Beware of Furnace Scams

To my horror, Old Man Winter is knocking at my door. There is snow on the ground in Boston accompanied by a howling wind with a wind chill of wicked, wicked, wicked cold. Did I say it’s wicked cold? It’s only 37 degrees but feels like 10 below. Frankly, I should live on an island in the Pacific for more than one reason, and avoiding winter is one of them. I’m a very delicate flower.

Anyways, if you are proactive you should have already gone through with your annual maintenance regime with your forced hot air furnace, or forced hot water boiler.

In this process you may change air or water filters, clean out tubes, clean ducts, tighten up any water or air leaks, or flush the system of bad fluids. If you haven’t done any of this or have no idea what I’m talking about you may be a good target for furnace scams.

The most effective way not to be scammed is to do business with those you know, like, and trust. A referral by someone you trust who has a long-term relationship with a licensed plumber or pipefitter is often the best way to get a reputable contractor to do maintenance or install a new system. Keep in mind any heating or cooling related work can cost anywhere from under $100.00 to several thousand. And if you don’t have an honorable contractor, they can easily fleece you.

Look for a license and confirm its validity with the local registry.

Be especially aware of duct cleaning scams. Do your research on how often duct cleaning should be done and watch the contractor’s every single move. You want to see dirt and see dirt removed.

Confirm they are insured.

Don’t do business with anyone who does door to door sales.

Beware of scare tactics.

Always require a full proposal.

Get second and third opinions.

Get references.

Search them online and seek out any complaints with the Better Business Bureau.

Robert Siciliano personal and home security specialist to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover. Disclosures.

Community Comes Together to Fight Burglary

Rochester, New York, is being “plagued” by burglaries, which rose by over 13 percent in the last year. As a result, residents organized a Burglary Prevention Clinic to teach homeowners how to better secure their homes.

WHEC reports one of the residents was quoted saying “It’s so easy to forget that maybe I didn’t lock my window, or I didn’t secure my door, or my lock is a little loose.”

This particular event had more than the standard Neighborhood Watch attendees. In attendance were law enforcement, security professionals, locksmiths, politicians, insurance agents and community members, all sharing their experience and best practices to keep safe.

They discussed a number of security issues and people voiced their concerns, but one politician stated very poignantly, “I would say the most important thing is that there’s a lot that we can do to protect each other, so communication with your neighbors, and relationship with your neighbors goes a long way.”

Use solid steel or solid wood doors.

Trim shrubs to eliminate hiding spots.

Report suspicious activity in your neighborhood.

Start a neighborhood watch and get to know your neighbors.

Inform a few trusted neighbors of any travel plans to assist in the collection of newspapers and mail.

Install a home security system monitored by law enforcement and consider security cameras too.

Robert Siciliano personal and home security specialist to Home Security Source discussing burglar proofing your home on Fox Boston. Disclosures.

Feds Catch Carder

WE DO NOT SELL DUMPS. DO NOT EMAIL OR CALL US.

“Carders” are the people who test and sell credit card details (most likely phished) to other individuals who carry out the actual credit card fraud. Carders are the most visible of criminals who distribute and sell stolen data to whoever is willing to take it and burn it onto a white card or make purchases over the internet. “Dumps” is a term for the batches of stolen credit card data they buy and sell.

Computerworld reports:

“Tony Perez III, of Hammond, Indiana, pleaded guilty to the charges on April 4. In his plea, Perez said he sold counterfeit credit cards encoded with stolen account information. Perez found customers through criminal ‘carding forums,’ Internet discussion groups set up to aid in the buying and selling of stolen financial account information and related services.”

“During a June 2010 search of Perez’s residence, Secret Service agents found 20,987 stolen credit card accounts on his computers, in his email messages, in an online account and on counterfeit credit cards he was in the process of manufacturing, according to court documents. Credit card companies have reported more than US$3.1 million in fraudulent charges associated with those accounts, court documents said.”

Carding is a full time profession for thousands of hackers worldwide. Retailers’, banks’, credit card processors’, and many other corporations’ databases often contain millions of credit card numbers, and are targeted in “advanced persistent threats.” Any entity that accepts credit cards online or in the physical world is a ripe target for fraud.

It’s in the retailer’s best interest to put online fraud prevention measures in place to thwart credit card fraud on their sites. This not only helps them keep their chargebacks and fees low, but it also protects their brand reputation with their loyal customers. But how can retailers detect when fraudsters are stealing from their websites in the first place?

Before verifying identity and credit information, first make sure that the computer, tablet or smartphone connecting to the site is not a known fraudulent device – one used to steal from your business in the past, or from other online businesses.

Would you like to know if the device is acting suspiciously, such as masking its IP address or constantly changing its characteristics between transactions? Is it opening an excessive number of new accounts, or are new countries suddenly accessing your customers’ existing accounts?

There are many indicators of risk, and companies like Oregon-based iovation Inc. help online businesses set up fraud and risk rules in advance so that as transactions come in, the rules run and all checks complete in a fraction of a second. This device identification service can stop the transaction right then and there.

Carders are just one piece of the cybercrime puzzle.  Having a defense-in-depth approach to fraud prevention is essential.  And sharing fraud intelligence with other businesses can only help you catch more fraud, and meanwhile, take more business with confidence.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Good Morning America. (Disclosures)

Identity Theft Ring Targeted Banks

In what is considered “the largest identity theft takedown in U.S. history,” 111 individuals were indicted for “stealing the personal credit information of thousands of unwitting American and European consumers and costing individuals, financial institutions and retail businesses more than $13 million in losses over a 16-month period.”

The five different identity theft and forgery rings involved in these crimes targeted banks using a variety of techniques. From inside jobs to robberies and credit card fraud, this criminal network, based in Queens, New York but with ties to Europe, Asia, Africa, and the Middle East, was organized and profitable.

The criminals’ primary focus was on credit cards. Many of the defendants are accused of using stolen credit card numbers to purchase “tens of thousands of dollars worth of high-end electronics and expensive handbags and jewelry,” not to mention staying at five-star hotels.

“Even after the culprits are caught and prosecuted, their victims are still faced with the difficult task of having to repair their credit ratings and financial reputations. In some cases, that process can take years,” explained Queens district attorney Richard Brown.

Police Commissioner Kelly commented, “These weren’t holdups at gunpoint, but the impact on victims was the same. They were robbed. We assigned detectives to financial crimes because the potential victimization is so great, especially as the use of credit cards and their vulnerability to identity theft have grown along with the Internet.”

More financial institutions could protect their clients and themselves by incorporating device identification upfront in their fraud detection processes to keep scammers out, as the recent FFIEC guidelines suggest. Oregon-based iovation Inc. offers the world’s most advanced device identification service, which is already in use at many major financial institutions offering commercial and retail banking as well as credit issuance.  The device recognition service, called ReputationManager 360, is used alongside other risk-based authentication tools for a layered defense against organized crime.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Good Morning America. (Disclosures)

Approaching Holidays Bring “12 Scams of Christmas”

Whether you like it or not, whether you’re ready or not, the Christmas machine has arrived—well before Thanksgiving—at least as far as stores and advertisers are concerned. And there’s no question that scammers, identity thieves, and criminal hackers have already begun setting traps for holiday shoppers.

So whether they’re using PCs, Macs, or mobile devices, consumers should be looking out for “The 12 Scams of Christmas”: the dozen most dangerous online scams this holiday season, as revealed by McAfee.

1. Mobile Malware: McAfee cites a 76% increase in malware targeting Android devices in the second quarter of 2011 over the first, making it the most targeted smartphone platform. New malware has recently been found that targets QR codes, digital barcodes that consumers might scan with their smartphones to find good deals on Black Friday and Cyber Monday.

2. Malicious Mobile Applications: These are mobile apps designed to steal information from smartphones, or to send out expensive text messages without a user’s consent. Dangerous applications are usually offered for free, masquerading as games.

3. Phony Facebook Promotions and Contests: Cyber scammers know that contests and free offers are attractive lures, and they have sprinkled Facebook with phony promotions and contests aimed at gathering personal information.

4. Scareware: This fake antivirus software tricks recipients into believing their computers are at risk, or have already been infected, so that they will agree to download and pay for phony software. An estimated one million victims fall for this scam every day.

5. Holiday Screensavers: A Santa screensaver that promises to let you “fly with Santa in 3D” is malicious. Holiday-themed ringtones and e-cards have been known to be malicious, too.

6. Mac Malware: Cybercriminals have designed a new wave of malware directed squarely at Mac users. According to McAfee Labs, as of late 2010, there were 5,000 pieces of malware targeting Macs, and this number is increasing by 10% from month to month.

7. Holiday Phishing Scams: Cyber scammers know that most people are busy around the holidays, so they tailor their emails and social messages with holiday themes in the hopes of tricking recipients into revealing personal information.

8. Online Coupon Scams: When consumers accept an offer for an online coupon code, they are asked to provide personal information, including credit card details, passwords, and other financial data.

9. Mystery Shopper Scams: Mystery shoppers are hired to shop in a particular store and report back on their customers. Sadly, scammers are now using this appealing job to lure people into revealing personal and financial information.

10. Hotel “Wrong Transaction” Malware Emails: Scammers have designed travel-related scams in order to tempt us to click on dangerous emails. Once opened, an attachment downloads malware onto the victim’s machine.

11. “It Gift” Scams: When a gift is hot, not only do sellers mark up the price, but scammers will also start advertising these gifts on rogue websites and social networks, even if they don’t actually have the popular items.

12. “Away From Home” Status Updates: Posting information about your vacation on a social networking website could actually be dangerous. Thieves may see your post and decide that it sounds like a good time to rob you.

Be sure you have active, comprehensive protection for all of your devices. McAfee All Access is the only product that lets individuals and families protect a wide variety of Internet-enabled devices, including PCs, Macs, smartphones, tablets, and netbooks, for one low price.

Robert Siciliano is an Online Security Evangelist for McAfee. See him discuss identity theft on YouTube. (Disclosures)

How To Recover a Hacked Facebook Account

At least weekly, some stressed-out victim of a Facebook hack, a.k.a. “account takeover,” contacts me to help them get their account back in order. While I do have a connection or two at Facebook, I’m not in a position to send an email or flip a switch and make it all good just like that. Facebook doesn’t allow that.

The victim of the hack is in the best position to fix it themselves.

First, be proactive. Set up your computer with auto updates for your operating system, anti-virus, anti-phishing, and anti-spyware software. Have a 2-way firewall turned on and lock down your wireless connection.

Facebook offers a number of security features. Use all of them. Take screenshots of your settings and contact info, print them, and store them in a secure place.

Opt-in security features:

Trusted Friends

What are trusted friends?

Trusted friends are friends you can reach out to if you ever get locked out of your Facebook account (ex: you turn on login approvals and then lose your phone, you forget your Facebook password and can’t get into your login email account to receive a password reset). If you get locked out, we’ll send each of your trusted friends a security code. All you need to do is call your friends and collect the codes.

Secure Browsing (https)

What is Secure Browsing (https)? What are the benefits?

Secure Browsing (https) is an opt-in security feature. When you turn this feature on, your traffic (i.e. all of your activity) on Facebook becomes encrypted, making it harder for anyone else to access your Facebook information without your permission.

Login Notifications

What are Login Notifications?

Login Notifications are an opt-in security feature where alerts are sent to you each time your account is accessed from a new device.

To turn on Login Notifications:

Go to your Security Settings page (Account > Account Security > Security)

Click on the Login Notifications section

Check the box next to the type of alerts you’d like to receive and save your changes

Note: If you want to receive text message alerts, you’ll need to add a mobile number to your account.

Login Approvals

What is Login Approvals?

Login Approvals is an opt-in security feature similar to Login Notifications, but with an extra security step. With Login Approvals, each time you try to access your Facebook account from an unrecognized device (ex: any computer or mobile phone you haven’t named and saved to your Facebook account), you will first have to enter a security code we’ve sent to your mobile phone.

To turn on Login Approvals:

Go to your Security Settings page (Account > Account Security > Security)

Click on the Login Approvals section

Check the box and save your changes

If all else fails, go to https://www.facebook.com/hacked, the system Facebook has in place to help you get your account back regardless of whether the hacker changed your email address.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Almost 80% of Retailers Data At High Risk

The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.

Now, after five years of pushing standards out to merchants and retailers, a Verizon study has found that 79% of retailers are noncompliant. That means your credit card data is at risk in 8 out of 10 transactions.

InformationWeek reports numerous reasons why credit and debit card data is at risk. The first is that the burden posed by PCI causes businesses to view PCI as a nuisance, rather than a standard. Instead of working towards better security, they shun it.

Another risk factor is that most merchants only maintain basic compliance. Credit card processors hold merchants’ feet to the fire by requiring that PCI standards be met, but only audit annually so merchants don’t maintain security throughout the year. When it comes time to be audited, merchants will often fail because they’re unprepared or because the rules have changed.

Finally, lack of awareness increases risk. According to Verizon, “the greater awareness of PCI found in a business, the greater the actual compliance.” Jennifer Mack, director of global PCI services, says, “The more aware your organization is of the standard, the more prepared you are for the type of approach you take.” Seems like common sense to me!

No matter how you slice it, retailers are a target and must employ multiple layers of fraud protection to thwart cyber criminals. One way that retailers are uncovering suspicious activity on their sites is by utilizing powerful tools for early detection. iovation Inc., the leader in device recognition technology, allows retailers to create multiple rules and adjust them as threats emerge and evolve. They do this without collecting any personally identifiable information (PII) from the retailer.

As devices (such as computers and mobile devices) with fraudulent histories connect to the retailer’s website, the business is alerted in real time. And when velocity or geolocation alerts are triggered, the retailer knows in real time. iovation’s living database of device intelligence is shared across its global base of finance, gaming, travel, shipping, dating and retail clients. They share information to detect fraudulent activity as soon as possible, before product is shipped and chargebacks and fees are incurred. They call it device reputation.  I call it another bit of common sense for retailers.
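The checks named in this post and in the earlier carder post (devices with fraud history, IP masking, changing device characteristics, new-account velocity, new countries on existing accounts) can be sketched as a small rule engine. This is an added example, not iovation's code or API; the event fields, rule names, thresholds, decision policy and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:                # constructed schema, not a vendor format
    ts: int                 # seconds since the start of the sample
    device_id: str          # ID from a device-identification layer (assumed)
    account: str
    kind: str               # "signup", "login" or "purchase"
    country: str            # geolocated from the source IP
    proxied: bool           # result of upstream proxy detection (assumed)
    traits: str             # digest of browser/OS/timezone attributes (assumed)

class RiskRules:
    def __init__(self, bad_devices, window=3600, max_signups=3, max_traits=2):
        self.bad_devices = set(bad_devices)   # shared fraud-history list
        self.window, self.max_signups, self.max_traits = window, max_signups, max_traits
        self.signups = defaultdict(deque)     # device -> recent signup times
        self.traits = defaultdict(deque)      # device -> recent (ts, traits)
        self.countries = defaultdict(set)     # account -> countries seen on clean events

    def _expire(self, queue, now, key=lambda x: x):
        # Drop entries that have aged out of the sliding window.
        while queue and key(queue[0]) <= now - self.window:
            queue.popleft()

    def evaluate(self, ev):
        hits = []
        if ev.device_id in self.bad_devices:
            hits.append("known_fraud_device")
        if ev.proxied:
            hits.append("ip_masking")
        seen = self.traits[ev.device_id]
        seen.append((ev.ts, ev.traits))
        self._expire(seen, ev.ts, key=lambda x: x[0])
        if len({t for _, t in seen}) > self.max_traits:
            hits.append("changing_characteristics")
        if ev.kind == "signup":
            times = self.signups[ev.device_id]
            times.append(ev.ts)
            self._expire(times, ev.ts)
            if len(times) > self.max_signups:
                hits.append("signup_velocity")
        known = self.countries[ev.account]
        if ev.kind != "signup" and known and ev.country not in known:
            hits.append("new_country")
        if not hits:
            known.add(ev.country)   # learn only from clean events; a flagged login cannot poison the baseline
        return hits

def decide(hits):
    # Assumed policy: fraud history or two independent signals deny, one signal goes to review.
    if "known_fraud_device" in hits or len(hits) >= 2:
        return "deny"
    return "review" if hits else "allow"

def run(events, bad_devices):
    rules = RiskRules(bad_devices)
    return [(decide(h), h) for h in map(rules.evaluate, events)]

SAMPLE = [  # constructed events
    Event(0,   "dev-A", "alice", "signup",   "US", False, "t1"),
    Event(600, "dev-A", "alice", "login",    "US", False, "t1"),
    Event(700, "dev-B", "alice", "login",    "FR", True,  "t9"),
    Event(800, "dev-C", "u1",    "signup",   "US", False, "t2"),
    Event(810, "dev-C", "u2",    "signup",   "US", False, "t3"),
    Event(820, "dev-C", "u3",    "signup",   "US", False, "t4"),
    Event(830, "dev-C", "u4",    "signup",   "US", False, "t5"),
    Event(900, "dev-X", "bob",   "purchase", "US", False, "t7"),
]

if __name__ == "__main__":
    for ev, (decision, hits) in zip(SAMPLE, run(SAMPLE, {"dev-X"})):
        print(ev.ts, ev.device_id, ev.account, decision, hits)
```

State is kept per device and per account, so the sliding window and the country baseline decide the outcome as much as the current event does.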

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures

Introducing: 99 Things You Wish You Knew Before Your Identity Was Stolen

Yes, it’s a glorious day with the birth of my new book. I’ve spent 15 years in the trenches, reporting on all issues of personal security. Now I’ve taken what I know about protecting your identity and avoiding fraud and packed it all into 99 tips, a quick read of less than 35,000 words. Now you can also become an expert on how to protect yourself from these horrible crimes.

But I didn’t do it by myself. McAfee, the largest and most trusted name in digital security, helped me. Their teams of threat experts are constantly fighting off the bad guys, and I drew upon their vast experience and research.

In 99 Things You Wish You Knew Before Your Identity Was Stolen, I proactively demystify identity theft and computer fraud by presenting the relevant information surrounding these issues in the form of simple, bite-sized chunks, in order to make consumers, families, employees, and small businesses safer and more secure. Readers will learn the difference between scareware, ransomware and spyware. They’ll learn about the types of cybercriminals, such as black hats, crackers, script kiddies, and hacktivists. And most importantly, readers will learn how to protect their identities, both online and in the physical world.

As millions of consumers begin searching and shopping online during the holiday season, McAfee understands the necessity of spreading awareness of cybercriminals’ tactics and methods for protecting oneself from identity theft and online fraud.

So, from November 9th through the 15th, McAfee will be offering a complimentary PDF copy of my just-released book through Facebook. To get your free copy, click “like” on McAfee’s page.

After November 15th, 99 Things You Wish You Knew Before Your Identity Was Stolen will be available in print, ePub, and PDF, and can be found on Amazon, the Amazon Kindle, the Sony eBook Store, and 99-Series.com from $5.99-$14.97.

Robert Siciliano is an Online Security Evangelist for McAfee. See him discuss identity theft on YouTube. (Disclosures)

Thinking About Building a Safe Room?

A safe room, also known as a panic room, is designed to keep bad out and extend your lifetime. Bad could be in the form of Mother Nature’s wrath, manmade disaster or a human predator.

There are varying levels of options and financial investments based on what exactly you want to protect yourself from. For example, if you live in a part of the world where tornados are a problem, then you may build your safe room with similar security features as you would when trying to protect from a predator, but perhaps not as extreme as when protecting yourself from a manmade disaster, like nuclear fallout.

When extreme weather threatens, individuals and families need advance warning and protection from the dangerous forces of extreme winds. Individuals and communities in tornado and hurricane areas need structurally sound safe rooms and early alert systems. FEMA has a guide that begins the process of building a safe room and asks you to consider:

What is the cost of installing a safe room?

Can I install a safe room in an existing home?

Can I build the safe room myself?

Where is the best location for the safe room?

Where can I find plans for safe room construction?

FEMA’s guide discusses having a safe room in your home or small business that can help provide “near-absolute protection” for you and your family or your employees from injury or death caused by the dangerous forces of extreme winds.

This is a good start for anyone considering a safe room of any kind. In the next post we’ll get into detail about what designs may be considered when building one to protect from predators and even manmade disasters.

Robert Siciliano personal and home security specialist to Home Security Source discussing ADT Pulse on Fox News Live. Disclosures

Human Security Weaker Than IT Security

Information technologies have evolved to a level at which the developers, programmers, and security specialists all know what they’re doing, and are able to produce products and services that work and are reasonably secure. Of course, there’s always room for improvement.

Despite the amount of criminal hacking that goes on, users who effectively implement the appropriate measures and refrain from risky behaviors enjoy relative security.

The Wall Street Journal reported on a study by Dartmouth’s Tuck School of Business, quoting professor Eric Johnson:

“Criminal hackers are increasingly turning to digital versions of old-fashioned con games, literally gaining the confidence of employees through innocuous-seeming phone calls purporting to be from fellow workers, or even through regular mail, in order to entice them into downloading malicious code or revealing a password. The threat of data leakage is thus highest where a human is put in a position to decide whether to click on a link or divulge important information. The [phishing] techniques have become more hybrid.”

If you are reading this, chances are you do a pretty good job with information security to prevent identity theft, at least on the consumer level. But you also need to start thinking about avoiding Jedi mind tricks. Within the security world, these cons are known as “social engineering.”

Whether you receive a phone call, an email, or a visitor at your home or office, always question those who present themselves in positions of authority.

You should never automatically place your trust in a stranger.

Within your own home or business, set clear guidelines regarding what information should or should not be shared.

Keep in mind that when you lock a door it can be unlocked, either with a key, or with words that convince you to unlock it yourself. Always view every interaction, whether virtual or face-to-face, with a cynical eye for a potential agenda.

In the end, if a bad guy has pulled the wool over your eyes, they often will want to infect your Mac or PC. Keep your computer’s operating system up to date with critical security patches and install a total protection product.

Robert Siciliano is an Online Security and Safety Evangelist to McAfee and Identity Theft Expert. (Disclosures)