Cyber Criminals Target Online Gambling Sites

Do you gamble online? Millions outside the U.S. do and love it. My gaming experience consists of online Solitaire and Tetris, which shows you how adventurous I am. But for those who gamble online, there can be significant risks.

The same cyber criminals targeting banks and retailers working hard to collect and sell stolen personal data, including names, addresses, Social Security numbers, and credit card details, are using those stolen identities to win big in defrauding online gambling sites.

And as more people turn to online poker, bingo, sportsbooks, and betting sites, cyber criminals are developing more sophisticated ways to take advantage of legitimate players and the gambling sites themselves. Financial fraud such as chargebacks and money laundering are major issues for gambling operators, not to mention player collusion and bonus abuse.  Plus, the operators have the responsibility of keeping problem gamblers (self-excluders) from re-entering their sites.

Bonus incentives, as explained in this case study on WagerWorks, are offered to attract new players to games and to increase overall play time, but these incentives also attract the attention of cyber criminals since they can set up multiple accounts under stolen identities, and take advantage of the free money offered for each new account.

Gambling sites, like banks and retailers, are forced to deal with a wide spectrum of Internet crimes and other in-game abuses that cost the industry hundreds of millions of dollars in fraud losses each year.

Many gambling sites have increased efforts to detect suspicious players, but Internet-savvy criminals have learned to mask their true identities, changing account information to circumvent conventional methods of fraud detection.

It is increasingly necessary for online casinos to deploy more effective solutions, which analyzes information beyond that which is supplied by users. By starting the fraud detection process with a device reputation check from companies like Oregon-based iovation Inc., gambling sites can stop problem players within a fraction of a second and avoid further checks and fees when the device is known to be associated with fraud.  According to Chrystian Terry, Director of Casino Operations at WagerWorks, “iovation helped us shut down 20 sophisticated rings. Imagine the lifetime value of bonuses on nearly 300 accounts – that’s tens of thousands of pounds! The service paid for itself on the first day.”

At the recent Caribbean Gaming Show and Conference in Santo Domingo, Max Anhoury, Vice President of Global Sales at iovation, shared in his presentation to attendees that 350,000 fraudulent attempts within gambling sites alone have been reported and shared in their global knowledge base in the last 12 months. And while iovation’s database of half a billion devices typically sees about 2% of devices within most industries associated with negative behavior, within the online gambling industry, that number increases to 5% of devices associated with fraud. That’s approximately 500,000 “known” unique devices trying to defraud gambling sites. Sites armed with device reputation know when they are on their sites and can keep them out.

The online casino industry has an opportunity to work in tandem with merchants, banks, travel sites and even shipping companies to share data that helps pinpoint the devices responsible for fraudulent activity. Shared device reputation intelligence makes this possible for the first time.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Social Security Numbers as National IDs on Fox News. (Disclosures)

How To Prevent Investment Fraud

The Securities and Exchange Commission defines a Ponzi scheme as “an investment fraud that involves the payment of purported returns to existing investors from funds contributed by new investors. Ponzi scheme organizers often solicit new investors by promising to invest funds in opportunities claimed to generate high returns with little or no risk. In many Ponzi schemes, the fraudsters focus on attracting new money to make promised payments to earlier-stage investors and to use for personal expenses, instead of engaging in any legitimate investment activity.”

The best way to avoid being taken by a Ponzi scheme is to make an effort to understand how the system is supposed to work.

The North American Securities Administrators Association recommends the following precautions:

– Contact your state or provincial securities regulator to see if the investment vehicle and the person selling it are registered.

– Contact your local Better Business Bureau to see if any complaints have been filed against the venture’s promoters or principals.

– Deal only with financial advisers, broker-dealers or financial institutions having a proven track record.

– Ask for written information on the investment product and the business. Such information, including financial data on the company and the risks involved in the investment, is contained in a prospectus.

– Don’t take everything you hear or read at face value. Ask questions if you don’t understand, and do some sleuthing for yourself.

– Steer clear of investments touted with no downside or risk.

But these tips wouldn’t be enough to prevent someone like Bernie Madoff from making a convincing play for your money.

To prevent yourself from falling for a more sophisticated scam, you need to understand the concept of “custody,” which refers to where the funds are housed. Make sure your funds are under the custody of a reputable investment firm such as a Charles Schwab, Fidelity, or Merrill Lynch. You should be able to see your accounts when logging into their website. Financial advisers may be employed by a custodial firm or may be independent brokers. Your funds should be with a large, well-known firm, not in the custody of a broker.

