How Your Smartphone Will Identify You Privately

Banks rely on usernames and passwords as a layer of protection and authentication to prevent criminals from accessing your accounts. However, researchers now show that your password, even a relatively “strong” one, might not be strong enough.

When you create a password and provide it to a website, that site is supposed to convert it to a “hash.” As Ars Technica explains: “Instead, they work only with these so-called one-way hashes, which are incapable of being mathematically converted back into the letters, numbers, and symbols originally chosen by the user. In the event of a security breach that exposes the password data, an attacker still must painstakingly guess the plaintext for each hash—for instance, they must guess that ‘5f4dcc3b5aa765d61d8327deb882cf99’ is the MD5 hash for ‘password’.”

Ars then ran an experiment with participants ranging from a newbie technologist all the way up to expert hackers to see how many of the hashes they could crack.

“The characteristics that made ‘momof3g8kids’ and ‘Oscar+emmy2’ easy to remember are precisely the things that allowed them to be cracked. Their basic components—‘mom,’ ‘kids,’ ‘oscar,’ ‘emmy,’ and numbers—are a core part of even basic password-cracking lists. The increasing power of hardware and specialized software makes it trivial for crackers to combine these ingredients in literally billions of slightly different permutations. Unless the user takes great care, passwords that are easy to remember are sitting ducks in the hands of crackers.”

How to get hacked

Dictionary attacks: Avoid consecutive keyboard combinations— such as qwerty or asdfg. Don’t use dictionary words, slang terms, common misspellings, or words spelled backward. These cracks rely on software that automatically plugs common words into password fields. Password cracking becomes almost effortless with a tool like “John the Ripper” or similar programs.

Simple passwords: Don’t use personal information such as your name, age, birth date, child’s name, pet’s name, or favorite color/song, etc. When 32 million passwords were exposed in a breach last year, almost 1% of victims were using “123456.” The next most popular password was “12345.” Other common choices are “111111,” “princess,” “qwerty,” and “abc123.”

Reuse of passwords across multiple sites: Reusing passwords for email, banking, and social media accounts can lead to identity theft. Two recent breaches revealed a password reuse rate of 31% among victims.

Protect yourself:

  1. Make sure you use different passwords for each of your accounts.
  2. Be sure no one watches when you enter your password.
  3. Always log off if you leave your device and anyone is around—it only takes a moment for someone to steal or change the password.
  4. Use comprehensive security software and keep it up to date to avoid keyloggers (keystroke loggers) and other malware.
  5. Avoid entering passwords on computers you don’t control (like computers at an Internet café or library)—they may have malware that steals your passwords.
  6. Avoid entering passwords when using unsecured Wi-Fi connections (like at the airport or coffee shop)—hackers can intercept your passwords and data over this unsecured connection.
  7. Don’t tell anyone your password. Your trusted friend now might not be your friend in the future. Keep your passwords safe by keeping them to yourself.
  8. Depending on the sensitivity of the information being protected, you should change your passwords periodically, and avoid reusing a password for at least one year.
  9. Use at least eight characters of lowercase and uppercase letters, numbers, and symbols in your password. Remember, the more the merrier.
  10. Strong passwords are easy to remember but hard to guess. Iam:)2b29! — This has 10 characters and says “I am happy to be 29!” I wish.
  11. Use the keyboard as a palette to create shapes. %tgbHU8*- Trace that on the keyboard: it’s a V, starting from any of the top-row keys. To change these periodically, you can slide the shape across the keyboard. Use a W if you are feeling all crazy.
  12. Have fun with known short codes or sentences or phrases. 2B-or-Not_2b? — This one says “To be or not to be?”
  13. It’s okay to write down your passwords, just keep them away from your computer and mixed in with other numbers and letters so it’s not apparent that it’s a password.
  14. You can also write a “tip sheet” which gives you a clue to remember your password but doesn’t actually contain the password itself. For example, for the password above, your “tip sheet” might read “To be, or not to be?”
  15. Check your password strength. If the site you are signing up for offers a password strength analyzer, pay attention to it and heed its advice.
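As an added example (not code from the original post), the check a site’s “password strength analyzer” could run against the weak patterns described above, alongside the storage point from the Ars quote: the same password always gives the same unsalted MD5 hash, whereas a salted, slow PBKDF2 record differs per user. The common-password list and keyboard rows are constructed from the post’s own examples; the function names are mine.

```python
import hashlib
import hmac
import os

# Constructed sample data: the common passwords the post names, plus the
# keyboard rows used to detect "consecutive keyboard combinations".
COMMON_PASSWORDS = {"123456", "12345", "111111", "princess", "qwerty",
                    "abc123", "password"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def keyboard_run(pw, min_len=4):
    """True if pw contains min_len+ adjacent keys from one keyboard row,
    forwards or backwards (qwerty, asdfg, 12345, 54321)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - min_len + 1):
            chunk = row[start:start + min_len]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def weak_password_reasons(pw):
    """Reasons a password fails the post's advice; an empty list means it
    passes. Dictionary-word components ("mom", "kids") would need a real
    wordlist and are not checked here."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if keyboard_run(pw):
        reasons.append("contains a keyboard sequence")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if not all(classes):
        reasons.append("needs lowercase, uppercase, digits and symbols")
    return reasons


def md5_hex(pw):
    """Unsalted MD5, as in the Ars quote. Every site storing this gets the
    same hash for the same password, so one precomputed list of hashes
    matches them all."""
    return hashlib.md5(pw.encode()).hexdigest()


def hash_password(pw, salt=None, iterations=600_000):
    """Salted, deliberately slow PBKDF2-HMAC-SHA256; returns a record of the
    form 'iterations$salt_hex$hash_hex' suitable for storage."""
    if salt is None:
        salt = os.urandom(16)  # a per-user salt defeats precomputed lists
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw, record):
    """Recompute the PBKDF2 hash from the stored salt and compare it in
    constant time."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex),
                             int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for candidate in ["qwerty", "momof3g8kids", "Iam:)2b29!", "2B-or-Not_2b?"]:
        print(candidate, "->", weak_password_reasons(candidate) or "passes")
    # The MD5 from the Ars quote: same password, same hash, on every site.
    print(md5_hex("password"))
    # Two users who both choose "password" still get different PBKDF2 records.
    rec1, rec2 = hash_password("password"), hash_password("password")
    print(rec1 != rec2, verify_password("password", rec1),
          verify_password("Password", rec1))
```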

While you must do your part to manage effective passwords, banks are working in the background to add additional layers of security to protect you. For example, financial institutions are incorporating complex device identification, which looks at numerous characteristics of the online transaction, including the device you are using to connect. iovation, an Oregon-based security firm, goes a step further by offering Device Reputation, which builds on complex device identification with real-time risk assessments. iovation knows the reputations of over 1.3 billion devices in its device reputation knowledge base. By knowing a device’s reputation, banks can better determine whether a particular device is trustworthy before a transaction is approved.

Robert Siciliano is a personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock ’em dead in this identity theft prevention video. Disclosures.

8 Ways to Avoid Contractor Fraud

Need a new roof, home security system, kitchen, driveway or furnace? At some point, you will. And when you do, you’ll search out reputable contractors who offer fair pricing—via the classified section of the local paper, an online search, Craigslist, or by making some calls to friends and family who know someone. Each resource provides its own set of pros and cons, and scammers use every resource.

  1. Reduce your risk. People don’t do their homework. People are naïve and have no clue that someone may be looking to scam them, and they think they are so smart that nobody can scam them. But if you are smart enough to know that this can happen to you and do your best to prevent it, you reduce the risks associated with contractor fraud.
  2. Do your homework. Read up on what the processes are to do the job at hand. While a new roof or home alarm may not be something you want to learn how to do, there are plenty of “do-it-yourself” (or “DIY”) websites that can teach you. Spending two minutes searching and 20 minutes reading can save you money and make you sound intelligent to the contractor by asking the right questions.
  3. Hire right. Do business with someone you know, like and trust. Use well-known brands that vet contractors and have zero-tolerance policies for shoddy work. Find a friend or other trusted source who does know a contractor and hire that contractor. Use the Better Business Bureau when looking for reputable companies.
  4. Get three bids. Be cognizant of how prospective contractors handle themselves, their level of understanding of the work at hand, and whether or not they voluntarily offer up references. Don’t just automatically trust the guy with the whitest teeth and lowest price. Pay attention to your gut.
  5. Check references. If it makes sense for the job at hand, drive by a house that the contractor referenced and actually look to see the quality of the work that was done. Often, construction jobs cost thousands—and taking the time to check work is worth your time.
  6. Get everything in writing. Make sure the contract clearly spells it all out.
  7. Buy the stock yourself. Many contractors will request money up front to do the job. Often they need that money as a “commitment” to do the job and motivate them to fill their trucks up with the tools and stock to do the job. I recommend you go with them to whatever supplier they get their stock from and pay for it directly. If they charge a markup on the stock (it’s usually 15 percent), tell them you’ll gladly give that to them.
  8. Pay in thirds. You’ve already paid for the stock, so now all you have to do is pay for labor: one third upon showing up to do the work, one third halfway through the job and one third when they are done.

Robert Siciliano is a personal and home security specialist to BestHomeSecurityCompanys.com, discussing burglar-proofing your home on Fox Boston. Disclosures.

Bank Sues Client Over Wire Fraud

Banks usually have relatively secure systems to maintain and protect online banking activities. They’ve spent billions to ensure that criminal hackers don’t liquidate all of our accounts. But criminals spend all their time seeking vulnerabilities and often find some way to make a fraudulent withdrawal.

Over the past decade as we have all (mostly) banked and bought stuff online, criminals have formed organized web mobs to sniff out transactions and take over existing accounts and in some cases open up new accounts.

American Banker reports an example of what can still go wrong: “the $2 billion-asset bank is suing Wallace & Pittman, a Crosstown law firm, to recover funds the firm relayed electronically to Russia after an email that purported to be from an industry group lured someone at the firm to surrender their user name and network password, the Charlotte Observer reported.”

The fraudsters used the access to install software on at least one of the firm’s computers that allowed them to hijack its account.

“Masquerading as Wallace & Pittman, the thieves instructed Park Sterling to transfer roughly $336,600 through JPMorgan Chase to a recipient in Moscow. The law firm asked Park Sterling to stop the transfer after receiving confirmation of it, but the request allegedly came too late.”

To defend against all of these hacks the Federal Financial Institutions Examination Council (FFIEC) recommends to financial institutions what’s called a “layered approach” of anti-fraud tools and techniques to combat this type of crime. Meaning it’s not simply a matter of applying a firewall and having anti-virus to protect the network, but going much deeper in protecting many interaction points within the banking site (not just login) and using a variety of proven fraud prevention solutions.

That includes sophisticated methods of identifying devices and knowing their reputation (past and current behavior and other devices they are associated with) the moment they touch the banking website. The FFIEC has recognized complex device identification strategies as a viable solution that’s already proven strong at very large financial institutions. ReputationManager360 by iovation leads the charge with device reputation encompassing identification and builds on device recognition with real-time risk assessment, uniquely leveraging both the attributes and the behavior of the device.

Consumers still need to apply antivirus, antispyware and a firewall and must never respond to emails requesting usernames and passwords and avoid clicking links in emails.

Robert Siciliano is a personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock ’em dead in this identity theft prevention video. Disclosures.

What are the risks of BYOD?

As companies cut costs, and employees desire more freedom of choice, they increasingly bring their own mobile devices to work. The opportunity to eliminate the significant expenses associated with corporate mobile devices excites even the most staid CFO, and the IT guys are told to “make it work.” This development has come to be known by its acronym “BYOD” (Bring Your Own Device).

Sometimes there is no enforced policy in place. Employees do what they want, and permission happens later, if at all. The nurse brings her personal iPad to the hospital and uses it to record patient data she sends via email to the doctor, in addition to reading a book during precious downtime. The salesperson plugs a smartphone into their work PC to charge or sync something, or check personal email over the corporate Wi-Fi.

Using your personal device in the office is convenient and simple, but it’s not secure. Do you have anti-virus installed? Is your iPad’s wireless connection encrypted? Is the app being used secure? What if the device is lost on the bus on the way home—the device with confidential patient information, emails, or presentations on it?

One of the IT Department’s deepest concerns is regulated data. Almost all businesses operate under some form of regulation where fines or penalties are imposed in the event of a data breach: the leak of personally identifiable information like names, addresses, account numbers, and health records.

Then there’s the issue of your device breaking something else on the network. While your company’s IT guy has a relative lock on all the work laptops, desktops, and even some of the mobiles, the IT department quickly loses control if you bring your new Droid or iPad and then connect it to the corporate network. Now the IT guy has to worry whether that last app you downloaded will infect other computers on the network.

No matter what you do, make sure whenever you use your BYOD on a wireless network that the device is protected. I use VPN specifically when I’m on my portable wireless devices. If I’m on my PC laptop, iPhone or iPad and I’m traveling on business, I know I’m going to be connecting to various free public Wi-Fi services at the airport and in my hotel or at a coffee shop. Before I connect to any Wi-Fi, I launch Hotspot Shield VPN. It’s a free VPN, but I prefer the paid version; the expanded paid option is a little quicker and offers a cleaner interface. Either way, it’s a great option that will protect your entire web surfing session, securing your connections on all your devices and eliminating some of the potential headaches for your IT department.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Portland Company Keeps Ringing the Bell Of Success

iovation, which protects businesses from Internet fraud by identifying good online customers with its device reputation technology, recently announced that its ReputationManager 360 solution won gold in the security services category of Network Products Guide’s 8th Annual 2013 Best Products and Services Award. The award honors and recognizes the achievements and positive contributions of organizations and IT professionals worldwide.

Additionally, iovation announced that its Chief Financial Officer, Doug Shafer, has been named CFO of the year by the Portland Business Journal. Shafer was recognized for iovation’s company performance as well as community involvement over the past year. The award is given each year to professionals in Oregon and Southwest Washington who have excelled in their roles as financial executives.

This is the second time in four years that iovation has been awarded a gold by Network Products Guide and this year the company joins other best products and services winners like Cisco Systems, Inc., Yahoo, Inc., Samsung, and NETGEAR.

With its ReputationManager 360 solution, iovation tracks the online behavior of more than 1.3 billion devices from around the world, everything from desktops to laptops, mobile phones to tablets, and gaming consoles to smart TVs, by utilizing its device reputation intelligence.

Device reputation spots online evildoers by examining the computer, smartphone, or tablet they are using to connect to any website. If a device is recognized as having previously committed some type of unwanted behavior, the website has the opportunity to reject the transaction, preventing damage before it occurs.

In the physical world, as the saying goes, “You are only as good as your word.” And when somebody says one thing and does another, we no longer trust them.

Online, people say and do things they never would in the real world. Internet anonymity fuels bad behavior. Websites’ comments sections are filled with vitriol that you’d never hear real people utter. Scammers create accounts in order to con people and businesses into forking over money. And identity thieves use your personal information to fill out online applications for credit.

Robert Siciliano is a personal security and identity theft expert contributor to iovation. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! See him knock ’em dead in this identity theft prevention video. Disclosures.

Barefoot Burglar Gets His Final Sentence

You may recall the story about Colton Harris-Moore, who as a teenager was busted for committing over 100 burglaries in the Pacific Northwest. He stole cars, speedboats and airplanes and is known as the “Barefoot Burglar” because he kicked off his shoes running through the woods from the police.

After two years of running, Harris-Moore was busted in a chase that involved police, boats and bullets. Most of these stories usually end up with the perpetrator being dead. But this now-20-year-old will live to tell another tale—from prison. Last summer, he signed a movie deal to make $1.3 million with 20th Century Fox. However, he won’t earn any money from this, as all the funds will go to restitution.

Fox News reports, “The young man known as the ‘Barefoot Bandit’ pleaded guilty to burglary Wednesday in a Washington County court, perhaps closing the lengthy saga involving a run from the law in stolen cars, boats and airplanes. Judge Rickert acknowledged Harris-Moore’s difficult childhood and lack of parental support that led him to start breaking into cabins and stores as a teenager and that ended with dozens of felony convictions.

“’This is the high cost of low living,’ the judge said. ‘If you can fly an airplane by a manual,’ the judge said, ‘I guess you can pass a GED in three weeks.’ Browne said it wouldn’t be the last chapter in the Harris-Moore story, ‘because you’re going to hear a lot more from Colton, but in positive ways.’”

There is only one Barefoot Burglar, but there are thousands of others breaking into the business every day.

  • Lock your doors and windows.
  • Install a monitored alarm system.
  • Give your home that lived-in look.
  • Leave the TV on LOUD while you are gone.
  • Install timers on your lights—both indoor and outdoor.
  • Close the shades to prevent peeping inside.
  • Use defensive signage.

Robert Siciliano is a personal and home security specialist to BestHomeSecurityCompanys.com, discussing burglar-proofing your home on Fox Boston. Disclosures.

Who the Heck is This Credit Card Charge From?

If you travel as much as I do and use your credit card for every purchase from apples to zebras, you know it’s rare to recognize the name of a merchant listed on your credit card statement. For example, you may go to a restaurant by the name of Dave’s Bar and Grill and get a charge on your card a day later from Smith Enterprises—and you know you didn’t buy anything from a Mr. Smith.

So the way this works is, the bar was set up by Dave Smith’s parent company, Smith Enterprises, which owns a bunch of restaurants. When establishing merchant status, which is the ability to accept Visa, MasterCard and American Express, Dave filled out the parent company’s name, Smith Enterprises, in the merchant status application because the bar and grill is only a DBA (“doing business as”). This, of course, causes lots of problems.

The New York Times reports, “Every time someone initiates a dispute, the bank that issued the card must look into it. Someone has to contact the merchant and wait for a reply that may include a receipt or other documentation.

“Merchants must carve out time to respond to each dispute. They also pay one-time fees for the privilege and may end up paying higher overall fees to accept cards if disputes are too frequent. Or they just get cut off from accepting cards altogether.

“The true cost per dispute to the banks of all of this back and forth ranges from $10 to $40, according to a 2010 estimate by the consultants at First Annapolis.”

And you say, “Anyway, how is that my problem?” Because you still have a confusing statement and don’t know whether your card was fraudulently charged or the merchant is making you work hard to determine what you bought. This costs you time and energy.

There are generally three things you can do to figure this out:

  • Google the name of the company that charged you. Chances are, many others have the same issue and the answer to your question is right there.
  • Call your credit card company and see if it has any inside info. If not, you may need to start a dispute.
  • Sign up for BillGuard. It’s free and has a system that allows you to see what banks and credit card companies might not. You can search the name of any mystery merchants here to find out who the heck they are.

Robert Siciliano is a personal security expert and advisor to BillGuard and is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock ’em dead in this identity theft prevention video. Disclosures.

What is a mobile wallet?

Some say there will be a day when the wallet you carry in your pocket or purse will become obsolete. Technology is evolving in a way that will likely eliminate all our credit cards, store cards, and IDs. We will use our mobile devices as our primary means of commerce and identification. The technology behind mobile wallets combines near field communication (NFC) and applications. Depending on which is used, a user might need to wave their phone near a reader to make a payment or verify identification, or they may open an app and simply click a button.

Mobile wallets are still in their infancy, but the technology is quickly gaining steam. Google introduced Google Wallet, a mobile app that turns your Android phone into a wallet by securely storing your credit cards on your phone, and it has gained popularity by using promotional offers. When you make a purchase from a brick-and-mortar store that accepts Google Wallet, you not only pay but can also redeem discount and promotional offers quickly by simply tapping your phone at the point of sale.

Google Wallet facilitates online shopping by securely storing your credit cards for use on the Internet as well. Paying is quick, easy, and safe when you make a purchase from an online merchant that accepts Google Wallet. If you choose to make your phone a wallet, I seriously suggest a mobile security product as a companion to help protect your device against viruses and malware.

Protect it. Just like your leather wallet, your mobile wallet is portable and subject to being lost or stolen; the data it contains can be accessed, or the applications running on it may have access to additional information, resulting in your data being compromised. Any time you are using a mobile wallet, remember that wireless is inherently insecure. Use a secure virtual private network (VPN) such as the free Hotspot Shield VPN, which protects your identity by ensuring that all web transactions (shopping, filling out forms, downloads, etc.) are secured through HTTPS.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Florida Retirees Frequent Identity Theft Targets

A lot of Floridians are retirees who spend their days around the pool or at the beach. The warmer weather attracts both golden agers and, unfortunately, identity thieves. Criminals know that retirees have money in the bank, retirement accounts and credit cards with high limits.

TechNewsDaily reports, “On a per capita basis, 361 Floridians out of every 100,000 were the victims of identity fraud in 2012, according to the Federal Trade Commission’s latest figures. Georgia ranked second, with 194 reports per 100,000, and California ranked No. 3 at 123 per 100,000—a third the rate of victims in Florida.”

Two types of identity theft often affect retirees: new account fraud and account takeover.

New account fraud refers to financial identity theft in which the victim’s personal identifying information, often a Social Security number and good credit standing, is used to create new accounts, which are then used to obtain products and services. Stolen Social Security numbers are often used to commit new account fraud.

Since the thief typically submits a different mailing address when applying for new accounts, the victim never receives the bills and may remain unaware of their existence until creditors come seeking payment for debts the thief has accumulated in the victim’s name.

Account takeover is discovered when victims notice suspicious charges on a credit card statement, or the credit card company may notice charges that seem unusual in the context of the victim’s established spending habits. Protecting yourself from account takeover is relatively easy. Simply pay attention to your statements every month and refute unauthorized charges immediately. I check my charges online once every two weeks.

Protecting yourself from new account fraud requires more effort than account takeover. You can attempt to protect your own identity by getting yourself a credit freeze or setting up your own fraud alerts. There are pros and cons to each.

One cool company that’s watching your back is iovation. iovation spots cyber criminals by analyzing the device reputation of the computers they use to connect to a website. They investigate for suspicious history and check for characteristics consistent with fraudulent users. And the best part is that iovation can prevent a criminal from using stolen data to open a new account in the first place—saving your nest egg for your golden years.


Fight or Flight: What Would You Do?

First, I’m a big believer in running away from a predator. If some whack job breaks into your home and wants to hurt you, RUN out the nearest door. But if you are backed into a corner or a loved one needs protecting, then you may have to fight.

Mom and Dad teach us not to hurt others. As children, we are taught kindness and manners. This is called civilized conditioning. Civilized conditioning is what allows us to inhabit a civilized society without having to worry every second about violence.

But, as you know, violence is an everyday occurrence somewhere. The fact is, there are plenty of people out there who are uncivilized and capable of doing awful things to others.

Civilized conditioning is a double-edged sword. The good part is, it prevents us from being violent toward others for no reason. The bad part is, it prevents us from being physical with another person in the event we do need to protect ourselves. Civilized conditioning is known to contribute to making a person freeze up, stop breathing and panic when someone attacks.

What would you do if confronted by a bad guy? How would you respond? Freeze up? Run? Fight?

As a parent, if someone were to walk up to your child and put his hands on her, without hesitation you would respond with a vengeance—because the parental instinct to defend one’s child never goes away. So you do have it in you; your job is to access those instincts when it comes to saving your own life.

Tools to overcome civilized conditioning when necessary:

  • Realize that no one has a right to hurt or harm you at any time or for any reason.
  • Know that fighting back and offering resistance is the most effective way to remove yourself from a dangerous situation.
  • Ask “What if” questions like, “What if, as I rounded this corner, there was someone there to attack me?” to prepare your mind and body to respond in the event of danger.
  • Use visualization to see potential scenarios in your mind and act out in your head how you would respond.
  • Take as many self-defense classes as you can afford. Self-defense is a life-enhancing experience that gives you an enormous amount of perspective.
  • Develop an acute awareness of your environment (also known as situational awareness), no matter where you are or what you are doing. If something feels wrong, something IS wrong.
  • When attacked, always run to safety, such as to inside a store, someone’s home or any populated place. The worst thing you can do is nothing.
  • Incorporate technology like home alarm systems to give yourself an edge over predators.

Robert Siciliano, personal and home security specialist to BestHomeSecurityCompanys.com, discussing burglar-proofing your home on Fox Boston. Disclosures.