I Found Your Data on That Used Device You Sold

Over the past 15 years, the increasingly rapid evolution of technology has resulted in new computers or mobile phones becoming outdated in a matter of one or two years. Chances are, you’ve gone through no less than ten digital devices in the past decade, if not more. It has become standard practice to upgrade to a newer device and often sell, donate, or discard the old one. Or you’ve received a new computer or mobile phone for a holiday gift and need to get rid of the old one.

What did you do with all of your old devices? Some may be in your basement, others were given away, and you might have hocked a few on eBay or Craigslist. Did you know it is very likely that you inadvertently put all of your digital data in someone else’s hands if you no longer have the device?

I recently bought 20 laptops, desktops, netbooks, notebooks, tablets, Macs, and mobiles through Craigslist, all from sellers located within 90 minutes of my home. Of the 20, three of them had never been wiped, meaning that I bought the devices exactly as they once sat on someone’s desk. The original owners had made no effort to clean out the data, which meant that I was able to access the records of their entire digital lives. Seventeen of the devices had been wiped, meaning that the seller took the time to reformat or reinstall the operating system. Of the 17 wiped drives, seven contained remnants of the previous users’ digital lives. Despite the effort made to reformat or reinstall the operating systems, there were partitions and leftover data on the drives.

After having spent the past few months working with a forensics expert, I’ve come to the conclusion that even if you wipe and reformat a hard drive, you may still miss something. IT professionals tasked with data destruction use “wiping” software, and you can too. But after what I’ve seen, more needs to be done. This means external and internal drives, thumb drives, SD cards, and anything else that stores data really should be destroyed.
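A reformat or reinstall rewrites very little of a drive, which is why leftover partitions and files turn up. The following is an added example (not code from the original post) of the kind of check a forensics tool performs before a drive leaves your hands: it scans a raw disk image for any sector that is not all zeros and for on-disk signatures (MBR, GPT, NTFS, FAT32) that a quick format leaves behind. The image here is constructed in memory; on a real disk you would read the raw device instead.

```python
"""Verify that a drive image really is blank after a 'wipe'.

Added example, not from the original post. Works on an in-memory image so it
runs offline; on a real drive, read the raw block device in chunks instead.
"""
import struct

SECTOR = 512

# Well-known on-disk signatures that survive a quick format or OS reinstall:
# (offset within a sector, magic bytes, description)
SIGNATURES = [
    (0, b"EFI PART", "GPT header"),
    (3, b"NTFS    ", "NTFS boot sector"),
    (82, b"FAT32   ", "FAT32 boot sector"),
]


def scan_image(image: bytes, sector_size: int = SECTOR) -> dict:
    """Return residual-data findings for a raw disk image."""
    findings = {"nonzero_sectors": [], "signatures": []}
    for lba in range(len(image) // sector_size):
        sector = image[lba * sector_size:(lba + 1) * sector_size]
        if any(sector):  # a properly wiped sector is all zero bytes
            findings["nonzero_sectors"].append(lba)
        # Legacy MBR: boot signature 0x55AA at bytes 510-511 of LBA 0,
        # followed by four 16-byte primary partition entries at offset 446.
        if lba == 0 and sector[510:512] == b"\x55\xaa":
            findings["signatures"].append((lba, "MBR boot signature"))
            for i in range(4):
                entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
                ptype = entry[4]
                start, count = struct.unpack_from("<II", entry, 8)
                if ptype:
                    findings["signatures"].append(
                        (lba, f"partition entry type 0x{ptype:02x} at LBA {start}, {count} sectors"))
        for off, magic, desc in SIGNATURES:
            if sector[off:off + len(magic)] == magic:
                findings["signatures"].append((lba, desc))
    return findings


def is_clean(image: bytes) -> bool:
    """True only if every sector is zero: the standard a resold drive should meet."""
    return not scan_image(image)["nonzero_sectors"]


def build_sample_image() -> bytes:
    """Constructed sample: a 64-sector 'reformatted' drive that still carries
    an MBR with one partition entry, an orphaned NTFS boot sector and a
    fragment of a user document in unallocated space."""
    img = bytearray(64 * SECTOR)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 40960)
    img[446:462] = entry
    img[510:512] = b"\x55\xaa"
    img[5 * SECTOR + 3:5 * SECTOR + 11] = b"NTFS    "
    img[40 * SECTOR:40 * SECTOR + 40] = b"Form 1040 - Tax Return (constructed)\n".ljust(40)
    return bytes(img)


if __name__ == "__main__":
    result = scan_image(build_sample_image())
    print("non-zero sectors:", result["nonzero_sectors"])
    for lba, desc in result["signatures"]:
        print(f"  LBA {lba}: {desc}")
    print("clean:", is_clean(build_sample_image()))
```

A drive that passes `is_clean` has at least been overwritten once; a drive that fails it is exactly what the author found on seven of the seventeen "wiped" machines.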

So whether you destroy an unwanted drive with a sledgehammer, use a drill press to turn it into Swiss cheese, or use a hacksaw to chop it into pieces and then drop those pieces into a bucket of salt water for, oh, say a year, just to be safe, for your own good, don’t sell it on eBay or Craigslist.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

Credit Card Skimmers Use Portable Point of Sale Devices

A German “computer whizz-kid” was arrested recently while attempting to transport the latest bank scamming technology into Britain.

The 26-year-old married father of two worked at various software companies worldwide, gathering the necessary technologies and components to create a card skimming device designed to replace the real point of sale devices at restaurants or other retail establishments.

In the United States, consumers often hand their credit cards over to waiters or waitresses, for example. A waiter disappears and comes back moments later with a receipt to be signed. Overseas, in Europe and other countries, portable point of sale (POS) devices allow the waiter to charge a credit card right at the table.

In Europe, credit cards use chip and PIN technology, following the global standard known as EMV, which stands for Europay, MasterCard, and Visa. This technology is more secure than the regular magnetic stripe cards used in the United States. Nevertheless, the German credit card skimmer possessed 17 devices capable of skimming security and account details from chip and PIN card readers.

What’s more, these skimming devices were equipped with wireless technology, which would allow the fraudster to access the stolen credit card data remotely. Had they been successfully implemented on ATMs and POS devices, identity theft criminals would have been able to receive victims’ banking details automatically on laptops or mobile phones up to 100 meters away.

Scary.

This type of credit card fraud already occurs in the United States in different forms, but online retailers can protect themselves from fraudulent transactions. If a customer’s PC, smartphone, or tablet indicates an abnormally high level of risk, the merchant can reject the purchase in advance. iovation, the global leader in device reputation, has blocked 35 million fraudulent online transactions in the last year.

Prevent credit card skimming and protect yourself from credit card fraud by checking your statements regularly.

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

How Safe Is Paying With Your Phone?

mCommerce, or mobile commerce, refers to financial transactions conducted via smartphones or other mobile devices. But are mobiles really meant for financial transactions?

While about a third of mobile phone users remain unwilling to dabble in mCommerce due to identity theft concerns, the majority of users are apparently comfortable making purchases with their phones, just as they would with a PC.

mCommerce’s strength is the variation between mobile operating systems and handset technologies from different manufacturers, which makes it difficult for criminals to create and distribute mobile malware. Additionally, mobile carriers’ networks have higher levels of encryption, making it more difficult for a hacker to access a 3G connection, for example.

Handset manufacturers, application developers, and mobile security vendors continue working to improve mobile security. Banks are offering a consistent sign-on experience for both their online and mobile channels, including multifactor authentication programs for mobile.

Consumer Reports estimates that almost 30% of Americans who use their phones for banking, accessing medical records, and storing other sensitive data do not take precautions to secure their phones.

Download a mobile security product such as McAfee Mobile Security. This is particularly crucial for Android users, as Androids tend to be more vulnerable to attacks.

Use your carrier’s 3G connection to send sensitive information, rather than Wi-Fi.

Use your bank’s dedicated mobile application, rather than accessing their main website via mobile device.

Set your device to lock automatically after a set period of time.

Invest in software that can remotely lock, locate, and wipe a missing mobile.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Shipping Scams Go After Small Business

A colleague with a small business was cleaning out his warehouse of tools and supplies and decided to list many items on Craigslist. I have lots of experience in this process and I can tell you “It’s always something”.

An application called “CraigsPro” allows you to go through your items snapping pictures and creates a simple Craigslist advertisement within a minute.

One item he was selling was a portable generator. He got the following email and sent it to me:

“Thanks for the prompt response,i will like to proceed with the transaction asap and my mode of payment will be via Bank certified check. However, to ease the pick up the item will be picked-up from you by my shipper once you receive and cash the check,i am willing to wait for your bank to verify and clear the check before the shipper pickup the item therefore I’ll need this detail below to mail out the check.

* The Full name on check
* Mailing address (Deliverable Address)
* Phone Number

Proceed to delete the advert of this item if my mode of payment is accepted and get back to me asap with your details to mail out the certified check to you.

Thanks

Keith Lourdeaufewlongsx@XXXX.com”

My friend responded with his address for the “buyer” to send a check. Within 3 days via Federal Express an actual check came in the mail for hundreds of dollars more than the item was listed for. The additional dollars were supposed to pay for the shipping costs.

If my friend were to deposit the bogus check, the funds would have shown in his account within a few days, thereby prompting him to mail out a business check to the Craigslist scammers. But once the check was determined to be a fake by the issuing bank, the funds would have been removed from his small business account.

To prevent overpayment scams, never fall for advance fee shipping scams. They are so obvious.

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

Bad Drivers And Insurance Scams Uncovered Online

Some people can’t help bragging and babbling about themselves online. Whether in a blog post, tweet, Facebook status update, or YouTube video, chances are if it happened, it’s going to come out online.

The Internet is making it much easier for fraud investigators to learn everything they need to know about their subjects.

Teenagers and street racers regularly publish accounts and videos of their exploits on Facebook, attracting attention from viewers who forward these reports to police, resulting in fines and arrests.

Fox Business reports, “In one Texas trial, a jury will likely give large weight to a video pulled off YouTube. The video shows a $1.2 million Bugatti Veyron – a limited production French sports car – careering into a saltwater lagoon. The owner, an auto dealer who had increased his insurance to $2.2 million shortly before the incident, claimed he had swerved to avoid a pelican. But Philadelphia Indemnity Insurance Co. argues no pelican can be seen in the video.”

The old adage, “You can run, but you can’t hide,” rings truer than ever with the Internet. Not only can fraud investigators use Internet posts against unwitting criminals, they can also expose criminal activity based on the reputation of the very devices with which they are posting. Whether a person voluntarily shares information through social media, or is captured on video that winds up online, or if the digital device they use has acquired a reputation for cybercrime, it’s harder than ever to escape the truth.

Device reputation analysis examines computers, tablets, and smartphones for a history of suspicious behavior, investigating for characteristics consistent with fraudulent use. This allows online retailers, dating websites, gaming websites, and insurance companies to deny criminals access to their networks, often before their first attempt.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Banks Blame Cybercrime Victims for Hacking

It’s Tuesday morning after a long weekend, the bookkeeper comes in a little late but hits the books right away. She comes into your office and asks you about a series of wire transfers you made over the holiday weekend to new employees who apparently live overseas. And then your heart sinks. Because you have heard about how small business bank accounts are hacked, but didn’t think it would happen to you.

It’s happening to the tune of around 1 billion dollars a year. Small business bank accounts are being hacked and the banks are pointing the finger at their customers. Why? Because in many cases there are no actual data breaches at the banks. Cybercrime is often taking place right in the small businesses’ offices, on their own PCs.

Bloomberg reports, “Organized criminal gangs, operating mostly out of Eastern Europe, target small companies, school districts and local governments that maintain fat commercial bank accounts protected by rudimentary security measures at community or regional banks. The accounts typically aren’t covered by insurance as individual accounts are.”

However, one bank fought back and won. iovation reports, “One Michigan judge recently decided in favor of Comerica Bank customers, holding the bank responsible for approximately $560,000 out of a total of nearly $2 million in unrecovered losses. A copy of the bench decision is available from Pierce Atwood LLP, and the firm also outlines significant highlights and observations regarding this cybercrime case.”

Small businesses are under siege today and must know their bank accounts are being targeted by cyber-thieves. One solution is certainly a secure IT infrastructure and another, in some cases, may be moving to a bigger bank. Some smaller banks simply can’t handle the loss, whereas bigger banks may have the resources to absorb it. If you bank with a small bank, now is the time for a heart-to-heart talk.

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

Another Way to Investigate Insurance Fraud

Insurance fraud has been around since the dawn of the insurance policy, largely due to its reliance on the honor system. It’s fairly easy to file and process a fabricated claim—just a matter of filling out paperwork online, really. While there are certainly some checks and balances in the claim investigation process, there are often too many variables to make a conclusive determination of a claim’s legitimacy, and with an ever increasing number of policies being created online, the insurance industry needs to take added precautions against fraudsters.

PostOnline.co.uk reports, “Insurers can use indicators and experience of fraud awareness techniques to identify patterns and they are more aware of the possibilities of fraud and exposure they have in the fleet side of the business, but we can’t be complacent.”

According to Damian Ward, head of the fraud team at law firm Halliwells, a more sophisticated variety of fraud involving criminal gangs has been a problem within the industry for quite a while. Ward says fraudsters take advantage of the ease with which motor insurance may be obtained. “With the internet, there is little underwriting control and it is easier for people to set up false policies and claims.”

Insurance fraud investigators may not know what many in the financial, retail and banking sectors are already aware of, which is that the digital devices being used to file claims can be identified as collaborators in a larger conspiracy. Once these PCs, laptops, Macs, tablets, or smartphones are “fingerprinted” and their reputations are established, investigators can begin putting together the pieces of the puzzle in order to take down a criminal enterprise.

ReputationManager 360, by iovation Inc., can re-recognize devices and share the reputation of those devices, plus assess transaction risk in real time for insurance companies. Hundreds of online businesses use this software-as-a-service to detect fraud upfront, reduce financial losses and protect their brand reputation.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Analysts Expect Explosion in Mobile Malware

As consumers have overwhelmingly flocked to purchase smartphones (149 million were shipped in Q4, a 37% increase over Q4 2010), mobile operating systems from the likes of Apple, Google, and Microsoft are becoming big targets.

Malware, which consists of viruses, spyware, scareware, and other digital infections designed to steal data, is known to be a serious issue for PCs. In response, there are complete security solutions that include antivirus, anti-spyware, anti-phishing, anti-spam and firewall protection. As smartphones gradually eclipse PCs in usage volume, criminals will direct their malware efforts toward mobile devices. But at present, the world of mobile security offers very few options.

According to McAfee Labs™, “nearly all the types of threats to desktop computers that we have seen in recent years are also possible on mobile devices (parasitic viruses may be a notable exception for modern mobile OS’s, more on this below). Moreover, we are bound to see threats readapted to mobile environments and, unfortunately, we are also likely to see new kinds of malware that target smartphone capabilities that are not available on desktops.”

Now would be a good time to install a mobile security product on your smartphone.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

Data Back-Up Strategies for Your Business

Do you back up data? One would hope you do, and can’t imagine you don’t, but sad to say, many find data backup overwhelming and tedious, so they nix it. One of the problems with getting a small business to secure its data is that they think they need to load up thumb drives, DVDs or tape devices manually. This is in fact tedious and overwhelming.

I’ve got news for you: data backup is easy. With onsite software/hardware and offsite cloud-based servers, business data backup is a complete no-brainer.

There are many data backup options. New PCs often come bundled with backup options. Microsoft Windows 7 comes with “Windows Restore/Back Up”, accessible via the Control Panel, and Macs offer a data protection option called Time Machine. You can buy an external hard drive to copy your files to, or invest in a remote backup service.

I suggest backing up twice on local drives and once in the cloud.

Cloud backup options include Mozy, and Carbonite among others.

Mozy online backup costs $6 per month to back up 50 gigabytes of data on one computer, or $110.00 a year for 125 gigabytes on up to three computers. Mozy offers an easy to use interface and quick, effortless backups of every file type, including files on external drives. If you have over 110 gigabytes, though, it gets pricey.

Carbonite online backup offers unlimited storage from one computer for under $5 per month. Carbonite is inexpensive with an easy-to-use interface that allows you to access your data via an iPhone app, which is very cool. Unfortunately, Carbonite won’t back up external drives, backing up certain media, like videos, is slow, and you have to manually check your folders to make sure everything has successfully been backed up. Also, certain files like software programs with a variety of unusual file extensions, have to be zipped beforehand, since Carbonite won’t back up the individual files with odd extensions.

Local drives: For many small businesses 1-2 TB is all the backup you need. Install a secondary 2TB drive and for $20 install Goodsync. Goodsync automatically backs up your data locally from an internal drive to many external drives.

Goodsync automatically syncs my internal E: drive and external F: drive every two hours. I do this because, while all my data is stored in the cloud, if my internal drive does crash, downloading it all would be a chore, plus, I’d need a drive to download it anyway.

The cloud is ideal for mitigating major data loss catastrophes, but not practical for accessing data on a daily basis.
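Two local copies and one cloud copy only help if each copy actually matches the source, and the post notes that with some services you have to check your folders yourself. The script below is an added example (not code from the original post or from any of the products named) that hashes the source tree and compares it with every backup destination, reporting files that are missing, stale or extra in each copy. The directory names and sample files are constructed in a temporary folder so it runs offline.

```python
"""Verify that every backup copy matches the source tree.

Added example, not from the original post. Hashes the source with SHA-256
and compares each backup destination (two local drives plus a cloud folder
stand-in) against it. Sample data is constructed in a temp directory.
"""
import hashlib
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            result[path.relative_to(root).as_posix()] = h.hexdigest()
    return result


def verify_copies(source: Path, copies: dict) -> dict:
    """Compare the source manifest with every named backup copy."""
    src = manifest(source)
    report = {}
    for name, root in copies.items():
        dst = manifest(root)
        report[name] = {
            "missing": sorted(set(src) - set(dst)),          # never backed up
            "mismatched": sorted(p for p in src.keys() & dst.keys() if src[p] != dst[p]),
            "extra": sorted(set(dst) - set(src)),            # deleted at source
        }
    return report


def build_sample_layout(base: Path) -> tuple:
    """Constructed sample: one source tree, two local drives, one cloud folder."""
    files = {"docs/invoices.xlsx": b"Q1 invoices", "cad/part.xyz": b"odd extension",
             "photos/a.jpg": b"jpeg bytes"}
    roots = {n: base / n for n in ("source", "local_e", "local_f", "cloud")}
    for root in roots.values():
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
    # local_f last synced before invoices.xlsx changed: a stale copy
    (roots["local_f"] / "docs/invoices.xlsx").write_bytes(b"Q1 invoices (old)")
    # the cloud service skipped the unusual extension, as the post describes
    (roots["cloud"] / "cad/part.xyz").unlink()
    return roots.pop("source"), roots


def run_sample() -> dict:
    """Build the sample layout in a temp dir and return the per-copy report."""
    with tempfile.TemporaryDirectory() as tmp:
        source, copies = build_sample_layout(Path(tmp))
        return verify_copies(source, copies)


if __name__ == "__main__":
    for name, r in run_sample().items():
        status = "OK" if not (r["missing"] or r["mismatched"]) else "PROBLEM"
        print(f"{name}: {status} {r}")
```

Point `verify_copies` at your real source folder and backup mounts and schedule it alongside the sync job; an empty "missing" and "mismatched" list for every copy is the only result that means the backups are current.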

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

How will NFC change the mobile wallet?

NFC is an acronym for near field communication, a wireless technology that allows devices to talk to each other. In the case of a mobile wallet application, those devices would be a mobile phone and a point of sale device at a checkout counter.

USA Today reports that the number of NFC handsets is set to increase from about 34 million this year to about 80 million next year. Gartner estimates that growth in handsets will exceed 100 million in 2012, and that 50% of smartphones will have NFC capability by 2015.

The short list of big players, which includes Google, Citibank, MasterCard, Gemalto, First Data, VeriFone, Samsung, Sprint, AT&T, T-Mobile, Verizon and Isis, are all deploying some version of a mobile wallet. Isis’s website promises, “Mobile wallet will eliminate the need to carry cash, credit and debit cards, reward cards, coupons, tickets, and transit passes, fundamentally changing how you shop, pay, and save. All with your phone.” And all powered by NFC.

NFC can also be used to connect online gamers. Within social networking websites, NFC can facilitate the distribution of coupons that can be scanned at in-store terminals.

Soon, we will see online retailers embrace the potential benefits of NFC in order to create effective loyalty programs, supported by online advertising and social media campaigns.

With full deployment, near field communication will make everyday transactions incredibly convenient. If you think your cell phone is your everything today, wait until you see what’s coming next!

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures