Leaked Social Security Numbers Put “Personal Security and Safety at Risk”

Allen West, a Republican Congressional candidate, is speaking out after a mailing from the Florida Democratic Party releases his Social Security number and his wife’s federal employee number. “It’s an attack against me and I think it shows the weakness of the character of Ron Klein and definitely the Florida Democratic party, to put a person’s personal security and safety at risk,” said West, “And also affects my family as well.”

The Florida Democratic Party responded by stating, “We apologize for the oversight of not redacting this information from the public record included in the mailer,” and by offering West two years of identity theft monitoring, but West says he will not accept their money.

Meanwhile, in Virginia, a judge has ruled it is legal to post Social Security numbers on websites. Every city, state, and town has its own set of regulations determining the collection and management of public records, including birth, death, marriage, court, property, and business filings. Many of these documents include Social Security numbers. And many are posted on the Internet.

The Privacy Act of 1974 is a federal law that establishes a code of fair information practices governing the collection, maintenance, use, and dissemination of personally identifiable information in federal record systems.

Back in 1974, identity theft wasn’t an issue, so having your Social Security number on your driver’s license, school ID, and most other documents wasn’t a big deal. Then someone figured out how to use a Social Security number to pose as someone else, and from there, identity theft became big business.

When a judge rules that it’s okay to post Social Security numbers online, and a politician states that a similar act “puts a person’s personal security and safety at risk,” it’s clear that we have a systemic problem, one which the government is unlikely to solve.

It is important to observe basic security precautions to protect your identity. But you have no control over the security of your personal information when it is stored in government and corporate databases.

Consumers should consider an identity theft protection product that offers daily credit monitoring, proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection includes all these features as well as live help from fraud resolution agents if your identity is ever compromised. For more tips on protecting yourself, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss Social Security numbers as national IDs on Fox News. (Disclosures)

Cybersquatting Scams Aren’t Over Yet

Cybersquatting, simply put, is the act of procuring someone else’s trademarked brand name online. The Anti-cybersquatting Consumer Protection Act, a U.S. federal law enacted in 1999, describes cybersquatting as registering, trafficking in, or using a domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else.

Cybersquatters squat for many reasons. Some squat for fun or because they like the brand or name, while other squatters use the domain to advertise competitors’ wares, or for stalking, harassment, or outright fraud. Most cybersquatters offer to sell the domain at an inflated price to the person or company who owns the trademark contained within the domain name.

In particularly malicious cases of cybersquatting, identity thieves use a domain similar to that of a bank or other trustworthy entity in order to create a spoofed website for phishing. If the desired domain isn’t available, typosquatting is the next best option. After Annualcreditreport.com launched, more than 200 similar domains were quickly snapped up.

Computerworld discussed the havoc that cybersquatting can wreak on a brand’s reputation. Sometimes, criminals copy a brand’s entire website in order to collect usernames and passwords from unwitting visitors. The hackers then test those names and passwords on other websites. Cybersquatting increased by 18% last year, with a documented 440,584 cybersquatting sites in the fourth quarter alone, according to MarkMonitor’s annual Brandjacking Index report.

I’ve written before about the time I was accused of cybersquatting. I wasn’t, I swear! I bought myself some domains in the early 90’s, way before cybersquatting was illegal. I sold some, and regrettably gave up some others. And there was one that will haunt me until the day I die. I owned LedZeppelin.com for five or six years. Led Zeppelin was and is my favorite band, and as a fan, I bought the domain as a keepsake. I would get emails from people all over the world, saying things like, “I am Paulo from Brazil, I love the Led Zep!”

With cybersquatting on the rise, it makes sense to claim your name, your brand name, and your kids’ names as soon as possible. There are numerous new domain extensions coming out all the time. Dot Co recently launched without much fanfare, but it creates a new opportunity for criminals to hijack your brand. I just snagged “siciliano.co.” So go get your domain before the bad guy does!

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. Disclosures

Facebook Beefs Up Your Security

It is obvious to many that Facebook has gotten the message and is becoming more responsible for its users’ security. For a few months now I have enjoyed a security feature they implemented that allows you to stay in control of your logins.

Login notifications: This feature sends you an email or text telling you someone has just logged into your account.

To set up and enable notifications:

1. Go to “Account” in the upper right-hand corner.

2. In the drop-down menu, go to “Account Settings”.

3. In the main menu, go to “Account Security”.

4. Click “Yes” next to “Would you like to receive notifications from new devices”.

5. The same can be done with text messages if you have your mobile plugged into Facebook. But don’t have your mobile number displayed publicly on your page.

