Mobile SIMs Hacks Cause Concern

A crook can steal your identity by taking control of your wireless phone account—by pretending to be you in person at the mobile store. The villain can then buy pricey mobiles and sell them—and guess who gets the bill but not the profit.

4DSymptoms of Hijacked Account

  • Suddenly losing service
  • Your carrier says you went to a store, upgraded a few phones, then shut down your old device.
  • Or, the rep will straight-out ask if the problem is with your new iPhone—even though you never purchased one.
  • You were never at the store and never authorized any account changes.

If this happens to you, says an article at nbc-2.com, you’ll need to visit the carrier’s local store, show your ID and get new SIM cards. The carrier absorbs the costs of the stolen new phones.

But it’s not as simple as it sounds. What if in the interim, you need to use your phone—like during an emergency or while conducting business? Or your phone goes dead just as your teen calls and says she’s in trouble?

The thief, with a fake ID, waltzes into a store that does not have tight owner-verification protocols, and gets away with changing the victim’s account and buying expensive phones.

The nbc-2.com report says that this crime is on the increase and is affecting all four of the major mobile carriers: AT&T, T-Mobile, Verizon and Sprint.

Here’s another thing to consider: The thief may keep the new phone, which still has your number, to gain access to your online accounts via the two-factor authentication process—which works by sending a one-time numerical text or voice message to the accountholder’s phone.

The thief, who already has your online account’s password, will receive this code and be able to log into the account. So as innocuous as stolen phones may seem, this can be a gateway to cleaning out your bank account. The thief can also go on a shopping spree with mobile phone based shopping.

We’re all anxiously waiting for mobile carriers to upgrade their store security so that people just can’t strut in and get away with pretending to be an accountholder. Biometrics come to mind. Photo IDs are worthless.

In the meantime, accountholders can create a PIN or password that’s required prior to changing anything on the account.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

How to digitally detox on Vacation

Many years ago when you were on vacation, before Facebook, Instagram and Twitter were invented (assuming you were an adult then), you had a great time, right? You weren’t “connected,” because there was no social media to be connected with.

2DIf today you can’t imagine being disconnected from social media while on vacation, ask yourself how this can be, if years ago, you never missed what had not yet been invented.

And what about constantly checking e-mail while on vacation? Or constantly perusing various websites with your mobile while at the beach?

Intel did a recent study:

  • 55% of Americans can’t disconnect while vacationing.
  • Two-thirds actually wanted to disconnect (detox), but less than half actually did so.
  • But when they did disconnect, 88% reported feeling okay about it and connecting better with travel mates.

Motivation to Detox

  • Know that cybercrooks are banking that vacationers do not disconnect.
  • Vacationers are especially vulnerable when they use public Wi-Fi, as cyberthieves can “snoop” on login entries and steal login information (such as to your bank, or get your credit card number when you online shop at the coffee house).
  • Can’t stay away from your e-mail when vacationing? Cybercrooks can gain access here, too.
  • Though installation of a virtual private network will prevent cyber snooping, it won’t prevent shoulder surfing, or thieves using high powered cameras to capture what you’re doing across the coffee house.
  • Of course, your devices should have security software that’s always updated.
  • Your devices should be password-protected as well.
  • Before embarking on your vacation (and not a few days before, but a few weeks before), practice disconnecting for 24 hours. If you must check your e-mail daily for business purposes, at least practice disconnecting from social media for 24, even 48 hours. Can you do it?
  • Can you stay off your mobile device while waiting at the dentist’s office or at the motor vehicle agency?
  • These “home” practice sessions can help you overcome withdrawal symptoms of not checking Twitter, Facebook or e-mail every 10 minutes.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Predators use Emojis to target Kids

Who’d ever think those silly little yellow circular faces and other such cyber symbols would become such a worldwide smash? I’m talking about emoticons, also known as emojis. Five years ago Apple put an emoji keyboard on its mobile devices. Six billion of these doggone things are sent every day.

12DBut a story at kdvr.com says this isn’t as innocent as it seems.

The story mentions Sheila Allison and her 12-year-old who regularly communicate via emojis. For instance, Allison’s job means she’s not home when her daughter is going to bed, so she sends emojis for zzzz’s, kisses and princess. (There’s an emoji for everything, and not all of them are faces; some are animals, fruits and other symbols.)

So expansive is the emoji language that a person may be considered fluent in it, knowing the hidden meanings of these icons.

