to no good, a loud noise often scares them away; that is exactly what it is designed to do. We scream naturally. Screaming is something we do right out of our momma at birth. Screaming brings oxygen to the body, which facilitates alertness.

In Norwalk Connecticut a would-be crook was scared off by a female homeowner’s screams after she spotted the strange man in her home, police said.

Police said the complainant heard a noise and initially thought it was her husband entering their house. She went to investigate and saw a strange man walking down her hallway.

When she screamed, he ran out of the house and got into a car.

In most cases something like this can be prevented simply by locking your doors and windows. And by adding an extra layer of protection such as a home alarm system that has a very loud siren and also calls the police, you significantly reduce your chances of a bad guy breaking in to your home.

If burglars do get in, screaming is always a good thing. Scream loud and with intent. I further recommend running out of the house while you are screaming. If you end up trapped in your home with a bad guy that doesn’t want to leave, it can get ugly. Leaving your home and heading to a neighbor’s is always a good thing when possible. If you live in an area where there aren’t neighbors for miles, then build a safe room that you can hide in.

Robert Siciliano personal security expert discussing self defense on CBS Boston

Robert Siciliano is a personal security and identity theft expert for Home Security Source. (Disclosures)

Don’t Let Strangers Enter Your Home

Robert Siciliano Identity Theft Expert

Sounds simple enough, right? But when a decent-looking, affluent couple can breach the White House and gain entry to a formal party protected by the Secret Service, then almost anything is possible.

Posing as a health inspector, police officer or even a secret service agent is probably done every single day with success. I once posed as a “water inspector” and gained access to people’s homes by saying I needed to “check the colorization of their water”, as I demonstrated on The Montel Williams Show here. A fake badge and a uniform of any kind can do wonders.

The AP reports that a man accused of posing as a U.S. Secret Service agent and entering the U.S. Department of Health and Human Services had passed himself off as a Massachusetts police officer to enter a U2 concert last year.

People can easily pose as city officials, delivery or service people, or as someone whose car broke down and needs assistance. The moment you open that door you are risking your family’s safety.

My family’s number one rule is that we do not open doors to strangers. That’s it, end of story. My younger ones want to show how big they are by getting the door, but they now know they are not allowed to open it without a parent’s permission.

  1. Keep your screen door and your entry door locked at all times.
  2. Install a surveillance system at each entrance that gives you a facial and full body view of visitors.
  3. If you order products to be delivered to your home specify “no signature required.” This way you can set up a place for the deliveries that allows them to drop the package off.
  4. Anytime a city worker knocks on your door call city hall to verify that they should be there.
  5. It’s not enough to check a badge, license or credentials. IDs can easily be faked.
  6. Have your home alarm system on all day even while you are home.

Robert Siciliano personal security expert discussing being an imposter and home invasions on the Montel Williams Show

Robert Siciliano is a personal security and identity theft expert for Home Security Source. (Disclosures)

Data Breaches: The Insanity Continues

Robert Siciliano Identity Theft Expert

The Identity Theft Resource Center Breach Report also monitors how breaches occur.  This task is made more difficult by the scarcity of information provided (publicly) for approximately 1/3 of the recorded breaches.  For the remainder, those events that do state how the breach occurred, malicious attacks (Hacking + Insider Theft) have taken the lead (36.4%) over human error (Data on the Move + Accidental Exposure = 27.5%) in 2009.  This was a change from all previous years, where human error was higher than malicious attacks.  One theory for this change is that the organization and sophistication of crime rings has impacted the theft of information.  For example, while the Heartland breach was only a single breach, it demonstrated how skilled technology-based thieves can access 130 million records from over 600 different entities.

Insider Theft 16.9%
Hacking 19.5%
Data on the Move 15.7%
Accidental Exposure 11.8%
Subcontractor 7.2%

Insanity might well be defined as repeating the same action again and again, and expecting a different outcome.  With that in mind:

Insanity 1 – Electronic breaches:  After all the articles about hacking, and the ever growing cost of a breach, why isn’t encryption being used to protect personal identifying information?  Proprietary information almost always seems to be well protected.  Why not our customer/consumer personal identifying information (PII)?

Insanity 2 – Paper breaches:  Why aren’t more state legislators passing laws about rendering paper documents unreadable prior to disposal if they contain PII?  Do we dare ask that those laws be actually enforceable?  Perhaps we are waiting for paper breaches to reach 35% of the total.

Insanity 3 – Breaches happen:  Deal with it!  You will get notification letters.  Breach notification does not equal identity theft.  Let’s stop the “blame game” and instead require breached entities to report breach incidents via a single public website.  This would allow analysts (and law enforcement) to look for trends and link crimes to a single ring or hacker faster.

Insanity 4 – A Breach is a Breach:  Let’s not kid ourselves. “Risk of harm” is not a useful standard for determining if the public and consumers should be notified about a breach, especially if the company involved gets to define “risk of harm.”  If it is your #$@%2 SSN that is out on the Internet, do YOU think there is “risk of harm?”  Some companies might say “no.”

Insanity 5 – Data on the Move:  You will notice that statistically this is a bright spot, with a decreasing incidence in the past 3 years.  But, really!  This is 100% avoidable, either through use of encryption, or other safety measures.  Laptops, portable storage devices and briefcases full of files, outside of the workplace, are still “breaches waiting to happen.”  With tiered permissions, truncation, redaction and other recording tools, PII can be left where it belongs – behind encrypted walls at the workplace.”

Protect your identity. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing identity theft on Fox News

2009 Data Breaches: Identity Theft Continues

Robert Siciliano Identity Theft Expert

The Identity Theft Resource Center® Breach Report recorded 498 breaches, less than the 657 in 2008, more than the 446 in 2007. Are data breaches increasing or decreasing? That is the question no one can answer. This fact will not change until there is a single data breach list requiring mandatory public reporting. With some breaches not being reported publicly, and some state Attorneys General not allowing public access to reported breaches, we doubt that anyone is in a position to answer the question above. When we allow laws to be created requiring breach reporting but not disclosure, and provide minimal enforcement or penalty for non-compliance, we can expect a lack of public disclosure. Counting breaches becomes an exercise in insanity.

ITRC collects information about data breaches made public via reliable media and notification lists from various governmental agencies. There are breaches that occurred in 2009 that never made public news. So rather than focus on a question without an answer, ITRC used percentages to analyze the 498 breaches recorded this year looking for any changes or new trends. (Both raw numbers and percentages have been provided in all charts)

The main highlights are:
• Paper breaches account for nearly 26% of known breaches (an increase of 46% over 2008)
• The business sector climbed from 21% to 41% between 2006 and 2009, the worst sector performance by far
• Malicious attacks have surpassed human error for the first time in three years
• Out of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data

In 2009, the business sector increased to 41% of all the publicly reported breaches. While there are some small statistical changes in the other sectors, business continues to increase for the fifth year in a row. The financial and medical industries, perhaps due to stringent regulations, maintain the lowest percentage of breaches.

Business 41.2%

Educational 15.7%

Government/Military 18.1%

Health/Medical 13.7%

Banking/Credit/Financial 11.4%

The ITRC Breach Report recorded more than 222 million potentially compromised records in 2009. Of those, 200 million are attributed to two very large breaches. Before obsessing with record count, however, one should be aware that in more than 52% of the breaches publicly reported, NO statement of the number of records exposed is given. Therefore, it is unknown how many total records may have been exposed due to breaches in 2009.”

Protect your identity. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing identity theft on Fox News