Bernie Madoff was a financial adviser who got away with his fraud because he controlled his clients’ assets and falsified the documentation. If you invest with a financial advisor that generates his own statements, you are at risk.

A financial adviser or broker should only have access to your funds in order to manage them, not to control them. They shouldn’t be able to withdraw funds without your consent. And they should never have the ability to move funds without your awareness.

Identity theft can happen to anyone. McAfee Identity Protection, offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection puts victims first and provides live access to fraud resolution agents who work with the victim to help restore their identity even from past theft events. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing Ponzi Scams. on CBS Boston (Disclosures)

Home Invasion Suspects Don “FBI” Gear

In Buffalo New York WBEN reports  “Buffalo Police are investigating a home invasion at a Sussex Street home. The male victim told police the suspects accosted him, wearing what appeared to be FBI badges and jackets.”

“The victim reported that he was driving down Welker Street at around 8:45 AM, when four or five black males wearing “FBI” gear stopped him, and forced their way into his van. The then made the man drive them back to his house. Once inside, the victim said the suspects tied up and pistol-whipped his wife. They then ransacked the home, and made off with jewelry and possibly other items. Before they left, the suspects shot the male victim in his hand.”

That’s a tough one. In a recent post “Fake Cops Home Invasion — Respecting Vs. Trusting” It is important to respect the position of the title. Everyone deserves some respect until they don’t. But, to blindly trust the person behind the title/uniform/badge etc, can get you hurt.

We live in a society that has many rules. We need rules because without rule, we’d devolve into chaos. Those rules are often broken by those who believe they are above them or are simply so desperate that they need to break them to get their next fix. Some of these rules are more “guidelines” than they are law.

If the homeowner drove straight to the police department because he was concerned for his personal security, regardless of what kind of jacket the perpetrators were wearing, he could have saved himself lots of trouble.

Robert Siciliano personal and home security specialist to Home Security Source discussing home invasions on the Gordon Elliot Show.

10 Social Media Security Considerations

Social media security issues involve identity theft, brand hijacking, privacy issues, online reputation management, and users’ physical security.

Social media provides opportunities for criminals to “friend” their potential victims, creating a false sense of trust they can use against their victims through phishing or other scams.

Register your full name on the most trafficked social media sites, and do the same for your spouse and kids. If your name is already taken, include your middle initial, a period, or a hyphen. You can do this manually or speed up the process by using Knowem.com.

Get free alerts. Set up Google alerts for your name and kids’ names, and you’ll get an email every time one of your names pops up online. You should be aware if someone is using your name or talking about you.

Discuss social media with your kids. Make sure they aren’t sharing personal information that would compromise their own or your family’s security with their “friends.” Monitor what they do online. Don’t sit in the dark, hoping they are using the Internet appropriately. Be prepared not to like what you see.

Be discreet. What you say, do, and post online exists forever. There is no way to completely delete a digital post. Keep it professional, and be aware that someone is most likely monitoring you, possibly including your employer.

Maintain updated security. Make sure your hardware and your software are up to date. Update your antivirus definitions, your critical security patches, and so on.

Lock down settings. Most social networks have privacy settings. Don’t rely on the defaults. Instead, set these preferences as securely as possible. The main social media websites offer tutorials, which you should use.

Always delete messages from unfamiliar users. I get messages from scammers all the time, and I’m sure you do, too.

Don’t share personal information through games or applications. Nothing good can come from publishing “the 25 most amazing things about you.”

Always log off social media sites before walking away from the PC. If you ever use a friend’s or a public PC, this habit will save lots of aggravation.

Don’t use geolocation features, which literally track your every move in order to announce your location to the world. There’s no reason to allow anyone, anywhere, to stalk you. And don’t post status updates sharing the fact that your home is vacant.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. Disclosures

23% of Online Fraud is “Friendly”

Friendly fraud occurs when a customer makes an online purchase with a credit card and then, once the merchandise has arrived, calls the credit card company, claims never to have received the item, and requests a chargeback. The merchant has no way of proving the legitimacy of this card-not-present transaction, and is forced to refund the customer’s money.

According to a new study released by LexisNexis Risk Solutions, retailers lost more than $139 billion to fraud last year, with friendly fraud accounting for one fifth of those losses.

The problem for you, the consumer, is that banks and merchants tend not to believe identity theft victims, because friendly fraud complicates the reimbursement process. It’s not uncommon for victims to be required to sign affidavits and have them notarized.

