Privacy Laws for Kids Online

Numerous privacy groups are urging the FTC to update its Children’s Online Privacy Protection Act of 1998. The primary goal of the Children’s Online Privacy Protection Act, or COPPA, is to give parents control over what information is collected from their children online and how such information may be used.

Jeff Chester, Executive Director of the Center for Digital Democracy said, “The Commission should enact new rules for COPPA that draw upon its current investigations into behavioral marketing and other current digital advertising practices. It’s time for the FTC to do a better job of protecting the privacy of children online.”

The Internet today isn’t what it was in 1998. Back in the day, when dial-up – the online equivalent of a horse and buggy – was the only means of getting around, the risks weren’t as great as they are now. The speed of technology has outpaced the security of information and the learning curve of users. Over time, many web operators conveniently forget the rules, choose to do things their own way, and then apologize when they are accused of doing something wrong.

The original COPPA was designed around websites that sell merchandise. Today, we have social media, Second Life, online gaming sites, and smartphones that can access the Internet anywhere, anytime.

The report states, “several start-ups…are experimenting with ways to use cell phones to bridge the digital and physical worlds and turn the tasks of everyday life, like buying coffee and running errands, into a game.” Many major companies are taking advantage of these applications for promotional purposes. A major fast food chain, for example, offers a soda and sandwich to people who “check in” three times. This company is also able to “use the data they collect from people’s cell phones to learn more about who their customers are and how they behave.”

Geolocation could pose a privacy threat. Information collected through geolocation is particularly sensitive, since it can allow a child to be physically contacted wherever he or she is, at any time. Parents need to be aware if there is misuse.

The descriptively named website PleaseRobMe.com aggregates real time location information that users have voluntarily shared on Twitter in order to bring attention to the potential problems with this type of sharing.

The risks are magnified for children, who will often fail to comprehend the significance of sharing personal information. And when a child’s location is collected automatically, neither the parent nor the child is aware that this information is being shared, nor are they given the opportunity to consent or refuse to consent to such data collection.

Kids are plugged in all day, which means it’s imperative that parents understand how these technologies are slowly infiltrating children’s lives in ways that we couldn’t possibly have imagined a decade ago. Hopefully, more transparency and oversight of the wild, wild web will keep new technologies in check, and your kids more secure. A great site to help educate you and your kids is www.WiredKids.org.

Robert Siciliano, personal security expert adviser to Just Ask Gemalto, discusses child predators online on Fox News. Disclosures

Do You Really Need Identity Theft Protection?

I see plenty of articles disclaiming any form of identity theft protection and the related expenses. They have titles like, “Identity Theft Protection Doesn’t Work,” or, “Poor Man’s Guide to Identity Theft Protection.” Most of these articles have some degree of merit, but they usually miss the point.

The fact is, you can’t protect yourself from all forms of identity theft, and the types that you can guard against require a Rain Man-like focus. One way or another, it’s going to cost you time or money or both.

Identity theft protection detractors say, “Why pay a monthly fee when all you have to do is…”

Securely dispose of mail. The standard advice is to thoroughly shred preapproved credit card offers and anything that includes any account information. While this is good advice and should be heeded, it’s not going to protect you when your bank or mortgage company or utility provider tosses your information in a dumpster that is subsequently raided by identity thieves.

Opt out of junk mail and preapproved credit card offers. This is good advice and can be done at OptOutPrescreen.com. However, even if you opt out of new offers, others will still arrive. It’s inevitable. You also need to get a locking mailbox, but that still won’t fully protect you.

Get a P.O. box. This won’t protect you at all. Anyone who recommends this tactic doesn’t understand how identity theft occurs.

Check your credit for free at AnnualCreditReport.com. This is an excellent way to stay on top of your credit reports and keep tabs on what accounts may be open under your name. However, it’s only good for one credit report per bureau per year. You should really check your credit report monthly, and that isn’t cheap.

Set fraud alerts. Fraud alerts are a great layer of protection, but they expire every 90 days, and most people don’t bother to renew. Plus, fraud alerts only serve as a guideline for creditors, who are not required to contact you before issuing credit.

Get a credit freeze. This is a great way to help prevent new account fraud. I recommend this. But by itself, a credit freeze is not enough.

These are all layers of prevention that will help, but by themselves or even in combination, they cannot provide the same degree of protection offered by a reputable, full-service, paid product.

To ensure peace of mind and protect your most valuable asset, your identity—subscribe to an identity protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss an identity theft “pandemic” on CNBC. (Disclosures)

Using Honeypots to Better Understand Security

When you think “honeypot,” images of that lovable furry bear, Winnie the Pooh, may come to mind. Pooh loved him some honey. And whenever he stumbled upon a pot of honey, he gorged himself on that sugary goodness until he passed out. Yum.

But in technology terms, a honeypot is a trap set to detect, deflect, or somehow counteract unauthorized use of information systems. Generally, a honeypot consists of a computer, data, or a network site that appears to be part of a larger network, but is actually isolated. (You may have seen reality shows where police set up a bicycle in front of a store and stake it out until someone steals the bike, then tackle and arrest the thief. A honeypot is similar, but without the tackling and arresting.)

Honeypots are tools used by researchers and security professionals to monitor the behaviors of criminal hackers and viruses, allowing the researchers to gather intelligence on how they operate. In this way, researchers can gain an understanding of the motivations and methods a hacker would use. This process helps developers think like the bad guy, giving them a better understanding of the necessary security needed to prevent and counter attacks.

When intuitive security professionals develop a honeypot mindset, they can anticipate the bad guy’s next move. They make numerous predictions about what he will do next and put redundant systems in place to prevent him from doing his job. This becomes second nature for some.

I’d recommend a similar strategy for your own personal security. When it comes to protecting yourself, think about your surroundings and what might make you a target. If you are processing a credit card transaction, think about how risky it may be and what to do in response to those risks. Before you leave your home, visualize the paths of least resistance into your house and what should be done to secure it.

Bad guys don’t play by the same rules we do. But if you understand their game and anticipate their next move, you can beat them.

Robert Siciliano, personal security expert adviser to Just Ask Gemalto, discusses another data breach on Fox News. Disclosures

Are Contactless Payment Methods Secure?

“Contactless,” in this context, refers to the use of a wireless device. A payment is contactless when, instead of inserting your credit or debit card, you hold your card or keychain device within a few inches of the terminal, and your payment information is sent and processed wirelessly.

Contactless payments offer a faster and more convenient alternative to cash for small purchases at fast food restaurants, convenience stores, and transport terminals. They are also ideal for remote or unattended payment situations, such as vending machines, road tolls, or parking meters. So far, I haven’t seen a report of bad guys exploiting contactless payment systems.

Hackers, whether they’re black hat (bad guys) or white hat (security professionals), are always looking for vulnerabilities in technology. The bad guys’ intentions are to exploit these vulnerabilities for ill-gotten gain, and the security professionals’ are to make the technology more secure.

A white hat hacker demonstrated some of the vulnerabilities of early contactless technologies for Canada’s CBC News. However, these demonstrations took place in unrealistic settings, and the IT professional went to great lengths to concoct scenarios in which this payment processing method could lead to fraud. These scenarios encourage fear, uncertainty, and doubt, without providing any tangible testing value.

In response to the question of security in contactless technology, the Smart Card Alliance stated, “Contactless smart card technology includes strong security features optimized for applications involving payment and identities. Every day tens of millions of people around the world safely use contactless technology in their passports, identity cards and transit fare cards for secure, fast and convenient transactions. Multiple layers of security protect these transactions, making them safe for consumers and merchants. Some of these features are in the contactless smart card chip and some are in the same networks that protect traditional credit and debit card transactions.”

A researcher can manipulate tests in a controlled environment and create a desired outcome that seems to establish vulnerability, but there’s a big difference between that type of demonstration and real world penetration testing. To date, there is no such thing as 100% perfect security, and my guess is that there will never be. With that in mind, it is essential that the good guys continue to work towards that goal, impossible as it may be, and to expose flaws that they find, but they should do it responsibly.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses on CNBC. Disclosures

Mobile Phone Spyware Resellers Arrested

Spyware is sold legally in the United States. This software records chats, emails, websites visited, usernames and passwords, and basically everything a person does on that PC. Some spyware programs can record everything in a video file that can then be accessed remotely.

This is all perfectly legal as long as the PC’s owner is the one to install the software. Installing spyware on a computer that is not your own is illegal. Spyware can be great if, for example, you have a twelve-year-old daughter who obsessively chats online and you want to know with whom she’s chatting, or if you have employees whose productivity is less than satisfactory and you want to check whether they’re watching YouTube all day.

Spyware also comes in the form of a virus, which essentially does the same thing. When you click a malicious link or install a program that is infected with malicious software, numerous types of spyware can be installed as well.

Mobile phone spyware is relatively new and is quickly grabbing headlines. As PCs shrink to the size of a smartphone, spyware continues to evolve with this trend.

Apparently, cell phone spyware is illegal in Romania, since the Romanian Directorate for Investigating Organized Crime and Terrorism recently arrested fifty individuals, including “businessmen, doctors, and engineers, in addition to a judge, government official, police officer, and former member of Parliament,” who have been accused of monitoring cell phone communications of their spouses and competitors, among others, using off-the-shelf software.

Spyware can be installed on your cell phone remotely or directly. To protect your phone, never click on links in texts or emails that could actually point toward malicious downloads. Always have your phone with you and never let it out of your sight or let anyone else use it. Make sure your phone requires a password for access. If your phone is password-protected, it will be difficult to install spyware.

If your phone is behaving oddly or you have some other reason to suspect that it contains spyware, reinstall the phone’s operating system. Consult your user manual or call your carrier’s customer service for step-by-step help with this process.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses mobile phone spyware on Good Morning America. Disclosures

Scummy Scammers and Targeted Attacks

I make a portion of my living speaking professionally. That means I get on a platform and present in front of an audience on issues revolving around personal security and identity theft.

So when I got this email, I was so happy to see I was being invited to England to speak at the esteemed Middlesex University.

I had to shorten the dialog to keep in tune with your attention span.

______________

8:09am

SCAMMER: From: Professor Wayne Erickson <middlesexuniversityconference@gmail.com>
Company: MIDDLESEX UNIVERSITY.


To: Respected Robert Siciliano, (I am “Respected”, NICE!)

Am Professor Wayne Erickson from the Middlesex University
Here in London UK. We want you to be our guest speaker at this
Year Middlesex University Seminar which will take place here in
UK.

We are taking care of your traveling and hotel accommodation expenses including your speaking fee. If you will be available for our event, include your speaking fees in your email so it can be included in your CONTRACT AGREEMENT.

Stay Blessed
Professor Wayne

________________

8:10am

ME: Wonderful. Fee is $10,000. What are the next steps?

________________

8:38am

SCAMMER: It is really nice hearing back from you; we are over delighted to have
you honor our invitation. I will have loved to give you a call
so as to deliberate more on arrangements, but am out of office on an
official duty and will not be back until WEDNESDAY morning, we can only
communicate through emails at the moment.

We have agreed to buy your flight ticket and to pay your hotel
accommodation expenses. Also your Speaking fee is amounted to
10,000 USD 7,000 (SEVEN THOUSAND USD) deposit is to be paid as
soon as you procure all relevant travel documents so as to avoid any
disappointment. You are informed to get across your Work Permit to us
so your deposit can be approved according to our mandated rules and
regulation.

You are advised by the Event Organizing committee to immediately
contact our BRITISH EMBASSY here in the UK to procure your UK Work
Permit as soon as possible

This will enable us to proceed with all arrangements to welcome you
here in London. Contact the British Embassy official
information below.

BRITISH EMBASSY.  Name: Dr Owen Loren Email:britishembassycustomerservice@gmail.com

______________

8:40am

ME: Dr. Owen Loren, need work permits.

______________

9:11AM

SCAMMER: I acknowledged the receipt of your mail. I understood all the
contents. Without any waste of time and due to short time we have left
to proceed with the issuance of these important documents .Fortunately
for you I will be processing some files today at the UK BORDER AGENCY.
You are advised to immediately provide me with the listed
requirements.

View attachment below and immediately get back to me with all
requirements so I can proceed on the procurement of your PERMIT.

In your service,
Dr Owen Loren,
British Embassy Official.

In the attached document, the scammer requests 550 pounds (837.277 USD).

____________

9:21am

SCAMMER: As soon as you get the PERMIT procured send me a copy of it so I can forward it to our FINANCIAL DEPARTMENT for your DEPOSIT to be sent
over to you, I will also begin with all reservations ASAP.

We also await the signed copy of your CONTRACT AGREEMENT.

Note: The UNIVERSITY has promised to reimburse all the expenses spent
on your PERMIT alongside your DEPOSIT.

We await meeting you in LONDON,

Stay Blessed,
Professor Wayne
Bye.

________________

9:30am

ME: This is such a fantastic opportunity. Please send photos of yourselves of your highest dress attire in your most coiffed hair with the attached document printed out. I will post them on my website to promote my esteemed engagement. I will get on my motorbike shortly after I received these wonderful photographs of your handsomeness and go directly to western-union to pay the fabulous fee to work. I need these photographs ASAP. Please include a handheld printable version of my name (as attached) in your hands (both hands) with the photograph to show my American colleagues how lucky I am to work with such incredible official as yourself. I look forward to these photographs ASAP and will provide to my webmaster then I will go on my motorbike to pay the fee. I am ready and awaiting your quickest timeliest response.

Your Esteemed Colleague and Most Wonderful Speaker

Robert Siciliano

NEW Demo Video http://YouTube.com/watch?v=mrcvMg1UDro
Robert Siciliano
http://IDTheftSecurity.com

_________________

All they need is one person each month to respond to this scam and they make bank. $850.00 is enough money for them to feed themselves all month. This isn’t such a sophisticated scam. However, speakers I know have fallen for it. The documentation and the targeted attack make it an effective ruse. Lawyers are getting scammed in a similar way. What makes this “spear phish” (a targeted scam) so scary is that they sought ME out; they know my profession and who I am. But, apparently, they don’t really know what I do, which is exposing their scumminess to the world. I feel dirty just communicating with them.
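As an added illustration (not part of the original post), here is a small scoring heuristic that a mail filter or a wary recipient could apply to an exchange like the one above: it flags an institutional claim sent from a free webmail domain, advance-fee wording, and a hand-off to a second free-mail “official”. The sample messages are constructed from the emails quoted above; the control message and its domain example.edu are placeholders.

```python
import re
from dataclasses import dataclass, field

# Free webmail domains; a real university or embassy sends from its own domain.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Words suggesting the sender claims to act for an institution.
INSTITUTION_WORDS = ("university", "embassy", "professor", "official", "ministry")

# Advance-fee phrasing: the target is asked to pay before receiving anything.
ADVANCE_FEE_PHRASES = ("work permit", "deposit", "western union", "procure",
                       "reimburse", "processing fee")

ADDR_RE = re.compile(r"<([^>]+)>")
ANY_ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def sender_address(from_line):
    """Return the bare address from a From: line, e.g. 'Name <a@b>' -> 'a@b'."""
    m = ADDR_RE.search(from_line)
    return (m.group(1) if m else from_line.split(":", 1)[-1]).strip().lower()


def score_message(from_line, body):
    """Score one message; higher means more likely an advance-fee spear phish."""
    v = Verdict()
    addr = sender_address(from_line)
    domain = addr.rsplit("@", 1)[-1]
    text = (from_line + "\n" + body).lower()

    # 1. Institutional claim made from a free webmail account (+3).
    if any(w in text for w in INSTITUTION_WORDS) and domain in FREE_MAIL_DOMAINS:
        v.score += 3
        v.reasons.append(f"claims an institution but sends from {domain}")

    # 2. Advance-fee language (+1 per distinct phrase).
    hits = [p for p in ADVANCE_FEE_PHRASES if p in text]
    if hits:
        v.score += len(hits)
        v.reasons.append("advance-fee phrases: " + ", ".join(hits))

    # 3. Referral to a second free-webmail contact for "official" processing (+2).
    for other in ANY_ADDR_RE.findall(body.lower()):
        if other != addr and other.rsplit("@", 1)[-1] in FREE_MAIL_DOMAINS:
            v.score += 2
            v.reasons.append(f"refers to a second free-mail contact {other}")
            break
    return v


def is_suspicious(from_line, body, threshold=4):
    return score_message(from_line, body).score >= threshold


# Constructed sample: the scammer's second email, condensed from the post.
SCAM_FROM = "From: Professor Wayne Erickson <middlesexuniversityconference@gmail.com>"
SCAM_BODY = """We have agreed to buy your flight ticket and to pay your hotel
accommodation expenses. Also your Speaking fee is amounted to
10,000 USD 7,000 (SEVEN THOUSAND USD) deposit is to be paid as
soon as you procure all relevant travel documents so as to avoid any
disappointment. You are informed to get across your Work Permit to us
so your deposit can be approved.
Contact the British Embassy official information below.
BRITISH EMBASSY. Name: Dr Owen Loren Email:britishembassycustomerservice@gmail.com
"""

# Constructed control: an ordinary invitation from an institutional domain (placeholder).
LEGIT_FROM = "From: Events Office <events@example.edu>"
LEGIT_BODY = ("We would like to invite you to speak at our seminar. "
              "Please let us know your availability and fee.")

if __name__ == "__main__":
    for label, f, b in (("scam", SCAM_FROM, SCAM_BODY), ("control", LEGIT_FROM, LEGIT_BODY)):
        v = score_message(f, b)
        print(f"{label}: score={v.score} suspicious={is_suspicious(f, b)}")
        for r in v.reasons:
            print("  -", r)
```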

Robert Siciliano personal security expert to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover. Disclosures

National Strategy for Online Identification

The Internet has become a fundamental aspect of most of our lives. It goes beyond social media, online shopping, and banking. Critical infrastructures like water, sewer, electricity, and even our roadways all rely on the Internet to some degree.

The Internet’s weak link is the difficulty in reliably identifying individuals. When online, our identities are determined by IP addresses, cookies, and various “keys” and passwords, most of which are susceptible to tampering and fraud. We need a better strategy.

Howard A. Schmidt, the Cybersecurity Coordinator and Special Assistant to the President, points to The National Strategy for Trusted Identities in Cyberspace (NSTIC), which was developed in response to one of the near term action items in the President’s Cyberspace Policy Review. The NSTIC calls for the creation of an online environment where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the infrastructure that facilitates the transaction.

The primary goal is to build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the nation.

The National Strategy for Trusted Identities in Cyberspace is a document released to the public for comment. The Department of Homeland Security has posted the draft at www.nstic.ideascale.com, and will be collecting comments from any interested members of the general public.

Offline, there are currently dozens of identification technologies in play that go beyond the simplicity of Social Security numbers, birth certificates, drivers licenses, and passports.

These include smart cards, mobile phones, biometrics such as facial recognition, ear canal recognition, fingerprints, hand geometry, vein recognition, voice recognition, and dynamic biometrics, among others. In a future post, we will go into more detail on each. However, there is not a consistent standard in the United States to date. In the near future, we may see the adoption of some of these technologies to properly identify who is who.

Robert Siciliano, personal security expert adviser to Just Ask Gemalto, discusses Social Security Numbers as National IDs on Fox News. Disclosures

Travel Security and Identity Theft Scams

Traveling for business or pleasure is hectic, unnerving, not at all glamorous and often draining. Often, we say we need a vacation after a vacation. And when traveling, the last thing you need is to be ripped off. Things to consider:

Hotel Rooms

Hotel rooms are not secure. Just last week I entered a hotel room with somebody else’s stuff laid out on the dresser and on the bed. It’s happened to me dozens of times. Sometimes the clerk assigns the same room to two people, or the keys work in multiple rooms. Never ever leave anything of value in your room.

Rental Cars

My wife traveled to Spain, got off the plane, rented a car, and drove off the lot. At the first stop sign, a man knocked on her passenger window and pointed, saying, “Tire, tire.” She put the car in park and walked over to the passenger side. The tire was fine and the man was gone. When she got back in the car, her purse had disappeared from the front seat. Her driver’s license, passport, cash, and credit cards were all gone.

Identifying Documents

When traveling, consider carrying your essential documents in a money belt, or one that hangs from a lanyard around your neck, hidden under your shirt. You should always carry photocopies of your identification, but they won’t do you any good if they’re stored in the same purse that was just snatched from your rental car. One smart option is to scan all your pertinent documents in full color and upload them to a secure web-based encrypted digital vault.

Lost Wallet Protection

Never include your Social Security card in any of these documents. There simply isn’t a reason to have your SSN with you while traveling. Consider an identity theft protection service that includes Lost Wallet Protection: just one phone call helps you notify your bank, cancel your credit and debit cards, and order replacement cards.

To ensure peace of mind before you travel—and year-round—subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss identity theft on YouTube. (Disclosures)

Stalkers Exploiting Mobile Phones

Mobile phone GPS (global positioning system) is often accurate to within 100 feet. Many mobile apps work with GPS to inform you of local restaurants, banks, gas stations and attractions. Mobile phone GPS is also used for driving navigation, but I don’t find it as effective.

In this amazing age of progressive technology the uses seem unlimited. The good guy often finds out what he can do to improve his life with technology and the bad guy uses it to ruin others.

A U.S. Justice Department report last year estimated that more than 25,000 adults in the U.S. are victims of GPS stalking annually, including by cell phone.

The Wall Street Journal reports “The Federal Communications Commission required U.S. cellular providers to make at least 95% of the phones in their networks traceable by satellite or other technologies by the end of 2005. The agency’s intention was to make it easier for people in emergencies to get help. GPS chips send signals to satellites that enable police and rescue workers to locate a person.”

Mobile phone GPS can generally be activated in two ways. First, phone carriers offer a service to track the phone for a monthly fee. The service is used to find the phone if it’s lost, or by a parent or spouse to keep tabs on their family. Employers often activate GPS to locate employees. Once activated, the carrier sends a text message to the phone alerting the person that they are being tracked via the phone’s GPS. The person paying the bill, who is responsible for the contract, is usually the person who can turn on tracking.

Second, mobile phone spyware. Software is installed on the phone that allows for another level of “keeping tabs”. The software will locate the phone via GPS and also keep track of all text messages and phone calls. In this scenario, spyware is most often installed manually by someone who has access to the device; in rare instances it can be installed remotely.

“Stalkers” who use the phone’s GPS are usually someone close to the victim, like a family member or ex-boyfriend/girlfriend, who has the capability of turning on tracking.

If you suspect your phone’s GPS has been activated by the carrier, call to find out. If you don’t like the feature turned on, request that it be turned off, or get another phone under your own name. If you believe the phone has been compromised by spyware, call your carrier and request that they walk you through the process of reinstalling the phone’s operating system. This will wipe away any spyware that tracks via GPS.

Robert Siciliano personal security expert to Home Security Source discussing mobile phone spyware on Good Morning America. Disclosures.

Daytime Burglaries on the Rise, Police Say

Many studies show burglaries actually happen more in the daytime than in the evening. Depending on whom you ask, the hours of 7-10 a.m. seem to be the most attractive times for burglars.

This is the time of day when people are leaving for work. The bad guy may see you leave and take the opportunity to check whether you locked your doors. First, he rings the bell and knocks on the door to see if you are home. If there is no answer, he jiggles the handle; if you didn’t lock your doors, he is in. If you locked the door, he may use a screwdriver or crowbar to force it open. If you don’t have a home security system, he is in with relatively little resistance.

In Downey, California, the local police sent out this message:

“In recent months the city of Downey has experienced a rise in the number of daytime residential burglaries reported to the police department. Many of these incidents have occurred in the same fashion and the police department is asking for your help in the prevention of such occurrences.

The following is a scenario often used by suspects looking to burglarize homes in your neighborhoods:

A suspect may simply walk to the front door of a residence and knock on the door. If someone answers, the suspect will make an excuse for being at the wrong house and walk away. If there is no answer, the suspect will either leave the location before returning a short time later, or make his way into the back or side yard to find a way into the house.

Once out of view of the street, he will look for open windows or doors to gain entry into the residence. If the house is locked, the burglar will oftentimes force entry by breaking a window or forcing a door open.

A car with additional suspects will oftentimes wait a short distance away for the suspect to return with stolen property. The suspect may also call them to respond to the house to assist in the actual burglary of the location.

Because the actions of the burglars are usually not visible from the street, it is difficult for police to discover the crime in progress. Because of this, it’s imperative that residents in the area pay close attention to suspicious subjects in their neighborhood. This is especially true if you see someone knock on a door of a residence, then go to the back of the house when they fail to get an answer.

If you see people in your neighborhood – whether they are walking or sitting in a vehicle – that you feel may be looking for an opportunity to commit a crime, please call the Downey Police Department”

Robert Siciliano personal security expert to Home Security Source discussing Home Security on NBC Boston. Disclosures.