Online Gamers Risk Credit Card Fraud

The Sony Corporation has been providing consumers with stellar electronics since before the introduction of the Walkman. The past six months have been harsher for Sony, with attacks by hacktivists and numerous breaches of clients’ data.

Many recent breaches involved usernames, passwords, email addresses, and in some cases, credit card numbers. Each compromised data point is another opportunity for a criminal to steal your identity and make money at the expense of your good name.

If a company becomes aware that usernames and passwords have been compromised, they should notify users and prompt them to change their passwords. Users should change passwords every six months, regardless of whether a breach has occurred. Passwords should include upper and lowercase letters and numbers, and should not be used across two or more accounts. I have 700 different accounts and 700 different passwords.

Beware of spear phishing emails. When hackers get your email address from a breached gaming account, they will send emails that look like they are coming from the company that has been breached. Never click on links within an email. Instead, go to your favorites menu or manually type the correct address in the address bar.

Pay close attention to credit card accounts. I monitor my accounts weekly for all activity. Simply log in, look at each charge, and dispute unauthorized charges immediately. A new free service called BillGuard scans your credit cards daily and alerts you to hidden fees, billing errors, forgotten subscriptions, scams, and fraud.

If you have provided a credit card number to your child for online gaming, beware of purchases they may make that you have previously approved. Many gaming sites try to upsell their users, and will charge the credit card on file. Spend some time with your child discussing appropriate online behavior, and look for parental controls that will send you email alerts when your child makes a purchase.

McAfee, the most trusted name in digital security, includes proactive identity surveillance to monitor subscribers’ credit and personal information, as well as access to live agents who can help subscribers resolve identity theft issues. For additional tips, please visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him explain how a person becomes an identity theft victim on CounterIdentityTheft.com (Disclosures)

 

Myth: Apple Products Don’t Get Viruses

Have you ever bitten into an apple and found a worm? I have, and it’s yummy! Anyway, how many times have you heard, or even said, “I won’t get that computer virus because I have a Mac”?  While Mac users tend to feel somewhat insulated from viruses, it’s time for anyone who owns an Apple computer, iPhone, iPad, or other Apple device to listen up.

The growing popularity of Apple products has inspired cybercriminals to create viruses that will harm Macs. Until now, Macs have been immune to these threats, but McAfee Labs is seeing the very first wave of fake programs targeted at Mac users. In other words, there is an increased number of programs known as “scareware,” which claim to protect users from viruses, but users who attempt to install the supposed antivirus software are actually downloading malicious software. This malware can damage the user’s computer or compromise personal information, including banking details.

Mac users are also equally susceptible to phishing and other social engineering scams, if not more so, since they may have an inflated sense of security that can lead to riskier behavior.

It’s important for Mac users to be aware of these emerging threats and take the appropriate precautions.

To avoid becoming a victim, download Mac updates as soon as they’re available, so you’re protected from these latest threats.

Never download or click on anything from an unknown source.

When searching the web, use the safe search tool, which tells you if a site is safe to click on or not, right in your search results.

Keep your computer safe by installing security software.

With more than 11 million victims just last year, identity theft is a serious concern. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Educate and protect yourself by visiting CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him explain how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)

 

Dumb Home Invaders Busted Using Victim’s Mobile

Here is why home security systems are absolutely essential. A homeowner in South Carolina is sleeping when he hears a loud banging noise. He gets out of bed to investigate and comes face to face with a man in his home wearing a ski mask. Question: Do they have snow in South Carolina? Do they ski?

Anyway, the home invader drops the man to his knees and sticks a gun in his ear. Then the victim’s girlfriend gets a gun stuck in her ear, and they both stay on their knees at gunpoint while the home invaders ransack the house.

The home invaders stole their mobile phones, and their games including Wii, Nintendo, Xbox, two pistols and three shotguns along with cash and jewelry.

Based on the score I bet the victims knew the home invaders. Luckily for the victims the home invaders left without any additional violence.

The home invaders used one of the victims’ cell phones later on that day. What the dumb criminal probably didn’t realize is that mobile phones have GPS and location-based data that can allow anyone, including the police, to trace the phone’s location pretty accurately.

Police staked out the location, which was a motel, and saw two men who fit the home invaders’ description, then searched their room and found the victims’ stuff.

Technology is great. It helped catch these criminals, and this wasn’t the first time a cellphone has helped police catch a criminal. In Maryland, another dumb criminal was caught after leaving behind a charging phone.

However technology in the form of a home alarm could be used better to proactively prevent this. While the victim isn’t responsible for getting invaded, they are in the best position to prevent it.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing ADT Pulse on Fox News Live. Disclosures

Doggy Door: Easy Burglar Penetration

Many years back I lived on a peninsula north of Boston in a small ocean view cottage. The band “Talking Heads” apparently lived there years earlier when they were starting out.  There’s a song or two they wrote that references the area. It’s a very cool place. The kind of place people think you can leave the doors unlocked and windows open. It’s famous for “Ipswich Clams” if that rings a bell. I’ve been known to dig a few bushels or pecks.

Anyway, regardless of the fact it was off the beaten path and a relatively “safe” area, I still had a home security alarm system.  I’m not one to take chances. Even though it was “safe,” a local kid who develops a drug problem can make a mess of things trying to get his next fix.

While living there I had “Niki”. She was a protective German shepherd Husky mix and probably the sweetest animal that has ever lived and was very very intelligent. Where I lived there was very little auto traffic and she was smart enough to avoid cars so I built her a doggie door to let her come and go.  I’d sometimes get calls when I was at work (her tags had my number) that she had made her way to the beach and was sitting with someone at their lounge chair asking me if they could give her water. She was something else.

One weekend I went away with Niki and came home to a disaster in my house.  Cabinets were opened and stuff pulled out, a small dresser was knocked over, there were papers and trash everywhere, and then I noticed POOP!

A masked burglar broke in! And pooped! Then I saw paw prints! It was a raccoon! The little bugger spent the weekend at my house and got in through the doggie door. The next night I waited for that burglar, all night, and I caught him. I made a hat. But that’s another story.

The Boston Globe reported a pair of teens were arrested and charged with breaking and entering through a doggie door. Police said the two suspects stole two iPods, prescription pills and $100 cash from the house. The teens were arrested after police arrived at the home following a call from a neighbor.

Obviously a doggie door is easy entry. If you have one you can still have a home security system, but you’d have to turn the motion sensors off if you have a larger dog. Installing security cameras set to alert of an intruder is a good option. Adding outdoor signage would act as another layer of protection.

Niki died 6 years ago. She was 15. She is missed.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing ADT Pulse on Fox News. Disclosures

Financial Institutions Can Protect Their Clients Using “Defense in Depth”

Back in 2005, the Federal Financial Institutions Examination Council (FFIEC) made security recommendations for banks and financial institutions in response to the increase of cybercrime. Since then, banks have implemented most, if not all, of these guidelines, and cyber criminals have responded by challenging each layer of security, by exploiting different technologies or coming up with new hacking techniques.

The latest security recommendations strongly suggest a layered or “defense-in-depth” approach, which the National Security Agency defines as a practical strategy for achieving Information Assurance in today’s highly networked environments. It is a “best practices” strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy strikes a balance between the protection capability and cost, performance, and operational considerations.

The FFIEC recommends that financial institutions replace simple device identification with complex device identification, which most banks had already implemented long ago. Therefore, the next evolution of security is device reputation management, incorporating geolocation, velocity, anomalies, proxy busting, browser language, associations, fraud histories, and time zone differences. iovation, an Oregon-based security firm, offers this service and more.

The FFIEC also recommends that financial institutions replace challenge questions, which are often fact-based and can be easy to figure out with the use of social networking data, with “Out of Wallet” (OOW) questions that don’t rely on publicly available information.

Challenge questions include, “What’s your mother’s maiden name?” “What’s your Social Security Number?” “What are your kids’ names?” or “When were you born?” OOW questions are generally opinion-based, such as, “What is your favorite vacation spot?” “What is your favorite flavor of ice cream?” or “What is your favorite book?”

Keir Breitenfeld, Senior Director of Experian Decision Analytics recently joined Device Reputation pioneer and leader, iovation, for a webinar presentation addressing the FFIEC guidelines.  You can listen to his presentation on applying proportional treatment to risk-based authentication efforts and dynamically managing credit and non-credit data questions to mitigate fraud via the webinar.

Ultimately, financial institutions must implement a layered approach to security. iovation’s device reputation service is a must-have layer that contributes greatly to a defense-in-depth approach, assessing risk throughout multiple points on an institution’s website.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

Beware Of Home Deed Scams

Home property deeds are documents showing home ownership. They are provided to home buyers and certified by county clerks or registrars after closing on a home purchase.  Deeds are generally public records and available for free or a small fee at the state or county registrar’s office.

There are two types of deed scams. The first involves the fraudulent sale of deed documents, and the second involves the fraudulent sale of actual homes by forging deeds.

In the course of a person’s life they may never own or only own 1-2 homes. After a purchase their deeds may sit in a drawer or at a lawyer’s office or live online never to be seen again. Like an automobile title, we sometimes lose track of property deeds and don’t adequately protect these important documents.

Rogue document sales: Deeds are the perfect document to be used as a tool by scammers. Because of the legal aspect and general obscurity of a deed, scammers pose as government agencies such as “The U.S. Government Federal Citizen Information Center” and send out letters or emails recommending that homeowners get official copies of their deed. However, only the registrar or clerk’s office can issue a certified copy, and these scammy companies often charge as much as 1000% more than what a clerk will charge.

Stealing your home: When criminals “steal your home” they are essentially selling the home to a real buyer who is being defrauded.  Criminals will often break into summer homes or vacant homes and change the locks. They will list the property and go through an official closing. While there are checks and balances in place such as title searches, criminals simply forge documents and tell lots of lies.

To protect yourself from someone stealing your home when traveling for an extended period or from stealing a second home start with installing a home alarm security system. Having a monitored alarm and security cameras is definitely one layer of protection.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing burglar proofing your home on Fox Boston. Disclosures.

Do You Own a Safe? Why Not?

Approximately two million homes are burglarized every year. That’s one home every fifteen seconds or so. Police only catch one out of ten burglars, which means the bad guys do it over and over again. Burglaries result in over $4.5 billion in losses annually, or over $2000 for the average victim.

A safe can be had for under a hundred dollars, or up to several hundred, and can last forever.

You don’t need to be a convenience store, a jewelry store, or a bank to need a safe. If you keep money or credit cards in your house, you need a safe. If you have uninsured or uninsurable jewelry, you need a safe. If you have essential paper documents, like birth certificates, Social Security cards, insurance papers, stocks, bonds, or vehicle titles, you need a safe. Investing in a fireproof safe will also protect cash and valuables and save you the hassle of replacing important documents in case of a fire.

I’ve had four different safes over the past twenty years, because my needs have changed. While living at school and then in a small apartment, I had a portable, fireproof safe for documents and jewelry. (Yes, I wear gold jewelry, but that’s another story.) Then, when I owned a multifamily building, I upgraded to a medium-sized safe. And now that I have a family, I protect our belongings with a larger safe. There’s also a safe specifically for firearms, but we’ll get into that some other time.

I’ve always owned SentrySafe products. There are certain brands whose products always seem to work perfectly, right out of the box. Products that work so well, once you buy one, you’ll never have to replace it. That’s SentrySafe’s line of products.

SentrySafe is a family-owned business that has been making fire-resistant safes for over eighty years. I’m proud to be working with them on a campaign to introduce their new Big Bolt Safe. This little beast is sitting right here, bolted to my floor, as a handy thief repellent.

SentrySafe’s values — “Quality, Loyalty, Growth, and Innovation” — are evident in their products. These are terms I identify and agree with, as I’m German Shepherd-loyal, and innovation is what keeps my kids fed.

As a homeowner or apartment dweller, you know stuff happens. Your first concerns should be theft and fire prevention. You probably have home insurance, but instead of relying on a reactive solution to these issues, wouldn’t it be better to add a layer of protection, actively reducing your risk ahead of time, for a fraction of the cost of insurance? What do you think?

Robert Siciliano is a Personal and Home Security Expert for SentrySafe. See him discussing burglar proofing your home on Fox Boston. Disclosures.

 

FFIEC Mandates “System Of Layered Security” to Combat Fraud

For any cave-dwelling, living-under-a-rock, head-in-the-sand, naïve, under-informed members of society who aren’t paying attention, we have serious cyber-security issues on our hands.

Black hat hackers, who break into networks to steal for financial gain, are wreaking havoc on banks, retailers, online gaming websites, and social media. Black hats cost these companies and their clients billions of dollars every year. They are using stolen usernames and passwords to transfer money through wire transfers, Automated Clearing House (ACH) and through billing fraud.

The Federal Financial Institutions Examination Council (FFIEC) has repeatedly implored that come January 2012, any lagging financial institutions will be required to significantly upgrade their security protocol. Since any existing form of authentication can be compromised, the FFIEC recommends that financial institutions should institute systems of “layered security.”

Previous FFIEC recommendations discussed authentication, suggesting that the security issue takes place when a user logs in. But in fact, not all the danger occurs at login. Other website integration points are vulnerable to security issues, particularly at the point when money is transferred.

According to the FFIEC’s recent update:

“Fraudsters use keyloggers to steal the logon ID, password, and challenge question answers of financial institution customers. This information alone or in conjunction with stolen browser cookies loaded on the fraudster’s PC may enable the fraudster to log into the customer’s account and transfer funds to accounts controlled by the fraudster, usually through wire or ACH transactions.”

One of the FFIEC’s recommendations for financial institutions involves complex device identification. iovation, an Oregon-based security firm, goes a step further offering Device Reputation, which builds on complex device identification with real-time risk assessments, the history of fraud on groups of devices, and their relationships with other devices and accounts which exposes fraudsters working together to steal from online businesses.

Smart financial institutions aren’t just complying with the FFIEC’s security recommendations, but are going beyond by incorporating device reputation into their layered security approach.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Good Morning America. (Disclosures)

Mobile Banking More Secure Than Computer E-Commerce?

Mobile banking is on the rise for more reasons than convenience’s sake. In truth, it’s more secure than traditional online banking.  Accessing your bank’s mobile website or using your bank’s mobile application is inherently more secure than using a computer.

Why?

Computers are big targets for thieves. PCs mostly run on Microsoft’s most hacked operating system, they typically contain a great deal of data, and they are vulnerable to viruses created by criminal hackers. Over the past decade criminals have learned the ins and outs of exploiting online banking using PCs. In the past 15 years or so, the desktop computer has been hacked in every possible way, making the computer and the data it contains and transmits extremely vulnerable to fraud.

Mobile banking on the other hand is relatively new – the operating systems vary, viruses and other malware aren’t as prevalent and the technologies in handsets themselves vary greatly among manufacturers.

Computers are still the “low hanging fruit” while mobile phones aren’t as attractive due to computers being so vulnerable.

The mobile carriers’ networks are more difficult to hack than your home or local coffee shop’s wireless network. Mobile carrier services like 3G have a much higher level of encryption and aren’t open like broadband internet. Meaning you can’t just jump on someone’s 3G connection in most cases.

With mobile banking there is the added benefit of additional layers of authentication, in which the account holder authorizes various transactions via text message or call backs with an additional code, making mobile banking even more secure.

As mobile banking becomes more popular, investigate it and try for yourself. You will love the convenience and appreciate the security.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto.

Why Complex Device Identification Isn’t Enough

“Simple device identification” relies on cookies or IP addresses to confirm that a customer is logging in from the same PC that was used to create the account.

The Federal Financial Institutions Examination Council has explained the fallibility of this system:

“Experience has shown this type of cookie may be copied and moved to a fraudster’s PC, allowing the fraudster to impersonate the legitimate customer. Device identification has also been implemented using geo-location or Internet protocol address matching. However, increasing evidence has shown that fraudsters often use proxies, which allow them to hide their actual location and pretend to be the legitimate user.”

“Complex device identification” is more sophisticated. This security technique relies on disposable, one-time cookies, and creates a complex digital fingerprint based on characteristics including PC configuration, Internet protocol addresses, and geolocation. According to the FFIEC, complex device identification is more secure, and institutions should no longer consider simple device identification adequate.
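
The difference between the two schemes is easiest to see side by side. The Python sketch below is an added example, not code from the FFIEC guidance or from any vendor named here; the class names, the attribute set and the exact-match fingerprint are assumptions made for illustration. It shows a copied static cookie being accepted, while a one-time cookie bound to a fingerprint flags both the wrong machine and the replayed copy.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # demo key, generated per run


def fingerprint(attrs):
    """Keyed hash over device characteristics (configuration, IP, geolocation)."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


class SimpleDeviceId:
    """Static cookie: any browser presenting the value is the 'known' device."""

    def __init__(self):
        self.cookies = {}  # cookie value -> account

    def enroll(self, account):
        cookie = secrets.token_hex(16)
        self.cookies[cookie] = account
        return cookie

    def check(self, account, cookie):
        return "allow" if self.cookies.get(cookie) == account else "step-up"


class ComplexDeviceId:
    """One-time cookie, rotated at every login and bound to a fingerprint."""

    def __init__(self):
        self.devices = {}  # account -> {"token", "fp", "spent"}

    def enroll(self, account, attrs):
        token = secrets.token_hex(16)
        self.devices[account] = {"token": token, "fp": fingerprint(attrs), "spent": set()}
        return token

    def check(self, account, cookie, attrs):
        """Return (decision, next_cookie)."""
        dev = self.devices.get(account)
        if dev is None:
            return "step-up", None
        if cookie in dev["spent"]:
            # A spent cookie coming back means a copy exists: revoke the device.
            del self.devices[account]
            return "deny-replay", None
        if not hmac.compare_digest(cookie, dev["token"]):
            return "step-up", None
        if not hmac.compare_digest(fingerprint(attrs), dev["fp"]):
            return "step-up", None  # right cookie, wrong machine
        dev["spent"].add(cookie)
        dev["token"] = secrets.token_hex(16)
        return "allow", dev["token"]


def demo():
    # Constructed sample devices (documentation IP ranges).
    customer_pc = {"os": "Windows 7", "browser": "IE 9", "ip": "203.0.113.10", "geo": "US-OR"}
    fraudster_pc = {"os": "Windows XP", "browser": "Firefox 5", "ip": "198.51.100.7", "geo": "unknown"}

    simple = SimpleDeviceId()
    cookie = simple.enroll("alice")
    simple_copied = simple.check("alice", cookie)  # copied cookie is accepted anywhere

    cx = ComplexDeviceId()
    c0 = cx.enroll("alice", customer_pc)
    copied = c0  # the same value, copied off the customer's PC
    wrong_machine, _ = cx.check("alice", copied, fraudster_pc)
    customer_login, c1 = cx.check("alice", c0, customer_pc)
    replay, _ = cx.check("alice", copied, customer_pc)  # stale copy, fingerprint spoofed
    return simple_copied, wrong_machine, customer_login, replay


if __name__ == "__main__":
    print(demo())
```

Once the replay is detected the device record is revoked, so the next login from either machine falls back to step-up authentication.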

While complex device ID is more sophisticated, the next level of security is Device Reputation. This strategy incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and more.

According to Max Anhoury, Vice President of Global Sales for iovation, “Financial institutions looking to stop fraud while reducing friction for good customers must tie together multiple layers of fraud and risk management for a holistic layered approach. Just this week, iovation presented to hundreds of financial services Info Security professionals and business managers regarding the recent FFIEC guidance (along with Experian Decision Analytics) about finding the optimal process points to strike the right balance between fraud prevention, customer experience and cost.” You can listen to the FFIEC-related webinar presentation at: www.iovation.com/ffiec

If you work in the information security industry, complex device identification is nothing new. While the FFIEC recommends complex identification, you should really be doing something more. The truly forward-thinking have already moved on and are successfully leveraging the benefits of Device Reputation and shared device intelligence.

Simple device identification was in place before the FFIEC mandated it. Now they have mandated complex device identification, but leading InfoSec professionals are already doing more to protect their retail or commercial banking customers, by using device reputation.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures