9 Warning Signs Your Identity Has Been Stolen

The Federal Trade Commission (FTC) provides the following list of warning signs that your identity may have been stolen:

  1. Accounts you didn’t open and debts on your accounts that you can’t explain
  2. Fraudulent or inaccurate information on your credit reports, including accounts and personal information, such as your Social Security Number, address, name or initials, or employer
  3. Failing to receive bills or other mail (this could indicate that an identity thief has taken over your account and changed your billing address—follow up with creditors if your bills don’t arrive on time)
  4. Receiving credit cards that you didn’t apply for
  5. Being denied credit or being offered less favorable credit terms, like a high interest rate, for no apparent reason
  6. Getting calls or letters from debt collectors or businesses about merchandise or services you didn’t buy.
  7. You may find out when bill collection agencies contact you for overdue debts you never incurred.
  8. You may find out when you apply for a mortgage or car loan and learn that problems with your credit history are holding up the loan.
  9. You may find out when you get something in the mail about an apartment you never rented, a house you never bought, or a job you never held.

The most efficient way to protect your identity is to use an identity theft protection service and get a credit freeze.

Robert Siciliano is a personal and home security specialist to Home Security Source and author of 99 Things You Wish You Knew Before Your Identity Was Stolen. Disclosures.

P2P Security Concerns for Small Business

Peer-to-peer (P2P) file sharing is a great technology used to share data over peer networks. It’s also a great way to get hacked. This is the same P2P software that allows users to download pirated music, movies and software.

In my own P2P security research, I have uncovered tax returns, student loan applications, credit reports and Social Security numbers. I’ve found family rosters which include usernames, passwords and Social Security numbers for an entire family. I’ve found Christmas lists, love letters, private photos and videos (naughty ones, too) and just about anything else that can be saved as a digital file.

Installing P2P software allows anyone, including criminal hackers, to access your client’s data. This can result in business security breaches, credit card fraud and identity theft. This is the easiest form of hacking. There have been numerous reports of government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked.

Blueprints for President Obama’s private helicopters were recently compromised because a Maryland-based defense contractor’s P2P software had leaked them to the wild, wild web.

#1 Have P2P security policies in place that do not allow the installation of P2P software on your workplace computers or employee laptops.

#2 A quick look at the “All Programs Menu” will show nearly every program on your computers. If you find an unfamiliar program, do an online search to see what it is you’ve found.

#3 Set administrative privileges to prevent the installation of new software without your knowledge.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

5 Lessons Learned from RSA

A couple of weeks ago, the RSA Security conference took place in San Francisco, CA. The increasing sophistication of hackers and visibility of data breaches (including one on the conference’s namesake company last year) make this an exciting time to be in the security business. While this show is for corporate IT and security professionals, there are some things that consumers can take away from all of this.

Social networking sites are prime targets for cybercriminals: Hackers are aware of the large numbers of people using sites like Facebook, Twitter and YouTube, and are using this to their advantage by putting offers out there to try and get you to click on malicious links. Security companies are also using social media to get the word out on protection and help educate consumers – take the time to read their advice. McAfee pulls together lots of great content and advice and has over 575k on Facebook.

Hackers are targeting intellectual property: For a decade now, credit card numbers, Social Security numbers and everything needed to take over accounts or open new ones have been a target. Criminals still want all that, and they also want proprietary data that will help their nation or company get an edge.

Advanced Persistent Threats (APTs) will be a bigger topic: You’ve heard the term “it’s not a matter of IF, but WHEN” and this applies to APTs. APTs are ongoing threats where the intent is to persistently and effectively target a specific entity, and they can take criminals days to decades to achieve their goal.

Multiple layers of protection: For the enterprise, this is protection at all points, but this also applies to consumers. It used to be that all you needed was a firewall, then you needed antivirus, now you need anti-spam, anti-phishing, anti-spyware and for heaven’s sake make sure your wireless is protected too. This is just the beginning! Expect more layers to come.

Protect the data and the device: It used to be all you had to be concerned about was protecting your PC. Now you have to be equally proactive in protecting your Mac, tablet and mobile phone. You still need antivirus and all the different layers of protection mentioned in the point above, but you also need to be aware of what stuff you have on all your devices that can expose your personal information and identity.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

QR Codes Could Deliver Malware

You’ve seen barcodes all your life. So you know what they look like: rectangular “boxes” comprised of a series of vertical lines. When a cashier scans a barcode, you hear a familiar beep and you are charged for that item.

A QR code looks different and offers more functionality. QR stands for “quick response.” Smartphones can download QR readers that use the phone’s built-in camera to read these codes. When the QR code reader application is open and the camera detects a QR code, the application beeps and asks you what you want to do next.

Today we see QR codes appearing in magazine advertisements and articles, on signs and billboards; anywhere a mobile marketer wants to allow information to be captured, whether in print or in public spaces, and facilitate digital interaction. Pretty much anyone can create a QR code.

Unfortunately, that’s where the cybercriminals come in. While QR codes make it easy to connect with legitimate online properties, they also make it easy for hackers to distribute malware.

QR code infections are relatively new. A QR scam works because, as with a shortened URL, the link destination is obscured by the link itself. Once scanned, a QR code may link to a malicious website or download an unwanted application or mobile virus.

Here are some ways to protect yourself from falling victim to malicious QR codes:

Be suspicious of QR codes that offer no context explaining them. Malicious codes often appear with little or no text.

If you arrive on a website via a QR code, never provide your personal or login information since it could be a phishing attempt.

Use a QR reader that offers you a preview of the URL that you have scanned so that you can see if it looks suspicious before you go there.

Use complete mobile device security software, like McAfee® Mobile Security, which includes anti-virus, anti-theft and web and app protection and can warn you of dangerous websites embedded in QR codes.
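The URL-preview tip above, sketched as an added example (not from the original article or from any QR reader's code): a function that takes the text a scanner decoded from a QR code and reports the destination host plus warning signs before anything is opened. The function name, warning labels, shortener list and sample payloads are all constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed, non-exhaustive list of link-shortener hosts (not from the article).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


def preview_qr_payload(payload):
    """Summarise a decoded QR payload: real destination host and warning signs."""
    text = payload.strip()
    try:
        parts = urlsplit(text)
        host = parts.hostname  # lower-cased, without userinfo or port
    except ValueError:
        return {"host": None, "warnings": ["unparseable"]}

    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not host:
        # Plain text, Wi-Fi settings, tel:, sms: and similar are not web links.
        return {"host": None, "warnings": ["not-a-web-link"]}

    warnings = []
    if scheme == "http":
        warnings.append("no-tls")  # page is fetched without encryption
    if parts.username is not None:
        # In "https://bank.example@other.host/", the site is other.host.
        warnings.append("userinfo-before-host")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-address-host")  # raw address instead of a name
    except ValueError:
        pass
    if host in SHORTENER_HOSTS:
        warnings.append("shortened-link")  # final destination still hidden
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")  # may render as a lookalike name
    if parts.path.lower().endswith((".apk", ".ipa")):
        warnings.append("app-download")  # link points straight at an app file
    return {"host": host, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner would hand them over.
    samples = [
        "https://www.example.com/menu",
        "http://bit.ly/abc123",
        "https://login.example.com@203.0.113.7/update.apk",
        "WIFI:S:cafe;T:WPA;P:example;;",
    ]
    for sample in samples:
        print(sample, "->", preview_qr_payload(sample))
```

An empty warning list only means none of these particular signs were found; the host shown still has to be one you recognise and expected from the context of the code.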

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

Small Business Tax Scams

The Internal Revenue Service issued its annual “Dirty Dozen” ranking of tax scams, reminding taxpayers to use caution during tax season to protect themselves against a wide range of scams. These aren’t necessarily always perpetrated by an outsider trying to scam the business or individual; sometimes they are inside jobs that put the company in hot water.

Hiding Income Offshore

Over the years, numerous individuals have been identified as evading U.S. taxes by hiding income in offshore banks, brokerage accounts or nominee entities, using debit cards, credit cards or wire transfers to access the funds. Others have employed foreign trusts, employee-leasing schemes, private annuities or insurance plans for the same purpose.

“Free Money” from the IRS & Tax Scams Involving Social Security

Flyers and advertisements for free money from the IRS, suggesting that the taxpayer can file a tax return with little or no documentation, have been appearing in community churches around the country. These tax fraud schemes are also often spread by word of mouth as unsuspecting and well-intentioned people tell their friends and relatives.

False/Inflated Income and Expenses

Including income that was never earned, either as wages or as self-employment income in order to maximize refundable credits, is another popular tax scam. Claiming income you did not earn or expenses you did not pay in order to secure larger refundable credits such as the Earned Income Tax Credit could have serious repercussions.  This could result in repaying the erroneous refunds, including interest and penalties, and in some cases, even prosecution.

False Form 1099 Tax Refund Claims

In this ongoing tax scam, the perpetrator files a fake information return, such as a Form 1099 Original Issue Discount (OID), to justify a false refund claim on a corresponding tax return. In some cases, individuals have made refund claims based on the bogus theory that the federal government maintains secret accounts for U.S. citizens and that taxpayers can gain access to the accounts by issuing 1099-OID forms to the IRS.

Frivolous Tax Arguments

Promoters of frivolous tax fraud schemes encourage taxpayers to make unreasonable and outlandish claims to avoid paying the taxes they owe. The IRS has a list of frivolous tax arguments that taxpayers should avoid. These arguments are false and have been thrown out of court. While taxpayers have the right to contest their tax liabilities in court, no one has the right to disobey the law.

Abuse of Charitable Organizations and Tax Deductions

IRS examiners continue to uncover the intentional tax deduction abuse of 501(c)(3) organizations, including arrangements that improperly shield income or assets from taxation and attempts by donors to maintain control over donated assets or the income from donated property. The IRS is investigating tax fraud schemes that involve the donation of non-cash assets – including situations in which several organizations claim the full value of the same non-cash contribution.

Disguised Corporate Ownership

Third parties are improperly used to request employer identification numbers and form corporations that obscure the true ownership of the business.

Misuse of Trusts

For years, unscrupulous promoters have urged taxpayers to transfer assets into trusts. While there are legitimate uses of trusts in tax and estate planning, some highly questionable transactions promise reduction of income subject to tax, deductions for personal expenses and reduced estate or gift taxes.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

Protect Your Small Businesses with Secure Flash Drives

USB flash drives are handy little devices that can cause big security headaches. Even with robust data security policies, USB drives often fall through the cracks (and out of pockets). These flash drives are often used by employees for both personal and business use, which could potentially spread a virus from a home PC to the corporate network.

Additionally, lost USB drives, among other devices with storage, can cause even bigger headaches resulting in data breaches. A survey by a U.K.-based company found that last year, 4,500 USB flash drives were forgotten in the pockets of clothes left at the dry cleaners and thousands more handheld devices were left in the back seats of taxis.

Computerworld reports that a 2007 survey by Ponemon of 893 individuals who work in corporate IT showed that USB memory sticks are often used to copy confidential or sensitive business information and transfer the data to another computer that is not part of the company’s network or enterprise system. The survey showed 51% of respondents said they use USB sticks to store sensitive data, 57% believe others within their organization routinely do it and 87% said their company has policies against it.

Flash drives can be a security mess. Organizations need to have business security policies in place requiring secure flash drives and never plugging a found “stray cat” into the network either.

Ensure all data stored on a secure flash drive is encrypted. TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys.

Robert Siciliano, personal and small business security specialist to ADT Small Business Security, discussing ADT Pulse on Fox News. Disclosures

What is Identity Theft?

Identity theft occurs when someone takes your personally identifiable information (PII), and misuses it, abuses it, and adapts it to his or her own life, often for financial gain. When an identity thief does this, your good name is soiled—the name you have worked so hard to keep in good standing. Rectifying it can be as simple as a phone call, or it can be as difficult as having to prove your innocence to a jury of your peers.

Identity theft, also known as identity fraud, encompasses various types of crimes. The identifying factor is that a criminal has wrongfully acquired and adopted someone else’s personal data. This can include the victim’s name, Social Security Number, address, date of birth, credit card information, bank account number, or any other type of personal information.

When identity theft affects you, it can consume your time and ruin your credit. You become a liability for an employer or a college administrator. You may be perceived as someone who has bad credit as a result of your own doing. You have a black mark on your reputation. In short, it is the victims, not the criminals, who have a difficult time functioning in a credit-driven society.

What follows is a real-world example of this type of crime:

An 18-year-old man was driving in his vehicle, and he rolled through a stop sign. He was pulled over by a police officer who witnessed the offense. When the police officer checked his information, it was determined that there was a warrant out for his arrest for numerous prior violations. After his arrest and subsequent trip to the police station, they learned that his Social Security Number was tied to a man who was 49 years old. This young man learned that his identity had been stolen a number of years ago! The identity thief had opened up several businesses in the young man’s name while he was still a child. Identity theft is the only crime that I am aware of in which you are presumed guilty until proven innocent.

The most efficient way to protect your identity is to use an identity theft protection service and get a credit freeze.

Robert Siciliano is a personal and home security specialist to Home Security Source and author of 99 Things You Wish You Knew Before Your Identity Was Stolen. Disclosures.

Jailbreaking an iPad Exposes Vulnerabilities

At the McAfee FOCUS conference in October of last year, members from McAfee Labs™ spoke about malware and other threats that affect security. One of the most popular events was when they brought an iPad on stage and did a live hack.

The researchers were able to remotely watch as a user accessed his email and even interacted with the device by accessing the iPad via an unprotected wireless Internet connection (like many of us use in a café, airport or other public place).

The issue that made the iPad vulnerable has since been patched, but the tools used in this hack were some that are also used to “jailbreak” a mobile phone or tablet.

Jailbreaking is the process of removing the limitations imposed by Apple and the associated carriers on devices running the iOS operating system. A jailbroken iPhone or iPad breaks Apple’s security and allows users to download applications, some of which are pirated from unofficial third party stores.

Similar to jailbreaking, rooting is the term used for this process of removing the limitations on any mobile phone or tablet running the Android OS.

Jailbreaking or rooting your mobile device may be desirable in some cases for some people, but what we all need to be aware of is that by doing so, we are opening the device up to vulnerabilities which can be used for malicious purposes.

Here’s the link to the full paper that was written from this demo: http://www.mcafee.com/us/resources/white-papers/wp-apple-ipad-hack.pdf

The lesson we all can learn from this? We need to protect ourselves by:

Using strong passwords and locking our devices

Ensuring that anti-malware and anti-theft protection are in place on our mobile devices

Taking precautions when using public Wi-Fi connections

Being aware of what we do online and how it can make us vulnerable

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

Vacation Rentals Are Scam Bait

Although it’s been a mild winter, people still get itchy to head out for a ski vacation or a tropical one. Many people are searching online classifieds like Craigslist, eBay, newspapers and real estate listings for vacation rentals.

The most suspect site is Craigslist. I’m fully engaged in Craigslist and continually receive scammy communications from supposed buyers. This means scammers are on the site as buyers and sellers full time.

Certainly there are plenty of legitimate ads for vacation rentals; however, many are suspect. I rented out an apartment I own in the past and a Craigslist scammer set up a duplicate ad with my photos and everything and cut my price in half.

If you choose to engage in a rental and a security deposit is required, it is best that you visit the property and hand deliver a check. If you request to visit the property and are denied, then the ad is more than likely fraud.

If the property is hundreds or thousands of miles away and visiting isn’t an option, then there is a much higher risk. In these circumstances never wire money, as there is very little recourse. Using a credit card is a little safer, but there are no guarantees. Here is where the honor system comes in. Otherwise your best bet is to deal with a real travel site with positive reviews.

Google the person, their email, the title of the ad and/or property you are considering renting. If something negative pops up, beware. If the property address doesn’t exist, beware.

Your best bet is to search listings on local real-estate sites. A licensed Realtor is 1000 times safer than blindly using Craigslist.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

Don’t Let Location-Based Services Put You in Danger

Location-based services utilize geo-location information to publish your whereabouts. In some cases, these services can also provide discounts or freebies as a reward for “checking in” at participating businesses and gathering “points.” These services can also be used to share photos and other media in real-time with your friends and followers.

Geo-location or geo-tagging can be used on PCs, but is primarily applicable to mobile phones. The geo-location software usually obtains its data from your device’s Internet Protocol (IP) address or your Global Positioning System (GPS) longitude and latitude. Many of today’s social networking sites are now incorporating location-based services that allow users to broadcast their locations via smartphone.

Carnegie Mellon University has identified more than 80 location-sharing services that either lack privacy policies or collect and save user data for an indefinite period of time.

Some companies have even adopted the technology, which they’ve dubbed “GPS dating,” to connect singles with other local singles anywhere, any time. These dating services make it easy to find other users by providing photos and personal descriptions.

This technology is immensely useful to predators, thieves, and other criminals, since it makes it so simple to determine where you are, and where you are not. They can access a full profile of your itinerary, all day, every day. Someone who is paying unwanted attention to you can see your exact address each time you “check in.”

One of the most extreme examples of the dangers posed by GPS-locators is the issue of domestic abuse victims who seek safety at a shelter; volunteers have adopted a policy of removing batteries from women’s phones as soon as they arrive, so that abusers cannot track their victims to the shelter.

Thieves use geo-location to determine whether you are home or not, and then use that data to plan a burglary.

Stalkers who use the phone’s GPS are usually close to the victim—a family member or ex-boyfriend or girlfriend, for example—and use their personal access to manually turn on GPS tracking.

To protect yourself from broadcasting your location, you should:

Turn off the location services on your mobile phone or only leave them enabled for applications like maps. Most geo-location services are turned on by default.

Be careful about what images and information you are sharing on social networks and when. For example, it’s best to wait until you are home to upload those vacation photos.

Check the privacy settings on the social networking sites where you share information to make sure you are only sharing information with your friends and not everyone.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing GPS Dating Security on Good Morning America. (Disclosures)