How Much for a Fake I.D.?

If you want a Puerto Rican identity, it’s about $6000 for a “tripleta,” which can be used to hide illegal immigrants. Other forms of identification vary in price. A United States passport can range from $950 to $1650 to as much as $5500.

In the U.S., we have as many as 200 different forms of identification circulating, including passports from state to state, plus another 14,000 birth certificates and 49 versions of the Social Security card. These are paper and plastic documents that can be recreated with a PC, scanner, printer, and laminator.

McAfee Avert Labs researcher Francois Paget found and posted an ad showing U.S. identities for $650 each. It’s not incredibly difficult to buy fake IDs online, but will they pass muster with technologies that look for tampering? Unfortunately, many will.

An order form asks all the right questions:

“By placing your order, you must have read and agreed to our Terms of Service.

The order procedure is the following:

1. You send us all the necessary information (depending on the document you want to order). We receive and process your order and give you payment information.
2. You pay 50% upfront money for document(s) producing.
3. We start to produce your document(s). Time constraints are 2-7 days (depending on your order).
4. We send you scan/photos of your ready-made document(s). You check all the details and give us confirmation.
5. You send us the second half of amount and your delivery address. You will receive your document(s) in several days via UPS, FedEx, TNT Express, DHL or EMS (free of charge for you).”

Here in the U.S., we use numerical identifiers that have no physical connection to ourselves. Some documents contain pictures that may not look like us, especially if eyeglasses, beards, hair coloring, hair growth, hair removal, or weight fluctuations are involved. Some identification documents don’t include a photo at all. This is not effective authentication. Worldwide, the system isn’t much more secure.

All this makes it easier to steal your identity. Once the bad guy has a few bits of information, he can easily become you.

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss Social Security numbers as national identification on Fox News. (Disclosures)

Strong Passwords Aren’t Enough

I’ve said it before, use upper and lower case, use number and letter combinations and when possible, if the website allows it, use special characters. It has been documented that “Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.”
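The quoted figures can be reproduced with exhaustive-search arithmetic; the following is an added example, not part of the original post. It assumes 1,000,000 guesses per second and reads “2.1 centuries” as a search over all 95 printable ASCII characters; both assumptions, the function names and the sample passwords are introduced here.

```python
import string

# Assumptions (the post states neither): an attacker testing 1,000,000 guesses
# per second, and a worst-case search of every candidate of the given length.
ASSUMED_GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Character classes an exhaustive search has to include.
CHARACTER_CLASSES = (
    string.ascii_lowercase,        # 26
    string.ascii_uppercase,        # 26
    string.digits,                 # 10
    string.punctuation + " ",      # 33 printable ASCII symbols, incl. space
)
LOWERCASE_ONLY = len(string.ascii_lowercase)                    # 26
PRINTABLE_ASCII = sum(len(c) for c in CHARACTER_CLASSES)        # 95


def search_seconds(alphabet_size, length,
                   guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every string of `length` over the alphabet."""
    return alphabet_size ** length / guesses_per_second


def alphabet_for(password):
    """Size of the smallest union of character classes covering the password."""
    size = 0
    covered = set()
    for chars in CHARACTER_CLASSES:
        if any(ch in chars for ch in password):
            size += len(chars)
            covered.update(chars)
    outside = set(password) - covered
    if outside:
        raise ValueError(f"characters outside printable ASCII: {sorted(outside)}")
    return size


def in_days(seconds):
    return seconds / SECONDS_PER_DAY


def in_centuries(seconds):
    return seconds / SECONDS_PER_YEAR / 100


if __name__ == "__main__":
    # Constructed sample passwords, 8 characters each.
    for sample in ("password", "Passwor*", "Pa55wor*"):
        size = alphabet_for(sample)
        years = search_seconds(size, len(sample)) / SECONDS_PER_YEAR
        print(f"{sample!r}: alphabet {size}, about {years:,.2f} years")

    print(f"26^8 at 1e6/s: {in_days(search_seconds(LOWERCASE_ONLY, 8)):.1f} days")
    print(f"95^8 at 1e6/s: "
          f"{in_centuries(search_seconds(PRINTABLE_ASCII, 8)):.1f} centuries")
    # The same 95-character search at an assumed one billion guesses per second.
    print(f"95^8 at 1e9/s: "
          f"{in_days(search_seconds(PRINTABLE_ASCII, 8, 10**9)):.0f} days")
```

Under these assumptions the lowercase-only search takes about 2.4 days and the 95-character search about 2.1 centuries; at an assumed billion guesses per second the same 95-character search takes about 77 days, so the figure depends entirely on the guess rate.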

It is great advice to strengthen your passwords. It is just as important to make sure your PC is free of malicious programs such as spyware and key-loggers. Beware of RATs, a.k.a. “Remote Access Trojans.” RATs can capture every keystroke typed, take a snapshot of your screen, and even take rolling video of your screen via a webcam. But what’s most damaging is that RATs gain full access to your files, and if you use a password manager, they have access to that as well.

RATs covertly monitor a PC, generally without the user’s knowledge. RATs are a criminal hacker’s dream and are the key ingredient in spyware. Common RATs are the LANRev Trojan and “Backdoor Orifice”.

RATs can be installed with full onsite access to the machine, or remotely when the user opens an infected attachment, clicks links in a popup, or installs a permissioned toolbar or any other software you think is clean. More ways include picking up a thumb drive you find on the street or in a parking lot and plugging it in, and even buying off-the-shelf peripherals, like a digital picture frame or extra hard drive, that are infected from the factory. The bad guys can also trick a person when playing a game as seen here in this YouTube video.

An unprotected PC is the path of least resistance.  Use anti-virus and anti-spyware. Run it automatically and often.

A PC not fully controlled by you is vulnerable. Use administrative access to lock down a PC, preventing installation of anything.

Many people leave their PC on all day long. Consider shutting it down when not in use.

Robert Siciliano, personal security expert to Home Security Source, discussing digital picture frames with built-in viruses on Fox News. Disclosures.

10 Very Stupid Criminals

Dumb criminals are performing stupid crimes all the time. Here is a list of 10 stupid criminal stories.

#1 Firefighters said it can’t get more ironic than this — an arsonist breaks into a convenience store, steals scratch-off lottery tickets, tries to cover his tracks by setting a fire, and in the process, sets himself on fire.

#2 Robber walked into a store with duct tape wrapped around his head to conceal his face. The store manager had some duct tape of his own. He had a wooden club wrapped with duct tape that eventually sent the suspect fleeing the store. A store employee chased Duct Boy to the parking lot, tackled him and held him in a choke position until police arrived.

#3 Burglar broke into a home, rifled gems from a jewelry box and helped himself to a check book, but the vodka and valium he had already downed that morning were taking their toll. And when the stunned homeowner came upstairs, she found him fast asleep under her bed.

#4 A woman stepped out of her car to talk to an officer about a crime she witnessed. While her back was turned, a man in a black cap carrying a big stick walked past her and jumped into her car. The officer banged on the hood to try to get the man to stop, but he got away. He was caught the next day.

#5 A policeman and his drug sniffing dog were invited to a Boy Scouts meeting for a demonstration. One of the boy’s mothers was arrested for having marijuana in her purse.

#6 Robber holds up a liquor store and demands all the money. Clerk gives him the money then the robber demands a bottle of scotch. The clerk refuses unless the robber shows him ID to verify his age. Robber showed his ID.

#7 Woman’s car is stolen with her mobile phone in it and she reports it to the police. Police call the thief on the phone saying they were responding to a newspaper ad to buy the car. Thief shows up to sell the car.

#8 Two robbers enter a store and one screams “Nobody move or I’ll shoot!” His partner moved, he got shot.

#9 Guy breaks out of jail and goes to his girlfriend’s house. He accompanied her to court the next day on a charge she faced.  While at court he went outside to smoke a cigarette, she couldn’t find him and had him paged. Two cops recognized the name and arrested him.

#10 Bank robber stuffed a bag of money down his pants. The teller put an exploding dye pack in the bag. The dye pack exploded. Ouch! He didn’t make it out the door.

Robert Siciliano, personal security expert to Home Security Source, discussing burglar proofing your home on Fox Boston. Disclosures.

World War II Veteran Fights Off Suspect in Home Invasion

An elderly World War II veteran fought off a man who had broken into his home and attacked the Marine veteran.

The Boston Herald reports the vet was sitting in his living room watching TV while his wife was upstairs. The home invader came in and attacked the vet, then “as he was being attacked, the man shouted, drawing the attention of his wife who then called police while the suspect fled when the retired Marine fought back.”

Immediately the state and local police went into the neighborhood and found the perpetrator “soaking wet and had fresh blood on his white t-shirt and cuts on his hands and was found to have property stolen from the home”.

Everyone loves a happy ending.

Resistance in an attack has been proven in most cases to send the attacker fleeing. Resistance can be a tricky proposition whether or not a weapon is involved. As long as you survive, you’ve done the right thing.

Every family must have a plan for home security and a home security alarm.

Consider a trained German shepherd as a protection dog as well.

Another consideration is a home safe-room also known as a “panic room” where families can hide out in a relatively bullet proof, well stocked room equipped with wireless communications and wait for law enforcement to show up.

Never talk to strangers via an open or screen door. Always talk to them through a locked door.

NEVER let children open the doors. Always require an adult to do it.

Not all home invaders knock; some break in without warning. That’s just another reason to have that home alarm on while you are home.

Install a 24-hour camera surveillance system. Security cameras are a great deterrent.  Have them pointed to every door and access point.

Robert Siciliano, personal security expert to Home Security Source, discussing home invasions on the Gordon Elliot Show. Disclosures.

College Students At Risk For Identity Theft

September is National Campus Safety Awareness Month. I helped Uni-Ball conduct a survey of 1,000 college students and 1,000 parents. The survey revealed that while about 74% of parents believe students are at a moderate to high risk for identity theft, and 30% of all identity theft victims are between 18 and 29, only 21% of students are concerned about identity theft.

It’s no surprise that most college students are indifferent when it comes to their personal and information security. When you are in your late teens or early twenties, you feel a sense of invincibility. However, once you have a few years under your belt, you begin to mature and gradually realize the world isn’t all about keg parties and raves.

Here are a few more interesting statistics:

  • 89% of parents have discussed safety measures with their kids, yet kids continue to engage in risky behavior
  • 40% of students leave their apartment or dorm doors unlocked
  • 40% of students have provided their Social Security numbers online
  • 50% of students shred sensitive data
  • 9% of students share online passwords with friends
  • 1 in 10 have allowed strangers into their apartments

College students have always been easy marks because their credit is ripe for the taking. Students’ Social Security numbers have traditionally been openly displayed on student badges, testing information, and in filing cabinets and databases all over campus. Landlords and others involved in campus housing also have access to students’ identifying information.

Any parent sending a child off to college should be concerned.

Limit the amount of information you give out. While you may have to give out certain private data in certain circumstances, you should refuse whenever possible.

Shred everything! Old bank statements, credit card statements, credit card offers, and any other documents containing account numbers need to be shredded when no longer needed.

Lock down your PC. Make sure your Internet security software is up to date. Install spyware removal software. Secure your wireless connection. Use strong passwords that include upper and lowercase letters as well as numbers. And never share passwords.

Be alert for online scams. Never respond to emails or text messages that appear to come from your bank. Always log into your bank account manually via your favorites menu.

When sending students back to school, consider protecting your family with a subscription to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on any of your accounts. For additional tips, please visit

Geolocation Technology; Please Stalk and Rob Me

Technology is meant to make life easier, safer and in some cases fun-er. Geolocation is supposed to save you a few bucks on discounts when you “check in” at participating retail stores and gather “points”. It is also supposed to tell your friends and followers via geo-tagging that you just snapped a photo somewhere. However, there is nothing “safe” about this technology.

Geolocation can be used on a PC but is primarily used with a mobile phone. The geolocation software gets its data from your PC’s IP address or your phone’s GPS longitude and latitude. It’s actually a nifty “tool” and a smart use of available technologies.

Some companies have even adopted the technology, calling it “GPS Dating,” for singles on the dating scene, to help a person find someone local to them whenever and wherever. These same sites have photos and descriptions of the person, which makes it that much easier to “find” the person. I did a spot on Good Morning America here discussing the security implications of GPS Dating.

With geolocation, the value in this technology for the bad guy is to determine where you are and where you are not. They can get a full profile of your itinerary all day every day. Someone who is paying unwanted attention to you gets every address you are at when you “check in”.

The most extreme problems with these technologies, as they pertain to GPS, arise for women in domestic violence situations. When the woman heads to a shelter, the first thing the shelter does is take the battery out of the phone and/or turn it off so the abuser doesn’t show up at the shelter.

Thieves use geolocation to determine if you are home or not, then use that data to plan a home burglary. I had a chance to appear on the CBS Early Show to discuss a geolocation site that revealed one’s location away from home and its impact on personal security.

Stalkers who use the phone’s GPS are usually someone close to the victim, like a family member or ex-boyfriend/girlfriend, who has the capability of turning on tracking. If you suspect your phone’s GPS has been activated by the carrier, then call to find out. If you don’t like the feature turned on, request it be turned off or shut it off in your phone.

The bottom line is geolocation could pose a privacy threat. Information collected through geolocation is particularly sensitive, since it can allow an adult or child to be physically contacted wherever he or she is, at any time.

Robert Siciliano, personal security expert to Home Security Source, discussing GPS Dating Security on Good Morning America. Disclosures.

iTunes a Platform for Phish Scammers

iTunes users all over the world are being hooked in a possible phishing scam that siphons cash out of their PayPal accounts. Phishing scams, of course, consist of emails that appear to be coming from a legitimate, trusted business. These emails are often designed to trick the victim into revealing login credentials. Once the phishers have access to the account, they begin withdrawing funds.

In this case, scammers used victims’ iTunes accounts to purchase gift cards, which were paid for by the victims’ linked PayPal accounts. Some victims of this particular scam have had just a few dollars stolen, while others have had their accounts emptied.

Gift cards are a form of currency created by the issuer. Their value is in the products or services available when cashed in. A scammer can purchase a $100 gift card and sell it online for $50. Pure profit.

There are many variations of iTunes gift card scams:

1. Scammers can easily set up websites posing as a legitimate retailer offering gift cards at a discount, having fraudulently obtained those gift cards. They may accept people’s credit cards and make fraudulent charges. In these cases, the victim can refute the charge, but will need to either cancel the credit card or persistently check their statements once their card has been compromised. Like Mom said, if it sounds too good to be true, it probably is.

2. The system for generating codes that are embedded on a plastic card or offered as a download is nothing more than software created by the card issuer or a third party. At least one major retailer has had their gift code generation compromised, and who knows how many more have been or will be compromised in this way. Criminal hackers can then offer the codes at a significant discount.

3. iTunes gift card scams are so effective, in part due to the limited availability of iTunes downloads in certain countries. There are numerous copyright issues, with some music companies making deals with musicians and iTunes, while others refuse to do so. Scammers have capitalized on this, using it as a marketing tactic.

The best way to avoid phishing scams is to never click on links in the body of an email. Always go to your favorites menu or manually type the familiar address into your address bar. And never provide your login credentials to anyone, for any reason.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses iTunes gift card scams on NBC Boston. (Disclosures)

Debit Cards Fraud Means Difficult Recovery

There are 437,000,000 debit cards in circulation, and their use is on the rise. Criminal hackers are paying attention. Credit cards offer some measure of protection when it comes to “zero liability policies,” as long as the cardholder refutes the charges within 60 days. But when a debit card is compromised, the stolen money can be hard to get back.

I get unfortunate emails like this all the time:

“I was a victim of debit card fraud. I live in Las Vegas, NV and have a debit card and I know that not all rules apply for debit cards. We had a problem out here with “skimming.” Over $300.00 dollars was taken from my account and I still had the card  in my possession. It was done at 2 bank ATM machines, about 2 minutes apart on different sides of town. I contacted my bank and got no results. My bank said that I had to have given my card and pin number to someone. I fought and fought and lost. I know that there is or was a time limit of this but is there anything else I could have done?”

Federal laws limit credit card holder liability to $50 in the case of fraud, as long as the cardholder disputes the charge within 60 days. Debit card fraud victims must notify the bank within two days after discovering the fraudulent transactions in order to maintain this $50 limit. After that, the maximum liability jumps to $500. And if a victim doesn’t discover or report the fraud until after 60 days have passed, the liability could be the entire card balance, for a debit or credit card. Once your debit card is compromised, you might not find out until a check bounces or the card is declined. And once you do recover the funds, the thief can just start all over again, unless you cancel the account altogether.

Here is Regulation E in black and white:


“Limitations on amount of liability. A consumer’s liability for an unauthorized electronic fund transfer or a series of related unauthorized transfers shall be determined as follows:

(1) Timely notice given. If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution.

(2) Timely notice not given. If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $500 or the sum of:

(i) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less.”

Debit card fraud can happen a number of ways. ATM skimming, gas pump skimming, or point of sale skimming are a few. The key, of course, is the bad guy gets your PIN. In the end, the bank doesn’t want to believe that you were defrauded. It’s cheaper for them to conclude that you are lying.

Always cover up your PIN when entering in any POS, pump, or ATM.

As inconvenient as this may seem, if you are a regular user of a debit card, you should check your statements online daily.

Consider limiting your debit card use. I use mine for deposits and withdrawals. But I only use it around two or three times a month.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

Killer Computer Viruses

When most people think about a virus, they think of a fever, chills, and maybe a potential pandemic. But when they think about a computer virus, they think of a headache, or worse, identity theft.

Unusually, one report claims that a computer virus played a role in the deadliest air disaster in Spanish history. Others refute this claim, arguing that a virus was not the cause.

USA Today reports, “Spanish newspaper El Pais cites a 12,000-page investigative report that outlines how a computer infection, spread via an infected USB thumb drive, may have been a contributing factor. The report says a malicious program precipitated failures in a fail-safe monitoring system at the airline’s headquarters in Palma de Mallorca.”

Whether or not a virus contributed to the delay or cancellation of the flight’s departure, which led to the crash, this type of scenario is possible. Now and in the future, incidents like this may involve malicious technology.

Technology plays a role in many aspects of our lives, and when that technology is corrupted, the results can be disastrous. Consider the extent to which hospitals, banks, water treatment facilities, electrical grids, airports, gas stations, and even roads rely on technology.

Steve Stasiukonis, a penetration tester, describes how USB thumb drives can turn external threats into internal ones in two easy steps. After being hired to penetrate a network, he says, “We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.”

In this scenario, the USBs were dropped in a bank parking lot, then picked up by the employees and used to compromise the network. Fortunately for the bank, this was only a test of the network’s security.

Bad guys will use every possible mechanism to accomplish their goals. Do your best to increase your security intelligence. Regardless of your job description, security is everyone’s responsibility.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss another data breach on Good Morning America. (Disclosures)

More ATM Skimmers Being Used By Gangs

A report issued by the FTC finds that customers in the process of withdrawing cash from ATMs are more likely to be victims of ATM fraud than a direct, physical crime, and skimmer devices have recently been found on gas pumps and ATMs throughout Northern California.

ATM skimming occurs when a device is placed on the face of an ATM, often over the slot where the card is inserted. The skimmer, which may use Bluetooth or cellular technology to transmit the data to criminals wirelessly, appears to be a part of the machine. It’s almost impossible for ATM users to know the difference unless they have an eye for security, or the skimmer is of poor quality. Often, the thieves will hide a small pinhole camera in a brochure holder, light bar, mirror, or speaker on the face of the ATM, which is used to capture the victim’s PIN. Gas pumps are equally vulnerable to this type of scam.

Always shield the ATM keypad with your hand while entering your PIN. Be vigilant while using an ATM. Look around and beware of anyone lurking – they could be waiting to pounce, or shoulder surfing, trying to see your PIN. And if you ever sense that something is off about an ATM or gas pump, just leave.

Choose a PIN that’s not easily guessed but can be entered quickly. Using consecutive numbers or repeating the same numbers is never a good idea. Many new ATMs won’t allow you to choose a “soft” PIN anyway.

Don’t ever let anyone assist you at an ATM. It’s hard to envision what kind of scenario might require another person to intervene at an ATM. But consider this possibility: your card gets stuck and a stranger graciously peeks his head over your shoulder to help. He frees your card and helps you finish the transaction. In the process, he got your PIN and swapped your card with another.

Beware of ATM skimming and learn to recognize a skimmer. Here is an example of a particularly well-made skimming device, which would be easy to miss. Not all are as well crafted, but some are very good.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses dummy ATM scams on NBC Boston. (Disclosures)