Protecting Your Customer Data from Hackers

Criminal hackers hack for fun, fame, revenge, trade secrets, or terror, but mostly they hack for financial gain. According to a data breach study, based on 75 incidents in the second half of 2010, 13% of web hacking cases involved leaked client data leading to financial fraud. (The top two reasons hackers attacked websites were site defacement at 15% and site downtime at 33%.)

Once customer information is hacked, it can be used to open new accounts or to take over existing accounts. It often takes only a few hackers to crack a system containing millions of customer records. These thieves will then broker and sell the information to other hackers.

The victims find and repair the vulnerabilities in their systems, but the damage has already been done. The individuals whose data has been compromised face an uphill, ongoing battle to protect themselves from financial fraud.

Protecting small business customer data starts with network security basics including:

Software: Antivirus, antiphishing, antispyware, total-protection “all access” security suites, and full disk encryption

Hardware: Routers, firewall security appliances

Physical security: Commercial grade solid core doors, security alarm systems, security cameras.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

Big Time Black Market For Your Credit Cards

There is an entire underground black-market out there hacking, buying and selling your information to steal your identity. The most sought after data is your credit card numbers.

“Carders” are the criminals who buy and sell “dumps,” which are large quantities of credit card and bank account details. Carders and other criminal hackers are also interested in so-called “fullz,” which include first and last names, email addresses and passwords, billing addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, bank account numbers and routing numbers, and even information like the names of victims’ employers and the number of years victims have been at their current jobs. These details help criminals commit new account fraud or account takeover fraud.

Krebs on Security recently reported on, a public-facing website that openly sells this data to registered members. The website proclaims, “Our Databases are updated EVERY DAY. About 99% nearly 100% US people could be found, more than any sites on the internet now.”

Prices for bits and pieces of your identity go for as little as 9 cents, and it looks as though Social Security numbers are available for as low as $3 each.

Most of this stolen data results in new account fraud. Fraudulent credit card applications are the most lucrative form of new account fraud. Identity thieves love credit cards because they are the easiest accounts to open, and they allow thieves to quickly turn data into cash. Meanwhile, consumers don’t find out that credit cards have been opened in their names until they are denied credit or bill collectors start calling.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing credit and debit card fraud on CNBC.

SXSWi Sneak-Peek: First Look At Gemalto’s Mobile Idea/Next Lounge

South by Southwest Interactive (SXSWi), March 9-13, 2012 in Austin, Texas is an incubator of cutting-edge technologies. The event features five days of compelling presentations from the brightest minds in emerging technology, scores of exciting networking events hosted by industry leaders, and an unbeatable line up of special programs showcasing the best new websites, video games, and startup ideas the community has to offer. From hands-on training to big-picture analysis of the future, SXSW Interactive has become the place to experience a preview of what is unfolding in the world of technology.

Gemalto, a digital security leader, will be hosting the Mobile IDEA/NEXT Lounge on the 6th floor of the Hilton throughout SXSW Interactive. The lounge will serve as a hub for those attendees interested in learning, engaging, and sharing in discussions around all aspects of mobility—from the mobile phone to the cloud—and the digital security solutions they necessitate.

There will be a ton of talks and events happening each day in the IDEA/NEXT Lounge. From daily talks and influencer podcasts to daily happy hour panel discussions, the Lounge will be a hub of activity. Even with all that planned, Gemalto wants to hear from SXSW Interactive attendees. Feedback can be sent via Twitter to @JustAskGemalto or @Gemalto_NA.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

I Found Your Data on That Used Device You Sold

Over the past 15 years, the increasingly rapid evolution of technology has resulted in new computers or mobile phones becoming outdated in a matter of one or two years. Chances are, you’ve gone through no less than ten digital devices in the past decade, if not more. It has become standard practice to upgrade to a newer device and often sell, donate, or discard the old one. Or you’ve received a new computer or mobile phone for a holiday gift and need to get rid of the old one.

What did you do with all of your old devices? Some may be in your basement, others were given away, and you might have hocked a few on eBay or Craigslist. Did you know it is very likely that you inadvertently put all of your digital data in someone else’s hands if you no longer have the device?

I recently bought 20 laptops, desktops, netbooks, notebooks, tablets, Macs, and mobiles through Craigslist, all from sellers located within 90 minutes of my home. Of the 20, three of them had never been wiped, meaning that I bought the devices exactly as they once sat on someone’s desk. The original owners had made no effort to clean out the data, which meant that I was able to access the records of their entire digital lives. 17 of the devices had been wiped, meaning that the seller took the time to reformat or reinstall the operating system. Of the 17 wiped drives, seven contained remnants of the previous users’ digital lives. Despite the effort made to reformat or reinstall the operating systems, there were partitions and leftover data on the drives.

After having spent the past few months working with a forensics expert, I’ve come to the conclusion that even if you wipe and reformat a hard drive, you may still miss something. IT professionals tasked with data destruction use “wiping” software, and you can too. But after what I’ve seen, more needs to be done. This means external and internal drives, thumb drives, SD cards, and anything else that stores data really should be destroyed.
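To make the point above concrete, here is an added example (not code from the original post or its forensics expert) that scans a raw disk image for what a reformat leaves behind. It builds a constructed in-memory image with an MBR partition table and a couple of files, simulates a quick reformat that rewrites only the filesystem header, and shows that the old partition entry and file signatures are still there; only overwriting every sector passes the check. The file signatures, sector layout and the `NEWF` header are constructed sample values.

```python
import os
import struct

SECTOR = 512
# File signatures ("magic" bytes) worth flagging on a supposedly wiped drive.
MAGIC = {b"\xff\xd8\xff": "JPEG", b"%PDF-": "PDF", b"PK\x03\x04": "ZIP/Office"}


def scan_image(img: bytes) -> dict:
    """Count nonzero sectors and look for MBR partition entries and file signatures."""
    sectors = [img[i:i + SECTOR] for i in range(0, len(img), SECTOR)]
    nonzero = sum(1 for s in sectors if any(s))
    mbr_partitions = 0
    # A classic MBR ends in 0x55AA; its four 16-byte partition entries start at 446
    # and an entry is in use when its partition-type byte (offset 4) is nonzero.
    if len(img) >= SECTOR and img[510:512] == b"\x55\xaa":
        for n in range(4):
            entry = img[446 + 16 * n:462 + 16 * n]
            if entry[4] != 0:
                mbr_partitions += 1
    sigs = {}
    for i, s in enumerate(sectors):
        for magic, name in MAGIC.items():
            if s.startswith(magic):
                sigs.setdefault(name, []).append(i)
    return {"sectors": len(sectors), "nonzero_sectors": nonzero,
            "mbr_partitions": mbr_partitions, "file_signatures": sigs}


def is_clean(report: dict) -> bool:
    """A wiped drive has nothing left to recover: every sector reads as zero."""
    return report["nonzero_sectors"] == 0


def build_constructed_image(n_sectors: int = 256) -> bytearray:
    """Constructed sample disk: MBR with one partition, a JPEG at sector 40, a PDF at 200."""
    img = bytearray(n_sectors * SECTOR)
    # Entry: status 0x80, CHS start, type 0x83, CHS end, LBA start 8, sector count.
    img[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x83, b"\0\0\0", 8, n_sectors - 8)
    img[510:512] = b"\x55\xaa"
    img[40 * SECTOR:40 * SECTOR + 3] = b"\xff\xd8\xff"
    img[40 * SECTOR + 3:41 * SECTOR] = os.urandom(SECTOR - 3)   # rest of the "photo"
    img[200 * SECTOR:200 * SECTOR + 5] = b"%PDF-"
    return img


def quick_reformat(img: bytearray, part_start: int = 8, fs_header_sectors: int = 8) -> bytearray:
    """Simulate a quick format/reinstall: a fresh filesystem header goes at the
    start of the partition and every other sector is left exactly as it was."""
    out = bytearray(img)
    start = part_start * SECTOR
    out[start:start + fs_header_sectors * SECTOR] = bytes(fs_header_sectors * SECTOR)
    out[start:start + 4] = b"NEWF"   # constructed placeholder for a new filesystem signature
    return out


def full_overwrite(img: bytearray) -> bytearray:
    """What wiping software does: overwrite every sector, not just the headers."""
    return bytearray(len(img))
```

Run `scan_image` on a real image taken with `dd` from a drive you intend to sell and treat any nonzero sector or surviving signature as a reason to wipe again or destroy the media.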

So whether you destroy an unwanted drive with a sledgehammer, or use a drill press to turn it into swiss cheese, or use a hack saw to chop it into pieces, and then drop those pieces into a bucket of salt water for, oh, say a year, just to be safe, for your own good, don’t sell it on eBay or Craigslist.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube.(Disclosures)

Credit Card Skimmers Use Portable Point of Sale Devices

A German “computer whizz-kid” was arrested recently while attempting to transport the latest bank scamming technology into Britain.

The 26-year-old married father of two worked at various software companies worldwide, gathering the necessary technologies and components to create a card skimming device designed to replace the real point of sale devices at restaurants or other retail establishments.

In the United States, consumers often hand their credit cards over to waiters or waitresses, for example. A waiter disappears and comes back moments later with a receipt to be signed. Overseas, in Europe and other countries, portable point of sale (POS) devices allow the waiter to charge a credit card right at the table.

In Europe, credit cards use chip and PIN technology, following the global standard known as EMV, which stands for Europay, MasterCard, and Visa. This technology is more secure than the regular magnetic stripe cards used in the United States. Nevertheless, the German credit card skimmer possessed 17 devices capable of skimming security and account details from chip and PIN card readers.

What’s more, these skimming devices were equipped with wireless technology, which would allow the fraudster to access the stolen credit card data remotely. Had they been successfully implemented on ATMs and POS devices, identity theft criminals would have been able to receive victims’ banking details automatically on laptops or mobile phones up to 100 meters away.

This type of credit card fraud already occurs in the United States in different forms, but online retailers can protect themselves from fraudulent transactions. If a customer’s PC, smartphone, or tablet indicates an abnormally high level of risk, the merchant can reject the purchase in advance. iovation, the global leader in device reputation, has blocked 35 million fraudulent online transactions in the last year.

Prevent credit card skimming and protect yourself from credit card fraud by checking your statements regularly.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

How Safe Is Paying With Your Phone?

mCommerce, or mobile commerce, refers to financial transactions conducted via smartphones or other mobile devices. But are mobiles really meant for financial transactions?

While about a third of mobile phone users remain unwilling to dabble in mCommerce due to identity theft concerns, the majority of users are apparently comfortable making purchases with their phones, just as they would with a PC.

mCommerce’s strength is the variation between mobile operating systems and handset technologies from different manufacturers, which makes it difficult for criminals to create and distribute mobile malware. Additionally, mobile carriers’ networks have higher levels of encryption, making it more difficult for a hacker to access a 3G connection, for example.

Handset manufacturers, application developers, and mobile security vendors continue working to improve mobile security. Banks are offering a consistent sign-on experience for both their online and mobile channels, including multifactor authentication programs for mobile.

Consumer Reports estimates that almost 30% of Americans that use their phones for banking, accessing medical records, and storing other sensitive data do not take precautions to secure their phones.

Download a mobile security product such as McAfee Mobile Security. This is particularly crucial for Android users, as Androids tend to be more vulnerable to attacks.

Use your carrier’s 3G connection to send sensitive information, rather than Wi-Fi.

Use your bank’s dedicated mobile application, rather than accessing their main website via mobile device.

Set your device to lock automatically after a set period of time.

Invest in software that can remotely lock, locate, and wipe a missing mobile.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Shipping Scams Go After Small Business

A colleague with a small business was cleaning out his warehouse of tools and supplies and decided to list many items on Craigslist. I have lots of experience in this process and I can tell you “It’s always something”.

An application called “CraigsPro” allows you to go through your items snapping pictures and creates a simple Craigslist advertisement within a minute.

One item he was selling was a portable generator. He got the following email and sent it to me:

“Thanks for the prompt response,i will like to proceed with the transaction asap and my mode of payment will be via Bank certified check. However, to ease the pick up the item will be picked-up from you by my shipper once you receive and cash the check,i am willing to wait for your bank to verify and clear the check before the shipper pickup the item therefore I’ll need this detail below to mail out the check.

* The Full name on check
* Mailing address (Deliverable Address)
* Phone Number

Proceed to delete the advert of this item if my mode of payment is accepted and get back to me asap with your details to mail out the certified check to you.”

My friend responded with his address for the “buyer” to send a check. Within 3 days via Federal Express an actual check came in the mail for hundreds of dollars more than the item was listed for. The additional dollars were supposed to pay for the shipping costs.

If my friend were to deposit the bogus check, the funds would have shown in his account within a few days, thereby prompting him to mail out a business check to the Craigslist scammers. But once the check was determined to be a fake by the issuing bank, the funds would have been removed from his small business account.

To prevent overpayment scams, never fall for advance-fee shipping scams. They are so obvious.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

Bad Drivers And Insurance Scams Uncovered Online

Some people can’t help bragging and babbling about themselves online. Whether in a blog post, tweet, Facebook status update, or YouTube video, chances are if it happened, it’s going to come out online.

The Internet is making it much easier for fraud investigators to learn everything they need to know about their subjects.

Teenagers and street racers regularly publish accounts and videos of their exploits on Facebook, attracting attention from viewers who forward these reports to police, resulting in fines and arrests.

Fox Business reports, “In one Texas trial, a jury will likely give large weight to a video pulled off YouTube. The video shows a $1.2 million Bugatti Veyron – a limited production French sports car – careering into a saltwater lagoon. The owner, an auto dealer who had increased his insurance to $2.2 million shortly before the incident, claimed he had swerved to avoid a pelican. But Philadelphia Indemnity Insurance Co. argues no pelican can be seen in the video.”

The old adage, “You can run, but you can’t hide,” rings truer than ever with the Internet. Not only can fraud investigators use Internet posts against unwitting criminals, they can also expose criminal activity based on the reputation of the very devices with which they are posting. Whether a person voluntarily shares information through social media, or is captured on video that winds up online, or if the digital device they use has acquired a reputation for cybercrime, it’s harder than ever to escape the truth.

Device reputation analysis examines computers, tablets, and smartphones for a history of suspicious behavior, investigating for characteristics consistent with fraudulent use. This allows online retailers, dating websites, gaming websites, and insurance companies to deny criminals access to their networks, often before their first attempt.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Banks Blame Cybercrime Victims for Hacking

It’s Tuesday morning after a long weekend, the bookkeeper comes in a little late but hits the books right away. She comes into your office and asks you about a series of wire transfers you made over the holiday weekend to new employees who apparently live overseas. And then your heart sinks. Because you have heard about how small business bank accounts are hacked, but didn’t think it would happen to you.

It’s happening to the tune of around 1 billion dollars a year. Small business bank accounts are being hacked and the banks are pointing the finger at their customers. Why? Because in many cases there are no actual data breaches at the banks. Cybercrime is often taking place right in the small businesses’ offices, on their own PCs.

Bloomberg reports, “Organized criminal gangs, operating mostly out of Eastern Europe, target small companies, school districts and local governments that maintain fat commercial bank accounts protected by rudimentary security measures at community or regional banks. The accounts typically aren’t covered by insurance as individual accounts are.”

However, one bank fought back and won. iovation reports, “one Michigan judge recently decided in favor of Comerica Bank customers, holding the bank responsible for approximately $560,000 out of a total of nearly $2 million in unrecovered losses. A copy of the bench decision is available from Pierce Atwood LLP, and the firm also outlines significant highlights and observations regarding this cybercrime case.”

Small businesses are under siege today and must know their bank accounts are being targeted by cyber-thieves. One solution is certainly a secure IT infrastructure and another, in some cases, may be moving to a bigger bank. Some smaller banks simply can’t handle the loss, whereas bigger banks may have the resources to absorb it. If you bank with a small bank, now is the time for a heart-to-heart talk.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

Another Way to Investigate Insurance Fraud

Insurance fraud has been around since the dawn of the insurance policy, largely due to its reliance on the honor system. It’s fairly easy to file and process a fabricated claim—just a matter of filling out paperwork online, really. While there are certainly some checks and balances in the claim investigation process, there are often too many variables to make a conclusive determination of a claim’s legitimacy, and with an ever increasing number of policies being created online, the insurance industry needs to take added precautions against fraudsters. reports, “Insurers can use indicators and experience of fraud awareness techniques to identify patterns and they are more aware of the possibilities of fraud and exposure they have in the fleet side of the business, but we can’t be complacent.”

According to Damian Ward, head of the fraud team at law firm Halliwells, a more sophisticated variety of fraud involving criminal gangs has been a problem within the industry for quite a while. Ward says fraudsters take advantage of the ease with which motor insurance may be obtained. “With the internet, there is little underwriting control and it is easier for people to set up false policies and claims.”

Insurance fraud investigators may not know what many in the financial, retail and banking sectors are already aware of, which is that the digital devices being used to file claims can be identified as collaborators in a larger conspiracy. Once these PCs, laptops, Macs, tablets, or smartphones are “fingerprinted” and their reputations are established, investigators can begin putting together the pieces of the puzzle in order to take down a criminal enterprise.

ReputationManager 360, by iovation Inc., can re-recognize devices and share the reputation of those devices, plus assess transaction risk in real time for insurance companies. Hundreds of online businesses use this software-as-a-service to detect fraud upfront, reduce financial losses and protect their brand reputation.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)