Mike Harris hunts down pedophiles for a living, says the article. He’s fluent in emoji, knowing over 1,200 of the icons. He points out that one emoji may have three or four different meanings.

There’s even a Speak Emoji app that translates “emojiese.” The symbols can be used to bully and threaten. They can be used to communicate any number of messages, such as, “Got any crack?”

There are emojis with very concrete meanings, such as bomb, gun and knife symbols. Others are a bit more cryptic, though sending the emoji of a frog to someone you recently called “ugly” should have an obvious interpretation.

More Meanings

  • Dog (even cute) emoji = b–ch.
  • Pile of poop = sh*t.
  • Harris explains that the sequence of a running-man emoji and a bowling ball emoji means “I’m going to hit you.”
  • Guess what a scared face, knife and shower means.
  • Harris adds that a peach can mean erotic. So can raindrops.
  • Context is important; two people discussing the weather and sending raindrop emojis are meaning rain, nothing more.
  • Anyone whose head is in the gutter will use the banana emoji.
  • Meanings can be invented spur of the moment: sending the pig emoji to an overweight person or when discussing cops. An emoji of a shark (I’m sure there’s one) can refer to a lawyer.
  • But a very non-contextual emoji is footprints; this can mean beer.

Sorry, don’t shoot the messenger! Just giving all those over 30 a heads up!

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Another Successful Ransomware Attack

Ransomware thieves sure know how to pick their victims—institutions that store loads of highly critical data that they need on a daily basis, that without—even just 24 hours without—can have crippling effects. This form of cybercrime is growing by leaps and bounds.

11DRecently a ransomware attacker struck the network of the University of Calgary. An article at arstechnica.com says that the institution’s IT experts have made some headway in isolating the ransomware infection and making some restoration progress.

Why not just pay the thief and get the “key” back to the scrambled data? Because there is never any guarantee that these thieves will provide the cyber key after they are paid the ransom. And even when they do provide this key, there’s no guarantee it will release all of the hijacked data, but only some of it.

“Ransomware attacks and the payment of ransoms are becoming increasingly common around the world,” says a statement out of the arstechnica.com report. Decrypting the scrambled data “is time-consuming and must be performed with care,” continues the report. “A great deal of work is still required by IT to ensure all affected systems are operational again,” and this process requires patience.

The University of Calgary is a research institution that absolutely cannot afford to lose its data, points out the university’s vice president, Linda Dalgetty, in an article from The Globe. She explains, “We are conducting world class research daily and we don’t know what we don’t know in terms of who’s been impacted and the last thing we want to do is lose someone’s life’s work.”

Ransomware crimes have become so commonplace that some thieves have set up call centers for victims who don’t know how to navigate their data hostage situations, such as how to pay in bitcoins—the highly preferred payment methods by the criminals.

Often, the thief imposes a deadline for the payment, and if it’s not met by that deadline, the payment escalates.

This is actually really stupid. Meaning, if the last thing anyone wants to do is lose someone’s life’s work, then BACK IT UP. That’s “Data 101”.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

You need Two-Factor Verification for your Amazon Account

If you have a strong password for your Amazon account, you may still want to consider beefing up the security with two-factor verification (or authentication), which will prevent a thief from accessing your account (which is possible if he gets ahold of your password and username somehow).

2D

  • Log onto your Amazon account.
  • Have your mobile phone with you.
  • Click “Your Account.”
  • Scroll down where it says “Settings—Password, Prime & E-mail.”
  • Click “Login & Security Settings.”
  • Go to “Change Account Settings” and at the bottom is “Advanced Security Settings.” Hit “Edit” there.
  • You are now on the page for setting up two-step verification. Hit “Get Started.”
  • You will see two options. For ease of setting up the two-factor, choose the text message option.
  • Follow the instructions and wait for the texted code.
  • Enter the code and click the “continue” button.
  • You will now be on a page for adding a backup number—which is required.
  • You cannot use the same phone number you just did for your initial setup. If you do not have a landline for the backup number, and your only phone is a “dumbphone,” you will not be able to use the two-factor service from Amazon.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

How to protect your Mobile Phone from Hackers and Thieves

Let’s cut to the chase:

  • Regularly back up the phone’s data! If this is done every day, you won’t have to worry much about losing important information if something happens to the phone—such as a ransomware attack.
  • Keep the phone’s software and applications updated.
  • Delete apps you no longer use, as these can reveal your GPS coordinates and garner data about you.
  • Never post about your vacation while you’re on vacation.

