Credit Card Theft increasing for Banks and Retailers

2013 was the year of 740 million records involving data breaches. And that number may be erring quite on the conservative side, according to the Online Trust Alliance. The records come from a list on the Privacy Rights Clearinghouse Chronology Data Base.

The list is that of publicly disclosed breaches, including the alleged 110 million that struck the big retailer December 13. Many of the listed breaches are of a non-descript number.

The more electronically connected everything becomes, the greater the potential for data breaches—it’s almost as though all this advancement in online data storage and transmission is setting us backwards.

Cybercriminals are good at keeping pace with the progression of online security tactics, matching every leap and bound. This is why organizations must put security and data protection at the top of their priorities and be ready to handle a major breach.

Unfortunately, no one-size-fits-all defense against cyber-fraudsters exists. Nevertheless, there do exist best practices that can optimize a company’s protection against cybercrime.

Let’s take a look at some highlights of the data breaches of 2013.

  • Though that conservative 740 million records was disclosed, 89 percent of the breaches and loss of data incidents could have been thwarted.
  • 76 percent of breaches were due to stolen or weak account credentials.
  • In 2013 alone, 40 percent of the top breaches were recorded.
  • Insider mistakes or threats accounted for 31 percent of insiders.
  • Social engineering was responsible for 29 percent of breaches.
  • Physical loss such as forgetting where one placed a device, flash drive, etc., was responsible for 21 percent of the data loss incidents.

The 2014 Data Protection & Breach Readiness Guide can help service providers and app developers for businesses grasp the issues, factors and solutions that will fire up data protection tactics and bring about a development of strategies for managing a data breach incident.

Smart businesses think proactively:

Smart businesses are investing in their client’s security. Consumers want to know they are being protected before, during and after a transaction.

ID Theft, Medicare Fraud Prevention in People Over 45

My job as a security analyst is to educate people on the prevalence of ID theft, and this especially includes those over 45, and I also must point out that scams involving Medicare are on the rise.

According to Reuters, identity theft led the list of top consumer complaints once again in 2013, with U.S. consumers reporting that they lost over $1.6 billion to various types of fraud. Of the 2 million consumer complaints that the commission received last year, 290,056, or about 14 percent, were related to identity theft, the FTC said.

People over 45 attract identity thieves because the 45-plus crowd is often more trusting and has more wealth and disposable income built up. They’re not too eager to report identity theft for fear their families will think they’ve lost control. Crooks know all this. Learn how people over 45 can protect against identity theft and Medicare scams.

Identity Theft Prevention for the 45-Plus Crowd

  • Know that those closest to you (family members, caregivers) can be a thief waiting for a prime opportunity. Be leery of anyone asking for even a small loan or giving a sob story.
  • ID information and other personal data and documents should be locked up in a safe.
  • Get a PO box for your mail, both for receiving mail and for dropping off outgoing mail.
  • Shred personal documents you no longer need.
  • Thieves like to rummage through trash for discarded direct mail and credit card offers. Call the FTC OPTOUT at 1-888-567-8688 to stop these offerings.
  • Memorize your SSN so you don’t have to bring it in public.
  • Thin out your wallet.
  • Cancel unused cards.
  • Never have any personal information printed on your checks except your PO box address. Have only your first and middle initial with your last name printed on checks.
  • Have your bank issue an ATM-only card rather than an ATM debit card.
  • Don’t wait till you’re a victim of crime to have a handy list of all your financially related contact information already composed.
  • Update your devices’ operating systems.
  • Update your devices’ antivirus, antispyware, antiphishing and firewall.
  • Lock up your devices with a password.
  • Use strong passwords including upper/lower case and numbers.
  • Use a password manager. Never use the same password twice.

Credit Card Scams

  • Don’t be phishing bait. An e-mail comes to you claiming you must make a payment and includes a link where to do this. These scam e-mails make gullible people think they’re from banks, retailers, even what seems like the IRS. The link to a phony website entices victims into typing in their bank account or credit card numbers: a done deal for the thieves.
  • Review bank and credit card statements promptly. Reporting something suspicious within two days means minimal liability with bank accounts. Wait too long and you may never recover your loss.
  • Never lose sight of your debit card. Always watch clerks swipe it. Don’t hand it to anyone else at the store.
  • Consider ditching the debit/credit card. Use an ATM card and a separate credit card rather than the combo.
  • Never give your card to anyone. This means a caregiver, nanny, dog sitter, relative—you never know what they may do.
  • Never give your card or account information to someone who phones you.

Social Media Scams

  • Friend only those who you actually know, like and trust.
  • Remember the Internet is forever—Even if you have the highest privacy settings, it’s good practice to consider anything you do on the Internet as public knowledge, so be careful what you share online or via your mobile device.
  • Don’t reveal personal information—Seriously consider why it’s needed before you post your address, phone number, Social Security number, or other personal information online.
  • Put a PIN on it—Make sure you have your smartphone and tablet set to auto-lock after a certain period of inactivity and make sure it requires a PIN or passcode to unlock it. This is especially helpful to protect any information you do not want seen should your device be lost or stolen.
  • Manage your privacy settings—At most, only friends you know in real life should be able to see details of your profile.
  • Change your passwords frequently—In addition to choosing passwords that are difficult to guess (try to make them at least eight characters long and a combination of letters, numbers, and symbols), remember to regularly change your passwords.

Medicare Card Scams

  • The weak link in Medicare is that the SSN can be used as the identifying information on the insurance cards.
  • After the first visit to a doctor, copy your Medicare card, ink out everything but the last four numbers of the SSN, then use the copy for subsequent visits.
  • A Medicare representative will never call you to verify information so that medical bills can be paid. A call like this is a scam.
  • If somebody other than your physician asks for Medicare information, call 1-800-MEDICARE to report this. Only when you’re in your doctor’s office should your doctor request such information. If in doubt, never give your Medicare number out.

If You Are a Victim

What should people over age 45 do if they suspect identity theft?

  • Call one of these three credit reporting agencies to put a fraud alert out on your credit report:
  • Experian: 888-397-3742; Equifax: 800-525-6285; TransUnion: 800-680-7289
  • Contact only one company because they’re legally required to contact the other two.
  • Contact local law enforcement, banks and credit card companies if you suspect ID theft.
  • Call the FTC ID theft hotline: 877-438-4338; or online at www.consumer.gov/idtheft

Identity theft protection:

  • Does Identity Theft Protection Really Work? YES.
  • How effective are their scanning/monitoring methods? It all depends on the service. Check out BestIDTheftCompanys.com ratings.
  • Can they truly protect consumers? The answers may vary. Identity theft protection is designed to protect you from new lines of credit being opened in your name—and along with the recovery/restoration component; it’s designed to clean up the mess.

Can Home Invasion of Elderly Cause Heart Attack?

I’m a home security expert and have given many speeches on how to protect your home from an invasion, but one of the topics that doesn’t seem to get much attention is the possibility of a heart attack being triggered in an elderly homeowner by the stress of an intrusion.

Here are two alarming cases of heart attack in the elderly apparently caused by the stress of a home invasion.

Mildred Pollock, age 89, suffered fatal heart failure a week after two men robbed her inside her house, as reported by WALB News 10 of Mitchell County, GA.

Here’s how it all went down: Two men posed as salesmen and showed up at the elderly victim’s door at about 4:30 pm. The men ended up inside her house. (The report doesn’t say if she invited them in; if they invited themselves in and she accepted; or if they forced their way in.)

But for sure, they removed the elderly woman’s alert pendant and held her to a chair, taking her phones away. The men wanted money, found none, and then left.

Pollock called for help with a backup alert button, was taken to the hospital, and succumbed to heart failure a week later. The home invaders face felony murder charges, even though an autopsy showed clogged arteries in her heart.

However, lehighvalleylive.com reports the case of another elderly victim, age 76, who suffered a mild heart attack the night of a home invasion, after which her health rapidly declined and she died several weeks later.

The forensic examiner attributes the heart attack to the stress of the home invasion/robbery, even though the victim had a pre-existing heart condition.

Tips for Preventing a Home Invasion

  • Always speak to strangers through a locked door, never a screen door, let alone open door.
  • Forbid children to respond to knocks and doorbells.
  • Keep a burglar alarm on at all times, but you must remember to deactivate it every time you open a door or window.
  • Install a video surveillance system: a marvelous deterrent to home invasion.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Top Security Techniques That Work For The Masters

Banks know security just about better than anyone. Find out what they can teach you about safeguarding your small business.

Security is a journey, not a destination. This is a security industry axiom that means we can strive for security, and by making this effort, we can put ourselves on a path to security. But while we may achieve a relative degree of security, our businesses will never be 100 percent secure—the destination we all strive for. Even Fort Knox, the White House and the New York Stock Exchange are vulnerable.

But that doesn’t mean we shouldn’t strive to reach our destination. In order to protect our businesses, we can apply strategies that significantly reduce our risk level. One of the best security techniques is layering. Layers of security make a criminal’s job more difficult, as they are forced to address all the vulnerabilities in our business.

Helen Keller once said, “Security is an illusion; life is either a daring adventure or nothing at all.” Her quote has significance, although it’s not entirely accurate. That’s because security is part illusion and part theater. The illusion, like a magic act, seems believable in many cases.

Security theater, on the other hand, refers to security intended to provide a sense of security while not entirely improving it. The theater gives the illusion of impact. Both play a role in deterring criminals, but neither can provide 100 percent security, as complete security is unattainable. Hence, security is a journey, not a destination.

Banks know security, both the illusion and the theater. They have to, because robbers target these buildings daily. Because banks want to promote a friendly and inviting environment, consumers are mostly oblivious to the various layers of security that financial institutions utilize to protect their bank accounts. And that’s not a bad model to follow.

What Banks Know About Security

Banks have multiple layers of security. The perimeters of most banks are often designed to include large windows, so passersby and law enforcement can easily see any problems occurring inside. The bank’s doors also have locks. There is, of course, an alarm system, which includes panic buttons, glass-break detectors and motion sensors. These are all layers, as are the security cameras, bulletproof glass and armed guards. Ideally, the tellers and members of management should have robbery-response training. Many banks also use dye packs or GPS devices to track stolen cash.

All banks have safes, because banks know that a well-constructed safe is the ultimate layer of security. A safe not only makes it extremely difficult for a bank robber to steal the bank’s money, but it also protects the cash in the event of a fire.

And then there are the multiple layers of computer security. The basics include antivirus, antispyware, antiphishing and firewalls. However, there are numerous additional layers of protection that monitor who is accessing data and why, and numerous detectors that look for red flags which indicate possible identity theft.

Banks also recognize that a simple username/password is insufficient, so they require their clients to adopt multifactor authentication. Multifactor authentication is generally something the user knows, such as a password or answers to knowledge-based questions, plus something the user has, such as a smart card, token or additional SMS password, and/or something the user is, such as identification through a biometric fingerprint, facial recognition, hand geometry or iris scan. In its simplest forms, multifactor authentication occurs when a website asks for a four-digit security code from a credit card or installs a cookie on your machine, or when a bank requires a client to add a second password to his or her account. Some institutions also offer or require a key fob that provides a changeable second password (a one-time password) to access accounts, or it might require a reply to a text message in order to approve a transaction.

Every layer of protection the bank adds is designed to make it harder for a criminal to get paid.

Consider a layered approach for your small-business security plan. Think about the current layers of business protection you have in place, and then consider how many more layers you might want to install to ensure a seamless customer experience and a security-minded culture.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Businesses fail in Customer Privacy

The U.S. Consumer Confidence Index, released by TRUSTe®, shows an alarming trend: A high percentage of U.S. people over age 18 are unnerved about their online privacy, and this trend is worsening.

This survey was conducted online among 2,019 U.S. adults and reveals that 92 percent of the participants are on edge, at least some of the time, concerning online privacy. Nearly three-quarters of Internet users in the U.S. are worried about privacy more so than a year ago. And more users worry about business data collection versus government surveillance programs.

Many businesses are not taking measures to mitigate this concern among users. This can backfire on businesses, e.g., more people not willing to download apps or click on ads. Protecting consumers is crucial to a company’s success—not just with customers but with competitors; companies should not cut corners here.

What are the top reasons for privacy concerns? The top two responses: 1) Businesses sharing personal data, and 2) Businesses tracking online behavior.

More specific findings:

  • 58 percent of respondents were worried about businesses giving out their personal information with other businesses
  • 47 percent worried about businesses tracking their online actions
  • Only 38 percent named media attention to government surveillance programs as a cause for concern.

What are consumers doing about all this?

  • 83 percent are leery of ad clicking.
  • 80 percent won’t use smartphone apps that apparently don’t protect privacy.
  • 74 percent aren’t comfortable enabling location tracking on their smartphone.

Other findings of the TRUSTe survey:

  • User concerns over online privacy are climbing: 92 percent of users worry about privacy.
  • Trust with businesses is declining, coming in at 55 percent currently.
  • 89 percent of consumers will refrain from conducting business with a company they don’t feel is protecting their online privacy.

The public wants more:

The tides of privacy are turning and the public is waking up. Businesses who fail to take action will surely be met with customer defection.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

7 Ways to Tell If It’s a Fake

Unfortunately in today’s world, scammers are coming at us from all angles to try and trick us to get us to part with our hard earned money. We all need to be vigilant in protecting ourselves online. If you aren’t paying attention—even if you know what to look for—they can get you.

There are numerous ways to detect fake sites or emails, phishing, etc. Here are 10 you should know about:

  1. Incorrect URL. Hackers use fake sites to steal your information. Watch to make sure the URL is actually the one you want to be going to—if you notice the URL is different, that’s a good indication that the site is fake and you should NOT enter your information. There are a number of ways you can protect yourself from this:
    1. If you’re on a computer, hover your mouse over the link to see a preview of the link URL in the status bar. Then check to see if the link site matches the site that it should be from. So for example if your email comes from North Bank or you type in North Bank into the Google search bar and the link is not going to www.northbank.com but something like www.banking-north.com you should not click.
    2. If you’re on a mobile device, use a link preview to see the actual URL before you click.
    3. You can also use McAfee® SiteAdvisor® on both your computer and mobile device to make sure the links you are going to are not bad links.
  2. Nosy Requests. Your bank won’t ask via email for your PINs or card information. Be suspicious of sites (or emails) requesting your Social Security number, identification number or other sensitive information.
  3. Sender’s Email Address. You can also check who sent the email by looking at the send address. It may say it’s from North Bank, but the email may be something strange like northbank@hotmail.com. The sender’s email should not be using a public Internet account like Hotmail, Gmail, Yahoo!, etc.
  4. Your Name. A legitimate email from your bank or business will address you by name rather than as “Valued Customer” (or something similar).
  5. Typos. Misspellings or grammatical errors are another sure sign that the message or site is fake.
  6. Fake Password. If you’re at a fake site and type in a phony password, a fake site is likely to accept it.
  7. Low Resolution Images. A tip-off to a false site is poor image quality of the company’s logo or other graphics.
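The URL, sender-address and greeting checks from the list above can be automated in a mail filter or awareness tool. The following is an added example, not part of the original post: it reuses the article's North Bank names, the function names and finding labels are hypothetical, and the webmail and greeting lists are short constructed samples.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample lists (assumptions); extend them for real use.
PUBLIC_MAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com", "outlook.com"}
GENERIC_GREETINGS = ("valued customer", "dear customer", "dear user")


def host_of(url: str) -> str:
    """Lower-case hostname a browser would actually connect to."""
    if "://" not in url:
        url = "http://" + url          # tolerate links written without a scheme
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:                 # malformed authority, treat as unknown
        return ""
    return host.rstrip(".").lower()


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only for the expected domain itself or a real subdomain of it.

    A plain substring test would wrongly accept hosts such as
    www.northbank.com.banking-north.com, so compare on a label boundary.
    """
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def check_message(from_header: str, link_url: str, greeting: str,
                  expected_domain: str) -> list:
    """Return the list of warning signs found (empty list means none)."""
    findings = []

    # Sign 1: the link does not lead to the organisation's own domain.
    if not belongs_to(host_of(link_url), expected_domain):
        findings.append("link-host-mismatch")

    # Sign 3: the sender uses a public webmail account or a foreign domain.
    _, address = parseaddr(from_header)
    sender_domain = address.rpartition("@")[2].lower()
    if sender_domain in PUBLIC_MAIL_DOMAINS:
        findings.append("public-webmail-sender")
    elif not belongs_to(sender_domain, expected_domain):
        findings.append("sender-domain-mismatch")

    # Sign 4: the message does not address the recipient by name.
    if any(g in greeting.lower() for g in GENERIC_GREETINGS):
        findings.append("generic-greeting")

    return findings


if __name__ == "__main__":
    # Constructed sample message built from the article's own example names.
    print(check_message("North Bank <northbank@hotmail.com>",
                        "http://www.banking-north.com/login",
                        "Dear Valued Customer",
                        "northbank.com"))
```

An empty result is not proof that a message is genuine; it only means none of these three signs fired.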

Additionally…Hit delete. How about just hitting the delete button whenever an email comes to you from an unfamiliar sender? After all, if any legitimate entity needs to contact you about something urgent or crucial, they would have your phone number, right? They know your name, too. Remember, “just say no” to opening unfamiliar or suspicious looking emails.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

WiFi Security Truths and Falsehoods

Security truths evolve—meaning, they change, and you must keep up with this, particularly with wireless security. Advice for wireless security can quickly become outdated. There are actually three big wireless security myths swirling around.

#1. Limit the IP address pool to restrict number of devices that can connect.

Even if your cable company tech recommends this, it’s no good. The unfounded idea is that when the range of allowable IP addresses is limited, this makes it hard for hackers to connect. However, the size of the pool doesn’t matter because hackers can just determine which IP addresses are open and use those.

#2. Hide your network’s SSID to conceal it from hackers.

Nope, this won’t work either. Wireless routers broadcast their service set identifiers (SSIDs); your device shows these so you can see which Wi-Fi options are in range. The idea is to hide your network’s SSID to prevent hackers passing by from using them.

However, most devices today see networks even if the SSID is concealed. An apparently unavailable SSID won’t stop a hacker. If you think there’s no harm in blocking the SSID nevertheless, think again: Hiding it may make your network more appealing to the criminal, kind of like hiding the cookie jar—something must be pretty rewarding in there.

#3. Enable MAC address filtering to select who can connect.

Sounds like a plan, but it isn’t. The idea is to use the router settings to enter the MAC (media access control) address of every device that connects to your network, so that only devices with these addresses can gain access to your router, thereby keeping hackers out.

But forget this hassle because all a hacker need do is analyze a network, identify allowable MAC addresses, and he’s in.

Security that actually works

  • Go for encryption—and the best, at that—for your router. The best currently is WPA2. Coupled with a strong password, this is a winning security plan. A strong password has at least 12 characters combining letters (upper and lower case), numbers and symbols. Get new hardware if your router doesn’t support WPA2.
  • VPN—a virtual private network such as Hotspot Shield VPN provides private communication over a public network. Transmissions of sensitive data will be private, such as between you (at home) and your employer.
  • VPN again, but this time, one you can use when you’re using your device in unprotected public realms such as an airport or coffee shop. Using your device in public makes your data vulnerable to hijacking. This type of VPN keeps hackers and other voyeurs from peeping in on your web surfing activities, credit card information, messages, etc.

Protect all your web surfing activities with a VPN, which secures your connection not only at home but in public (wired and wireless). Your identity is protected with a free proxy by providing HTTPS to secure all of your online transactions.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Banks and Retailers fight it out over Who’s at fault

The duking out between banks and retailers was launched this past December when a credit card data breach occurred to an estimated 110 customers of a big retail store.

Is the retailer responsible? Should the credit card issuers or banks take the brunt of preventive action? What about the consumer? Lawmakers are trying to figure out what can be done to keep the consumer’s data safe from hackers.

The 110 million breach aside, the generality is that the big tripod (banks, retailers, credit card issuers) doesn’t seem to grasp the concept of shared responsibility when it comes to protecting consumers’ data.

James Reuter of the American Bankers Association points out that banks tend to take the brunt of the responsibility with data breaches, way more than what banks are even accountable for. Banks “are making customers whole,” he says.

Meanwhile, retailers are all banding together saying that the customers have zero liability. Retailers know that the banks will swoop in and bear much more financial burden than they’re actually responsible for.

Reuter believes whichever entity—be it a retailer, card company or even bank—is responsible for hacking due to lame protection strategies, should take full responsibility.

Banks really want retailers to step up to the plate too. Forty-six states already have standards for businesses to inform customers of data breaches. However, banks would like a federal standard. Senators Tom Carper and Roy Blunt have introduced such a bill.

After a breach may be too late:

The customers of the breached retailer in December didn’t just have their credit card numbers taken, but other data such as e-mail addresses and phone numbers. Once hackers have these, they have more tools with which to drum up identity theft schemes—something they can’t do with just a credit card number.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

IRS announces a 66% Increase in Tax Identity Theft Investigations

Tax-related identity theft is reaching nightmarish and epidemic proportions. Heed the following to minimize your risk.

  • File taxes early. ‘Tis the season for tax fraud, and scammers like to get a jump start from the beginning. File early before the fraudsters file.
  • Use electronic filing. Paying the IRS via e-filing is fast and more secure than the paper method. You’ll also get an e-confirmation of receipt. E-filing also lets you know promptly if another person has filed under your own information.
  • An IRS e-mail is probably a fake. You’ll never get an unsolicited e-mail from Uncle Sam asking for your SSN, date of birth or other private information. Don’t open these e-mails. If you accidentally open one, do nothing more than forward it to phishing@irs.gov.
  • Fake web sites. Telltale signs of a fraudulent site are typos and grammatical mistakes, odd page layouts, an unprofessional appearance and other oddities. Be suspicious if there’s not a tiny yellow padlock and “https” to the left of the URL.
  • Be careful where you store. Never store tax information on an Internet drive or cloud. If it must be stored on a computer, encrypt the drive. Better yet, store it on an external drive or disk that’s encrypted or password protected, and store this in a locked safe.
  • Strong, long passwords and usernames. Use an assortment of characters (letters, numbers, symbols like # and *).
  • Check your annual Social Security statement. It shows all income from U.S.-workers under your SSN.
  • Your tax preparer. Use a reputable, licensed tax preparation firm. There exist many tax fraudsters.
  • Be on red alert. Services that claim to have no or very low tax liability often sock you with very high fees, or divert refunds or take money from returns.
  • Snail mail alert. Monitor reception of tax forms. Take notice if any are late or seem to have been opened. If anything is awry, notify the provider at once to find out when they were sent out.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Tips on Getting a Dog for Home Protection

As a security analyst, I have always endorsed getting a dog for home protection. I’m going to provide some tips on what to look for in a home security dog, but first I want to briefly share a riveting true story that was reported on Madison.com.

“Slim” is a police dog. Police in Madison, WI, responded to a church’s burglar alarm and saw a man, Gordon Sullivan, sweating and short of breath. Sullivan denied any involvement with the church break-in. Slim couldn’t do anything at the crime scene where a window was pushed in without something to work with. Sullivan handed over his shoe to the police to take to Slim who was at the church crime scene. Slim then led his handler down the street to where Sullivan was sitting inside a squad car. Good dog! Sullivan was arrested on the spot.

Tips on Getting a Dog for Home Protection

The first tip is knowing what a home security dog is, and is not. It’s a myth that such a canine is always snarling, baring its teeth and ready to pounce and bite. A true protection dog is a very alert animal, loyal at responding to the call of duty.

A true protection dog is trained for this task, even though some breeds are more easily trained in this realm than are others. Breeds like Dobermans and German shepherds have “prey drive.”

Additional tips for getting a home protection dog:

  • Make sure that the animal is safe for family members to be around.
  • Your new pet should also be safe for strangers.
  • The dog should have a sense of when there is a threat looming.
  • You do not want an animal that bites or aggresses for no reason; this isn’t security  —  it’s a potential lawsuit.
  • Do your homework on this entire issue, with the help of these tips. Be a great master and your dog will protect you and your house.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.