6. Log out, then log back in, and it will ask you to identify the computer.

One time passwords: This makes it safer to use public computers in places like hotels, cafes or airports. If you have any concerns about security of the computer you’re using while accessing Facebook, we can text you a one-time password to use instead of your regular password.

Simply text “otp” (that’s O T P for ‘One Time Password’) to 32665 on your mobile phone (U.S. only), and you’ll immediately receive a password that can be used only once and expires in 20 minutes. In order to access this feature, you’ll need a mobile phone number in your account.

Remote logout: the ability to sign out of Facebook remotely is now available to everyone. These session controls can be useful if you log into Facebook from a friend’s phone or computer and then forget to sign out. From your Account Settings, you can check if you’re still logged in on other devices and remotely log out.

Under the Account Security section of your Account Settings page you’ll see all of your active sessions, along with information about each session.

Robert Siciliano personal security expert to ADT Home Security Source discussing social media Facebook scammers on CNN. Disclosures.

Losing Control of a Digital Life

We have heard it all before: once you post it on the Internet, it is no longer in your control.

Anything digital is repeatable. Re-peat’ a-ble: “To say again. To utter in duplication of another’s utterance. To tell to another. To do, experience, or produce again. Capable of being replicated.”

In very simple terms, whatever kind of digital file it is (picture, video, audio file, email, IM, Office doc or text), it can be copied and pasted, reposted, emailed, forwarded, or MMS’d. You name it.

In some cases this can be a good thing. For example if you are a musician and you aspire to make it big you create an MP3 or video and release it in as many places as possible and hope it goes viral all over the Internet.

Repeatable media can be used to make a point. In Korea a woman allowed her dog to go No 2 on a train and refused to clean it up. Someone on that train took a photo of her and the “2”. That photo shamed her into compliance worldwide.

In other situations this can be embarrassing for some. In 2003 a 15-year-old from Canada was filmed by classmates in an embarrassing video of him getting all “Luke Skywalker” with a golf-ball retriever like it was a light saber. The clip “Star Wars Kid,” was viewed 900 million times online by 2006. This was not the kind of attention he could handle and it had a very negative impact on his life.

Most people’s concern should revolve around repeatable media that damages one’s online reputation. Photos of drinking alcohol to the point of intoxication that shine a light of irresponsibility have caused harm to many people.

And then there is the bizarre. Fox News reports a Massachusetts mother was horrified when she found her 7-month-old child’s photo on the popular promotions site Craigslist, advertising his own adoption. She said the photo was from her family’s blog.

What does this mean to you? Realize right now, “big brother” is the least of your concerns. I’d be more concerned about your little brother and his iPhone. Just know going forward that we are all living in the phish bowl. And mind your Ps and Qs.

Robert Siciliano personal security expert to ADT Home Security Source discussing sharing too much information online on Fox News. Disclosures.

Criminal Hackers: The Soldiers of the Web Mob

Today’s criminal hackers are very different than those who hacked for fun and fame a decade ago. Every week, I see stories about more criminals in faraway lands, making millions from various scams, emptying the bank accounts of small businesses or draining the financial reserves of entire towns.

High-tech crimes can be committed by lone individuals, by small groups, or by organized web mobs. These web mobs structurally resemble the longtime operation of the Russian and Italian mafias, the Irish mob, the Bandidos, and the Hells Angels.

The Anti-Phishing Working Group has noted the success of Avalanche, a particularly large and successful web mob with an emphasis on phishing: “Phishing has always been attractive to criminals because it has low start-up costs and few barriers to entry. But by mid-2009, phishing was dominated by one player as never before—the ‘Avalanche’ phishing operation. This criminal entity is one of the most sophisticated and damaging on the Internet, and perfected a mass-production system for deploying phishing sites and crimeware – malware designed specifically to automate identity theft and facilitate unauthorized transactions from consumer bank accounts.”

Avalanche was responsible for two-thirds of all phishing attacks launched in the second half of 2009, and for the overall increase in phishing attacks across the Internet.

Cybercrime of this magnitude requires a carefully ordered hierarchy. The players include:

  • Programmers, who write the viruses that will infect victims’ PCs
  • Carders, who sell stolen credit card data
  • IT guys, or black hat computer professionals, who maintain the hardware necessary to keep the operation running
  • Hackers, who look for vulnerabilities in networks and plant malicious code
  • Social engineers, who come up with the scam and write phishing emails to send to potential victims
  • Money mules, who are often foreign, traveling to the US specifically to open bank accounts, and who may also launder money
  • Bosses, who run the show, bring together talent, manage, and delegate

All of this is very real and it is happening right now. Even though data security hasn’t been in the media spotlight this year, we should all be aware of these risks.