6WBut there’s more:

  • Employ the device’s password-protect function (which may even be a biometric like a fingerprint).
  • If the phone has more than one type of protection, use both.  You just never know if the phone will get lost or stolen.

Public Wi-Fi

  • Never use public Wi-Fi, such as at airports and coffee houses, to make financial transactions.
  • Though public Wi-Fi is cheaper than a cellular connection, it comes with risks; hackers can barge in and “see” what you’re doing and snatch sensitive information about you.
  • If you absolutely must conduct sensitive transactions on public Wi-Fi, use a virtual private network or a cellular data network.

And yet there’s more:

  • Switch off the Wi-Fi and Bluetooth when not in use. Otherwise, your physical location can be tracked because the Wi-Fi and Bluetooth are constantly seeking out networks to connect to.
  • Make sure that any feature that can reveal your location is turned off. Apps do collect location information on the user.
  • What are the privacy settings of your social media accounts set to? Make sure they’re set to prevent the whole world from figuring out your physical location. This is not paranoia. As long as you’re not hearing voices coming from your heating vents, you’re doing fine.
  • Are you familiar with the remote wipe feature of your mobile device? This allows you to wipe out its contents/files without the phone being in your hand—in the event it’s lost or stolen. Enable it immediately.
  • And also enable the “find my phone” feature. You may have lost it inside your car’s crevasses somewhere.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Fake Realtor scams Children and their Parents

Ever peruse Craigslist for a new home? Nothing against Craigslist for doing that, but that’s where Coty Houston and David Yost happened to find a very alluring four-bed home for sale; looked perfect for their five young kids.

12DThen they all got squashed by a bomb: The man who sold it to them was not a licensed Realtor. Matthew Boros, however, used to be a real estate agent, but he never renewed his license. But this time, he had climbed through the house’s window (after placing an ad for it on Craigslist) and pretended to be the owner, with the plan of bilking the couple out of $5,000.

The couple was fooled by Boros’s charm. They had no idea that this kindly man, who had met their children several times, had been busted in the past for renting the same house out. They gave him a down payment and an additional $4,000, that day—in the name of expediting the sales transaction.

Yost remodeled houses for a living, so he had no problem starting the remodeling on this particular house, which definitely needed some repair and cleanup. He even replaced its electrical wiring.

Not long after, while he was working on the house, a man arrived asking why he was there. The vacant house had a real Realtor, who told Yost he was going to contact the police to report him for breaking and entering.

Next day, Yost found the house’s locks to be changed, his equipment still inside.

Houston visited the Second District Headquarters, armed with the payment and contract records from Boros. She and Yost then demanded their money back from Boros. Boros, though, told them he could prove with additional paperwork that the transaction was legal.

They met, and Boros refused to give a refund, but the police were waiting nearby and arrested the slug.

The couple is out $5,000, but may get their money back pending the judge’s decision. Boros pleaded not guilty. His lawyer claims to not have had sufficient time to study the case.

The ending is not all that bitter for the parents of five, however. They bought the house for real this time, with a reduced down payment.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Beware of these 4Scams

IRS

  • The e-mail (or phone call) says you owe money; if you don’t pay it immediately, you’ll be put in jail or fined.The scammer may know the last four digits of the victim’s Social Security number.
  • Caller ID will be spoofed to look like the call is from the IRS.9D
  • The e-mail will include an IRS logo and other nuances to make it look official.
  • The scammer may also have an accomplice call the victim pretending to be a police officer.
  • The victim is scared into sending the “owed” money—which goes to the thief. Or, the thief gets the victim to reveal credit card information.
  • Another version is that the IRS owes the victim. The victim is tricked into revealing bank account information to receive the refund.
  • Know that the IRS will never contact you via e-mail or phone; will never threaten jail time, a fine or other threats like a driver’s license revocation.
  • If you owe, the IRS will send you snail mail, certified.
  • The IRS will never threaten to have you arrested.
  • If the subject line of an e-mail appears to be from the IRS, delete it.
  • If a phone call appears to be from the IRS, hang up.

Bereavement

  • Scammers scan obituaries for prey.
  • They then contact someone related to the deceased and claim something against the estate or that they’ll reveal a family secret scandal unless they’re paid.
  • If one of these scams comes your way, request written documentation of the claim.
  • Tell the sender you’ll send this documentation to the executor.
  • If you’re blackmailed, contact a lawyer.
  • Never arrange to meet the sender.