Online merchants need a better system. Device reputation offered by anti-fraud experts iovation, would be one step in the right direction. While a customer is placing an order, device identification technology recognizes and re-recognizes PCs, smartphones, or tablets used to access online businesses across the Internet. Then, device reputation technology determines whether or not device the being used has a history of fraud (including histories of friendly fraud) or if high risk is assessed at transaction time. When a particular transaction is reported as fraudulent, that information goes into a globally shared knowledge base and the fraudster’s device and its related accounts are flagged in order to prevent repeated attempts under new identities. This protects the merchant and honest consumers from billions of dollars in losses to fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Dumb Intruder Calls Cops On Homeowner

If I ever strived to be a dumb criminal I’d want to be Timothy James Chapek, 24 years old from Portland, Ore. This cat breaks into a home and jumps in the shower when the woman who lived there came home.

The kid locked the bathroom door and called 911. From the 911 call: “I just broke into a house and the owners came home…I think they have guns,” he told the 911 operator.

At the same time the homeowner confronted him and asked why he was in the house taking a shower and he says “I broke in. I was kidnapped.”

When the homeowner yelled at him telling him she was calling the cops he said “I’ve already called them. They’re on the phone right now.”

OMG!

How about not letting this happen in the first place?

Install signage. “Beware of Dog” and “This House is Alarmed” neon signs for $1.98. One for the front door and one for the back door.

Go to the pet store. Get 2 big dog bowls, one for the front porch and one for the back. Write “Killer” in permanent marker on it. This gives the impression you have a big dog. You can even buy a barking dog alarm.

Lock your doors and windows. Install a monitored alarm system. Consider ADT Pulse that comes with a battery backup even when the poser goes out.

Give your home that lived in look. Leave the TV on LOUD while you are gone.

Install timers on your lights both indoor and outdoor. Close the shades to prevent peeping inside.

Robert Siciliano personal and home security specialist to Home Security Source discussing ADT Pulse™ on Fox News.

7 Types of Hacker Motivations

There are good and bad hackers. Here is a window into what they do and why:

White Hat Hackers: These are the good guys, computer security experts who specialize in penetration testing and other methodologies to ensure that a company’s information systems are secure. These IT security professionals rely on a constantly evolving arsenal of technology to battle hackers.

Black Hat Hackers: These are the bad guys, who are typically referred to as just plain hackers. The term is often used specifically for hackers who break into networks or computers, or create computer viruses. Black hat hackers continue to technologically outpace white hats. They often manage to find the path of least resistance, whether due to human error or laziness, or with a new type of attack. Hacking purists often use the term “crackers” to refer to black hat hackers. Black hats’ motivation is generally to get paid.

Script Kiddies: This is a derogatory term for black hat hackers who use borrowed programs to attack networks and deface websites in an attempt to make names for themselves.

Hacktivists: Some hacker activists are motivated by politics or religion, while others may wish to expose wrongdoing, or exact revenge, or simply harass their target for their own entertainment.

State Sponsored Hackers: Governments around the globe realize that it serves their military objectives to be well positioned online. The saying used to be, “He who controls the seas controls the world,” and then it was, “He who controls the air controls the world.” Now it’s all about controlling cyberspace. State sponsored hackers have limitless time and funding to target civilians, corporations, and governments.

Spy Hackers: Corporations hire hackers to infiltrate the competition and steal trade secrets. They may hack in from the outside or gain employment in order to act as a mole. Spy hackers may use similar tactics as hacktivists, but their only agenda is to serve their client’s goals and get paid.

Cyber Terrorists: These hackers, generally motivated by religious or political beliefs, attempt to create fear and chaos by disrupting critical infrastructures. Cyber terrorists are by far the most dangerous, with a wide range of skills and goals. Cyber Terrorists ultimate motivation is to spread fear, terror and commit murder.

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information and access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing another databreach on Good Morning America. (Disclosures)

Tsunami Scam Warnings Keep Coming In

In light of the earthquake and tsunami in Japan, and the subsequent tsunami warnings in Hawaii and on the US West Coast, McAfee is warning consumers about a number of online scams that have appeared within hours of these devastating events.

Sadly, scammers seem to come out of the woodwork during a natural disaster to catch consumers when they’re in a panic, looking for answers, and when they’re most vulnerable.  People should not click on links or respond to phishing e-mails for relief donations that ask for credit card numbers or other personal information.  In addition, be wary of tiny URLs on social media services and posts on social networking sites. Hundreds of domains that could be related to the disaster have been registered so far today, including a scam site that appeared within just two hours of the earthquake.

Follow these guidelines to ensure that donations to victim relief efforts are sent through legitimate sites:

.Org domains are cheap.  Registering does not indicate charitable status in any way.  Verify that the organization is actually a registered charity by typing the URL directly into a web browser.