To protect yourself from the bad guy, make sure your PC is fully updated with critical security patches, antivirus software, anti-spyware software, a secure wireless connection, and a two-way firewall. Check your online account statements frequently, and consider investing in identity theft protection that monitors your credit reports and monitors your information in the internet’s back alley chat rooms.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers hacking wireless networks on Fox Boston. Disclosures

What’s Next: “On Demand Burglary”

Generally, when a burglar or thief sets out to break into a home, their motivation is to steal any item they can sell at pawnshops or to those on the “black market”. The phrase “black market” has always intrigued me. It means doing business “in the dark” or out of the view of law enforcement. Any underground economy where business is done illegally or with illegal goods or services is considered the black market.

There has always been a black market demand and there always will be. Certain things like illegal drugs are a staple of this economy. “On Demand Burglary” refers to items that someone may have had their eye on and the thief meets that demand. On the low end one might envision a bicycle a neighbor just bought for his kid and on the high end an expensive rare painting a collector wants.

The BBC reports a man in the UK was injured when he walked into his home and surprised three men armed with a sledgehammer and a crowbar robbing his house. They stole money, jewelry and the family’s valuable pet Chihuahua. The family has offered a reward for the return of the dog which is called ‘Bruce’.

The homeowners’ son was quoted saying “They took mum and dad’s wedding ring and a wee bit of money, but the thing that has really vexed them is that they have taken the wee house dog called Bruce and it’s that, that has really upset them.”

Local Police were quoted saying “The belief is that these robberies are ‘on demand burglaries’ where robbers are stealing to meet orders”.

Consider for a moment: if you spent the time to research an item and then went out of your way to buy it, it is certainly within the scope of a bad guy to target it and take it.

Protect yourself and prevent a home invasion:

Nothing you own is worth fighting for. If someone ever wants your stuff let them have it.

If you ever walk in on a burglar turn around and run out of the house. The quicker you leave the safer you will be.

Consider what you own that might catch the eye of a criminal and who that criminal may be and what you need to do to protect it.

Invest in a home security system. The concern is protecting life and limb first and protecting your stuff second.

Robert Siciliano personal security expert to ADT Home Security Source discussing Home Security on NBC Boston. Disclosures.

IRS Fully Reliant on Social Security Numbers

On the Policy, Practice & Procedures page of their website, the IRS addresses the public’s concern regarding Social Security numbers on checks:

Complete Social Security Numbers (SSN) on Checks or Money Orders Remitted to IRS

Issue: Tax Professionals and clients have concerns about taxpayers putting their full SSN on checks remitted to IRS in payment of a balance due. Page 74 of the Form 1040 instructions directs taxpayers to put their full SSN on checks.

Response: The SSN Elimination and Reduction program is presently working on mid-to-long-term solutions to address the use of SSNs on checks remitted to IRS in payment of a balance due. To ensure payments are posted to the correct account, we encourage taxpayers to include their SSNs on checks and money orders submitted to the IRS. IRS processes millions of returns and payments each year, including many from taxpayers with the same or similar names. If you are concerned about providing the SSN, you may consider using the Electronic Federal Tax Payment System. EFTPS is a secure alternative to mailing a check.

Essentially, if you want to be sure that you’re properly credited for any money paid to the IRS, and avoid being labeled a tax evader, you don’t have much of a choice about including your Social Security number on checks and money orders.

The IRS sent 201 million notices to taxpayers during the fiscal year 2009, and most of those mailings included Social Security numbers. Social Security numbers may also appear in more than 500 computer systems and 6,000 internal and external forms. According to the Treasury Department Inspector General, “this is because Social Security numbers are used to associate correspondence and documents with taxpayer accounts.”

The IRS is currently in the process of reviewing their current reliance on Social Security numbers as primary account numbers for all citizens. Some have suggested that we may eventually switch to barcodes, but if this transition ever does take place, it isn’t likely to happen anytime soon.

At present, the IRS, along with many other government agencies and corporations, relies on Social Security numbers and will do so for years to come. This continued reliance will inevitably result in additional data breaches and therefore, more stolen identities.

Identity theft can happen to anyone. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection puts victims first, providing live access to fraud resolution agents who work with victims to help restore their identities. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss IRS related identity theft on Fox News. (Disclosures)

7 Tips To Better Credit Card Security

Every time you use a credit card, you increase the chances of that card number being used fraudulently. Cards can be skimmed and hacked in a number of different ways.

#1 Watch your card. Whenever you hand your credit or debit card to a salesperson or waiter, watch to see where your card is taken and what is done with it. It’s normal for the card to be swiped through a point of sale terminal or keyboard card reader. But if you happen to see your card swiped through an additional reader that doesn’t coincide with the transaction, the card number may have been stolen.

