Fostering Awareness & Improving Security Education

Robert Siciliano Identity Theft Expert

Financial institutions have the most to lose and the most to gain by improving security education of their clients and employees.

A while back  I appeared on a local TV show talking about phishing. Amazingly, still, not everyone knows what phishing is. A good friend saw the show and was shocked by what she learned….about her bank.

She received a phishing email and didn’t know what it was. The email asked her to update her account. It was confusing so she called her bank. She spent 20 minutes on the phone with a bank rep discussing her account and the bank could find no record of the communication or any issues with her account. At the conclusion of the call the bank rep said, “I don’t know why you received this email, your account information is in order.” Click.

That night she saw my phishing clip and wondered why the bank never mentioned a single word about phishing. Her bank failed her. They failed to educate her and therefore failed to protect her. She is no longer a client of that bank.

The mindset of financial institutions needs to change drastically when it comes to educating their clients about identity theft and security issues. Old school “sweep it under the rug” don’t discuss it because it will scare people school of thought is dead. People want, need and require information to protect themselves.

The game has changed. People are concerned for their personal security and are hungry to learn. The fact that you or anyone reads this blog is a testament to society as a whole wants to learn. Soccer moms are now security moms.  I’ve seen major industry players in the anti-virus space catering to these mommy bloggers and others because they understand the public is hungry for this. Banks, well, not so much.

Engage the public and they will respect you and want to do further business with you.

Linda McGlasson, Managing Editor at BankInfoSecurity.com interviewed me for a segment on this issue. Listen to the Podcast here It requires a login but its worth your time.

Protect your identity.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing the lack of security in online banking on CBS Boston

Search Engines Link to Malware in Social Media Search

Robert Siciliano Identity Theft Expert

Now that the 3 major search engines Google, Bing and Yahoo index real-time search for Twitter and other social networks, consumers must be aware that not all relevant search is a safe click. Scammers and identity thieves see this as real-time free advertising for their malware.

When news breaks, the social media is now considered a trusted source for cutting edge information. The search engines trust that data and place those keyword search results on page one.

A criminal hacker seeing news break begins to multiply that message and embed malware in the links that lead to fraud.

Tainted Twitter and Facebook updates are riddled with spam and viruses in status posts where links are often disguised in short URLs that go to spoofed sites or include a downloadable virus.

The blind trust the search engines have in these results puts the user in jeopardy.

While all 3 search engines have automatic and manual processes for detecting such links, the sheer volume of hackers using this strategy creates a cat and mouse scenario that is far from fool proof.

While I certainly use social media to inform the world on current events, I don’t recommend you click on links from those who you aren’t familiar with. I never click links in the body of an email from those I’m not familiar with and I don’t do it on social media either.

If you are compelled follow the link, use a short URL decoder that provides a glimpse into where the link goes. Otherwise make sure you have the most updated browser that informs you of entry to spoofed sites. And make sure your antivirus is fully up to date.

Robert Siciliano personal security expert to Home Security Source discussing criminals using social media to commit fraud on Fox Boston

Diploma Mills Facilitate Identity Theft

Robert Siciliano Identity Theft Expert

Diploma mills were born along with elearning institutions who are actually legitimate and accredited bodies. Degrees and diplomas issued by diploma mills are frequently used for fraudulent purposes, such as obtaining employment, promotions, raises, or bonuses on false pretenses. They can also be used as a form of fake ID when posing as someone else to gain employment, impersonation of a licensed professional or used to assist as a breeder document leading to “real” fake ID’s.

A fake diploma is an effective social engineering tool used to gain access to your corporate networks.

From Wikipedia “A diploma mill (also known as a degree mill) is an organization that awards academic degrees and diplomas with substandard or no academic study and without recognition by official educational accrediting bodies. The purchaser can then claim to hold an academic degree, and the organization is motivated by making a profit. These degrees are often awarded based on vaguely construed life experience. Some such organizations claim accreditation by non-recognized/unapproved accrediting bodies set up for the purposes of providing a veneer of authenticity.”

