Don’t Let Strangers Enter Your Home

Robert Siciliano Identity Theft Expert

Sounds simple enough, right? But when a decent-looking, affluent couple can breach the White House and gain entry to a formal party protected by the Secret Service, then almost anything is possible.

Posing as a health inspector, police officer or even a Secret Service agent is probably done every single day with success. I once posed as a “water inspector” and gained access to people’s homes by saying I needed to “check the colorization of their water,” as I demonstrated on The Montel Williams Show here. A fake badge and a uniform of any kind can do wonders.

The AP reports that a man accused of posing as a U.S. Secret Service agent and entering the U.S. Department of Health and Human Services also passed himself off as a Massachusetts police officer to enter a U2 concert last year.

People can easily pose as city officials, delivery or service people, or as someone whose car broke down and needs assistance. The moment you open that door you are risking your family’s safety.

My family’s number one rule is that we do not open doors to strangers. That’s it, end of story. My younger ones want to show how big they are by getting the door, but they now know that they are not allowed to open it without their parents’ permission.

  1. Keep your screen door and your entry door locked at all times.
  2. Install a surveillance system at each entrance that gives you a facial and full-body view of visitors.
  3. If you order products to be delivered to your home, specify “no signature required.” This way you can set up a place where deliveries can be dropped off without anyone opening the door.
  4. Any time a city worker knocks on your door, call city hall to verify that they should be there.
  5. It’s not enough to check a badge, license or credentials. IDs can easily be faked.
  6. Have your home alarm system on all day even while you are home.

Robert Siciliano personal security expert discussing being an imposter and home invasions on the Montel Williams Show

Robert Siciliano is a personal security and identity theft expert for Home Security Source. (Disclosures)

Data Breaches: The Insanity Continues

Robert Siciliano Identity Theft Expert

The Identity Theft Resource Center Breach Report also monitors how breaches occur.  This task is made more difficult by the scarcity of information provided (publicly) for approximately 1/3 of the recorded breaches.  For the remainder, those events that do state how the breach occurred, malicious attacks (Hacking + Insider Theft) have taken the lead (36.4%) over human error (Data on the Move + Accidental Exposure = 27.5%) in 2009.  This was a change from all previous years, where human error was higher than malicious attacks.  One theory for this change is that the organization and sophistication of crime rings has impacted the theft of information.  For example, while the Heartland breach was only a single breach, it demonstrated how skilled technology-based thieves can access 130 million records from over 600 different entities.

Insider Theft 16.9%
Hacking 19.5%
Data on the Move 15.7%
Accidental Exposure 11.8%
Subcontractor 7.2%

Insanity might well be defined as repeating the same action again and again, and expecting a different outcome.  With that in mind:

Insanity 1 – Electronic breaches:  After all the articles about hacking, and the ever growing cost of a breach, why isn’t encryption being used to protect personal identifying information?  Proprietary information almost always seems to be well protected.  Why not our customer/consumer personal identifying information (PII)?

Insanity 2 – Paper breaches:  Why aren’t more state legislators passing laws about rendering paper documents unreadable prior to disposal if they contain PII?  Do we dare ask that those laws be actually enforceable?  Perhaps we are waiting for paper breaches to reach 35% of the total.

Insanity 3 – Breaches happen:  Deal with it!  You will get notification letters.  Breach notification does not equal identity theft.  Let’s stop the “blame game” and instead require breached entities to report breach incidents via a single public website.  This would allow analysts (and law enforcement) to look for trends and link crimes to a single ring or hacker faster.

Insanity 4 – A Breach is a Breach:  Let’s not kid ourselves. “Risk of harm” is not a useful standard for determining if the public and consumers should be notified about a breach, especially if the company involved gets to define “risk of harm.”  If it is your #$@%2 SSN that is out on the Internet, do YOU think there is “risk of harm?”  Some companies might say “no.”

Insanity 5 – Data on the Move:  You will notice that statistically this is a bright spot, with a decreasing incidence in the past 3 years.  But, really!  This is 100% avoidable, either through use of encryption or other safety measures.  Laptops, portable storage devices and briefcases full of files, outside of the workplace, are still “breaches waiting to happen.”  With tiered permissions, truncation, redaction and other recording tools, PII can be left where it belongs – behind encrypted walls at the workplace.
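The tiered permissions, truncation and redaction that Insanity 5 calls for, as an added example that is not from the original post or from the ITRC: a redaction pass that reduces each record to what a given audience needs before it leaves the workplace, followed by a DLP-style scan that refuses the export if a full SSN or card number survived, which is what happens when PII hides in a free-text note that field-level truncation never touches. The tier names, the regexes and the sample records are assumptions constructed for the example.

```python
import re

# Constructed sample records; the people, numbers and notes are invented for this example.
SAMPLE_RECORDS = [
    {"name": "Pat Example", "ssn": "123-45-6789", "card": "4111 1111 1111 1111",
     "balance": "250.00", "notes": "renewal call scheduled"},
    {"name": "Sam Sample", "ssn": "987-65-4321", "card": "5500-0000-0000-0004",
     "balance": "19.99", "notes": "customer read card 5500-0000-0000-0004 over the phone"},
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

# Fields each audience may see in full; everything else is truncated or redacted.
# The tier names are an assumption for the example, not any standard.
TIER_FULL_FIELDS = {
    "workplace": {"name", "ssn", "card", "balance", "notes"},  # behind the encrypted wall
    "analyst":   {"name", "balance", "notes"},                 # needs figures, not identifiers
    "laptop":    {"name"},                                     # leaves the building: the minimum
}

def truncate_ssn(ssn):
    """Keep only the last four digits, the usual truncation for an SSN."""
    return "***-**-" + ssn[-4:]

def mask_card(card):
    """Mask all but the last four digits of a card number, whatever the separators."""
    digits = re.sub(r"\D", "", card)
    return "*" * (len(digits) - 4) + digits[-4:]

REDACTORS = {"ssn": truncate_ssn, "card": mask_card}

def redact_record(record, tier):
    """Return a copy of the record reduced to what the tier is allowed to see."""
    allowed = TIER_FULL_FIELDS[tier]
    out = {}
    for field, value in record.items():
        if field in allowed:
            out[field] = value
        elif field in REDACTORS:
            out[field] = REDACTORS[field](value)
        else:
            out[field] = "[redacted]"
    return out

def find_pii(text):
    """DLP-style scan: every full SSN or card number still present in the text."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    findings += [("card", m.group()) for m in CARD_RE.finditer(text)]
    return findings

def export_for(records, tier):
    """Redact every record for the tier, then refuse the export if full PII survived
    (for example inside a free-text field that the field-level rules never touched)."""
    rows = [redact_record(r, tier) for r in records]
    if tier != "workplace":
        leaks = find_pii("\n".join(",".join(r.values()) for r in rows))
        if leaks:
            raise ValueError(f"export blocked, full PII still present: {leaks}")
    return rows

if __name__ == "__main__":
    for row in export_for(SAMPLE_RECORDS, "laptop"):
        print(row)
    try:
        export_for(SAMPLE_RECORDS, "analyst")
    except ValueError as err:
        print(err)
```

The laptop export goes through with every identifier truncated, while the analyst export is blocked: the analyst tier is allowed to read notes, and one note carries a full card number, so the outbound scan catches what the per-field rules could not.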

Protect your identity. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing identity theft on Fox News


2009 Data Breaches: Identity Theft Continues

Robert Siciliano Identity Theft Expert

The Identity Theft Resource Center® Breach Report recorded 498 breaches, fewer than the 657 in 2008 but more than the 446 in 2007. Are data breaches increasing or decreasing? That is the question no one can answer. This fact will not change until there is a single data breach list requiring mandatory public reporting. With some breaches not being reported publicly, and some state Attorneys General not allowing public access to reported breaches, we doubt that anyone is in a position to answer the question above. When we allow laws to be created requiring breach reporting but not disclosure, and provide minimal enforcement or penalty for non-compliance, we can expect a lack of public disclosure. Counting breaches becomes an exercise in insanity.

ITRC collects information about data breaches made public via reliable media and notification lists from various governmental agencies. There are breaches that occurred in 2009 that never made public news. So rather than focus on a question without an answer, ITRC used percentages to analyze the 498 breaches recorded this year looking for any changes or new trends. (Both raw numbers and percentages have been provided in all charts)

The main highlights are:
• Paper breaches account for nearly 26% of known breaches (an increase of 46% over 2008)
• The business sector climbed from 21% to 41% between 2006 and 2009, the worst sector performance by far
• Malicious attacks have surpassed human error for the first time in three years
• Out of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data

In 2009, the business sector increased to 41% of all the publicly reported breaches. While there are some small statistical changes in the other sectors, business continues to increase for the fifth year in a row. The financial and medical industries, perhaps due to stringent regulations, maintain the lowest percentage of breaches.

Business 41.2%

Educational 15.7%

Government/Military 18.1%

Health/Medical 13.7%

Banking/Credit/Financial 11.4%

The ITRC Breach Report recorded more than 222 million potentially compromised records in 2009. Of those, 200 million are attributed to two very large breaches. Before obsessing over record count, however, one should be aware that in more than 52% of the breaches publicly reported, NO statement of the number of records exposed is given. Therefore, it is unknown how many total records may have been exposed due to breaches in 2009.

Data Security Predictions For 2010

Robert Siciliano Identity Theft Expert

Forrester Research, Inc. in Cambridge, MA is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology.

They released their 2010 data security predictions. Heading into 2010, they are predicting five new data security trends:

1) Enterprises will keep their data security budgets relatively flat;

2) Market penetration for data loss prevention (DLP) tools will increase even as prices fall by half;

3) Cloud data security concerns will begin to dissipate;

4) Full disk encryption will continue its steady march into the enterprise, spurred on by breach disclosure laws; and

5) Enterprises will give enterprise rights management (ERM) software a second look as an enforcement option coupled with DLP.

Information Rights Management (IRM) is a term that applies to technology which protects sensitive information from unauthorized access. It is sometimes referred to as E-DRM, Enterprise Digital Rights Management. Sensitive data such as patient records and personal tax or financial information in .PDF, .XLS, .DOC, .TXT and other formats needs security.

Zafesoft is a content IRM company that actively secures, controls, and tracks content wherever it is used; this is the next generation of content security. IRM-protected information is secure, viewable, editable and transferable.

Authorized IRM content users can copy, paste, edit, save etc. The security travels with the content or portions of it with tracking anywhere in the world. Unauthorized users are never able to view, edit or copy/paste.

Forrester hit the nail on the head with rights management. When rights-managed content is accessed by a hacker, the data is useless to the thief, whether he hacks from the outside or gains unauthorized access from the inside.

It would be smart business for healthcare, legal, and any organization to incorporate DLP in the form of IRM now, before a breach occurs and data is lost.

Impostor Poses as Secret Service Agent and Police Officer

Robert Siciliano Identity Theft Expert

At a friend’s 40th birthday party, we wound up discussing my Craigslist ATM, and that led to a conversation about how easily people can be conned. One friend’s new boyfriend began telling us how frequently he is able to con people in order to get into bars and clubs. “I never wait in lines,” he claimed, “and I always get VIP treatment.” I hate lines, too, but I have a hard time lying to get what I want.

He says he finds the phone number of the bar or club and calls ahead of time, claiming to be the manager of a Boston Celtics player and explaining that he’ll be coming to the bar with a few people and that his player will arrive later. He gets the name of the club manager and someone from security. That night, he goes straight to the front of the line and drops the manager or bouncer’s name and acts as if he’s entitled to enter. He says his success rate is 100%, and I believe him.

When a couple can crash a formal event at the White House despite Secret Service presence, then almost anything is possible. People successfully pose as health inspectors, police officers, and even Secret Service agents. As I demonstrated on The Montel Williams Show, I once posed as a “water inspector,” gaining access to people’s homes by saying I needed to “check the colorization of their water.” Any kind of fake badge and uniform can do wonders.

One recent example is a Massachusetts man who has been accused of posing as a Secret Service agent in order to enter the U.S. Department of Health and Human Services. He has also pleaded guilty to disorderly conduct, trespassing, and impersonating a public official after attempting to enter a U2 concert without a ticket by impersonating a police officer:

“Authorities say he flashed what appeared to be a gold Massachusetts State Police badge and entered Gillette Stadium in Foxborough, Mass., on Sept. 21. They say he didn’t have a ticket to the concert.

He repeatedly asked to see the fire chief and where the ambulances were parked. When he refused to identify himself, stadium security called police, who then arrested him.”

A criminal can easily impersonate you online or in person to commit financial identity theft, whether new account fraud or account takeover, or to commit social media identity theft. This is why a credit freeze and an identity theft protection service are essential. Identity theft will flourish until we are properly identified and systems are in place that provide effective authentication and identification, which leads to accountability.

  1. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief. Invest in a social media identity theft protection tool such as Knowem.com.
  2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing being an imposter and home invasions on the Montel Williams Show

Reality Show Actor Robs Banks

Robert Siciliano Identity Theft Expert

Here we have a series of bank robberies, an appearance on a nationally televised reality show and the arrest of a man who was running from the law. Apparently, he robbed a bank, then went on the show, then robbed two more banks after the show.

“What an incredibly stupid thing to do, to commit a bank robbery, then go on a national TV show and make a spectacle of yourself and then come home and commit two more bank robberies,” the detective said. “He should be on the ‘Dumbest Criminal’ show.”

Investigators watched the show on their own time and eventually recognized the reality show actor also on surveillance footage from the bank robberies.

The detective linked two robberies thanks to the surveillance video showing what looked like the same young man wearing a baseball cap. He stated “I didn’t recognize him at the time; that’s the last place where you’d expect to find a suspect in your cases.”

The robber/actor told somebody, “Now that I’ve been on national TV, something from my past may come back to get me.” Ya think?

If I had to pick one single technology from the past 50 years as the absolute best of the best, it would definitely be video. In three words: “video captures life.” And in this case, it captured a criminal. A dumb one at that.

Install video surveillance around your home. Have cameras at the entrance way, on each corner of the house surveying the entire perimeter, at all entrances and exits, and at any “blind spots” where someone may hide. Even put a few cameras inside your home that monitor your family and the entrances. Video ROCKS!

See Robert discussing bank robberies on CBS Boston

Robert Siciliano is a personal security and identity theft expert for Home Security Source. (Disclosures)

Pair Accused Of Stealing TSA Workers Identities

Robert Siciliano Identity Theft Expert

In my early 20s I bought real estate in a depressed area north of Boston, in Lynn, Massachusetts. At 20, that’s all I could afford. Lynn was then and is now known as “Lynn Lynn the City of Sin, you don’t go out the way you come in.” Lynn’s a hard city known for drugs and prostitution. It’s also the home of various biker gangs known as “one percenters.” The theory is 1% of all people come out of their momma just bad.

No surprise that the Boston Channel reports a Lynn couple was accused of selling the identities of at least 16 Transportation Security Administration workers at Logan International Airport.

Police said the ID data was allegedly taken by a female TSA contract worker who is related to one of the two Lynn suspects.

A TSA spokesman said the agency takes the ID theft very seriously.

“TSA can assure the traveling public the release of this information does not compromise aviation security,” TSA spokeswoman Ann Davis said.

TSA said the agency is helping workers obtain free credit reports so they can ensure their personal information remains secure, Davis said.

Well Ann, that’s a step in the right direction, but it won’t protect the identities of the victims. They need credit freezes, credit monitoring and at least a vacation to Maui to get over all the stress.

What’s more bothersome about this is that it is a breach of airline/airport security that goes way beyond identity theft, and that isn’t being discussed. Just like THIS GUY got access to a corporation’s facility with a fake ID, a terrorist can do the same with a stolen TSA ID. Stealing the ID of a TSA worker gives one access to the airport, then to luggage and more. There needs to be a tighter system that prevents this. We need effective identification that makes another’s identity useless to the thief.

  1. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing stolen luggage at Logan on CBS Boston

11 Robbed of Pants in Home Invasion, Drug Related

Robert Siciliano Identity Theft Expert

At least three masked men broke into a home, made 11 people inside remove their pants, shot one man and fled with the pants, their contents and televisions.

You’re probably wondering why they would steal someone’s pants? Police said the robbers apparently made the victims remove their pants so they could steal their wallets and other belongings as well as to prevent them from pursuing the robbers when they fled.

The report states that the crime might have been drug related. Criminals often target criminals. “There is no honor among thieves,” as they say. It’s very common for one bad guy to break into another bad guy’s house if he has drugs or stolen items, because the bad guy isn’t about to report his contraband to the police.

The problem I’ve seen too many times is that the home that gets burglarized (no gun, nobody home) or robbed (weapon involved, often a home invasion) is often owned by a legitimate, law-abiding citizen whose teenage or adult child living at home is mixed up in stuff they shouldn’t be.

This is a real problem that many families face. You may be blissfully unaware of your child’s involvement with crime or you conveniently turn a blind eye.

If something seems wrong, something is wrong, and don’t for a second think it’s a “phase.” These things can get very ugly, very fast. Signs often include your child being secretive (they all are) or your kids ducking in and out of the house with bags or boxes. They may begin to enter the house via the basement or garage where they didn’t use to. If they are associating with shady people, that’s a red flag. If their behavior seems suspicious in any way, pay closer attention than you ever have.

One way to protect yourself and your family is to have constant monitoring of your home with video surveillance. This way everything going on is recorded, and this may reduce the chances of a child gone astray using your house as a safe house.

Always have your home alarm on and make sure it’s monitored by the local police.

The idea is to make your home a tougher target from outside forces or inside jobs.  The worst thing you can do is nothing.

See Robert discussing home invasions on the Gordon Elliot Show

Robert Siciliano is a personal security and identity theft expert for Home Security Source. (Disclosures)

How to Hack a Corporate Network…with Facebook

Robert Siciliano Identity Theft Expert

There’s a lot of excessive trust in the Facebook world. People have entirely dropped their sense of cynicism when logged on. They have no reason to distrust. People who are your “Friends” are generally those who you “know, like and trust”. In this world, your guard is as down as it will ever be. You are in the safety of your own home or office hanging with people all over the world in big cities and little towns and never have to watch your back.

Ethical hackers are the tech industry’s white knights, also known as “white hat hackers.” Steve Stasiukonis from Secure Network Technologies is such a person. He’s hired by companies’ CIOs to penetrate an organization’s network to determine where its vulnerabilities are.

The process of a white hat starts with a permission-based hack that often leads to results that make the CIO nauseous. Getting the data may mean hacking a wireless connection, hacking a public-facing website, or even going through a skylight after hours. In Dark Reading, Steve writes about how he did it with a fake badge and a Facebook profile. This is a perfect example of how vulnerable people make themselves and their corporate networks because of what they post to Facebook.

We started the project by scouring all of the social networking sites for employees of our target company. Not surprisingly, we found numerous people who openly discussed what they did for a living. We also found numerous employees who openly discussed disappointment in their employer.

We perused popular social networking sites like MySpace, LinkedIn, and Plaxo, and ended up focusing on Facebook.com. The majority of our customer’s employees were using Facebook, so we created a Facebook group site identified as “Employees of” the company. Using a fictitious identity, we then proceeded to “friend,” or invite, employees to our “company” Facebook site. Membership grew exponentially each day.

By creating a group, they were able to get access to employees’ profiles. The “group” is a place where those who you know, like and trust are your “Friends,” and in this case fellow employees whom you have no reason to distrust.

Because our assignment required us to compromise a secured facility, we chose to use the identity of one of our Facebook-friended employees to gain access to the building.

Because of the company’s size, they were able to recreate the identity of an employee who wasn’t known to the branch office that they breached. But his name was still in the system. So with a little creativity, a fake business card and enough information gleaned off of Facebook, they were able to re-create their man.

On the day we intended to breach the facility, our guy was dressed in a shirt embroidered with our client’s logo and armed with business cards, a fake company badge, and his laptop. Upon entering the building, he was immediately greeted by reception. Our man quickly displayed his fake credentials and immediately began ranting about the perils of his journey and how important it was for him to get a place to check his email and use a restroom. Within seconds, he was provided a place to sit, connection to the Internet, and a 24×7 card access key to the building.

Later that evening, he returned to the empty office building to conduct a late-night hacking session. Within a short period of time, he had accessed the company’s sensitive secrets.
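The reception desk in the account above handed a walk-in a 24×7 access card on the strength of a logo shirt, a business card and a name that existed in the system. As an added example, not code from Secure Network Technologies or from the client, here is the defender-side logic a site could put on that path: a badge-issuance policy that treats a directory match as necessary but not sufficient and never gives a walk-in more than day-hours access without a sponsor callback, plus a detection routine that runs over badge-reader log lines and flags a temporary badge used after hours or on a day other than its issue day. The HR directory, badge ids, log format and business hours are constructed assumptions.

```python
import re
from datetime import datetime, time

# Constructed HR directory (example data, not a real company or its employees).
HR_DIRECTORY = {
    "e1001": {"name": "Dana Roe", "active": True},
    "e1002": {"name": "Chris Doe", "active": True},
    "e1003": {"name": "Lee Poe", "active": False},   # left the company; name may still be "in the system"
}

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed site hours for the example

# Constructed badge-reader log lines; the format is an assumption for the example.
BADGE_LOG = """\
2009-12-01 09:14:02 badge=T-0417 door=front-lobby result=granted
2009-12-01 12:30:45 badge=T-0417 door=front-lobby result=granted
2009-12-01 22:41:10 badge=T-0417 door=server-room result=granted
2009-12-01 22:41:55 badge=E-1001 door=server-room result=granted
2009-12-02 07:15:00 badge=T-0417 door=front-lobby result=denied
2009-12-02 09:05:00 badge=T-0417 door=front-lobby result=granted
"""

def badge_level_for_walk_in(claimed_id, claimed_name, sponsor_callback_ok):
    """Decide what a walk-in with a logo shirt and a business card may be issued.
    sponsor_callback_ok means reception phoned the sponsor on a number taken from
    the directory, not one the visitor supplied, and the sponsor vouched for them."""
    rec = HR_DIRECTORY.get(claimed_id)
    if rec is None or not rec["active"] or rec["name"].lower() != claimed_name.lower():
        return "none"            # no match: waits in the lobby while someone is called
    if sponsor_callback_ok:
        return "temporary_day"   # day-hours badge; 24x7 access is never a walk-in option
    return "escorted"            # a name in the system is not proof of identity

LOG_RE = re.compile(
    r"(?P<ts>\S+ \S+) badge=(?P<badge>\S+) door=(?P<door>\S+) result=(?P<result>\S+)")

def after_hours_temp_use(log_text, temp_badges):
    """Return (timestamp, badge, door) for every temporary badge granted entry outside
    business hours or on a day other than its issue day.
    temp_badges maps badge id -> issue date as YYYY-MM-DD."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["result"] != "granted" or m["badge"] not in temp_badges:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        outside_hours = not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1])
        wrong_day = ts.strftime("%Y-%m-%d") != temp_badges[m["badge"]]
        if outside_hours or wrong_day:
            alerts.append((m["ts"], m["badge"], m["door"]))
    return alerts

if __name__ == "__main__":
    print(badge_level_for_walk_in("e1002", "Chris Doe", sponsor_callback_ok=False))
    for alert in after_hours_temp_use(BADGE_LOG, {"T-0417": "2009-12-01"}):
        print("ALERT temporary badge used out of policy:", alert)
```

Run on the constructed log, the routine raises two alerts for the temporary badge: the late-night server-room entry on the issue day, and a next-morning entry after the badge should have expired. The denied attempt and the permanent badge E-1001 are not flagged, which is the point: the temporary badge is the one whose holder nobody actually verified.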

Awesome. This is a perfect example of why Facebook is a nightmare to the corporate CIO. I don’t share that trust that most people have in Facebook. I’m all business on Facebook. I’m not all that friendly. Kind of a stiff. I’m also a security professional, not so trusting. So to my “Friends” (the actual 10 out of the 400 that I have) I apologize to all. I’m just not ready to share my daily routine with everyone just yet. If ever.

People often try to “friend” me, and I can see that they are “friends” with people I know. But I don’t know them. And the mutual friends often tell me that they don’t know the person, but were “friends” with someone else they knew, and they accepted based on that! That’s nuts! Next thing you know, they are trolling through your “friends” and befriending people in your network, who accept based on their trust in you! Dizzy yet? The point is, stop the madness! Don’t allow these trolls into your life. Mom told you not to talk to strangers. I’m telling you not to “friend” strangers, because they could be scammers.

Scammers are watching. They know that once you are on Facebook, your guard goes way down.

  1. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Facebook hacking on CNN

Florida’s Dumbest Criminals

Robert Siciliano Identity Theft Expert

There are all kinds of dumb. But “dumb and criminal” is hard to beat. Fox Tampa shamelessly (and we appreciate the candor) lets us all know they may take the cake in dumb criminals.

A Bay County man arrested for shoplifting had a request for deputies: let him drink the beer he stole. He became combative when they refused.

A Marion County deputy pulled over a naked man riding a motorcycle. Turns out the cyclist was drunk. He was one of many naked people in the news.

A naked 21-year-old man covered in feces was arrested in Martin County after jumping into a neighbor’s pool. A Clearwater woman knocked on a stranger’s door in the middle of the night asking for cigarettes. She was naked.

A naked 91-year-old Lake Worth man held a 26-year-old burglar at gunpoint until police arrived.

Another burglar trying to rob an elderly man wasn’t so lucky. The 24-year-old broke in to a Liberty County home waving a toy gun and was shot and killed by an 82-year-old homeowner with the real thing.

A Fort Pierce man was charged with stealing $22 worth of aluminum cans from a scrap yard and then returning the next day to try to sell them back. A man tried stealing a live ferret in Jacksonville Beach by stuffing it down his pants. A Dade City man was charged with stealing 19 packages of deodorant to pay off a drug debt.

Usually this works in reverse, but a man was caught trying to break INTO the Brevard County jail he was released from the week before.

Two men wandering through a Deltona neighborhood asked a deputy for a ride home. The deputy said sure, but only after he could search them. They said sure, and the deputy found cell phones, GPS devices and a box of strawberry-flavored Pop Tarts stolen from neighborhood cars.

Crime and food intersected a few times in Florida this past year. Volusia County authorities arrested a 19-year-old after his mother said he threw a taco at her for unplugging his video game system.

A Dunnellon woman was arrested after allegedly hitting a man in the head with a raw steak after he refused a piece of sliced bread. A Gainesville father was arrested for hitting his daughter with a pizza slice when she wouldn’t turn off a computer.

  • Let’s face it, dumb or smart, there are criminals everywhere. The best defense is a good offense; a solid strategy and being smarter than the bad guy (or dumb one).
  • Invest in a home security system and keep it on and monitored 24/7/365.
  • Make sure it has glass break sensors, monitors doors, windows and has motion sensors.
  • Be sure to protect basement windows all the way up to the highest level windows and porch doors for maximum home safety.
  • Install at least a 4- to 16-camera surveillance system that can be accessed from the web and has full night vision.
  • Remove or lock up exterior ladders to prevent the bad guy from gaining access.
  • Lock all doors and windows when you are home and away, especially at night and in the summer months.

See Robert discussing personal and home security on NBC Boston

Robert Siciliano is a personal security and identity theft expert for Home Security Source. (Disclosures)