#2 Cover your PIN. There may be cameras or “shoulder surfers” recording your PIN at an ATM or point of sale terminal. Cover up the keypad to foil the bad guys’ plan.

#3 Change up your card number. This is inconvenient but effective. The more frequently you change your number, the more secure that number will be. Once or twice a year is good.

#4 Select online shopping websites carefully. When searching for a product or service online, do business only with those you recognize. Established e-retailers are your safest bet.

#5 Beware of phishing. Never purchase products or services by responding to an email. This generally results in your card number being phished.

#6 Use secure sites. Before entering a credit card number, always look for “https” in the address bar. The “s” in “https” means the site has an additional layer of protection that encrypts the card number.

#7 The most important tip of all is to watch your statements. This extra layer of protection requires special attention. If you check your email daily, you ought to be able to check your credit card statements daily, too, right? Once a week is sufficient, and even once every two weeks is okay. Just be sure to dispute any unauthorized withdrawals or transactions within the time limit stipulated by your bank. For most credit cards, it’s 60 days, and for debit cards the limit can be 30 days or less.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit card fraud on NBC Boston. Disclosures



Live ATM Skimming Video Confiscated

ATM skimming, the top ATM-related crime, accounts for about $350,000 in fraud every day in the United States, exceeding a billion dollars a year.

An organization called EAST, or European ATM Security Team, posted seized video footage from a compromised ATM, depicting the installation of a camera and skimmer. The video shows how criminals collect cardholders’ PINs. It also shows how easily cardholders can protect their PINs. This must-see video is simple, but says a lot. (You can watch more ATM skimming demonstrations on Extra TV.)

EAST explains, “while the vast majority of ATM transactions are completely secure, criminals do occasionally target cash machines to try to either steal cards (card trapping) or to copy cards (card skimming). In both cases, the criminals need to obtain the 4-digit cardholder PIN to allow for fraudulent cash withdrawal. The video shows criminals installing a micro camera above an ATM PIN pad and then placing a skimming device over the card reader throat. The scenes that follow show cardholders conducting transactions at the ATM and it’s easy to see that the criminals can’t obtain the PIN of those who cover their hand when entering it.”

To help combat this type of crime, ADT has introduced the ADT Anti-Skim ATM Security Solution, which helps prevent and detect skimming on all major ATM makes and models. ADT’s anti-skim solution is installed inside an ATM near the card reader, making it invisible from the outside.

When using an ATM, beware of skimming devices. The following cardholder security tips are courtesy of the LINK ATM Scheme.

– Protect your PIN by standing close to the ATM and shielding the key pad with your other hand.

– Check to see if anything looks unusual or suspicious about the ATM. If it appears to have anything stuck onto the card slot or key pad, do not use it. Cancel the transaction and walk away. Never try to remove suspicious devices.

– Be cautious if strangers offer to help you at an ATM, even if your card is stuck or you’re having difficulties. Don’t allow anyone to distract you.

– Where possible, use an ATM which is in clear view and well lit.

– Check that other people in the queue are a reasonable distance away from you.

– Keep your PIN secret. Never reveal it to anyone, even someone who claims to be calling from your bank or a police officer.

– Avoid opening your purse, bag or wallet when you’re in the queue. Put your money away immediately.

– Regularly check your account balance and bank statements, and report any discrepancies to your bank immediately.

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss ATM skimming on Fox Boston. (Disclosures)

Caller ID: Tool for Scammers

Most of us tend to trust the person on the other end of the telephone more than we trust an email in our inbox. However, telephone scams continue to plague people and successfully empty the victims’ bank accounts.

Caller ID spoofing occurs when your phone rings and your caller ID displays a name and number that seem legitimate, but are, in fact, spoofed. The caller has masked his or her true name and number. Most people aren’t aware of caller ID spoofing, and therefore have no reason to question the phone call’s legitimacy.

Caller ID spoofing is often sold as a tool for law enforcement. It can provide a useful disguise if, for instance, a suspect has been withholding child support. But a civilian who suspects a spouse of infidelity might use caller ID spoofing to conduct his or her own investigation. On-call doctors who wish to keep their phone numbers private may need to provide spoofed numbers for clients.

The fraudulent uses for caller ID spoofing vastly outweigh the legitimate ones. Anyone can obtain this technology and pose as law enforcement, a lottery, a charity, a government agency, a credit card company, or anything else that might be lucrative. Abuses of caller ID spoofing have raised hackles with government officials.

Don’t automatically trust the information displayed by your caller ID.

No matter what your caller ID says, never give out personal information over the phone.

If a caller tells you you’ve won something or stand to lose something, tell them you’ll be happy to discuss it further, but that you’ll have to call them back. Then go online, search for a valid number, and call to confirm the details.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses another data breach on Fox News. Disclosures