The diploma mills often model the names or accredited educational institutions. They may even take a portion of a universities name and make it a part of their own. Such modeling tactics involve using similar logos, color schemes, and designing their websites to mimic an Ivy League school, right down to the .edu web address.

Just like a legitimate college or university, diploma mills may actually require the student to purchase books, do homework and take tests.  However, the diploma mill may make it extremely easy for someone to pass. Students in many cases are able simply purchase a diploma no questions asked. Many of these organizations are nothing more than glorified print shops.

As an employer who requires a diploma as official entry to your organization, you must recognize the risks associated with accepting documents that are fake, designed to give the bad guy access to your networks.

Diploma mills and the documents they print can be difficult to detect. However, today, thanks to the Internet, many websites and organizations are publicly “outing” diploma mills.

When hiring and presented with a diploma, search out the name of the educational institution and see what comes up. More effective is to do a search of the name on the diploma then “diploma mill” in quotes. If you begin to see a trend of sites popping up referencing fraud then call your attorney. Someone who is likely to commit fraud of this nature, may cause even more problems when you decline their employment.

Protect your identity.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing fraud on Fox News

mCrimes Morph Into mBotnets

Robert Siciliano Identity Theft Expert

Botnets are robot networks of computers connected to the Internet that sit in our homes and offices. A botnet is generally banks of multiple PC’s from the 10’s to 10,000’s to millions. There are no hard numbers on botnets but last figure I saw was somewhere between 3-5 million. Another stat is 25 percent of all US based PC’s are on a botnet. That’s just insane.  Botnets PC’s are called Zombies. Zombies all generally share a virus in common that allows for a remote control component. The criminal hacker controls the zombies on the botnet via an IRC control server or via a peer to peer network.

The combined power of the zombies on the botnet allows the criminals to commit all kinds of crimes such as denial of service attacks, mass spam campaigns of blasting viruses to millions.

Often botnets are used to store stolen data or to host spoofed websites that collect that data.

Now comes “Sexy Space,” an infected text message containing a link that when clicked downloads a file making that phone part of an mBot. mBots are made up of “Zobiles”.  The download then infects the users contact list and in typical virus multiplication fashion, sends the Sexy Space text to them too.

It is believed that infected phones could then be used in similar ways as traditional zombies are.  The extra twist with a zobile is its ability to take pictures, video, and used as a covert audio listening device. It can also sniff out wireless connections to the Internet and gather additional data to be used to hack.

History indicates that we are at the forefront of an era in which criminal hackers develop tools and techniques to steal your money using your own cell phone. Fifteen years ago, cell phones were bulky and cumbersome, they had to be carried in bags or briefcases. Then they became chunky, heavy bricks. Calls dropped every other minute. Clearly, cell phones have evolved since then. Today’s cell phone is a lot more than a phone. It’s a computer, one that rivals many desktops and laptops being manufactured today.

Never click on links in text messages unless you are 100 percent sure it’s a legitimate communication from a trusted source.

Follow your phones manufacturers and carriers recommendations on securing your phone. A search on “mobile phone security” turns up options/downloads/security to consider.

Protect your identity.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing mobile phone crimes and hacking on the Mike and Juliet Show

Personal Security: Scareware Scares You In To Paying

Robert Siciliano Identity Theft Expert

Makers of fake anti-virus software force people to buy ‘scareware’. If one could have a favorite scam, for me, it would be “scareware.” My reasoning is it’s one of the few scams that actually gets through to me. My computer’s defenses are pretty good, but I still see scareware. They’ve even taken my blog posts and used my name to launch scareware in Google News Alerts. I have some criminal hacker’s attention and he created scareware in honor of lil’ ole me!

Web pages may be infected or built to distribute scareware. The goal is to trick you into clicking on links. After landing on a page, pop-ups bombard you and warn you that your PC is infected with an Ebola- like virus and your PC will die a horrible death with fluids running from all ports if you don’t fix it immediately for $49.95.

Shutting off this pop-up is often difficult and any buttons you press within this pop-up could mean downloading the exact virus they warned you of. BRILLIANT!

Studies show that organized criminals are earning $10,000.00 a day from scareware! That’s approximately 200 people a day getting nabbed. Some “distributors” have been estimated to make as much as $5 million a year.