Domain solicitations that arrive by unsolicited email, especially those sounding overly urgent or desperate, are very likely to be scams.

Be aware that donation requests made via advertising banners can also be scams.

If you’d like to help, support one of the major international organizations that have a “most in need” fund such as the Red Cross.

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)

Neighborhood Works Together To Fight Crime

In Creekmoor in Orangeburg County South Carolina, residents are banding together to fight crime.

The Times and Democrat reports “Creekmoor residents are trying to put a stop to property crimes and thefts before the entire area is overrun with crimes far worse than burglaries. About 60 residents of the Columbia Road neighborhood met last week to discuss expanding patrols to put more eyes and ears on the neighborhood. “I’m not asking you to confront any of these people,” Creekmoor resident Malcom Crider said. “All I’m asking you to do is ride.” The neighborhood of about 200 homes began a Crime Watch group three years ago after the typically quiet, middle-class community began experiencing vehicle break-ins.”

The following is a scenario often used by suspects looking to burglarize homes in your neighborhoods as provided by the “Downey Police Department” in the Downey Patriot.

“A suspect may simply walk to the front door of a residence and knock on the door. If someone answers, the suspect will make an excuse for being at the wrong house and walk away. If there is no answer, the suspect will either leave the location before returning a short time later, or make his way into the back or side yard to find a way into the house.

Once out of view of the street, he will look for open windows or doors to gain entry into the residence. If the house is locked, the burglar will oftentimes force entry by breaking a window or forcing a door open.

A car with additional suspects will oftentimes wait a short distance away for the suspect to return with stolen property. The suspect may also call them to respond to the house to assist in the actual burglary of the location.

Because the actions of the burglars are usually not visible from the street, it is difficult for police to discover the crime in progress. Because of this, it’s imperative that residents in the area pay close attention to suspicious subjects in their neighborhood. This is especially true if you see someone knock on a door of a residence, then go to the back of the house when they fail to get an answer.

If you see people in your neighborhood – whether they are walking or sitting in a vehicle – that you feel may be looking for an opportunity to commit a crime, please call the Police Department.”

Robert Siciliano personal and home security specialist to Home Security Source discussing Home Security on NBC Boston.

Check Your Password Security

Passwords are the bane of the security community. We are forced to rely on them, while knowing they’re only as secure as our operating systems, which can be compromised by spyware and malware. There are a number of common techniques used to crack passwords.

Dictionary attacks: These rely on software that automatically plugs common words into password fields. Password cracking becomes almost effortless with a tool like John the Ripper or similar programs.

Cracking security questions: When you click the “forgot password” link within a webmail service or other site, you’re asked to answer a question or series of questions. The answers can often be found on your social media profile. This is how Sarah Palin’s Yahoo account was hacked.

Simple passwords: When 32 million passwords were exposed in a breach last year, almost 1% of victims were using “123456.” The next most popular password was “12345.” Other common choices are “111111,” “1234567,” “12345678,” “123456789,” “princess,” “qwerty,” and “abc123.” Many people use first names as passwords, usually the names of spouses, kids, other relatives, or pets, all of which can be deduced with a little research.

Reuse of passwords across multiple sites: Reusing passwords for email, banking, and social media accounts can lead to identity theft. Two recent breaches revealed a password reuse rate of 31% among victims.

Social engineering: Social engineering is an elaborate type of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information.

There are a number of ways to create more secure passwords. One option is to create passwords based on a formula, using a familiar name or word, plus a familiar number, plus the first four words of the website where that password will be used. Mix in a combination of upper and lowercase letters, and you have a secure password. Using this formula, your Bank of America password could be “Dog7Bank,” for example. (Add one capital letter and an asterisk to your password, and it can add a couple of centuries to the time it would take for a password cracking program to come up with it.)

Password managers can also help generate and store secure passwords. Some people like Lastpass. Another incredibly efficient and secure service is Roboform, which has a “Generate” tab in its browser toolbar that creates passwords that can’t be guessed, like “ChF95udk.” All your passwords are backed up on a secure encrypted server and can sync on multiple PCs.

It is just as important is to make sure your PC is free of malicious programs like spyware and keylogging software. Beware of RATs, or Remote Access Trojans, which can capture every keystroke typed, take a snapshot of your screen, and even take rolling video of your screen with a webcam. But what’s most damaging is the possibility of a RAT gaining full access to your files, including any passwords being stored by a password manager.

Use antivirus and anti-spyware software and firewalls, and set up your PC to require administrative rights in order to install any new software.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers using social engineering to hack email on Fox News. Disclosures