Can your Privacy Policy be Read by a 5th Grader?

Zero. The number of people who have ever read word for word—and understood—a website’s privacy policy.

2PWell, maybe not zero, but the actual number is pretty close to it. And this excludes the lawyers who compose these thick walls of tiny text that are filled with legalese.

How many people even open the link to the privacy policy? After all, it’s almost always at the bottom of the site page, called “Privacy Policy,” in a font that doesn’t even stand out.

It’s time that the privacy policy (aka transparency statement) be short, sweet and simple, with an attractive graphic to catch the visitor’s attention. The purpose of a privacy policy seems to be to inform the website visitor/user just how that person’s data will be used by the business or enterprise that the site is for.

But more accurately, the purpose is for the statement to protect the business in the event of a dispute.

Why don’t businesses introduce a short, in-plain-English statement with the sole purpose of explaining privacy and data protocols; right to the point, no legalese filler fluff? And easy to access while they’re at it. The larger, complicated privacy policy could back up the short, simple transparency statement. Over time, the way the big, and the little, statements work in tandem could be refined.

With this upgrade in the “privacy policy,” visitors to sites will be able to make better choices and have a firmer grip on how the site manages their data.

Just think how much smoother things would be if every website had a link titled “Transparency Statement” that took you to a one-page document with a friendly font size and no legalese. Better yet, why not call the “transparency statement” something like, “How we handle your private information.”

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Protect your Cards from Multiple Kinds of Skimmers

PIN may sometimes stand for pilfered identification number if a hacker gets yours. And it’s easier than ever for thieves to get your PIN from an ATM, coming up with clever ways to beat security technology.

2CThe “primitive” way to get your card number is to manually place a phony card reader over an ATM card reader and then come back to retrieve it. Now it’s being done wirelessly via Bluetooth and SMS tech built into the skimmer. Coupled with wireless cameras and keypad overlays, getting your PIN is easier than ever.

They’re also brazen enough to land jobs that will grant them ATM access; they then install malware that can transmit your PIN to their personal device. PIN hacking’s memory chips and transmitters are thinner and lighter these days, making them go undetected.

The crime of ATM skimming racks up $350,000 a day.

  • Wedge skimming. An employee runs a card through a card reader tool that transfers data from the card’s stripe. The crook downloads this to his device, then burns the data onto a phony card or uses the data to place online or phone orders.
  • Fake ATMs. The crook installs the phony machine in a place that will attract users like a saucer of honey will attract bees. The machine will read and copy tons of data.
  • ATM skimming. The thief fits a card reader onto an ATM or gas pump card reader. The very inconspicuous reader may have wireless technology. This crime often comes with installation of secret pinhole cameras nearby to capture the consumer’s PIN.
  • Data intercepting. A thief poses as a gas pump serviceman and unlocks it with special keys, then plants a device inside that reads all the customer cards’ unencrypted information.
  • Point of sale swapping. The skimming device is placed at the terminal where you make a purchase. Even busy places like McDonald’s have been targeted.

These smart criminals can copy skimmed credit card data on gift cards, blank cards, hotel cardkeys or white cards, the latter being quite useful at self-checkouts. Protection comes in the form of:

  • Anti-Skim Security built into the ATM from the factory or as an add-on solution, which is installed inside the machine
  • Checking your statements every day via a smartphone app or every week online or monthly via your paper statement for suspicious transactions
  • Challenging questionable transactions right away
  • When entering your PIN, conceal the keypad with your other hand
  • After handing an employee your card, keeping a close eye on it. Don’t let the employee leave your site with your card.

A crook (often a store employee in this case) can also nab your data with a handheld skimming device like the “wedge” listed above.

The Many Faces of Skimming

  • Remember, the phony skimming device that’s attached to the card reader goes undetected by the consumer, unless the consumer is well-versed in this kind of crime and knows what to look for.
  • The crooked employee gets your information, then sells it.
  • Thieves can now get the data via wireless technology like Bluetooth, eliminating the risk of getting caught at the machine.
  • Pinhole cameras can be placed anywhere close by, such as in a brochure holder.
  • A crook may place a data capturing device over the keyboard to get PINs.

Get familiar with the ATM you use—because you should be using the same one so that it will be easier to spot something different about it.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

ATM Skimming, Cyber Fraud Keep Bankers up at Night

Last year there were hundreds of cyber fraud incidents that struck banks and put consumers’ personal data at risk, even though the one involving Target stole the scenes. These crimes included payment card skimming, denial-of-service and web app tampering.

1DAs we’ve discussed, security is a top concern for banks at the board level. It’s not that the criminals are particularly bright and that’s why they’re causing so many problems, but rather, security for banks just cannot keep up with the volume and type of attacks. Security can also be under-resourced and/or putting too much of its attention in the wrong places.

A web app attack is the interference of web applications, (such as sending a phishing e-mail ) that tricks the recipient into revealing their banking information. Another example is cracking passwords.

Web attacks are ubiquitous and can be conducted by mediocre-skilled crooks, hunting for the user names and passwords of online banking customers. Banks are responding by beefing up verification processes for their customers rather than relying on just the one-step authentication.

The denial-of-service attack is the second big threat upon banks, when malicious traffic is heaped upon the institution’s web server to disrupt site operation. A malfunctioning site turns off customers—including potential customers. But a DDoS attack can also be launched to divert attention away from another planned attack that actually steals data.

Payment card skimming hits banks hard. The crook puts a phony card reader over the card-swiping device to collect the card’s data off its magnetic strip. The thief will then create phony ATM cards.

The skimming tool can be made at home with a 3D printer—and the cost of the printer can very quickly be recovered with fraudulent use of the phony cards. Skimmers are not traceable, putting a lot of load on bankers’ backs. The fact that some ATMs are remotely located doesn’t help.

There’s still room for the criminals to become savvier, joining forces and sharing ideas, getting organized etc. However, many still remain solitary, which enhances their ability to go undetected.

As renowned security expert Bruce Schneier recently said “Security is now about resilience – it’s not about defense. Banks must up their security awareness, and have a plan in place to respond quickly and thoroughly should there be a breach.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Data Brokers: Walking the Tightrope

Never mind the government nosing in on your business; there’s a much bigger snooper out there that’s mining to your personal data: thousands of companies whose names you may not even know.

2WThese “data brokers” aren’t “bad”, although a few are irresponsible. They collect and analyze your very personal information, then package it up and sell it for profit to advertisers and the government. Though this rather benign consumer marketing is nothing new, the volume and type of data has changed, thanks to the Internet, making data broking a multibillion dollar venture.

Today’s technology allows data brokers to snatch and sell information about your closest friends, medical conditions, unsavory habits, even your literal footsteps—online and offline.

Data brokers today will classify people into groups such as those with genetic diseases or poverty. These are called vulnerable consumers, with classification names such as Ethnic Second-City Strugglers.

As for medical conditions, there are classifications for particular diseases, such as multiple sclerosis and cancer. There is no legislation that regulates any of this mining into our most private information.

Surprisingly, some of these companies are also in the business of offering identity protection services to consumers.

It’s not known just where the bigger data brokers even harvest their information or to whom they are selling it.

Maybe this is because they consider their client list to be proprietary. One broker even stated that it purchases lists of financially vulnerable people from government agencies so that ultimately, those who are eligible for assistance can be identified. These government clients are public record, said the broker.

The FTC consumer protection head believes that data brokers should be required to allow consumers access to the data that’s been scooped up about them. Meanwhile, data brokers records have become attractive to criminals. Ever since the ChoicePoint breach there have been multiple info/data brokers compromised.

When considering who you choose to do business with, relationships with data brokers, especially any who are also involved with protecting your customers’ identities, should be reassessed.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen.See him knock’em dead in this identity theft prevention video. Disclosures.

Teens’ Online Behavior Can Get Them in Trouble

Do you really know what your kids are doing all the time? Probably not, unless you’re a stalker (just kidding). But really, there has to be some element of trust and you can’t physically be everywhere your kids are. And that also applies to the online world. As parents, we need to be aware of what our kids are doing, teach the “rules of the road,” and help them stay safe, but we can’t always be there with them every moment of every day.

But we do need to understand that our kids are doing things online that could expose them to risk. McAfee’s 2014 Teens and Screens study showed that tween and teens continue to interact with strangers online and overshare information, even though they realize that these activities can put them at risk.

So what else did the study unveil? About 75% of tweens and teens friend people whom they know in the real world, however, 59% engage with strangers online. And one out of 12 meet the online stranger in real life. This could be because 33% of them say they feel more accepted online than in real life.

Additional facts to understand:

  • Our tweens and teens overshare personal information – 50% posted their email address, 30% their phone number and 14% (which is 14% too many) posted their home address, even though 77% know that what is posted online can’t be deleted and 80% have had a conversation with their parents on how to stay safe online
  • Social media friends are not always friendly – 52% have gotten into a fight because of social media, 50% have gotten into trouble at home or at school and 49% have regretted posted something.
  • Our kids are still hiding things from us – Although 90% believe their parents trust them to do what is right online, 45% would change their online behavior if they knew their parents were watching, 53% close or minimize their web browsers when their parents walk into the room and 50% clear the history of their online activity

Alarmingly, 24% said that they would not know what to do in the event of cyberbullying (how about stay away from the bully’s page and block the bully from your page?). A whopping 87% have witnessed cyberbullying and 26% have been victims themselves.

So with all these, how do we ensure we help our kids stay can enjoy the benefits of being online, while staying safe online. Here’s my top tips:

  • Establish rules: Parents should establish pinpointed rules about computer activities including sites the kids can visit and what is and isn’t appropriate behavior online, including the fact that online is forever.
  • Check in: Kids should be told to immediately report cyberbullying. whether they are witnessing it or being a victim.
  • Meet their “friends”: If it’s not possible to meet that person in person, then your child shouldn’t be chatting with them online.
  • Learn their technology: You should know more about the various devices that your kids use than your kids do, not the other way around.
  • Get their passwords: Parents should have full access to their kids’ devices and social media accounts at all times; they need the passwords.
  • Have security software on all their devices: Make sure all your kids’ devices and yours have comprehensive security software, like McAfee LiveSafe™ service.

Or you can just relegate your kids to their rooms and never let them out—like I’ve told my girls. Just kidding. But on a serious note – parents, it’s time to make this a priority, for you and your kids.

To join the conversation online, use #TeensNScreens or follow @McAfeeConsumer or like McAfee on Facebook.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

10 Ways to protect your Gmail Account

Protecting your Gmail account means you must activate some tools that Google offers, and you must increase your scam savvy intelligence in order to spot phishing scams. If you do both, you can have a very well-protected Gmail account.

2D#1. Google 2 Step Verification. This is the Holy Grail of account security. Not really, but it’s the best they have available. With 2 Step you get a onetime log in code to a secondary device like a mobile phone via text or the “Google Authenticator” app. I like text best. This will surely protect your Gmail account because a hacker would need access to this secondary device to bust into your account, since Google would require a six-digit unique code for this second device to access your account.

Speaking of codes, you can generate a number of one-time codes that you can use in the event of a mishap such as losing your device; you can use these codes to access your account from a temporary device.

#2. Stay out of Googles spam folder. Learn to ignore spam.Must you open every e-mail? Google does a pretty good job of spam/phish filtering. Leave the phishy/spammy messages alone and you’ll be in good shape.

Most malicious or “phishing” e-mails are very obvious, with any of the following in their subject lines:

–       Get back to me

–       Your money is waiting

–       If you don’t read this now you’ll hate yourself

–       Claim your reward

However, some subject lines look less suspicious, like “Your Amazon.com order has shipped.” If you use a unique e-mail account solely for Amazon or eBay, and then promise yourself never to click on a link inside the e-mail, you’ll be fine.

#3. Never give out your password.

Remember: If someone requests your Google account password, it’s malicious. If you think Google wants your password, don’t give it via any link in an e-mail. Instead go to https://www.gmail.com or https://accounts.google.com/ServiceLogin and login.

#4. Account recovery options: Keep up to date. Always keep your mobile phone number current because it’s what Google uses to send you a security code. So if a hacker gets your Gmail account password, it’s useless unless they have your smartphone number, which Google will use to send you that code to prove your identity.

#5. Have a recovery e-mail address that’s also up-to-date because Google uses this strictly for sending security codes for when you forget a password. You should have this second e-mail address also because Google will use it to send important security information.

#6. Secondary e-mail address. This is in addition to the recovery address mentioned prior because you can use this alternate to sign into your Gmail account. Note, however, that this alternate address must not be part of your Gmail account or even associated with a second Google account.

#7. Use secure connections. Gmail should always be set to use a secure connection, denoted by HTTPS before the URL. Go to Settings, General, Browser Connection to set it up. Use a secure VPN for logging in. Hotspot Shield protects and encrypts your wireless connections.

#8. Strong & long is the name of the game. Enough of passwords like Puppylover1, carfiend1979 and Darlingmama. Don’t use words that can be found in a dictionary. Include symbols like #, * and $. The more nonsensical and longer the password, the better. Next, do not ever use your Google password for any other account. Your e-mail passwords should be equally nonsensical.

#9. Incognito. Use the “incognito” or “private” mode in browsers when you’re on a public or shared computer such as at a hotel. These modes will prevent cookies, web history and other data formation from getting stored. If these modes are not available, clear your cookies and browsing history when you LOG OUT.

#10. Finally, to protect your Gmail account, keep your system up-to-date and secure with anti-virus and anti-malware.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Your Customers’ High Cost of Privacy

This writer has said numerous times that privacy is waning and dying. Partly because we have allowed it with our bazillion posts to social and partly because of the shift from print advertising to digital. During that shift, lots of creative types figured out how to figure you out and get inside your digital head. But all at a cost of your privacy.

1PArwa Mahdawi in the Gurdian brilliantly posed “Privacy isn’t dead, but it’s getting very expensive.” So true.

Ask yourself: as a decision maker for your business or employer, when it comes to protecting your organization’s customers’ or clients’ personal data, how proactive are you? And even if you’re proactive, are you aware of just what is involved on the part of the customer/client to ensure that their personal information doesn’t get into the wrong hands?

Or perhaps you’re not very active in this realm at all, figuring that it’s “up to the customer” to figure out how to secure their data, or that it’s the responsibility of the banks and credit card companies.

I contend that businesses who collect valuable data from customers and profit from it – from email addresses, to credit cards to SSNs – have the responsibility to protect the data collected. Otherwise customers inclined to do so must pay a fee to have their personal information protected. That business is booming.

It’s fair to speculate that if businesses, such as retailers and healthcare organizations, had an excellent history of keeping customers’ data airtight, the protection of privacy wouldn’t have become something that people must pay for.

Of course, there are ways that consumers can protect their privacy without paying for it, such as giving up the use of credit and debit cards, always remembering to disconnect their mobile device in public when they don’t need to be online, never seeing doctors, disabling their cookies, etc.

But let’s face it, these free approaches are impractical or even impossible. How many Internet users even know how to disable their cookies, or even what a cyber cookie is? How many know what a VPN is?

Consumers should not have to be tech savvy or have a lot of money or make impractical lifestyle changes in order for their private information to be leak-proof.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

15 tips to Protect your Digital Life

How much of “you” is stored inside your smartphone? For some of you, the answer will be “My entire life.” And that’s practically true. For many, all sorts of highly private, sensitive information, including photos, are stored in that little device called a smartphone.

7WBut here is a better question: Did you know that “you” can be hacked into or in some other way stolen? And remotely at that? And some hacking methods can be very sly and sneaky. Even if your device is tethered to your waist every second, you still need to protect it from remote thieves. Here’s how to protect your smartphone.

  1. Customize your mobile so that if some smart-azz at a party snatches it, they won’t be able to figure out how to get your information. Use a custom lock screen and ambiguous icons for nameless applications—the dork-head won’t have a clue. Do you really want to have an icon sitting on your screen labeled “Finances,” “Banking Info” or “Hot Pics”? Remove default apps too. This won’t stop a skilled hacker, but it will stop the typical doofus in his tracks.
  2. Avoid public Wi-Fi such as at airports, hotels and coffee houses unless you are using a VPN from Hotspot Shield.
  3. Disable your GPS to keep your location hidden.
  4. Stay clear of unofficial versions of the popular applications. These are often found on 3rd party sites.
  5. If you use Google maps, disable or don’t enter your home address.
  6. If you’re not using the Internet, get offline.
  7. Keep far from applications that require some kind of strange permission.
  8. Don’t save your passwords in your browser, even though this is convenient. Instead use a password manager; this is more secure.
  9. Enable a passcode on your device. If you have an Android, customize your lock screen. For the iPhone, use a longer passcode, not a PIN.
  10. Go through all of your apps to make sure that they don’t have access to personal information that you don’t want them to have access to. Pay close attention to all of those checkboxes you click for the “agreement” portions of installing apps. Every month, audit your apps.
  11. Never save a password in a very private application like that of your bank’s. Having to log in every time is a small fee to pay for the security this brings. Similarly, always log out completely from your e-mail every time you’re done using it.
  12. Use cloud encryption for your personal information. The Android allows encryption for all data on the device.
  13. Keep the phone’s operating system and app software updated. Don’t get lax with this.
  14. Anti-theft software. Enable the remote wipe function. This kind of app will help you locate a lost or stolen smartphone, but don’t delay in setting this up.
  15. Keep a backup of all of your device’s data.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Leaky WiFi leaks App data

Recently a settlement was obtained between 2 companies with the FTC. The charge was that these organizations failed to secure their mobile apps, which put consumer’s private data at risk.

5WThe FTC says that these companies disabled the SSL certificate validation. This default process confirms that an application’s communications are secure.

Because the SSL was disabled, the apps were made prone to cyber attacks, in which crooks could steal data like SSNs, home addresses and credit card information.

These attacks are the man-in-the-middle type and are a particular threat to unprotected public Wi-Fi (hotels, coffee houses, etc.).

If you use your mobile on an unguarded network, a crook can get in between you and the site you want to visit, and pose as you and communicate with the intended site. Posing as you, he can then manipulate your data. The scoundrel can also make your mobile visit a fraudulent site that you think is legitimate and lure you into entering personal information.

A website is secure if the site address begins with “https.” However, the smartphone’s small browser discourages users from checking this. And crooks know this.

Of particular interest to criminals is texting between banks and companies that utilize a one-time password. The crook can intercept this transaction and gain access to sensitive data. He can actually redirect an intended wire transfer to his account.

All of this can be avoided by avoiding online financial transactions with a mobile device on public Wi-Fi. Don’t even visit your bank’s site. Also don’t send personal information via e-mail on public Wi-Fi. If you must conduct mobile transactions in public, buy a Wi-Fi device, get a VPN like Hotspot Shield or use your carrier’s 3G or 4G network.

Finally, install anti-malware programs on your mobile, especially if it’s an Android. Don’t just sit back and assume that the app makers, app sellers and other businesses are going to take care of all of this for you.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Stupid Criminal of the week stages fake Burglary

Mondays are the pits for many people, because this day starts their work week. Dwayne Yeager was no exception; so badly did he want to avoid going in to the job on Monday, that he did something really dumb to get out of it.

3BThat’s because, according to deputies, his wife didn’t want him to miss work doing fabrication at a plant, which is actually what he did to avoid going into work: He fabricated a burglary of his house. Stupid.

Yeager, 31, called authorities a bit after 7 a.m. and said, “I need a sheriff in Brandon.” He told a dispatcher he’d been gone for a short while, then returned to see his door and windows open, TVs on the floor.

Deputies showed up to an apparently ransacked house, but saw no signs of forced entry. A neighbor reported that Yeager was gone from 6:30 to 7:15, went through the front door, opened the front bedroom window and lifted the blinds. Then he stepped outside and waited for deputies. The neighbor said there was no car on the property before Yeager returned.

Yeager admitted the lie to avoid going to work. He was arrested and charged with one count of giving false information to the police, then released later that day on $500 bail.

What a doofus. All he had to do was fabricate a stomach ache from the previous day’s “bad meat” or a migraine headache or something like that. But you didn’t hear it from me.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.