23% of Online Fraud is “Friendly”

Friendly fraud occurs when a customer makes an online purchase with a credit card and then, once the merchandise has arrived, calls the credit card company, claims never to have received the item, and requests a chargeback. The merchant has no way of proving the legitimacy of this card-not-present transaction, and is forced to refund the customer’s money.

According to a new study released by LexisNexis Risk Solutions, retailers lost more than $139 billion to fraud last year, with friendly fraud accounting for one fifth of those losses.

The problem for you, the consumer, is that banks and merchants tend not to believe identity theft victims, because friendly fraud complicates the reimbursement process. It’s not uncommon for victims to be required to sign affidavits and have them notarized.

Online merchants need a better system. Device reputation, offered by anti-fraud experts iovation, would be one step in the right direction. While a customer is placing an order, device identification technology recognizes and re-recognizes PCs, smartphones, or tablets used to access online businesses across the Internet. Then, device reputation technology determines whether or not the device being used has a history of fraud (including histories of friendly fraud) or if high risk is assessed at transaction time. When a particular transaction is reported as fraudulent, that information goes into a globally shared knowledge base and the fraudster’s device and its related accounts are flagged in order to prevent repeated attempts under new identities. This protects the merchant and honest consumers from billions of dollars in losses to fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Dumb Intruder Calls Cops On Homeowner

If I ever strived to be a dumb criminal I’d want to be Timothy James Chapek, 24 years old, from Portland, Ore. This cat broke into a home and jumped in the shower when the woman who lived there came home.

The kid locked the bathroom door and called 911. From the 911 call: “I just broke into a house and the owners came home…I think they have guns,” he told the 911 operator.

At the same time, the homeowner confronted him and asked why he was in the house taking a shower, and he said, “I broke in. I was kidnapped.”

When the homeowner yelled at him, telling him she was calling the cops, he said, “I’ve already called them. They’re on the phone right now.”

OMG!

How about not letting this happen in the first place?

Install signage. “Beware of Dog” and “This House is Alarmed” neon signs for $1.98. One for the front door and one for the back door.

Go to the pet store. Get 2 big dog bowls, one for the front porch and one for the back. Write “Killer” in permanent marker on it. This gives the impression you have a big dog. You can even buy a barking dog alarm.

Lock your doors and windows. Install a monitored alarm system. Consider ADT Pulse, which comes with a battery backup even when the power goes out.

Give your home that lived-in look. Leave the TV on LOUD while you are gone.

Install timers on your lights both indoor and outdoor. Close the shades to prevent peeping inside.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing ADT Pulse™ on Fox News.

7 Types of Hacker Motivations

There are good and bad hackers. Here is a window into what they do and why:

White Hat Hackers: These are the good guys, computer security experts who specialize in penetration testing and other methodologies to ensure that a company’s information systems are secure. These IT security professionals rely on a constantly evolving arsenal of technology to battle hackers.

Black Hat Hackers: These are the bad guys, who are typically referred to as just plain hackers. The term is often used specifically for hackers who break into networks or computers, or create computer viruses. Black hat hackers continue to technologically outpace white hats. They often manage to find the path of least resistance, whether due to human error or laziness, or with a new type of attack. Hacking purists often use the term “crackers” to refer to black hat hackers. Black hats’ motivation is generally to get paid.

Script Kiddies: This is a derogatory term for black hat hackers who use borrowed programs to attack networks and deface websites in an attempt to make names for themselves.

Hacktivists: Some hacker activists are motivated by politics or religion, while others may wish to expose wrongdoing, or exact revenge, or simply harass their target for their own entertainment.

State Sponsored Hackers: Governments around the globe realize that it serves their military objectives to be well positioned online. The saying used to be, “He who controls the seas controls the world,” and then it was, “He who controls the air controls the world.” Now it’s all about controlling cyberspace. State sponsored hackers have limitless time and funding to target civilians, corporations, and governments.

Spy Hackers: Corporations hire hackers to infiltrate the competition and steal trade secrets. They may hack in from the outside or gain employment in order to act as a mole. Spy hackers may use tactics similar to those of hacktivists, but their only agenda is to serve their client’s goals and get paid.

Cyber Terrorists: These hackers, generally motivated by religious or political beliefs, attempt to create fear and chaos by disrupting critical infrastructures. Cyber terrorists are by far the most dangerous, with a wide range of skills and goals. Cyber terrorists’ ultimate motivation is to spread fear and terror and commit murder.

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information and access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing another databreach on Good Morning America. (Disclosures)

Tsunami Scam Warnings Keep Coming In

In light of the earthquake and tsunami in Japan, and the subsequent tsunami warnings in Hawaii and on the US West Coast, McAfee is warning consumers about a number of online scams that have appeared within hours of these devastating events.

Sadly, scammers seem to come out of the woodwork during a natural disaster to catch consumers when they’re in a panic, looking for answers, and when they’re most vulnerable.  People should not click on links or respond to phishing e-mails for relief donations that ask for credit card numbers or other personal information.  In addition, be wary of tiny URLs on social media services and posts on social networking sites. Hundreds of domains that could be related to the disaster have been registered so far today, including a scam site that appeared within just two hours of the earthquake.

Follow these guidelines to ensure that donations to victim relief efforts are sent through legitimate sites:

.Org domains are cheap.  Registering does not indicate charitable status in any way.  Verify that the organization is actually a registered charity by typing the URL directly into a web browser.

Donation solicitations that arrive by unsolicited email, especially those sounding overly urgent or desperate, are very likely to be scams.

Be aware that donation requests made via advertising banners can also be scams.

If you’d like to help, support one of the major international organizations that have a “most in need” fund such as the Red Cross.

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)

Neighborhood Works Together To Fight Crime

In Creekmoor, in Orangeburg County, South Carolina, residents are banding together to fight crime.

The Times and Democrat reports “Creekmoor residents are trying to put a stop to property crimes and thefts before the entire area is overrun with crimes far worse than burglaries. About 60 residents of the Columbia Road neighborhood met last week to discuss expanding patrols to put more eyes and ears on the neighborhood. “I’m not asking you to confront any of these people,” Creekmoor resident Malcom Crider said. “All I’m asking you to do is ride.” The neighborhood of about 200 homes began a Crime Watch group three years ago after the typically quiet, middle-class community began experiencing vehicle break-ins.”

The following is a scenario often used by suspects looking to burglarize homes in your neighborhoods as provided by the “Downey Police Department” in the Downey Patriot.

“A suspect may simply walk to the front door of a residence and knock on the door. If someone answers, the suspect will make an excuse for being at the wrong house and walk away. If there is no answer, the suspect will either leave the location before returning a short time later, or make his way into the back or side yard to find a way into the house.

Once out of view of the street, he will look for open windows or doors to gain entry into the residence. If the house is locked, the burglar will oftentimes force entry by breaking a window or forcing a door open.

A car with additional suspects will oftentimes wait a short distance away for the suspect to return with stolen property. The suspect may also call them to respond to the house to assist in the actual burglary of the location.

Because the actions of the burglars are usually not visible from the street, it is difficult for police to discover the crime in progress. Because of this, it’s imperative that residents in the area pay close attention to suspicious subjects in their neighborhood. This is especially true if you see someone knock on a door of a residence, then go to the back of the house when they fail to get an answer.

If you see people in your neighborhood – whether they are walking or sitting in a vehicle – that you feel may be looking for an opportunity to commit a crime, please call the Police Department.”

Robert Siciliano, personal and home security specialist to Home Security Source, discussing Home Security on NBC Boston.

Check Your Password Security

Passwords are the bane of the security community. We are forced to rely on them, while knowing they’re only as secure as our operating systems, which can be compromised by spyware and malware. There are a number of common techniques used to crack passwords.

Dictionary attacks: These rely on software that automatically plugs common words into password fields. Password cracking becomes almost effortless with a tool like John the Ripper or similar programs.

Cracking security questions: When you click the “forgot password” link within a webmail service or other site, you’re asked to answer a question or series of questions. The answers can often be found on your social media profile. This is how Sarah Palin’s Yahoo account was hacked.

Simple passwords: When 32 million passwords were exposed in a breach last year, almost 1% of victims were using “123456.” The next most popular password was “12345.” Other common choices are “111111,” “1234567,” “12345678,” “123456789,” “princess,” “qwerty,” and “abc123.” Many people use first names as passwords, usually the names of spouses, kids, other relatives, or pets, all of which can be deduced with a little research.

Reuse of passwords across multiple sites: Reusing passwords for email, banking, and social media accounts can lead to identity theft. Two recent breaches revealed a password reuse rate of 31% among victims.

Social engineering: Social engineering is an elaborate type of lying. An alternative to traditional hacking, it is the act of manipulating others into performing certain actions or divulging confidential information.
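A small audit for three of the weaknesses listed above (simple passwords, name-based passwords, and reuse across sites), as an added example that is not part of the original article. The vault contents, the `personal_names` input and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Passwords the article names as the most common in the 32-million-password breach.
COMMON_PASSWORDS = {
    "123456", "12345", "111111", "1234567", "12345678",
    "123456789", "princess", "qwerty", "abc123",
}


def strip_decoration(password):
    """Lower-case and drop trailing digits/symbols, so 'Rex2011!' becomes 'rex'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def audit_vault(vault, personal_names):
    """Return {site: [findings]} for a {site: password} mapping.

    personal_names: first names of spouse, kids, relatives or pets
    (hypothetical input; the kind of detail found on a social media profile).
    """
    names = {n.lower() for n in personal_names}
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)

    report = {}
    for site, password in vault.items():
        findings = []
        if password.lower() in COMMON_PASSWORDS:
            findings.append("common")
        if strip_decoration(password) in names:
            findings.append("personal-name")
        shared = sorted(s for s in sites_by_password[password] if s != site)
        if shared:
            findings.append("reused-with:" + ",".join(shared))
        if findings:
            report[site] = findings
    return report


def reuse_rate(vault):
    """Fraction of accounts whose password is also used on another account."""
    counts = defaultdict(int)
    for password in vault.values():
        counts[password] += 1
    reused = sum(1 for p in vault.values() if counts[p] > 1)
    return reused / len(vault) if vault else 0.0


# Constructed sample vault, not real credentials.
SAMPLE_VAULT = {
    "webmail": "Rex2011!",
    "bank": "qwerty",
    "social": "Rex2011!",
    "forum": "ChF95udk",
}

if __name__ == "__main__":
    for site, findings in audit_vault(SAMPLE_VAULT, ["Rex"]).items():
        print(site, findings)
    print("reuse rate:", reuse_rate(SAMPLE_VAULT))
```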

There are a number of ways to create more secure passwords. One option is to create passwords based on a formula, using a familiar name or word, plus a familiar number, plus the first four letters of the website where that password will be used. Mix in a combination of upper and lowercase letters, and you have a secure password. Using this formula, your Bank of America password could be “Dog7Bank,” for example. (Add one capital letter and an asterisk to your password, and it can add a couple of centuries to the time it would take for a password cracking program to come up with it.)

Password managers can also help generate and store secure passwords. Some people like LastPass. Another incredibly efficient and secure service is RoboForm, which has a “Generate” tab in its browser toolbar that creates passwords that can’t be guessed, like “ChF95udk.” All your passwords are backed up on a secure encrypted server and can sync on multiple PCs.

It is just as important to make sure your PC is free of malicious programs like spyware and keylogging software. Beware of RATs, or Remote Access Trojans, which can capture every keystroke typed, take a snapshot of your screen, and even take rolling video of your screen with a webcam. But what’s most damaging is the possibility of a RAT gaining full access to your files, including any passwords being stored by a password manager.

Use antivirus and anti-spyware software and firewalls, and set up your PC to require administrative rights in order to install any new software.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers using social engineering to hack email on Fox News. Disclosures

Be Careful Of Earthquake Related Charity Scams

Internet criminals follow an editorial calendar similar to that of newspaper and magazine editors, coordinating their attacks around holidays and the change in seasons. They further capitalize on significant events and natural disasters. Japan’s earthquake is a biggie.

Whenever a natural disaster hits, normal people get an urge to help those in distress. Our want/need/ability to help out comes from thousands of years of communal living as an interdependent species.

However, natural disasters also bring out the worst in the bottom-feeding sleazebags who smell blood.

Scammers have ramped up and are sending “phish” emails designed to extract your money to their own nefarious cause, “themselves.” Right now, there are 24-hour news reports focusing on the tragedy and people are understandably getting sucked into the drama of the events. This is a prime time to reach out to those same people who are enmeshed in the reports and get them to donate to fake organizations. The following tips will help prevent you from getting scammed and get your donation into the right hands.

Do not donate cash: Anyone asking to come to your home or office and pick up cash is a scammer. Any phone call or email requesting cash or a wire transfer is a scam.

Be suspect of all emails requesting donations: I would never click on a link in an email, especially short URLs. Always manually enter the domain name into the address bar. The best thing is to go directly to the organization’s website.

Check with the Better Business Bureau: The first thing you should always do prior to making a donation to any charity is to check their credibility with the BBB. Go online to http://www.bbb.org/us/Charity-Reviews/ and search out the charity.

Give only to charities, not individuals: Any communication from someone requesting money because of their hardship is an obvious scam. But some people are saps for an emotional sob story. While you may be savvy enough not to fall for these scams, someone in your life who may be naïve could.

Give now and consider giving to the Red Cross: The American Red Cross is the most known and credible organization on the planet for helping out those in despair. Give now and give as much as you can.

Never give out credit card numbers via an unsolicited email.

Never give out PIN or account numbers to anyone for any reason.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing home security and identity theft on TBS Movie and a Makeover.

Mobile Payment is Coming

Near Field Communications, or NFC, is the exchange of information between two devices via wireless signal. For example, a wireless signal emitting from your cell phone can act as a credit card when making a purchase.

This year, over 70 million mobile phones will be manufactured and sold with NFC built in.

NFC can be used in other ways beyond credit card transactions. It can integrate with hardware, such as your car, to unlock a door. It can activate software.

Soon enough, using your phone as a credit card will be commonplace. Mobile contactless payments, in which you pay by holding your phone near the payment reader at the register, are expected to increase by 1,077% by 2015.

According to a study by Boston-based research firm Aite Group, “The gross dollar volume of U.S. mobile payments is estimated to grow 68 percent between 2010 and 2015, but the mobile payments will continue to represent only a ‘tiny portion’ of U.S. consumer spending for many years.”

Mobile payment is still in the testing phase in the United States, Canada, and other countries around the world.

Security is paramount. A new type of smartcard-based SIM is at the core of mobile payment security. It contains a small computer with its own software designed to protect the payment account information. Your credit card provider will make sure that mobile payment is fully secure, or it will not happen.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses identity theft in front of the National Speakers Association. Disclosures

Washington Man Steals Over 1000 Identities

While we often hear about international criminal hackers compromising databases and stealing credit card information, identity theft is often committed locally, by someone with access to sensitive paperwork.

In one such case, a suspected identity thief was recently arrested in Washington, after driver’s licenses, credit cards, and Social Security numbers were stolen from more than a thousand victims across the state.

Detectives believe the documents were stolen from cars and homes and used to open fraudulent bank accounts in victims’ names. Seized evidence includes bags of driver’s licenses, credit cards, credit card swipers, Social Security cards, and a list of thousands of names and Social Security numbers. It is difficult to estimate the total financial loss as the investigation is still underway, but so far the number is into the high thousands, and sure to increase.

According to court documents, the suspect admits being involved in identity theft in order to support his drug habit.

It is important to observe basic security precautions to protect your identity, like using a locked mailbox and checking your online statements often. But while you can store paperwork containing personal information in a locked safe and refrain from keeping sensitive documents in your car, there’s little you can do to ensure the safety of your personal information when it’s stored by corporations and government agencies.

Consumers should consider an identity theft protection product that offers daily credit monitoring, proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on their accounts. McAfee Identity Protection includes all these features, as well as immediate assistance from fraud resolution agents if your identity is ever compromised. For additional tips, visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him explain how a person becomes an identity theft victim on CounterIdentityTheft.com (Disclosures)

Should Dating Sites Require Background Checks?

It’s no secret that there are kooky people in the world, and those kooky people seem to gravitate to the Internet. My theory is that those with ulterior motives relish the anonymity of the web, which allows them to lure in their victims more easily. I can see why they’d appreciate that. It’s easier to lie online.

There’s no body language, no intonation in one’s voice, and no emotional connection to the other person. It’s harder for a person’s sixth sense to connect with an avatar.

The Internet provides a great cover for predators.

In Connecticut, State Representative Mae Flexer introduced a bill designed to make online dating safer. “Sexual predators now have a new tool to find victims — Internet dating websites,” she told the General Law Committee.

And in Texas, State Representative Diane Patrick is proposing that online dating sites be required to disclose to members whether or not background checks are done, which she believes would make online dating safer.

Online dating sites argue that people should use common sense, and point out that not all background checks are entirely accurate. What if the person’s profile is made from stolen information in the first place? The fact is, online dating sites are selling a lot more than an opportunity to connect. They market to the public, inviting them to find love using their website. And they give users an air of legitimacy by default. Posting a profile on a mainstream dating site implies a certain level of credibility.

Background checks would be a good start, and can often provide someone with all they need to make an informed decision. But they may also create a false sense of security and cannot be relied upon completely, especially when people lie about their identity.

Dating sites could incorporate another layer of protection, such as checking the computer used to create the profile in the first place. Device reputation spots online evildoers in a fraction of a second, by examining the computer, smartphone, or tablet used to connect to the dating website or social network. If a device is associated with unwanted behavior, such as spam, online scams, fake profiles, bullying or predatory behavior, the website can reject the new account or transaction. If the computer or smartphone passes the first test of not being associated with unwanted behavior, further identity and background checks would be performed. If the device does not pass, there is no need to pay for further checks.
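The gating order described above, and the shared knowledge base described in the friendly fraud post (a fraud report flags the device and its related accounts), sketched as an added example. This is a toy model written for this page, not iovation's product or API; the class, the function names and the `dev-`/`acct-` identifiers are hypothetical, and a stable device ID is assumed to be supplied by some device identification step.

```python
from collections import defaultdict


class DeviceReputation:
    """Toy shared knowledge base linking devices and accounts (hypothetical model)."""

    def __init__(self):
        self.accounts_by_device = defaultdict(set)
        self.flagged_devices = set()
        self.flagged_accounts = set()

    def observe(self, device_id, account_id):
        """Record that an account was created or accessed from a device."""
        self.accounts_by_device[device_id].add(account_id)

    def report_fraud(self, device_id):
        """A fraud report flags the device and every account seen on it."""
        self.flagged_devices.add(device_id)
        self.flagged_accounts |= self.accounts_by_device[device_id]

    def device_is_risky(self, device_id):
        """Risky if the device is flagged or has been used by a flagged account."""
        if device_id in self.flagged_devices:
            return True
        return bool(self.accounts_by_device[device_id] & self.flagged_accounts)


def screen_signup(rep, device_id, account_id, background_check):
    """Device check first; the paid background check runs only if it passes."""
    rep.observe(device_id, account_id)
    if rep.device_is_risky(device_id):
        return "rejected:device"
    return "accepted" if background_check(account_id) else "rejected:background"


def run_demo():
    """Constructed scenario: one fraud report, then three sign-up attempts."""
    rep = DeviceReputation()
    paid_checks = []  # accounts for which the costly check was actually run

    def background_check(account_id):
        paid_checks.append(account_id)
        return True  # stand-in for an external identity/background service

    rep.observe("dev-A", "acct-1")
    rep.report_fraud("dev-A")          # flags dev-A and acct-1
    rep.observe("dev-B", "acct-1")     # flagged account shows up on a second device

    decisions = {
        "flagged device, new identity": screen_signup(rep, "dev-A", "acct-2", background_check),
        "new device tied to flagged account": screen_signup(rep, "dev-B", "acct-3", background_check),
        "unrelated device": screen_signup(rep, "dev-C", "acct-4", background_check),
    }
    return decisions, paid_checks


if __name__ == "__main__":
    decisions, paid = run_demo()
    for case, outcome in decisions.items():
        print(f"{case}: {outcome}")
    print("background checks paid for:", paid)
```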

According to Jon Karl, Vice President of Marketing at iovation Inc., “We stop 150,000 online fraudulent activities every single day. At one of our international dating clients’ websites, one out of five profiles created are found to be fraudulent. We help protect their brand and keep their members safe by identifying the bad actors upfront before they have a chance to come in contact with legitimate members.”

That being said, it would be a good and prudent practice for any online dating site to further vet and screen users. It won’t keep all the bad apples out, but it will significantly reduce those who are currently using the system for no good.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Safe Personal Dating on Tyra. (Disclosures)