Woman Becomes Victim of Craigslist Scam

I have a love/hate relationship with Craigslist. I love the occasional deal I get (like the 25 hp outboard motor I just got) and I love how people use it to find stuff I’m selling or renting out (like an apartment). But I hate the way some people completely overprice what they are selling, thinking that old boat motor is worth what a new one costs. Or worse, when scammers contact Craigslisters every time they post an ad, trying to get them to ship something overseas and scam them out of their money.

Craigslist should be used with caution. People have been robbed, burglarized, scammed and in some cases their homes were invaded and some people have been killed.

I once listed a property for rent that was relisted for a third of my asking price by scammers. People would pull into my driveway and knock on my door while the listing was active, and even after the listing I posted had expired.

In Connecticut, a mother, father and son traveled a hundred miles to see a home for rent. The only trouble was, the homeowner wasn’t renting it out and she was still living in it. She was in fact trying to sell it. And when the real estate agent listed it for sale, she also syndicated the ad to multiple sites including Craigslist.

Just like my situation, she had to explain to the people who showed up they were scammed.

Here’s how the scam often works. The scammer copies and pastes the ad and poses as the homeowner who is conveniently away traveling on business in the UK. The scammer lists the ad for much less than is being asked to generate traffic. When people respond to the ad, the scammer tells them they can rent it out and all they have to do is forward him the first month’s rent via a money wire overseas. Some people will want to drive by to get a look without actually going in and that’s enough for them to send the money.

The way I thwarted this crime under my watch was to continually scan Craigslist for keywords related to my ad to see if it was being posted by a scammer. When I discovered a fraudulent post, I emailed abuse@craigslist.com with the link. Craigslist was very responsive and took the posts down. I had to do this almost 20 times (the hate part) during the period I was renting out an apartment.
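The keyword scan described above can be partly automated. The sketch below is an added example, not code from the original post: it compares the text of your own ad against other listings and flags near-copies, marking those priced far below yours. The listings, URLs, thresholds and function names are constructed assumptions, and how the listings are collected is left out.

```python
import re

def shingles(text, k=3):
    """Set of k-word sequences, ignoring case and punctuation."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(max(len(words) - k + 1, 0))}

def jaccard(a, b):
    """Overlap between two shingle sets, from 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if a and b else 0.0

def find_clones(my_ad, listings, min_similarity=0.5, undercut_ratio=0.75):
    """Return listings whose text closely matches my_ad, undercutting ones first."""
    mine = shingles(my_ad["body"])
    hits = []
    for item in listings:
        if item["url"] == my_ad["url"]:
            continue  # skip the genuine listing itself
        sim = jaccard(mine, shingles(item["body"]))
        if sim < min_similarity:
            continue
        hits.append({
            "url": item["url"],
            "similarity": round(sim, 2),
            # A copied ad at a fraction of the real price is the scam pattern.
            "undercut": item["price"] <= my_ad["price"] * undercut_ratio,
        })
    hits.sort(key=lambda h: (not h["undercut"], -h["similarity"]))
    return hits

# Constructed sample data (not real listings).
MY_BODY = ("Sunny two bedroom apartment on the second floor of a quiet "
           "owner occupied home. Hardwood floors, off street parking, laundry "
           "in basement. No smoking. First and last month required.")
MY_AD = {"url": "https://example.invalid/apt/1001", "price": 1500, "body": MY_BODY}
SAMPLE_LISTINGS = [
    MY_AD,
    # Copy of the ad at a third of the price, with a line appended.
    {"url": "https://example.invalid/apt/2002", "price": 500,
     "body": MY_BODY + " Owner currently traveling, email for details."},
    # Unrelated listing that happens to share a few phrases.
    {"url": "https://example.invalid/apt/3003", "price": 900,
     "body": "Studio near downtown with parking, laundry in basement, "
             "no smoking, cats ok."},
    # Same text at the same price, e.g. an agent's syndicated copy.
    {"url": "https://example.invalid/apt/4004", "price": 1500, "body": MY_BODY},
]

if __name__ == "__main__":
    for hit in find_clones(MY_AD, SAMPLE_LISTINGS):
        flag = "REPORT" if hit["undercut"] else "review"
        print(f'{flag}: {hit["url"]} similarity={hit["similarity"]}')
```

A match at the same price still deserves a look, since it may be a legitimate syndicated copy rather than a scam repost.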

With Craigslist, be very careful who you contact and who contacts you. You never know who the person is or what their motivation may be.

Robert Siciliano personal security expert to Home Security Source discussing burglar proofing your home on Fox Boston. Disclosures.

Almost 13 Million Records Breached in 2010…So Far

According to the Identity Theft Resource Center, there have been 371 data breaches that have exposed 12,871,065 records so far this year in the United States.

NetworkWorld reports that businesses suffered the most breaches, making up 35% of the total. Medical and healthcare services accounted for 29.1% of breaches. The government and military made up 16.2% of breaches. Banking, credit, and financial services experienced 10.5% of breaches, and 9.2% of breaches occurred in educational institutes.

Even if you are protecting your PC and keeping your critical security patches and antivirus definitions updated, there is always a chance that your bank or credit card company may get hacked. I’ve received three letters accompanied by three replacement cards from my credit card companies over the last few years.

Beyond that, if someone else’s database is hacked and your Social Security number is compromised, you may never know about it unless they send you a letter or if you discover that someone has opened new accounts in your name.

In many cases, if (and that’s a big “if”) a company finds out their records have been compromised, they might provide credit monitoring of some kind. Credit monitoring is definitely something you should take advantage of. However, I wouldn’t wait for your information to be hacked and a letter to come in the mail before you take responsibility for protecting yourself.

I did a radio show today and a man called in telling a story of how he got a letter from his bank, but they didn’t activate credit monitoring for almost six months after he received the letter. With millions of records being compromised every year, consider your data breached!

Don’t waste time by only handling identity theft reactively. Do something about it now.

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing celebrity identity theft on CNBC. (Disclosures)

A Viable Solution to Wave of Skimming and Point of Sale Attacks

Officials are reporting a wave of credit and debit card attacks involving point of sale swapping, skimming of card data, and hacking into payment processors. Reports say the U.S. Secret Service, among others, is in the process of investigating a multistate crime spree.

The Oklahoma Bankers Association commented, “It is beyond apparent our bankers are taking great losses on these cards and we also need to explore creative ideas to mitigate these losses. It is in the best interest of retailers, bankers, processors and card providers to find ways to limit these losses so that debit and credit cards can remain a viable method of payment.”

Organized criminals have long been ramping up and coordinating multiple attacks. They continually find inventive ways to circumvent existing systems.

EFTPOS (electronic funds transfers at the point of sale) skimming occurs when the point of sale terminal is swapped out and replaced with a skimming device. People commonly swipe both credit and debit cards through the in-store machines to pay for goods and services at these outlets. In Australia, fast food chains, convenience stores, and specialty clothing stores are bearing the brunt of the crime. McDonald’s is among the outlets whose EFTPOS machines have been targeted.

Last year, legitimate EFTPOS devices at McDonald’s outlets across Perth, Australia were replaced with compromised card-skimming versions, cheating 3500 customers out of $4.5 million. They actually replaced the entire device you see at the counter when you order your Big Mac!

Officials say the problem is so bad they urged people to change credit and debit card PIN numbers weekly to avoid the possibility of having their account balances wiped out, as it was likely more cases would be identified.

Revisiting the Oklahoma Bankers Association’s statement, specifically, “It is in the best interest of retailers, bankers, processors and card providers to find ways to limit these losses so that debit and credit cards can remain a viable method of payment,” it sounds a little desperate to me. Credit and debit cards as we know them, with their magnetic strips, are easily compromised and frequently targeted by criminals. Now that Mexico and Canada are going chip and PIN, getting “creative” to save the mag stripe is going to take a lot more than a class in creativity. Sounds like a serious upgrade is in order.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. Disclosures

Make Personal Safety a Priority

We often hear people (including myself) drone on about how the system is broken and how good guys end up in jail and bad guys are released on good behavior. The criminal justice system is far from fair. Too often bad people are let out only to re-offend and sometimes do worse the second or third time around. Securing your home is a crucial way of protecting your home and family.

The Seattle PI reports “a man who police say beat an elderly woman and burglarized her home has schizoid-affective disorder, was released from jail three days before the attack and had to be placed in seclusion multiple times at Western State hospital.

The 81-year-old victim told police she thought he would have killed her if other elderly neighbors who police say he also assaulted didn’t come to her aid.”

That is likely someone’s mom and grandmother. Imagine this happening to a loved one.

“The man, who is on Department of Corrections supervision, has a lengthy criminal history including a conviction for custodial assault, second-degree robbery, theft, assault, negligent driving, domestic violence harassment and domestic violence assault.”

This is obviously a bad, bad man. He’s been diagnosed with mental illness and he has extreme tendencies towards violence. The frustrating part of this story is that it is evident in his current state of mind and in his history that he will do this again and again until he commits a heinous enough crime that gets him a life or death sentence.

The courts can only work within the confines of the law. Citizens can only hope the law is sufficient enough to guarantee their safety. What this ultimately means is a citizen’s right to safety is only guaranteed by what he or she does to protect themselves. The ultimate responsibility to protect yourself is on you. The justice system doesn’t necessarily provide justice. It is simply a guide.

By coming to terms with this and realizing the responsibility you have, you develop a higher sense of awareness and begin to put systems in place to prevent such atrocities from happening in your life or to someone you love.

Fundamentals include locking your doors, having a home security plan, investing in home security alarms and home security cameras. The worst thing you can do is nothing. The best thing you can do is be proactive.

Robert Siciliano personal security expert to Home Security Source discussing home invasions on the Gordon Elliot Show. Disclosures

Seven Social Media Landmines to Watch Out For

In the early days of the web, cybersquatting was a concern among corporations who were late to the game in getting their domain names. I had a little battle with LedZeppelin.com that I regret, but that’s another story.

Today that same battle is being played out in social media. Anyone can register any brand or likeness on social media with very little difficulty, and it’s free. Once the scammer owns your name, they can pose as you, blog as you, and comment as you.

The basis of much of this social media identity theft, or “impostering,” revolves around social engineering. When a profile claims to represent a certain person or brand, it is generally taken at face value. Lies propagated from such a credible source are likely to be taken as fact for quite a long time, if not indefinitely.

1. Someone may want to seize your C-level executive’s name on Facebook, LinkedIn, or Twitter, posing as that person in order to gather marketing intelligence. Once they are “linked” or “friended,” they have access to that person’s contacts and inner circle.

2. Another tactic is to pose as a family member of an executive, since on Facebook, parents and children are often “friends.” Pretending to be the child of one executive “friending” another in order to gather information is an effective con.

3. Given the opportunity, companies will often take over social networking pages in the name of a rival company. The competition, unable to use the page for their own benefit, loses market share.

4. In other scenarios, the same social networking page or profile can be used to disparage or slander the competing company.

5. Or worse, it could be used to spread falsehoods or create fake contests or scams that inevitably damage the brand.

6. There have been companies and individuals whose names or variations of their names were hijacked in response to a customer service issue gone wrong. The person then uses that platform to slam the company using the company’s own name.

7. Employees who are unhappy with their jobs can use social media to vent their frustration about their boss or company. This can easily result in a public relations nightmare.

The best thing to do is gather every possible brand name and individual name that could be used against you. Even if you never use the site, you own the name. This can be done manually for free or by paying a small fee. I’ve done both. Manually is very time consuming. One site that can help you do it yourself for free or provide full service for a fee is knowem.com.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. (Disclosures)

9 Tips to Protect Your Home from a Summertime Burglar

Nationwide, “burglars made off with $4.6 billion in electronics, jewelry, cash and other items in 2008, according to the FBI. In more than 30 percent of those burglaries, the thief got inside without forcing open a door or window. Many occurred during the day.”

As you pack your car for your next road trip, realize someone’s probably watching.  Neighbors often peek their heads through their windows when they see activity. I’m one of those neighbors. I like to see what is going on and I often keep tabs on who is doing what and when. If a neighbor is leaving to travel, I know about it.

I’m not nosy, I’m security conscious. Nosy is when the neighbor asks questions and pokes around your business. Security conscious is when you observe, adopt situational awareness and try to identify if the rolled up rug your neighbor is stuffing in their trunk is just a rug or if that rug has his wife in it.

Burglars use these same observation tactics. They look for signs you are traveling. They look for outside lights on 24 hours a day. They look for dark homes inside at nighttime. They look for no car in the driveway, mail and newspapers piled up or uncut grass that’s three weeks overgrown. And they look to see you packing your car before a trip. A bad neighbor or his bad seed of a kid may be peering through their windows when you pack. That kid may end up in your house hours after you leave.

The Washington Post reports, “But police say there are simple steps residents can take to make it less likely their home will be the next target. ‘Reduce the opportunity,’ District Police Chief Cathy L. Lanier said. ‘People don’t just walk down the street and decide “I’m going to hit your home today.” They do some casing.’ The key, police say, is securing your home and eliminating signs that you are away. Doors and windows should be locked even if you’re only heading to the park or a neighborhood barbecue for a few hours.”

Here are a few tips to help protect the safety of your home while you are on vacation:

  • Pack your car in your garage or late at night under the cover of darkness.
  • Use timers on indoor and outdoor lights.
  • Let a trusted neighbor and the police know you are traveling.
  • Unplug garage door openers.
  • Have a neighbor park their car in your driveway.
  • Have a landscaper mow your lawn.
  • Don’t share your travel plans on social media or on a voicemail outgoing message.
  • Lock everything of significant value in a safe.
  • Invest in a home security camera system and home security alarm system.

Robert Siciliano personal security expert to Home Security Source discussing burglar proofing your home on Fox Boston. Disclosures.

mCrime Higher on Hackers’ Radar

This year’s Defcon convention of hackers in August brought to light a fact that many in the security industry have known: mobile phones are becoming a bigger target for criminals.

Recent news of applications on the iPhone and Android that are vulnerable to attack and possibly designed to send your data offshore have reinforced the security concerns for mobiles.

It is inevitable that over the next few years as millions of smartphones replace handhelds and billions of applications are downloaded, risks of mobile crime (mCrime) will rise. As we speak, the large antivirus companies are snapping up smaller mobile phone security companies in anticipation of a deluge of mobile attacks.

Right now, however, the path of least resistance continues to be the data-rich computer that sits in your home or office, or maybe your mortgage broker’s office. Unprotected PCs with outdated operating systems, unsecured wireless connections, antivirus software that hasn’t been updated, and reckless user behavior will continue to provide a goldmine for criminals.

The problems with computer security will continue as Microsoft abandons XP users and stops offering security updates. But as more and more users shed Windows XP and upgrade to Windows 7 and beyond, mobiles will become attractive targets.

In the meantime, protect your mobile phone.

The Blackberry is the most “natively” secure. It’s been vetted by corporations the world over to protect company data. Enable your password. Under “General Settings,” set your password to “On” and select a secure password. You may also want to limit the number of password attempts. Encrypt your data. Under “Content Protection,” enable encryption. Then, under “Strength,” select either “stronger” or “strongest.” When visiting password-protected Internet sites, do not save your passwords to the browser. Anyone who finds your phone and manages to unlock it will then have access to all of your account data and, ultimately, your identity.

The key to being a “safe” iPhone owner is to add apps that help secure your information. Enable the passcode lock and auto-lock. Go into your phone’s “General Settings” and set the four-digit passcode to something that you will remember but is not overtly significant to you. That means no birth dates, anniversary dates, children’s ages, etc. Then go back into “General Settings” and set the auto-lock. And turn your Bluetooth off when you aren’t using it.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses mobile phone spyware on Good Morning America. (Disclosures)

Celebrity Identity Theft Issues

The only difference between a so-called celebrity and you and me is exposure. Their lives are subjected to much more attention than most people’s, and for that they pay a price. Ours is a celebrity-obsessed culture that has multiple TV programs every day of the week that focus solely on the lives of the popular people. With that attention often comes baggage the individual did not foresee. But once they are in the spotlight they either shine or crash and burn.

The unfortunate side effect of this much attention is security issues. When a person has so many millions of eyeballs on them, chances are there will be a stalker or two, along with someone who will do their best to swindle them.

As McAfee recently pointed out, criminals are also using celebrities on the internet to hack your PC. Cybercriminals often use the names of popular celebrities to lure people to sites that are actually laden with malicious software. Anyone looking for the latest videos or pictures could end up with a malware-ridden computer instead of just trendy content. Cameron Diaz has replaced Jessica Biel as the most dangerous celebrity to search for on the Web.

Jennifer Aniston, along with Anne Hathaway, Liv Tyler, Cher and Melanie Griffith, among others, were victims of credit card fraud to the tune of hundreds of thousands of dollars by their beautician. Liv Tyler was swindled out of $214,000. If these celebs weren’t paying attention to their credit card statements, chances are they ate most of those fraudulent unauthorized charges. Cardholders only have 60 days to dispute fraud. After that it’s up to the discretion of the bank if they want to hear your plea.

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing celebrity identity theft on CNBC. (Disclosures)

What is “Social Registration”?

Social media has evolved into the fifth major form of media: print, radio, television, Internet, social. While social media functions on the Internet, there’s no denying that it is its own platform. It encompasses most forms of media in one tight and neat package. Some social networking sites have more users than some countries have residents.

In the process of this explosive growth, a few social networking websites like Facebook, Twitter, and LinkedIn have risen to the top. And in each frontrunner’s quest to be the biggest, fastest, and strongest, each wants to be your “single sign-on” in the form of a registration. Webmail providers Google and Yahoo also want you to log in to other sites using their credentials. This means when you visit any other site with a registration requirement, they may ask for your username and password but also give you the option to log in using your Facebook or Google credentials.

This same process can also link your different social media communities with each other and facilitate cross-posting.

The idea behind social registration is that each user has a somewhat established online identity. Over time, the user’s various identities in each community or platform begin to merge for purposes of shopping, communicating, and connecting to different devices. This can allow you to hop from one place to another without having to enter multiple usernames and passwords.

All that said, rarely will I engage in social registration. If one account is ever compromised, and it’s linked to others, then the hacker accesses multiple accounts with a single hack. If the accounts are of low security value then it may not be a big deal, but once email credentials are involved, the risks increase. There are security measures behind the scenes that protect you in some ways. I’m just not so trusting.

Look at it this way: does your online banking interface allow you to log in via Facebook? I didn’t think so. Of course, if anyone wants to walk me through their bulletproof process and change my mind, I’m listening.

Robert Siciliano, personal security expert adviser to Just Ask Gemalto, discusses hackers on social media on CNN. (Disclosures)



Seven Smartcard Keys To The Internet

There has been a bit of buzz lately regarding an Internet “kill switch” and a handful of trusted individuals given the responsibility of rebooting the Internet, should it go down from a cyber attack or be shut down for whatever reason.

The operation is born of the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN was formed in 1998. It is a not-for-profit public benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable, and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers.

ICANN doesn’t control content on the Internet. It cannot stop spam and it doesn’t deal with access to the Internet. But through its role coordinating the Internet’s naming system, it does have an important impact on the expansion and evolution of the Internet.

Popsci reports that “part of ICANN’s security scheme is the Domain Name System Security (DNSSEC), a security protocol that ensures Web sites are registered and “signed” (this is the security measure built into the Web that ensures when you go to a URL you arrive at a real site and not an identical pirate site). Most major servers are a part of DNSSEC, as it’s known, and during a major international attack, the system might sever connections between important servers to contain the damage.”

The lucky seven holders of the smartcard keys are from all over the world. Each key holds an encrypted number that is part of the DNSSEC root key. By themselves the keys are useless, but combined they have the ability to restart the Internet. The process of rebooting the web requires five of the seven key holders to be in the United States together with their keys. That’s a pretty lofty responsibility for anyone. You can learn more about the card process in this video.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses the possibility of an Internet crash on Fox Boston. (Disclosures)