Computer Hijack

  • This may come as a phone call: A person claiming to be a Microsoft rep informs you that your computer has been hacked and he’ll fix it—or you’ll lose everything.
  • He wants to convince you to let him have remote control or “sharing” of your computer…and from there he’ll try to get your credit card number…

Investment Scam

  • Someone halfway around the world has chosen YOU to handle a large amount of money, and you’ll be paid richly for this.
  • The sender often has a foreign sounding name, but even common names are used.
  • Often, there’s some smaltzy message in the e-mail subject line like “God bless you” or “Need your help.”
  • Delete e-mails with any subject lines relating to investments, inheritances, mentions of money, princes, barristers or other nonsense.
  • If you feel compelled to open one, don’t be surprised if there are typos or that it’s poorly written. Do NOT click any links!

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Will Biometrics replace Passwords?

The days of using a computer to access your bank account, using a password, may be coming to an end, to be replaced entirely (as some experts believe) with a fingerprint or face scan using a smartphone.

8DThe smartphone employment of such biometrics will drastically reduce hacking incidents, but will be problematic for those who do not own a mobile device. Major banks are already offering the fingerprint scan as a login option.

Other biometrics currently in use by banks are the eye scan, facial recognition and voice recognition. Banks are sold on the premise that biometrics offer significantly more protection of customers’ accounts than does the traditional means of accessing accounts, what with all the hundreds of millions of data pieces (e.g., SSNs, e-mail addresses) that have been leaked thanks to hackers.

Though biometric data can be stolen, pulling this off would be much more difficult than obtaining a password and username. For instance, only a specific mobile device may work with the owner’s biometrics; a crook would have to have possession of the phone in order to hack into the owner’s bank account.

Nevertheless, biometrics aren’t foolproof even for the rightful owner, in that, for instance, poor lighting could skewer facial recognition.

Unlike the once-venerable password, banks do not keep customers’ biometrics in storage; your fingerprint is not in some secret cache of your bank. Instead, banks store templates in the form of numerical sequences that are based on the customer’s biometrics.

Can hackers obtain these templates? It’s possible, but with additional security layers, banks say that it would be very difficult, nothing compared to the ease of getting someone’s traditional login data.

For instance, an extra security layer might be that the biometric of eye recognition requires a blink—something that a thief can’t do when using a photo of the accountholder’s eye for the scanning recognition process.

Doubling up on login requirements—biometric plus password—is an even stronger defense against hackers. And banks are doing this with the fingerprint biometric.

In a world where it seems that the hackers are getting closer to taking over, the time for biometrics as being a part of the login process has arrived—and not too soon.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

What is Malvertising?

Malevolent advertising is called malvertising. The “ad” is placed on a website by cybercriminals who want control of your computer for financial gain.

11DAnd the real scary thing about malvertising is that these trick-ads have appeared on trusted, popular websites like the Weather Network, BBC, NFL and the New York Times.

Oh, and it gets worse: The malicious ad can be hidden, unseen by the site visitor, thanks to a special html code that allows the bad ad to be inside legitimate content. This trick-code is usually hidden in what are called iframes—without affecting the rest of the site appearance.

The type of cybercriminal who succeeds at this needs to be patient and clever.

  • Legitimate advertisers place their ads with ad networks, bidding for ad placement.
  • Ad networks, which handle the bidding, serve the ads to websites.
  • Crooks may place legitimate ads with these networks to gain a good reputation, or, crooks run networks.
  • After building trust with placement of legit ads, the crooks graduate to ad placement on high traffic sites, and then they put in their malicious code in the iframes: malvertisements.
  • When you’re on one of these infected pages, the ad will release malware to your computer that can do a whole host of damage.

What to do?

  • Keep all your software and systems up to date.
  • Install an ad blocker, but be judicious, because ad blockers can disrupt the presentation of some sites, e.g., blocking some content, not just the ads. You may not mind this inconvenience, but also realize that an ad blocker will not block every malvertisement, either.
  • Install antivirus software or an anti-exploit kit that will snuff out exploit kits, a favorite tool of the malvertiser.
  • Exploit kits prowl your computer for vulnerabilities, and the right software will detect and neutralize them.
  • Uninstall browser plugins you have no use for, especially if they’re the vulnerable Adobe Flash and Java.
  • Set the remaining plugins to click to play, which will give you the option to run a plugin when a site you’re visiting wants to load one.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.