What makes the scam so believable is there is actual follow through of the purchasing of software that is supposed to protect you. There is a shopping cart, an order form, credit card processing and a download, just like any online software purchase.

The software is sometimes known as “AntiVirus2009” “WinFixer,” “WinAntivirus,” “DriveCleaner,” “WinAntispyware,” “AntivirusXP” and “XP Antivirus 2008.” These are actually viruses or spyyware that infect your PC, or just junk software that does nothing of value.

Scareware programs are a threat to your personal security and online safety. Luckily, this is an easy fix. The best way to prevent seeing a pop-up for scareware is using the latest Firefox browser. Firefox lets few, if any pop-ups through. No pop-ups, no scareware. If you are using another browser and a pop-up –pops-up, shut down your browser. If the pop-up won’t let you shut it down, do a Ctrl-Alt-Delete and shut down the browser that way.

Robert Siciliano personal security expert to Home Security Source discussing ransomware, a form of scareware on Fox Boston. Disclosures

EFT Point of Sales Hackers Net $50 Million

Robert Siciliano Identity Theft Expert

Readers of these posts are familiar with ATM skimming. ATM skimming is a billion dollar problem and growing. A relatively new scam over the past few years is electronic funds transfers at the point of sale (EFTPOS ) skimming. People commonly swipe both credit and debit cards through the in-store machines to pay for goods and services at these outlets. In Australia, Fast-food, convenience and specialist clothing stores are bearing the brunt of the crime. McDonald’s is among the outlets whose EFTPOS machines have been targeted.

Last year, legitimate EFTPOS devices at McDonald’s outlets across Perth Australia were replaced with compromised card-skimming versions, with 3500 customers cheated of $4.5 million. They actually replaced the entire device you see at the counter when you order your Big Mac!

Officials say the problem is so bad they urged people to change credit and debit card pin numbers weekly to avoid the possibility of having their account balances wiped out, as it was likely more cases would be identified.

In the United States a similar scam was pulled off at the Stop and Shop Supermarket chain.

“One reason POS machines are so vulnerable is that nearly all of the estimated 12 million devices in the U.S. employ a 40-year-old magnetic stripe technology that industry experts say is largely defenseless against the high-tech wizardry available to fraudsters today. These experts say that thieves can buy skimming gadgetry on the open market. Right now you can walk into a computer store in Malaysia and buy one of these devices for about $200”

The solution to this type of crime may be with authenticating the card or the card holder. Today this is out of the hands of the consumer. There are a number of new technologies that if banks/retailers/industries adopt to identify the actual card/user at the POS or even online, then most, if not all, of the card fraud problems will be solved. There is a race going on right now to see who gets there first. In the next 1-5 years we may see new cards being issued such as “chip and pin” which are standard in Europe. Or no new cards at all but changes in the system that identifies a fraudulent card making the data useless to the thief, or a 2 card system that requires a second swipe of another authenticating card the hacker doesn’t have access to. We will see how this all plays out.

You can’t protect yourself from these types of scams. However, by paying attention to your statements and refuting any unauthorized transactions within 60 days, you can recover your losses. When using any POS, pay close attention to details, and look for anything that seems out of place. If your card gets stuck in the machine or you notice anything odd about the appearance of the machine, such as wires, or error messages, don’t use it.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing ATM skimming on ExtraTV

Police Battle Break-in Trend

Robert Siciliano Identity Theft Expert

Belmont Massachusetts is right near Boston. This is not too far from my house and it’s where people “Pahk the Cahh in Hahvad Yahd.”  Police are fighting a battle that has its residents all shook up over more than a dozen home burglaries in recent weeks. Many of the victims came home to broken windows and kicked in doors.

Among the missing items were jewelry, coins and electronics which are common resalable items fenced on the streets and in pawnshops. In at least 2 cases plasma TVs were taken.

Police say the number of break-ins is about on par with what they’d expect, although possibly on the higher side because of the trickle down effects of the economic downturn. Some of it’s based on the economy right now, said a spokesman for the department. “It’s people trying to supplement what little or no income they have. We encourage residents to use common sense, people have to take a little bit of responsibility for their own safety and security. Lock your cars, lock your doors.”

In 2 cases they determined teenagers broke into homes to party. One family came home to find liquor and cigars stolen. Another reported their house was messy and smelled of alcohol and one of the beds was slept in.

According to the U.S. Department of Justice only about 17 percent of property crimes are ever solved.

I have a question. Have any of these people ever heard of a “home security system?”  It’s a simple question. You know, those electrical noisy thingies that set off an alarm when an unauthorized person or party forcibly enters the residence? These same doo-hickies CALL THE POLICE. With all due respect, and please, excuse my insensitivity to the matter, while the homeowner is not responsible for the break-in, and while it is an awful thing to happen, you are in the best position to prevent it.

The worst thing you can do is nothing. The best thing you can do is be proactive. As eloquently stated, “people have to take a little bit of responsibility for their own safety and security.”

Robert Siciliano personal security expert, to Home Security Source discussing personal security on TBS Movie and a Makeover. Disclosures

Citizens Need to be More Involved in Cybersecurity

Robert Siciliano Identity Theft Expert

In the University of Cincinnati’s Journal of Homeland Security and Emergency Management, the authors write “The general population must be engaged as active security providers, not simply beneficiaries of security policy, because their practices often create the threats to which government responds.” Somebody is saying to take personal responsibility and start doing things securely opposed to expecting it to all be done for you. What a revelation!

Just because everyone has access to the Internet, doesn’t mean they are using it securely. If a person decides to login, they should take some basic courses or read about how to login securely. And the education doesn’t stop there. New scams pop up every day and one has to be aware of their options. I write almost every day and there is never a shortage of topics for me to discuss.

The Internet can be a dangerous neighborhood with bad people around every corner. I got an email from a colleague today who is in the security business. He asked me if the email he received from Facebook to change his password was a fake or real. This is a smart guy, who obviously never heard of the Facebook phishing scam before.

NetworkWorld reports They cite the coordinated attack that overwhelmed U.S. and South Korean government sites last July as being the type of attack that individuals can unwittingly participate in by allowing their computers to be taken over by botnets, the authors say. The awareness they call for has to go beyond simply “if you do not protect yourselves bad things will happen to you” and create a sense that cyber security is a civic duty. Most users remain unaware that not only is their computer data vulnerable, but that their insecure access to cyberspace can be exploited by others turning them into unwitting agents of coordinated cyber threats [both criminal and disruptive attacks],”they say. “Cybersecurity must become a national civic responsibility.”

Frankly, we as citizens HAVE TO do something. Richard Clarke, the president’s cybersecurity adviser, recently wrote that the Department of Homeland Security “has neither a plan nor the capability” to protect the U.S.’s cyber infrastructure. He said companies and individuals “almost uniformly believe that they should fund as much corporate cybersecurity as is necessary to maintain profitability and no more.”

Whether you realize it or not, your computer is one of the biggest threats to your personal security. The Obama administration believes that your computer is also one of the biggest threats to national security.

The message is: Think before you click. Know who’s on the other side of that instant message. What you say or do in cyberspace stays in cyberspace — for many to see, steal and use against you or your government.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in  Intelius identity theft protection and prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU. (Disclosures)

3. Make sure your anti-virus is up to date and set to run automatically.

4. Update your web browser to the latest version. An out of date web browser is often riddled with holes worms can crawl through.

5. Check your bank statements often, online, at least once a week.

6. Visit US-Cert here

Robert Siciliano identity theft speaker discussing the mess of data security on Fox News

How Banks Fail to Provide Effective Online Security

Robert Siciliano Identity Theft Expert

A Texas bank is suing one of its customers who was hit by an $800,000 online bank theft that could determine who is to be held responsible for protecting their online accounts from fraud.

Computerworld reports Romanian and Italian based criminal hackers launched numerous wire transfers out of the client’s back account. The bank recovered $600,000 of the $800,000.

The victim wanted all its money back and sued the bank to be reimbursed of the $200,000. The bank in turn filed a lawsuit requesting the bank certify it had adequate security that was considered “commercially reasonable”. The bank doesn’t want anything more than to be absolved of the $200,000.

The bank states all transfers originated from unauthorized wire transfer orders that had been placed by someone using valid Internet banking credentials belonging to the victim. How the victim’s credentials fell into he wrong hands has not been disclosed. It seems it was the victim’s lax security opposed to the banks. There are numerous ways this can happen. What is evident is there were wire transfers of various dollar amounts ranging from $2500.00 to $100,000 made to different accounts all overseas. The bases of the victim’s lawsuit are that the bank should have systems in place to detect such activity.

Small businesses and banks are losing money via attacks on their online banking accounts. It’s very simple: criminal hackers send an e-mail with a link to a malicious site or download to employees who handle their company’s bank accounts. These malicious links then steal the username and passwords the employees use to log in to their online banking accounts. Done.

So, if my PC is compromised because I don’t have adequate security and $800,000 goes missing from my account, whose fault is it?  At first glance some may say the victims, others may say the banks. The fact that there are so many ways passwords can be compromised and accounts can be taken over, and banks know this, it should motivate banks to have redundant security in place. Hacks like this undermine people’s confidence in the system.

Here is a similar story being played out. I’m a big believer in taking action and making sure my systems are secure. And, the bank has some responsibility here too. I, we the public, have limitations on what we can do to be secure. I bet anything the bank will tighten up regardless of what the outcome of the lawsuit is because they have to see there is a weakness in their system. If they don’t, they are stupid.

I’ve been trying to transfer money from one bank account to another. My bank has made it difficult to do so. Painful even. It’s a customer service and a security issue. Ultimately they provide an option to do so and it requires paperwork, online authentication, phone calls and text messages. It’s not a matter of logging in and transferring money by entering another account. Even with my own login details I’m having a hard time transferring money.

Check to see how easy or difficult your bank makes it. Because if it’s easy peazy, that could be an issue if your PC is hacked.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in  Intelius identity theft protection and prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU. (Disclosures)

3. Make sure your anti-virus is up to date and set to run automatically.

4. Update your web browser to the latest version. An out of date web browser is often riddled with holes worms can crawl through.

5. Check your bank statements often, online, at least once a week.

Robert Siciliano Identity Theft Speaker discussing online banking insecurity

Apartment Security 101

Robert Siciliano Identity Theft Expert

According to the National Crime Prevention Council, apartments have an 85 percent more chance of being burglarized. Homeowner or renter, everyone has the same cares and concerns regarding their personal security.

As a landlord, or, as I request they refer to me, a Landdude, I make apartment security a priority for my tenants. We have home security systems, surveillance cameras, 400 watt sodium lighting on the exterior and a process in place where we watch out for each other. If I’m traveling, my tenants pay extra attention to my family and vice versa.

We have a schedule that involves locking exterior doors and making sure the property is secured. If a stranger is in the area or paying unwanted attention to us or the property, we call each other to decide what we may do in response. There’s always strength in numbers.

If you are looking to make a move and an apartment is in your future, make sure you do your homework.

While the landlord may interview you, you should interview the landlord. Find out what his/her processes are for security. What is their annual investment? What is their philosophy regarding apartment security? Do they even have one?

Does the landlord do anything in regards to background checks? What is the existing security at the property? Ask about lighting, cameras, locks on doors and windows and has he even changed the keys since the last tenant. What is the immediate neighborhood like? Are their local drug houses, etc?

Contact the local law enforcement and ask for a record of recent crimes committed. Get some statistics. Some law enforcement agencies will be more or less cooperative. You want to know about the prevalence of violent crimes, sex offenders and theft.

One of the most effective ways to get the pulse of the community is by buying the local newspaper. The police blotter over a one month period is telling.

Ask if you have permission to install an in-apartment home security system with motion detectors. This should not be negotiable. Wireless home security systems are non-invasive and not expensive.

Require a peep hole on your door.

If the doors are glass paned opposed to solid core doors, then your potential landlord isn’t concerned about your security.

Robert Siciliano personal security expert to Home Security Source discussing burglar proofing your home on Fox Boston. Disclosures