10 Business Identity Theft Risks in 2010

Robert Siciliano Identity Theft Expert

Advancements in technology over the past decade have created a tremendous amount of opportunity for the savvy businessperson. Whether it’s mobility, streamlined processes, marketing, or the ability to sell to a global market, there’s never been a better time to be in business.

Like anything good, there is always a negative. While there are certainly many negatives in technology, like the headaches when something doesn’t work correctly and the constant learning curve we must all endure, the biggest negative is security issues.

So for the SMB (that’s you, the savvy businessperson), here are ten considerations for the new decade:

Back up your back up. Numerous reports of cyber-war, thousands of new viruses weekly, and even Mother Nature wreaking havoc on the Internet, have caused concern among industry professionals. Doing business in the cloud is fantastic; however, make sure you have redundant local backups of your data.

Anti-virus will not fully protect you. The sheer volume of attacks and new viruses created will keep the anti-virus vendors busy. But there is no way they can keep up the pace 100% of the time. There are numerous technologies that will immunize your PC and make whatever virus or spyware impotent, and any data on your machine typed in a browser useless to the thief.

Social media identity theft is the act of creating a blog or social media site that models your day to day operations. At any time someone can register domains or social media sites with your brand as the face. They then sell product that they never ship and/or do things to damage your brand. Scoop up your social media identities with Knowem.com.

Social network nitwits. One of the easiest ways into your company’s networks is via social media. The explosion of “I just made a tuna” communications has brought out the dumb in many people. The simple act of setting up a group on Facebook and getting your employees to join can open up a treasure trove of data that can facilitate social engineering attacks. Create policies and procedures that involve appropriate use.

Social engineering, the ruse of a confidence man, is back in full force. It never really went away, but with the amount of security in place, sometimes the path of least resistance is simply asking your cleaning crew for the keys to the building. By gaining the trust of employees over the phone, via email or in person, a con-man can get almost anything he needs to get whatever he wants. The best defense is effective policies coupled with ongoing awareness training.

Insider identity theft can ruin your business. Most companies have done their due diligence to keep the bad guy from hacking from the outside. But many organizations have neglected the risks associated with employees gone bad and the internal damage that can be done. Numerous technologies monitor and control access to sensitive information. But preventing bad employees from doing bad things starts with not hiring bad people.

Phishing scams still work. Despite consumer and employee awareness, a carefully crafted and well designed email that looks like it’s coming from another employee is probably the most effective spear phish. Going after the CEO or high level executive, or “whaling,” can often be even more successful. The bigger they are, the harder they fall, as they say. From my experience it’s often the smartest ones in the room that lack all common sense. Test your employees; see what they will fall for. Then test them again.

Tighten up employee remote access. Allowing Suzy Admin to access the company’s VPN from a home PC that Suzy’s son Steve uses to play games on servers hosted in North Korea will end badly. Malware on a home computer can compromise usernames and passwords, resulting in spyware on the network. Set up Suzy with her own laptop that’s fully locked down and prevents Steve from doing anything fun.

Peer to Peer (P2P) file sharing is a fantastic way to leak company and client data to the world. Obama’s helicopter plans, security details and notes on Congress members being deposed were all leaked on government controlled computers via P2P. Setting admin privileges and installing numerous technologies that will prevent P2P is essential.

Identity theft will get worse before it gets better. And whether it’s your identity, your family’s or your employees’ identity that is stolen, it can be a huge time suck and a costly event. The best defense involves a 3 legged stool. First, awareness training of all the scams that lure people in, and how to appropriately respond to numerous communications. Second involves a little time and investment in a “credit freeze” or “security freeze”. Learn how to do it HERE. Third is an annual investment in identity theft protection. In today’s cyber crime climate, and with the recession making people desperate to make money any way they can, NOT investing in identity theft protection is, in my opinion, irresponsible. The worst thing you can do is nothing.

Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

Robert Siciliano Identity Theft Speaker discussing identity theft on Fox News

Forget Privacy, Think Security

Robert Siciliano Identity Theft Expert

Everywhere you go there is a privacy advocate screaming to protect your privacy. Privacy advocates, bless them, are a dying breed. They fight for whatever privacy rights there are left and do their best to remain watchdogs. If your gig is privacy, my guess is you have lost all your hair and are popping Prozac to relieve the stress of today’s anti-private society. And you are fully employed and very very busy.

My gripe: people are freaking about full body scanners at the airports and the privacy issues involved. This isn’t a privacy issue, it’s a security issue. If you have to show a black and white image of your bum bum to keep the plane from being blown up, so be it. Otherwise don’t fly.

“Privacy is dead, deal with it,” Sun Microsystems’ former CEO Scott McNealy was widely reported to have declared over a decade ago. Scott hit the nail on the head and shortly after Tila Tequila became a famous lesbian pinup on MySpace, the Real World of reality TV was born, and we’ve been tweeting tuna sandwiches ever since.

Mark Zuckerberg, CEO of Facebook, who was around 13 years old when McNealy made his statement, recently reaffirmed it by saying, “… in the last 5 or 6 years, blogging has taken off in a huge way and all these different services that have people sharing all this information. People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that’s evolved over time.”

The fact is, “Privacy is an illusion,” said Robert Siciliano, CEO of IDTheftSecurity.com. “The focus today should be security, not privacy,” he continued. That right there is a ready made quote for you to copy/paste and make me a sage like my two counterparts :)~

Think of it like this: from birth you have a medical and birth record. These docs follow you everywhere in life and are filed and viewed by many. You can’t get admissions to schools, jobs or insurances without presenting these records. You are granted a Social Security number shortly after birth and that IS your National ID. Nine numbers that are connected to every financial, criminal and insurance record that makes up who you are and what you’ve done. But none of these docs are connected to you physically, which results in identity theft, a security issue.

Further, every time you visit a website with cookies enabled, use an ATM, credit card, RFID transponder on the highway toll, public transportation pass, make a call on a mobile phone, order a pizza over a home phone or simply use a computer to denote you ate that tuna, chances are – someone, somewhere – is recording that transaction and determining your location.

If you want to participate in society you have no choice but to give up your privacy. Fundamentally this is a trust issue. Humans lie and can’t be automatically trusted. We have considerable checks and balances in place to prevent lying from going unnoticed. Anonymity is dead due to the fact that bad guys try to hide or not pay. Transparency makes their chances of getting caught more likely. If you kill someone then drive down the highway, your chances of getting caught increase because your license plate is recorded through the toll. This is a good trade off for the family of the victim.

Knowing all this and understanding technology’s impact on what you thought was privacy should make you resigned to the fact that privacy is in fact dead and an illusion. Now your focus needs to be security. Secure your financial identity so no one can pose as you. Secure your online social media identity so no one can pose as you. Secure your PC so no one can take over your accounts. And please, there is no sense in telling the world what you are doing and where you are every minute of the day. When you do this, you aren’t relinquishing privacy; you are compromising your personal security.

  1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  2. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.
  3. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano identity theft speaker discussing cookies and privacy issues on FOX News

Neighbors Tip Leads to Arrest of Burglary Suspect

Robert Siciliano Identity Theft Expert

Where I live there isn’t much that goes on outside of my home that I don’t know about. I live on a dead end, so I have less traffic both on foot and by car than most. It’s still a well traveled area and I pretty much see every car that drives by, every person that walks down the street and most of the activity that goes on at the neighbor’s house too. Now I’m no nosy neighbor, I could care less what the neighbors do, as long as what they do doesn’t negatively impact me.

But I’m certainly very interested in what a stranger may be doing in the area. Most of us have a routine. We do many of the same things every day and see the same people too, and those people see us. And when someone “outside of the trusted circle” comes around, I want to know why, and what their business is. So like any barking dog, I let them know my presence. I may ask them directly what their business is or strike up a conversation about the weather. While many may not want to be bothered with this effort, I find that this is a very effective way to secure your home.

Two things happen when you engage in this way. First, anyone you address in any manner now knows from that point on for the rest of their lives that “the guy in that house is watching me.” Or is at least aware of his property and who is near or on it. Second, people who you engage this way now become a second set of eyes to watch out for anything suspicious on your home. If they know that you live there, opposed to 6 guys in ski masks, then they may call the police if they see something suspicious.

This is why I love this story:

“Officers had responded to a burglar home alarm and found a broken window in the rear of a residence. A search of the area at the time turned up no suspects. Several neighbors, however, had notified police of a suspicious vehicle that had been seen in the area and were able to provide a good description and license plate number. Police were able to use the information to locate the thief in a nearby town. Police added that it appeared the home alarm had scared the burglar.”

This is a perfect example of layers of protection. The burglar home alarm scared the guy away and the neighbors helped get him arrested. Definitely, install a burglar alarm and make an effort to let people you come in contact with know that your home is one that is security conscious.

Robert Siciliano personal security expert to Home Security Source discussing home security on NBC Boston. Disclaimer

Protect Your Identity While Donating to Haiti

Robert Siciliano Identity Theft Expert

The Haiti tragedy has people all over the world scrambling to donate money to help in the relief effort. It is no surprise that scammers have ramped up and are sending “phish” emails designed to extract your money to their own nefarious cause, “themselves.” Right now, there are 24-hour news reports focusing on the tragedy and people are understandably getting sucked into the drama of the events. This is a prime time to reach out to those same people who are enmeshed in the reports and get them to donate to fake organizations. The following tips will help prevent you from getting scammed and get your donation into the right hands.

Do not donate cash: Anyone asking to come to your home or office and pick up cash is a scammer. Any phone calls or emails requesting cash or wire transfers are scams.

Be suspect of all emails requesting donations: I would never click on a link in an email, especially short URLs. Always manually enter the domain name into the address bar. The best thing is to go directly to the organization’s website.

Check with the Better Business Bureau: The first thing you should always do prior to making a donation to any charity is to check their credibility with the BBB. Go online to http://www.bbb.org/us/Charity-Reviews/ and search out the charity.

Give only to charities, not individuals: Any communication from someone requesting money because of their hardship is an obvious scam. But some people are saps for an emotional sob story. While you may be savvy enough not to fall for these scams, someone in your life who may be naïve could.

Give now and consider giving to the Red Cross: The American Red Cross is the most known and credible organization on the planet for helping out those in despair. Give now and give as much as you can.

Robert Siciliano is a personal security and identity theft expert for Home Security Source discussing phishing emails on CBS Boston. (Disclosures)

Google Gets Hacked & What It Means to You

Robert Siciliano Identity Theft Expert

Google disclosed that it had been breached by Chinese hackers, who were apparently targeting Chinese dissidents:

“The cyber-assault came to light on Tuesday when Google disclosed to the public that the Gmail Web service was targeted in a highly-organized attack in late December. Google said that the intrusion attempt originated from China and was executed with the goal of obtaining information about political dissidents, but the company declined to speculate about the identity of the perpetrator.”

McAfee found evidence that the attack exploited a vulnerability in Internet Explorer. Google Enterprise president Dave Girouard blogged to inform Google App clients their data was safe: “This incident was particularly notable for its high degree of sophistication. This attack may understandably raise some questions.” Girouard stated, “We believe our customer cloud-based data remains secure.”

The most successful techniques of Chinese hackers involve phishing and social engineering. These hackers determine their targets, then send a “spear phish,” or targeted email, to a specific employee, in which they pose as a coworker or a vendor. Once the target clicks a link, a remote control or malicious software is automatically downloaded. On a broader scale, hackers may send a blast to everyone in the company and ultimately hook a few employees, giving them access to company accounts.

The recent Google attack indicates that criminal hackers with financial incentives aren’t necessarily the only ones attempting to penetrate your networks. There is a strong possibility that hacking is being sponsored by foreign governments with a much bigger agenda.

  1. Never click on links in the body of an email. NEVER!
  2. Always be suspect of any external or internal communications. You could be a target of a phish.
  3. Before you go divulging usernames and passwords to anyone in response to an email, pick up the phone to verify the need.
  4. Make sure your PC is fully and automatically updated with its critical security patches.
  5. Anti-virus must be run automatically and fully up to date.
  6. It’s not enough to just run anti-virus. Run a program that immunizes your PC against keyloggers.
  7. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  8. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing being an imposter and social engineering invasions on the Montel Williams Show

Why Am I Logged Into Someone-else’s FriendFeed?

Robert Siciliano Identity Theft Expert

I have pretty tight controls over my network and access to my 510 usernames and passworded accounts. Yes he just said “510”…and counting. I have full administrative rights over every PC and nobody else has access to my home or office. So it came as a surprise to me when I went to log into my FriendFeed account to make an adjustment and I discovered I was logged into someone-else’s account. Serious, no joke, I’m not stupid. I have FULL access.

The account is owned by a Canadian who sells diet pills and skin care. There are 3 feeds coming into the account, all being sent from Ping.fm. I am able to access the full dashboard and change the picture, email associated and add or delete feeds. The dashboard provided me with the existing email address of its owner, and of course I emailed him to let him know of my access. But of course he hasn’t responded. I’m probably in a spam folder.

My first thoughts were that I have spyware and someone is able to remotely access my machine and use it as their own. I did a full system scan and there is nothing on my machine. There is no other strange activity going on so I’ve narrowed the issue down to this one account.

Meanwhile, ABCNews.com reports that a Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers’ accounts with full access to troves of private information.

The glitch — the result of a routing problem at the family’s wireless carrier, AT&T — revealed a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users.

In each case, the Internet lost track of who was who, putting the women into the wrong accounts. It doesn’t appear the users could have done anything to stop it. The problem adds a dimension to researchers’ warnings that there are many ways online information — from mundane data to dark secrets — can go awry.

Several security experts said they had not heard of a case like this, in which the wrong person was shown a Web page whose user name and password had been entered by someone else. It’s not clear whether such episodes are rare or simply not reported. But experts said such flaws could occur on e-mail services, for instance, and that something similar could happen on a PC, not just a phone.

If this is what’s happening to me then it can happen to anyone. There is a logical explanation for this, and I don’t have it. If someone does, please chime in.

Like there aren’t enough security issues, we now have to deal with hiccups on the internet that log us into someone else’s account because of switching errors. At least if it was a virus we could point a finger at someone. But now, based on what’s happening here, we can only point the finger at the “Internet” as a culprit. This is freaking me out.

All the more reason to protect your identity.

  1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  2. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.
  3. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano identity theft speaker discusses lack of security in online banking on CBS Boston

Secure Your Social Media

Robert Siciliano Identity Theft Expert

In a shocking instance of high tech harassment, a hacker took over a woman’s Facebook account while she was on a camping trip, with no Internet and no cell phone service. The hacker impersonated this woman, but instead of attempting to scam her family and friends out of cash, he used her Facebook profile to post suicidal messages, including, “My only friend is the handgun in the back of my closet,” and, “I don’t want a funeral or memorial, I want it to be like I never existed.” After two and a half hours of Facebook drama, the victim happened to regain cell phone reception and discovered twenty voicemail messages begging her not to do “anything drastic.” By the time her son was able to get in touch with her, there were police gathered outside her home, preparing to break down the door. This is a nightmare that can happen to anyone.

  1. Strengthen your passwords; use upper/lower case, numbers and characters. Don’t use easily guessed words from the dictionary or pets’ names and kids’ birthdates, etc.
  2. Don’t access social media from libraries, internet cafes or any public computers that could have spyware.
  3. Make sure your own PC has updated virus definitions and security patches. Be careful with all the 3rd party apps in social media. Many are risky.
  4. Don’t click on links in emails from “friends” asking you to download a video or see pictures. This is becoming a common ruse in social media.
  5. Monitor who has access to your PC in your own home. Babysitters, friends of your children and various contractors in your home can access your information. I have a security camera in my home office that monitors everything 24/7/365.

Robert Siciliano personal security expert discussing social media identity theft on CNN

Robert Siciliano is a personal security and identity theft expert for Home Security Source. (Disclosures)

Be Careful about False Alarms At Home

Robert Siciliano Identity Theft Expert

We are all familiar with the boy who cried wolf. The protagonist of the fable is a bored shepherd boy who entertained himself by calling out “Wolf!” Nearby villagers who came to his rescue found that the alarms were false and that they had wasted their time. When the boy was actually confronted by a wolf, the villagers did not believe his cries for help and the wolf ate the flock (and in some versions the boy).

Many, if not all of us are guilty of setting off our alarms accidentally. Sometimes we open a door or window that sets it off, other times we mess up the secret code. The result of this mishap is usually a very loud siren and the attention of your neighbors. If you don’t call to cancel in time, then it results in law enforcement showing up.

To give you an idea of how pervasive the problem is, in New Haven, Connecticut, 10,000 to 12,000 burglar alarms go off every year. Of those alarms, 96% are false. In many counties, towns, cities and states there are laws and ordinances that impose a fine for false alarms.

Not only does a false alarm cause the “boy who cried wolf” effect, it also saps law enforcement resources.

I am just as guilty as anyone of a false alarm. But I’ve never had law enforcement show up at my home as a result.

1. Have your service provider set up your alarm system to call your mobile phone first, then your home phone second. If you don’t answer the phone then they will call the police.

2. Program your mobile phone with your alarm service provider’s number and call them the second you falsely set off your alarm. Memorize your PIN so you aren’t fumbling for it.

3. Don’t carry your PIN in your wallet. If your wallet is lost or stolen, your address and alarm PIN are in the hands of a stranger.

4. Whenever you are setting up any access for anyone to enter your home while you are gone, your risks for false alarms go up dramatically. Provide specific hands on instruction on how to disable and reset the alarm. Telling someone over the phone how to do it is often insufficient.

Robert Siciliano personal security expert discussing home security on TBS Movie and a Makeover


Protect Yourself from Social Engineering

Robert Siciliano Identity Theft Expert

Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. But in many cases the attacker certainly does come in contact with the victim.

You may be doing all you can and should to protect yourself from hackers and scammers. But a response to a simple email that looks exactly like your expected monthly bank e-statement can completely drain your bank account. On its face there is no way to tell if the communication is real or fake. While hovering over the link may provide a clue, there’s really no way of differentiating all the 1’s and zeros in a typosquatted domain.

It amazes me that my bank and credit card company still put links in monthly e-statements.
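What the eye cannot do when hovering over a link, a mail filter can: compare the link's real host against the short list of domains the organization actually uses. The sketch below is an added example, not the author's tool; the trusted domains, the confusable-character table and all function names are assumptions made for illustration, and the sample links are constructed.

```python
"""Added example: flag lookalike hosts in e-mail links against an allowlist."""
from urllib.parse import urlsplit

# Assumption: domains the organization really uses (constructed sample values).
TRUSTED = {"examplebank.com", "example-cards.com"}

# Common visual substitutions, folded to one canonical spelling.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def host_of(url: str) -> str:
    """Host the browser would contact (userinfo and port stripped), lowercased."""
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL, e.g. an unbalanced IPv6 bracket
        return ""


def skeleton(domain: str) -> str:
    """Reduce a domain to a form where visually similar spellings collide."""
    domain = domain.replace("-", "")
    for seen, canonical in CONFUSABLES:
        domain = domain.replace(seen, canonical)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    host = host_of(url)
    if not host:
        return "no-host"
    if any(host == d or host.endswith("." + d) for d in TRUSTED):
        return "trusted"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "suspicious: internationalized lookalike possible"
    for d in sorted(TRUSTED):
        # A trusted name placed in front of someone else's domain.
        if f".{d}." in f".{host}.":
            return f"suspicious: {d} used as a subdomain label"
    # Assumption: registrable domain = last two labels (no public-suffix list).
    registered = ".".join(host.split(".")[-2:])
    for d in sorted(TRUSTED):
        if skeleton(registered) == skeleton(d):
            return f"suspicious: confusable spelling of {d}"
        if edit_distance(skeleton(registered), skeleton(d)) <= 2:
            return f"suspicious: near miss of {d}"
    return "unknown"


def check_link(text: str, href: str) -> list:
    """Findings for one link: host verdict plus visible-text/target mismatch."""
    findings = []
    verdict = classify(href)
    if verdict != "trusted":
        findings.append(verdict)
    words = text.split()
    shown = host_of(words[0]) if words else ""
    if "." in shown and shown != host_of(href):
        findings.append(f"link text shows {shown} but target is {host_of(href)}")
    return findings


if __name__ == "__main__":
    samples = [  # constructed (visible text, href) pairs
        ("View statement", "https://www.examplebank.com/statements"),
        ("www.examplebank.com/statement", "http://examp1ebank.com/statement"),
        ("Your statement", "http://exarnplebank.com/"),
        ("Log in", "http://examplebank.com.login.example.net/"),
    ]
    for text, href in samples:
        print(href, "->", check_link(text, href) or "ok")
```

Hosts that come back as "unknown" are not judged either way; a filter would typically strip or rewrite such links in anything that claims to be a statement.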

Social engineering has always been a “person to person” confidence crime. Once the conman gains the mark’s trust, the victim begins to “throw up” all kinds of information or begins to fork over cash and credit. Trust seems to be an inherent trait we all have from birth. I would suppose we would need to trust in order to survive as an interdependent communal species, otherwise fear of others and not trusting would prevent us from relying on others to nurture us until we are tossed out of the nest.

The conman knows this and the heartless bastard takes full advantage of our trusting nature. Heck, I pulled it off on 2 women by saying I was from the water company and walked right into their homes.

In the IT world social engineering is a huge problem because the conman doesn’t just access one bank account as in a one on one scam, he accesses thousands by scamming one IT admin or the secretary.

There is a tremendous amount of redundant security in place today that is often completely bypassed because of a simple lie and one naïve gullible person. The path of least resistance isn’t through an unpatched network, or an unsecured wireless connection, it’s via the phone, email, snail mail, social media or in person with a wink and a smile.

Check out this very comprehensive article by Computerworld and these two recent posts here and here.

  1. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief. Invest in a social media identity theft protection tool such as Knowem.com.
  2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing being an imposter and home invasions on the Montel Williams Show

Homeowner’s Screams Scare Burglar from Home

Robert Siciliano Identity Theft Expert

What’s the point of having a home alarm system? An alarm system screams when you can’t or when you aren’t there.  Noise has been proven to be an effective deterrent. From birth we are taken by surprise by loud noises. Sirens, screams and big bangs startle us and make us hyper aware of our circumstances.

When someone or something is up to no good a loud notice often scares them away, on purpose, that’s what it’s designed to do. We scream naturally. Screaming is something we do right out of our momma at birth. Screaming brings oxygen to the body which facilitates alertness.

In Norwalk, Connecticut, a would-be crook was scared off by a female homeowner’s screams after she spotted the strange man in her home, police said.

Police said the complainant heard a noise and initially thought it was her husband entering their house. She went to investigate and saw a strange man walking down her hallway.

When she screamed, he ran out of the house and got into a car.

In most cases something like this can be prevented simply by locking your doors and windows. And by adding an extra layer of protection such as a home alarm system that has a very loud siren and also calls the police, you significantly reduce your chances of a bad guy breaking in to your home.

If burglars do get in, screaming is always a good thing. Scream loud and with intent. I further recommend running out of the house while you are screaming. If you end up trapped in your home with a bad guy that doesn’t want to leave, it can get ugly. Leaving your home and heading to a neighbor’s is always a good thing when possible. If you live in an area where there aren’t neighbors for miles, then build a safe room that you can hide in.

Robert Siciliano personal security expert discussing self defense on CBS Boston
