14 Busted In Tax Fraud Identity Theft

Calling all identity thieves: stop wasting your time trying to open new credit card accounts or taking over existing credit card accounts. The money is in IRS tax-related identity theft.

The IRS is struggling to keep up with all the fraudulent income tax returns coming in via US postal and online filings. Criminals are obtaining millions of Social Security numbers, filing returns under the victims’ personal information, and collecting their refunds at an alarming rate.

Reuters reports “Fourteen people were arrested on Wednesday and charged with operating a long-running U.S. identity theft ring that filed thousands of fraudulent federal income tax returns to claim $65 million in illegal refunds, according to the U.S. Attorney’s office in New Jersey.”

Criminals are filing thousands of fake returns using real people’s information and collecting millions. The U.S. Attorney was quoted saying “The defendants in this case allegedly tried to steal $65 million using stolen identities to obtain refunds to which they were not entitled.” But they still managed to get $11.3 million. Many of the refund checks were being sent to the same addresses.

The Treasury Inspector General for Tax Administration reports over 2 billion dollars lost annually to tax-related identity theft, with victims doubling in 2011 to over 641,000. The Treasury also stated that $26 billion could be lost in the next 5 years if the IRS doesn’t fix the problem. The problem stems from the IRS not being able to effectively determine if a return is being filed in good faith or fraudulently.

One way to determine if an online filing is legitimate is to check the reputation of the device issuing the tax return. If the PC, Mac, tablet or smartphone has a history of online criminal behavior or is exhibiting real-time suspicious behavior, the transaction could be flagged for review before the return is accepted or processed. By using advanced device reputation as the first check in the fraud detection process, the IRS would be able to stop many more fraudulent tax returns as well as downstream fraudulent activities.
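The check described above, sketched as an added example (not code from the IRS, iovation or the original post): it holds a filing for review when its device has prior fraud history, when one device files for many taxpayers, or when one refund address is shared by many taxpayers, the pattern noted in the arrests. Device IDs, taxpayer IDs, addresses, the reputation list and both thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed thresholds (not IRS or vendor values): distinct taxpayers tolerated
# per device and per refund address before a filing is held for review.
MAX_TAXPAYERS_PER_DEVICE = 2
MAX_TAXPAYERS_PER_ADDRESS = 2

_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt"}


def normalize_address(addr):
    """Fold case, punctuation and common suffixes so variants compare equal."""
    words = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)


def screen_filings(filings, bad_devices):
    """Return {return_id: [reasons]} for filings to hold for manual review."""
    by_device, by_address = defaultdict(set), defaultdict(set)
    # First pass: count distinct taxpayers seen per device and per address.
    for f in filings:
        by_device[f["device_id"]].add(f["taxpayer_id"])
        by_address[normalize_address(f["refund_address"])].add(f["taxpayer_id"])

    # Second pass: attach every reason that applies to each filing.
    flagged = {}
    for f in filings:
        reasons = []
        if f["device_id"] in bad_devices:
            reasons.append("device has prior fraud history")
        if len(by_device[f["device_id"]]) > MAX_TAXPAYERS_PER_DEVICE:
            reasons.append("device filed for many taxpayers")
        addr = normalize_address(f["refund_address"])
        if len(by_address[addr]) > MAX_TAXPAYERS_PER_ADDRESS:
            reasons.append("refund address shared by many taxpayers")
        if reasons:
            flagged[f["return_id"]] = reasons
    return flagged


# Constructed sample rows: (return_id, device_id, taxpayer_id, refund_address).
_ROWS = [
    ("R1", "dev-A", "T001", "12 Elm Street, Apt 4"),
    ("R2", "dev-A", "T002", "12 ELM ST APT 4"),
    ("R3", "dev-B", "T003", "12 Elm St., Apartment 4"),
    ("R4", "dev-C", "T004", "90 Oak Avenue"),   # device is on the bad list
    ("R5", "dev-D", "T005", "7 Pine Road"),     # two-person household:
    ("R6", "dev-D", "T006", "7 Pine Rd"),       # stays under both limits
    ("R7", "dev-E", "T007", "1 Birch Road"),
    ("R8", "dev-E", "T008", "2 Cedar Road"),
    ("R9", "dev-E", "T009", "3 Maple Road"),
]
FIELDS = ("return_id", "device_id", "taxpayer_id", "refund_address")
SAMPLE_FILINGS = [dict(zip(FIELDS, row)) for row in _ROWS]
KNOWN_BAD_DEVICES = {"dev-C"}  # constructed reputation list

if __name__ == "__main__":
    results = screen_filings(SAMPLE_FILINGS, KNOWN_BAD_DEVICES)
    for return_id, reasons in results.items():
        print(return_id, "->", "; ".join(reasons))
```

A shared device or address is a reason to review, not proof of fraud: tax preparers and large households trip the same counters, so the thresholds need tuning against real filing patterns.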

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Preventing Identity Theft of the Deceased

Identity theft of the deceased is so wrong, and so easy, thanks in part to the availability of public records. In the 1990s, a provision in a federal welfare reform law created a loophole allowing swindlers to obtain Social Security numbers of the recently deceased.

Some states’ records and statistics registries include Social Security numbers on all certified death certificates. And for $18, you or anyone else can obtain a death certificate.

Experian, one of the three largest credit bureaus, was asked, “My wife has died. Should I give Experian the details, to prevent her name being used for identity fraud?”

Experian responded, “It is certainly a good idea to alert Experian and the other credit reference agencies to your wife’s passing. Remarkably, some fraudsters do target the identities of the recently deceased. We will check to make sure all her credit agreements have been closed down and also make it clear on our records that she has passed away.” For more details on how to report the death of a relative to prevent Social Security scams, please read Experian’s advice here.

Deaths are generally reported to the Social Security Administration in a relatively timely fashion, but not always. As far as I can tell, there is no IRS form designed specifically for this purpose, although the IRS does demand “a final accounting,” a responsibility that falls to the survivors or executor. When a taxpayer dies, a new taxpaying entity—the taxpayer’s estate—is born to ensure no taxable income falls through the cracks.

The three credit bureaus maintain a list of the deceased based on data from the Social Security Administration. But it can take months for these bureaus to update their databases with the latest social security information and prevent identity theft. By contacting the credit agencies directly, you can report a death with confidence that the information will be recorded immediately.

Robert Siciliano personal and home security specialist to Home Security Source discussing ADT Pulse on Fox News. Disclosures

Social Media Security Risks for Small Business

For more than a decade, cyber criminals have launched countless attacks on banks’ online infrastructure, successfully one-upping security professionals and their clients by creating viruses that bypass existing security measures.

In response, computer security companies have continuously updated their technologies to address new cyber threats.

However, one major variable that technology cannot control is the human element. Sure, many existing computer security technologies help protect consumers, banks and small businesses from human errors like accidentally downloading a virus, or social engineering tricks designed to fool targets into clicking infected links, by warning users about potentially dangerous webpages and phishing emails. But no computer security technology or privacy policy can prevent people and employees from exposing all their lives’ details on social media websites.

When internet criminals target an organization, they start by looking for vulnerabilities in the network’s infrastructure. Beyond that, they target a business’s employees and customers by using information freely provided on the corporate site and collected through social media.

Once they have gathered enough information about a target, hackers use that data to circumvent all the IT security technologies meant to protect users. Below are some things you can do as a small business owner to reduce your social media security risks.

Implement IT Security Policies.

Social media is a great platform for connecting with existing and potential clients. However, without some type of policy in place that regulates employee access and guidelines for appropriate behavior, social media may eventually be completely banned from every corporate network. Teach effective use by providing training on proper use and, especially, on what not to do.

Train IT Personnel.

Effective online security policies begin from the top down. Those responsible for managing technology need to be fully up to speed with social media security risks.

Maintain Updated IT Security.

Whether hardware or software, anti-virus or critical IT security patches, make sure your business network is up to date.

Lock Down Online Privacy Settings.

Most social networks have privacy settings that need to be administered to the highest level. Default settings generally leave your computer security wide open for attack.

Robert Siciliano personal and small business security specialist to ADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

Internet Fraud: Online Dating Scams Cost Millions

All over the world, online dating sites are riddled with internet scammers. For example, the Australian government has collected reports from 1600 internet fraud victims who reported losing a total of 17 million dollars to online dating scams in 2011.

“These scams typically involve a genuine user of a dating website being contacted by a potential admirer who is a scammer in disguise. After forming a relationship with the victim, the scammer plays on emotional triggers to get the victim to provide money, gifts or personal details,” said the ACCC, which is encouraging online dating websites to help protect users from these kinds of internet scams by warning them of the risks and verifying dating profiles.

Meanwhile, Mashable reports a 150% increase in global online dating fraud in 2011.

If you use an online dating service, be on guard for internet fraud and follow these internet safety tips:

  • Stick to legitimate, well-known online dating sites, and get referrals from friends who have successfully met romantic partners online.
  • When creating your internet dating profile, never post personal information, including your middle name, full address, phone number or entire birth date.
  • To vet potential online dates, look for information about them elsewhere online, and confirm that it matches the information in their online dating profiles.
  • If a potential online date asks for a loan or any financial information, report them to the online dating website immediately. Discussion of money or loans in any capacity is a red flag.
  • When it comes to internet fraud, no matter who someone is, what they say, or how they look, don’t automatically trust them.
  • Don’t let your heart get in the way of basic common sense.


How to Defend your Small Business against Cybercrime

Brilliance, historically, is often expressed in the simplest of technologies; the wheel and the light bulb are perfect examples. Today, brilliance is often attributed to advances in technologies that cure illnesses, solve problems, and make our lives easier.

Over the past decade, coders, programmers, and hackers of all kinds have come up with some of the simplest and most brilliant inventions—inventions with the power to transform life as we know it. Unfortunately, when it comes to network security, it’s the cyber criminals that seem to be the smartest in the room.

Forbes reports, “ZeuS, SpyEye, Sunspot, OddJob, Gameover. Villains in the next James Bond movie? No. These are names for sophisticated and dangerous crime-ware used by real villains—internationally organized gangs of cyber criminals—to hijack online bank accounts and steal money.” According to the Anti-Phishing Working Group, when it comes to online security an estimated 45% of all computers are now infected with malicious software designed to steal.

When banks began building out their IT infrastructure to allow for online banking, they didn’t anticipate the thousands of ways in which bad guys would scheme to separate banks and their clients from their cash.

One bank actually sued an accountholder who lost $800,000 to a digital heist in order to determine who shoulders the legal responsibility to protect online bank accounts from fraud. (The bank was able to recover $600,000 of the $800,000, which Italian and Romanian hackers had removed via unauthorized wire transfers.) The bank sought a legal acknowledgement of their systems’ security, while the accountholder argued that online security measures were inadequate.

In a similar case, a Michigan judge decided in favor of Comerica Bank customers, holding the bank responsible for approximately $560,000 out of a total of nearly $2 million in unrecovered losses.

Small businesses and banks are losing money via cyber-attacks on their online banking accounts. One way this happens is that a cybercriminal sends an e-mail with a link to a malicious site or download to employees who handle their company’s bank accounts. These malicious links either install one of the software programs detailed above or steal the usernames and passwords the employees use to log in to their online banking accounts.

Surfing pornography websites increases your risk, as does frequenting gaming websites hosted in foreign countries. Downloading pirated content from P2P (peer-to-peer) websites is also risky.

Computers with old, outdated, or unsupported operating systems are extremely vulnerable to cybercrime. Systems using old or outdated browsers such as IE 5, 6, or older versions of Firefox offer the path of least resistance.

Follow these essential computer security tips to protect your small business against cybercrime. Update your operating system to XP SP3 or Windows 7. Make sure to set your antivirus software to update automatically. Keep your critical online security patches up-to-date by setting Windows Update to run automatically as well. Don’t engage in risky online activities that invite cyber-attacks.


It’s National Cyber Security Awareness Month

There are few pseudo holiday celebration days or months that truly get my attention. But National Cyber Security Awareness Month definitely does! It’s the one month a year that consumers are consistently reminded by news reporters, government agencies, non-profits and security companies that security is everyone’s responsibility.  All of us need to take actions to protect our personal security, our nation’s critical infrastructure and be good digital citizens.

The National Cyber Security Alliance (NCSA), a non-profit public-private partnership focused on cyber security awareness and education for all digital citizens, partnered with McAfee on a new survey to examine U.S. residents’ online safety posture.  The findings reveal a substantial disconnect between our respective online security perceptions and our actual practices while on the Internet. The online safety survey shows that all of us can increase our efforts to make the Internet safer in light of such notable statistics:

  • 90% of Americans agree that a safe and secure Internet is crucial to our nation’s economic security
  • 50% say their job is dependent on a safe and secure Internet and 79% say losing Internet access for 48 consecutive hours would be disruptive
  • 90% of us do not feel completely safe from viruses, malware and hackers while on the Internet
  • 25% of us have been notified by a business, online service provider or organization that our personally identifiable information (e.g. password, credit card number, email address, etc.) was lost or compromised because of a data breach

This data shows that Americans can improve their online safety practices in a number of areas, especially when it comes to accessing the Internet from their personal devices. We can all increase our online safety practices by starting with these simple ways to stay safe online:

Keep your machine clean
Use up-to-date comprehensive security software and use the latest versions of your Web browser, and operating systems.

Own your online presence
When available, set the privacy and security settings on websites to your comfort level for information sharing—it’s good practice to limit who you share information with.

Make passwords long, strong and unique
Use a combination of upper and lowercase letters, numbers and symbols to create a more secure password, and don’t use the same password for all your sites.

Protect all your devices that connect to the Internet
Along with your PC, make sure to protect your Macs, smartphones, tablets and other Internet-enabled devices.

Connect with care
Get savvy about Wi-Fi hotspots and the potential risks of using them. Also, when banking and shopping, check to be sure the site’s security is enabled.

Robert Siciliano is an Online Security Evangelist to McAfee. Watch him discussing information he found on used electronic devices on YouTube. (Disclosures)

What Security Benefits Does Contactless Technology Offer?

Contactless technology offers many benefits, including faster and easier transactions, versatility to be incorporated into various personal devices including mobile phones, and improved data security over magnetic stripe technology.

According to the Smart Card Alliance, “Contactless smart card technology includes strong security features optimized for applications involving payment and identities. Every day tens of millions of people around the world safely use contactless technology in their passports, identity cards and transit fare cards for secure, fast and convenient transactions. Multiple layers of security protect these transactions, making them safe for consumers and merchants. Some of these features are in the contactless smart card chip and some are in the same networks that protect traditional credit and debit card transactions.”

Nicely put.

Contactless technology improves data security in several potential scenarios.

ATM skimming: It’s difficult to skim a card that doesn’t actually come into physical contact with the reader. With the old magnetic striped cards, a card must be physically swiped through a reader device. These point-of-sale readers are found in retail environments, gas stations, and on ATMs. Countless skimming devices installed by criminals have been found in all of these environments.

Data breaches: In recent years, there have been hundreds of data breaches resulting in the loss or theft of more than a half billion records. Companies whose databases have been compromised have spent or lost millions of dollars as a result of these breaches. Contactless payment methods incorporating chip and PIN technology encrypt data to prevent it from being read in plain text.

Lost cards: If your wallet is stolen or you lose a credit card, it is highly probable that a thief will take advantage of the opportunity to rack up charges on your magnetic stripe credit card. A contactless chip and PIN card, on the other hand, can’t be used by just anyone, since any transaction requires a PIN.

So there you have it. These are just a few of the security benefits offered by contactless technology.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures

Phishing Remains Popular and Effective

Phishing, where a scammer sends an email that appears to come from a trusted source in order to trick recipients into clicking malicious links, has been around for quite a while now. Although phishing has become fairly well known, the scam continues to be a successful and widely used method of stealing bank credentials and other personal information.

Cyber security experts recently reported to the House Financial Services panel that criminals have tweaked their phishing tactics. Until recently, most phishing messages purported to be from a bank. But in the latest versions of this scam, the phony emails claim to be from the National Automated Clearing House Association, the Electronic Federal Tax Payment System, the U.S. Postal Service, private delivery firms, telecommunications companies and social networking websites.

According to testimony from the Financial Services Information Sharing and Analysis Center, phishing “remains the most popular attack method that criminals use to infect victims’ machines.”

To protect yourself from phishing scams, malware, and identity theft, follow these guidelines adapted from the Anti-Phishing Working Group:

  1. Be suspicious of any email that demands personal financial information. Call your bank directly to determine if they legitimately need information from you.
  2. Certain red flags can help you spot a phish, such as upsetting or exciting statements designed to elicit an immediate reaction.
  3. Phishing messages typically ask for usernames, passwords, credit card numbers, Social Security numbers, your date of birth, or other similar personal details.
  4. If you suspect that an email or chat message may not be authentic, or you don’t recognize the sender, do not click any links included in the message.
  5. If possible, avoid filling out any form within an email that requires you to enter personal financial data.
  6. Consider installing a toolbar in your Web browser to help protect you from fraudulent websites. These toolbars compare online addresses against lists of known phishing websites and will alert you before it’s too late.
  7. The latest versions of Internet Explorer, Chrome, and Firefox include optional anti-phishing protection.
  8. Check your bank, credit, and debit account statements regularly for any unauthorized transactions.
  9. If you notice any suspicious or unfamiliar transactions, contact your bank and/or card issuer immediately.
  10. Make sure to keep your browser up-to-date and install any necessary security patches.

Banks can help protect their customers by using iovation’s ReputationManager 360, which helps businesses avoid fraud loss by detecting high-risk behavior and stopping cybercriminals in their tracks. The device identification and device reputation technology from iovation assesses risk as activities take place at various points within an online site, such as account creation, logging in, updating account information, attempting a purchase or transferring funds. These checks can be customized and fine-tuned to suit the needs of a particular business, detecting fraudulent and risky behavior in order to identify and block cybercriminals for good.

Where Will I See Contactless Technology in My Everyday Life?

As contactless technology embeds itself into the fabric of everyday transactions all over the world, numerous industries are fine-tuning integration of this latest payment technology into their operations.

Employee Badges: Organizations all over the world are using contactless technology to verify individuals’ authenticity before granting access to a restricted facility, computer system, or electronic device.

For example, a government employee might be required to use a “proximity” card in order to enter a secure facility. Where that employee might have once swiped a magnetic stripe card through a reader, she can now use a contactless card that is more secure and allows her to pass through the access control gate more efficiently.

Or a financial institution might have employees processing sensitive client information. If an employee steps away from his computer for a coffee break, a proximity device he is wearing might trigger his computer to perform a system lockdown until he returns.

Public Transportation: Planes, trains, buses, automobiles, and even shared bicycle services are implementing some form of contactless technology. In fact, multiple citywide transportation services now employ contactless payment methods and many more are making the move to contactless, allowing riders to carry one less card in their wallets by effectively rolling the transit card into the bankcard.

Your local retailers: Before you know it, most, if not all, of your payment cards will offer a contactless option. And once mobile companies and handset providers hash out the best and most efficient way to use mobile payment via contactless on your mobile phone, we will see thousands of mobile payment applications for every possible retailer emerge.


“Operation High Roller” Makes Banks Cringe

According to a McAfee and Guardian Analytics report dubbed “Operation High Roller,” an international ring of cybercriminals has been attacking banks around the world. They have been siphoning roughly $78 million from bank accounts in Colombia, Germany, Italy, the Netherlands, the United Kingdom and the U.S.

In the report, McAfee Director of Advanced Research and Threat Intelligence Dave Marcus writes that this organized crime ring built on tactics established with previous malware is coming up with innovations including: “bypasses for physical ‘chip and pin’ authentication, automated ‘mule’ account databases, server-based fraudulent transactions, and attempted transfers to mule business accounts as high as €100,000 (US$130,000).”

These hackers’ methodology represents a shift from traditional man-in-the-browser attacks on victims’ PCs to server-side automated attacks. Where they once used multipurpose botnets, they now rely on dedicated servers built for the express purpose of processing fraudulent transactions.

Like most financial fraud rings, this one had previously focused on European targets, but McAfee found that their thefts have gone global, spreading to Latin America and more recently to the U.S.

This threat impacts commercial accounts, high-net-worth individuals, and financial institutions of all sizes. The new methodology allows criminals to operate more quickly and to attempt a wider variety of transactions. It is a purpose-built, multiple-strategy approach that helps the criminals’ servers avoid detection, which keeps them live for longer, facilitating even more fraud.

Consumers can begin to protect themselves with antivirus, anti-spyware, anti-phishing, and firewall protection.

Banks and other financial institutions can improve their fraud detection rates even more by incorporating device reputation management into their layered defense. Many leading financial institutions use iovation’s ReputationManager 360 to help stop new account fraud, detect fraud at user login, detect fraudulent credit applications and also to stop check deposit fraud from mobile phones.