Gemalto’s “EMV For a Week Challenge” starts now!

As part of Gemalto’s #ChipAwayAtFraud campaign, I’ve been handed a list of tasks, some tacky, some essential to living. Gemalto, one of the world’s leaders in digital security, wants a real-world take on the EMV card experience, including the security benefits EMV cards present. You know EMV; it’s the “chip” credit card that, by now, you should have. EMV, by the way, stands for Euro/MasterCard/Visa. The Euro part essentially means that’s where the card was first deployed.

If you don’t have a chip card by now get on the phone, call your bank and in your loudest, angriest voice scream at them and politely ask why they haven’t sent you one yet.

You, Mr. and Mrs. Credit Card Holder, should support the new technology in your community by explaining it to people and encouraging its use.

As a Gemalto campaigner I’m deploying two articles, one introductory (this one) and one “wrap-up” piece, detailing my experience during the challenge.

The Challenge:

Complete All Ten Tasks First and Win $400 to a Charity of Your Choice: My Charity is Boston Children’s Hospital

  1. Get coffee at a local (not chain) coffee shop
  2. Make any purchase at a big-box store
  3. Get a meal inside a fast food restaurant
  4. Buy a magazine at a gas station
  5. Get $50 worth of groceries
  6. Buy a tacky t-shirt
  7. Get someone special a bouquet of flowers
  8. Hit a tourist attraction in your town
  9. Buy office supplies for your coworker(s)
  10. Mail us a postcard from your local post office

Easy. Let the games begin!

Beware of Hot and Cold Reading Scams

Many so-called psychics are frauds. But so are some auto mechanics, lenders and roofers. There’s fraud in just about all lines of work.

What we do know is this: There’s not enough evidence to refute paranormal phenomena. Nor enough to prove it beyond a doubt.

And we also know this: There exist scams involving hot and cold readings.

I could give a scam reading to a flamboyant, colorfully-dressed woman (whom I’ve known for only a minute) with big hair, lots of costume jewelry and a supersonic laugh.

I could tell her she’s attracted to quiet, analytical, detail-oriented, very serious men whose eyes well up during sappy movies. She’ll pay me $100 for my “reading” and think I’m a psychic. What she doesn’t know is that I know that people with “sanguine” temperaments are attracted to the “melancholy” temperament.

I didn’t “read” her based on psychic abilities. I “read” her based on a book about temperaments I read years ago. Some people get really good at cold readings and make money off of this.

Hot Readings

You have an appointment with a woman. You find her Facebook page (because you got enough preliminary information to achieve this). You learn all about her. You look her up on LinkedIn too.

Come appointment (reading) time, you start telling her things about herself, flooring her. Scammers can cunningly extract information via other routes as well, but the bottom line is that the crook gets information ahead of time and pretends it’s only just coming up during the reading.

Cold Readings

The information is gleaned right on the spot—via skilled observational powers. Typically the cold-reader begins broadly, such as, “You’re very sad these days,” watching the customer’s body language and facial reactions, and then making deductions based on those.

The reading is very carefully worded to cover the possibility that the deductions are wrong. The scammer might say, “A person very dear to you is no longer around,” instead of the specific, “A person very dear to you has recently died.”  All possible reasons for the “loss” are covered with the ambiguous statement.

Cold readings to a large group are a joke, because the scammer will announce something that, by the law of averages, will apply to several people in the group. He then narrows it down from there.

There may be many honest, true psychics out there (some police departments use them for missing-persons cases, believing there must be some fire behind this smoke).

But beware of the scammers. Don’t pay someone to tell you something about your life that’s already on Facebook or evident in your clothing and mannerisms.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

How much is your Data worth online?

Cyber crime sure does pay, according to a report at Intel Security’s blogs.mcafee.com. There’s a boom in cyber stores that specialize in selling stolen data. In fact, this is getting so big that different kinds of hot data are being packaged—kind of like going to the supermarket and seeing how different meats or cheeses are in their own separate packages.

Here are some packages available on the Dark Net:

  • Credit/debit card data
  • Stealth bank transfer services
  • Bank account login credentials
  • Enterprise network login credentials
  • Online payment service login credentials

This list is not complete, either. McAfee Labs researchers did some digging and came up with some pricing.

The most in-demand type of data is probably credit/debit card, continues the blogs.mcafee.com report. The price goes up when more bits of sub-data come with the stolen data, such as the victim’s birthdate, SSN and bank account ID number. So for instance, let’s take U.S. prices:

  • Basic: $5-$8
  • With bank ID#: $15
  • With “fullzinfo” (lots more info like account password and username): $30
  • Prices in the U.K., Canada and Australia are higher across the board.

So if all you purchase is the “basic,” you have enough information to make online purchases—and can keep doing this until the card maxes out or the victim reports the unauthorized charges.

However, the “fullzinfo” will allow the thief to get into the account and change information, thwarting the victim’s attempts to get things resolved.

How much do bank login credentials cost?

  • It depends on the balance.
  • $2,200 balance: $190 for just the login information
  • For the ability to transfer funds to U.S. banks: $500 to $1,200, depending on the balance.

Online premium content services offer a variety of services, and the login credentials to these are also for sale:

  • Video streaming: $0.55 to $1
  • Cable channel streaming: $7.50
  • Professional sports streaming: $15

There are so many different kinds of accounts out there, such as hotel loyalty programs and auction sites. These, too, are up for sale on the underground Internet. Accounts such as these have the thief posing as the victim while carrying out online purchases.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Data security policies need teeth to be effective

Bottom line: If you have a data security policy in place, you need to make sure that it’s up to date and contains all of the necessary elements to make it effective. Here are 10 essential items that should be incorporated into all security policies:

1. Manage employee email

Many data breaches occur due to an employee’s misuse of email. These negligent acts can be limited by laying out clear standards related to email and data. For starters, make sure employees do not click on links or open attachments from strangers because this could easily lead to a ransomware attack.

2. Comply with software licenses and copyrights

Some organizations are pretty lax in keeping up with the copyrights and licensing of the software they use, but this is an obligation. Failing to do so could put your company at risk.

3. Address security best practices

Address the security awareness of your staff by making security training, testing and awareness an ongoing practice, so that everyone knows and follows security best practices.

4. Alert employees to the risk of using social media

All of your staff should be aware of the risks associated with social media; consider a social media policy for your company. For example, divulging the wrong information on a social media site could lead to a data breach. The social media policy should be created in line with security best practices.

5. Manage company-owned devices

Many employees use mobile devices in the workplace, and this opens you up to threats. You must have a formal policy in place to ensure mobile devices are used correctly. Requiring all staff to be responsible with their devices and to password protect their devices should be the minimum requirements.

6. Use password management policies

You also want to make sure that your staff is following a password policy. Passwords should be complex, never shared and changed often.

7. Have an approval process in place for employee-owned devices

With more employees than ever before using personal mobile devices for work, it is imperative that you put policies in place to protect your company’s data. Consider a policy that mandates an approval process for anyone who wants to use a personal mobile device at work.

8. Report all security incidents

Any time there is an incident, such as malware found on the network, a report should be made and the event should be investigated immediately by the IT team.

9. Track employee Internet use

Most staff members will use the Internet at work without much thought, but this could be dangerous. Try to establish some limits for employee Internet use for both safety and productivity.

10. Safeguard your data with a privacy policy

Finally, make sure that all staff members understand your company’s privacy policy. Make sure that data is used correctly and within the confines of the law.

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses.

How Glass Break Sensors work

Your home should have multiple layers of protection. You’ve certainly heard that before. Motion detection is a critical layer of protection, and it consists of sensing unauthorized movement, typically the result of a break-in. Glass break detection is similar in concept: one detects movement, the other detects sound.

  • Motion: The sensor detects when someone is moving about inside the house.
  • Entry: The sensor detects when a door or window is opened.
  • Breaking into: The glass break sensor detects when a burglar smashes through a window with a crowbar.

Many people don’t know that the sensor for breaking into exists. This special kind of sensor detects the unique sound (in terms of frequency) of window glass being hit and then shattering. The sensor then sets off the alarm.

So in other words, the sensor doesn’t wait for the glass to shatter. The detection starts when the crowbar or baseball bat makes heavy contact with the glass. This initial detection can be thought of as phase one. And phase two, the actual breaking of the glass, occurs just milliseconds later, setting off the alarm.

In a house full of windows, one sensor per room may be sufficient, covering three or more windows and even glass doors. And fortunately, it’s not necessary to have your kid hit a baseball into a window to test out the sensor.

The device has a “test mode.” You should produce a clapping sound (preferably with your hands). At the bottom of the sensor, a small light will blink, in response to the sound of the clapping, which simulates the sound of a window being struck.

Now if you don’t see the light blinking, the sound wasn’t detected. Make sure the sensitivity setting is on “high” in the device, and also check your windows; are they blocked by heavy curtains or furniture? If your hand clapping is weak, do you have a few wooden boards to smack together?

After you make the necessary adjustments, create the clapping sound again. If the unit is correctly installed, the light should blink.

If your child thinks he could trip the alarm by banging cymbals or dropping a glass on the kitchen floor, tell him don’t even think about it. The break-into sensor system has already taken false alarms into account. So if a glass or china plate crashes to the floor, or the sound of windows breaking is coming from the TV, these noises will not trip the alarm.

Robert Siciliano is a personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Sorry, stop posting Kids’ Photos online

Frankly, naked babies shouldn’t be a big deal. If you don’t have naked baby pictures of your kids in the kitchen sink then you aren’t human. BUT….the world has changed. If you compare posting your children’s photos online with whipping out a wallet photo of your toddler daughter in the bathtub to your dinner party guests, I will have a bird.

This is because people just love to post images of their partially or completely naked toddlers and preschoolers online: in bathtubs, those inner tube swimming pools, on beaches or wherever.

Awww, ain’t they purty little young’uns! Well, here’re the problems:

  • One particular image snatches the attention of a roaming pedophile, and he becomes hell-bent on getting his hands on that child—who’s yours.
  • Years after the image goes up, your child is suddenly being ridiculed in school over it.
  • Your child, when older, feels humiliated over the scads of revealing or even gross images (fingers shiny from a thick coat of saliva because they’re halfway in the toddler’s mouth; food smeared all over the mouth; slimy drool hanging from the mouth—yes some parents think this is adorable).

It’s not only not safe to become a post-a-holic of your child’s images, but it’s not smart. Isn’t the whipping out of the print photo at the dinner party or at the workplace break room enough? Must the images go online, where they’ll stay forever, for the entire planet to see?

Many parents don’t bother with Facebook’s privacy settings. And why? Hell if I know. These same parents would never run up to every single person at the grocery store and shove in their face the latest photo of little Mikey in the bathtub. So why share it with the whole world including Mikey’s future classmates?

Would you ever approach the seedy looking man on the street corner and show him a photo of half-naked little Maddelynn on the beach? I didn’t think so. Yet pedophiles really DO peruse Facebook for revealing images, and depending on what else you have up there including the image’s GPS data, the perv can get your home address.

  • Learn Facebook’s privacy settings and set them at their highest.
  • Find out with whom you’re “sharing” images. Do all of these people meet your approval? Do you know whom they’re sharing them with?
  • It’s not a crime to build old-fashioned photo albums—stored safely on a living room shelf that only visitors to your house can view.

When in doubt, don’t post it. Once it’s up, it’s there forever.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Protect from Personal Loan Scam

Are you thinking of getting a personal loan? Hopefully you have a high credit score, as this will give you a better chance of getting the loan through a legitimate company. But even if your credit is excellent, you need to be aware of the personal loan scams out there.

Not Respecting Your Limit

  • You don’t want to do business with a lender that pressures you into borrowing more than you can handle

Upfront Payment

  • You should never have to pay any fees for the application process. If you’re requested to do this, move on.

Pumped up Interest Rate

  • Know what the going interest rate is. A good lender will quote you near this average rate.
  • A bad lender will recognize the desperation of the applicant with bad credit and try to sock them with an abnormally high interest rate.

Us and Only Us

  • Be suspicious of lenders that don’t like the idea of you shopping around for better rates.
  • This is a red flag that they have questionable loan practices.

Location, Location

  • An honest, legitimate lender or bank has a verifiable physical address. Get this confirmed with Google Maps.
  • If you can’t, move on. But know that even a predatory lender may have a very solid physical address.

Solicitations

  • As in ones you didn’t request. Watch out for banks that send you unsolicited invitations for a personal loan application.

Don’t Be Intimidated

  • Because a seedy outfit may want to scare you into closing on their loan. But they can’t do anything to you, even if they use the term “legal action.”
  • If you want to reject their loan offer, then do so.

SSN

  • Does the lender want your Social Security number? This is fine if they’re wanting to do a credit check.
  • If they’re not doing a credit check but want your SSN, move on.

Signing Empty Documents

  • Do not sign anything that does not have the interest rate, terms, loan amount, monthly payment and other crucial information.
  • Before signing anything, make sure there are no blank areas that can be filled in later.
  • Run if the lender wants you to sign something that’s missing information.

Guaranteed!

  • Is a bank guaranteeing your personal loan? Sounds great, right?
  • Not so fast. They cannot do this if they have not verified your financial history or credit history.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

2016 Information Security Predictions

No bones about it, 2016 is sure to see some spectacular, news-chomping data breaches, predict many in infosec. If you thought 2015 was interesting, get your seatbelt and helmet on and prepare for lift off…

Wearable Devices

Cyber crooks don’t care what kind of data is in that little device strapped around your upper arm while you exercise, but they’ll want to target it as a passageway to your smartphone. Think of wearables as conduits to your personal life.

Firmware/Hardware

No doubt, assaults on firmware and hardware are sure to happen.

Ransomware

Not only will this kind of attack continue, but an offshoot of it—“I will infect someone’s device with ransomware for you for a reasonable price”—will likely expand.

The Cloud

Let’s not forget about cloud services, which are protected by security structures that cyber thieves will want to attack. The result could mean wide-scale disruption for a business.

The Weak Links

A company’s weakest links are often their employees when it comes to cybersecurity. Companies will try harder than ever to put in place the best security systems and hire the best security personnel in their never-ending quest for fending off attacks—but the weak links will remain, and cyber crooks know this. You can bet that many attacks will be driven towards employees’ home systems as portals to the company’s network.

Linked Stolen Data

The black market for stolen data will be even more inviting to crooks because the data will be in sets linked together.

Cars, et al

Let’s hope that 2016 (or any year, actually) won’t be the year that a cyber punk deliberately crashes an Internet connected van carrying a junior high school’s soccer team. Security experts, working with automakers, will crack down on protection strategies to keep cyber attacks at bay.

Threat Intelligence Sharing

Businesses and security vendors will do more sharing of threat intelligence. In time, it may be feasible for the government to get involved with sharing this intelligence. Best practices will need hardcore revisions.

Transaction Interception

It’s possible: Your paycheck, that’s been directly deposited into your bank for years, suddenly starts getting deposited into a different account—that belonging to a cyber thief. Snatching control of a transaction (“integrity attack”) means that the thief will be able to steal your money or a big business’s money.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

11 Ways to Mitigate Insider Security Threats

Companies are constantly attacked by hackers, but what if those attacks come from the inside? More companies than ever before are dealing with insider security threats. Here are 11 steps that all organizations should take to mitigate these threats and protect important company data:

  1. Always encrypt your data. If you want to minimize the impact of an insider threat, always encrypt data. Not all employees need access to all data, and encryption adds another layer of protection.
  2. Know the different types of insider threats. There are different types of insider threats. Some are malicious, and some are simply due to negligence. Malicious threats may be identified by employee behavior, such as attempting to hoard data. In this case, additional security controls can be an effective solution.
  3. Do background checks before hiring. Before you hire a new employee, make sure you are doing background checks. Not only will this show any suspicious history, it can stop you from hiring criminals or people associated with your competitors. Personality tests can also red-flag a propensity for malicious behavior.
  4. Educate your staff. Educating your staff on best practices for network security is imperative. It is much easier for employees to apply this information if they are aware of the consequences of negligent behavior.
  5. Use monitoring solutions. Monitoring solutions that collect application, identity and device data can be an invaluable resource for tracking down the source of any insider attack.
  6. Use proper termination practices. Just as you want to be careful when hiring new employees, you must also use proper practices when terminating them. This includes revoking access to networks and paying attention to employee actions on the network in the days before they leave.
  7. Go beyond the IT department. Though your IT department is a valuable resource, it cannot be your only defense against insider threats. Make sure you are using a number of programs and several departments to form a team against the possibility of threats.
  8. Consider access controls. Access controls may help to deter both malicious and negligent threats, since they make data harder to reach in the first place.
  9. Have checks and balances for all staff and systems. It is also important to ensure there are checks and balances in place, i.e. having more than one person with access to a system, tracking that usage and banning shared usernames and passwords.
  10. Analyze network logs. You should collect, store and regularly analyze all of your network logs, and make sure it’s known that you do this. This will show the staff that you are watching what they are doing, making them less likely to attempt an insider attack.
  11. Back up your data. Employees may be malicious, or more likely they make big mistakes. When they do, you’ll sleep better at night knowing you have redundant, secure, cloud-based backup to keep your business up and running.
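Items 2, 9 and 10 above (hoarding, shared credentials, log analysis) can be turned into concrete checks run over the logs the organization already keeps. The following is an added example, not code from the article or from Carbonite: it parses a constructed access-log format and flags users whose download count sits far above the median of their peers, plus usernames seen from more distinct hosts than one person would plausibly use. The log format, user names, IP addresses and thresholds are all constructed assumptions to be tuned against a real baseline.

```python
"""Two insider-threat checks over access logs (added example, not the article's code).

The log format, names and thresholds are constructed for illustration:
    2016-01-12T09:01:00 user=alice ip=10.0.0.5 action=download file=report0.xlsx bytes=20000
"""
import re
import statistics
from collections import Counter, defaultdict

# Constructed log format: one line per file access.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+) "
    r"file=(?P<file>\S+) bytes=(?P<bytes>\d+)$"
)

# Assumed thresholds; tune them to the organisation's own baseline.
HOARD_FACTOR = 5        # flag a user downloading >= 5x the median user's count
HOARD_MIN_COUNT = 10    # ...but never on fewer than 10 downloads
MAX_IPS_PER_USER = 2    # a laptop plus a desktop is plausible; three hosts is not


def parse_line(line):
    """Return a dict for a well-formed line, or None for a line we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def parse_log(lines):
    """Parse all lines, silently dropping malformed ones."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def find_hoarders(records):
    """Users whose download count is far above the median of their peers (item 2)."""
    counts = Counter(r["user"] for r in records if r["action"] == "download")
    if not counts:
        return []
    median = statistics.median(counts.values())
    limit = max(HOARD_MIN_COUNT, HOARD_FACTOR * median)
    return sorted(u for u, n in counts.items() if n >= limit)


def find_shared_accounts(records):
    """Usernames seen from more distinct source IPs than one person would use (item 9)."""
    ips = defaultdict(set)
    for r in records:
        ips[r["user"]].add(r["ip"])
    return sorted(u for u, s in ips.items() if len(s) > MAX_IPS_PER_USER)


def build_sample_log():
    """Constructed sample: a normal team, one hoarder and one shared service login."""
    lines = []
    normal = {"alice": ("10.0.0.5", 2), "bob": ("10.0.0.6", 3), "carol": ("10.0.0.7", 3)}
    for user, (ip, n) in normal.items():
        for i in range(n):
            lines.append(f"2016-01-12T09:{i:02d}:00 user={user} ip={ip} action=download "
                         f"file=report{i}.xlsx bytes=20000")
    # dave pulls 40 customer files in one afternoon: the hoarding pattern
    for i in range(40):
        lines.append(f"2016-01-12T14:{i:02d}:00 user=dave ip=10.0.0.8 action=download "
                     f"file=customer{i}.csv bytes=50000")
    # svc_reports is used from three different hosts: a shared credential
    for i, ip in enumerate(["10.0.1.1", "10.0.1.2", "10.0.1.3"]):
        lines.append(f"2016-01-12T10:{i:02d}:00 user=svc_reports ip={ip} action=view "
                     f"file=dashboard.html bytes=4000")
    lines.append("this line is garbage and is skipped by the parser")
    return lines


def analyze(lines):
    """Run both checks over raw log lines and return the flagged usernames."""
    records = parse_log(lines)
    return {"hoarders": find_hoarders(records),
            "shared_accounts": find_shared_accounts(records)}


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

Comparing each user against the median of the group, rather than against a fixed number, keeps the hoarding check meaningful when the whole team legitimately downloads more in a busy week; the absolute floor stops a tiny team from flagging someone over a handful of files. Both findings are leads for an investigation (item 5), not proof of malice on their own.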

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. See him discussing identity theft prevention. Disclosures.

Everything You need to know about Door Security

“I don’t need to lock my doors all the time; this neighborhood is very safe.” And I have some land in the Caribbean I’d like to sell you.

Burglars know that every “safe neighborhood” has a certain percentage of fools who think they’re immune to break-ins. And thieves would rather intrude upon a home with lots of nice things—and these homes are usually in “nice neighborhoods.” Hello?

Big mistakes:

  • Leaving doors unlocked
  • Keeping doors locked—but the lock system sucks

I hope you don’t fall into either of the above categories.

What you see on TV is true: Locked doors CAN be kicked open. Builders of homes don’t have the future resident’s security in mind. They cut corners whenever possible. You can bet a new home has a crappy door lock. And an old home, for that matter. Any determined thief could get past these doors even when they’re locked.

But there’s hope. Lots of it. First of all, keep your doors locked. Even if the lock isn’t too great. After all, many times a thief will give up after learning the door is locked. Many burglars are very impatient and want a quick, quiet job. But since you can’t read the mind of the next crook who prowls your neighborhood, it’s best that you get optimal door security.

First-Line Door Security

  • The door frame on the lock and hinge sides should be reinforced.
  • Think “door reinforcement.” Metal plates reinforcing the door jamb are fundamental to door security; see Door Devil.
  • Wood doors should be solid hardwood all around.
  • Get a peephole.
  • Don’t answer the door. Don’t feel you must answer the door every time someone’s there. It’s not a crime to ignore the visitor. If you’re not expecting anyone, it’s safest to just ignore them. It’s extremely unlikely that they’re about to die from dehydration or hemorrhaging; assume whatever they want is not a matter of life and death.
  • If you have a door that’s not visible to people passing by, this door especially needs optimal security.
  • A steel-clad door should have 24-gauge steel and a wood lockblock core.
  • Hardened steel deadbolts are a must and should have a five-pin tumbler. Associated screws should be as long as they come for deadbolts. Deadbolts should have wrap-arounds.
  • Consider a vertical deadbolt or multi-lock deadbolt for maximal security.
  • Another layer of maximal security is the grade of door hardware, where grade 1 is the highest, grade 2 is moderate and grade 3 is so-so.
  • Beware of flimsy screws!

Adjuncts to Door Security

  • Use a door brace (metallic pole that has one end fitting under doorknob and the other end securely on the floor, out at an angle, to prevent the door from opening).
  • A door stop or wedge will probably not stop a brute-force push-in, but a door stop can be equipped with an alarm that will trip if someone tries to push their way in.
  • Don’t bother with the door chains that you so often see on TV. We’ve all seen it: The bad guy is on the other side of the door while the apprehensive woman is speaking to him through that small opening. He then pushes on the door and breaks the chain. This can really happen!

Robert Siciliano is a home and personal security expert to DoorDevil.com discussing Anti-Kick door reinforcement on YouTube. Disclosures.