Tax Identity Theft jumps on Payroll Scams

/in , , /by

Do you work for a corporation, especially in the U.S.? You may be at risk for tax return fraud.

9DADP is a payroll provider. Hackers were able to acquire tax information of employees of U.S. Bank from ADP. Now, this doesn’t mean that ADP was directly hacked into. Instead, what happened, it seems, their authentication system was flawed and ADP failed to implement a protection strategy for the personal data to keep it safe from prying eyes.

The crooks registered ADP accounts by using the stolen data of the bank employees. These accounts allowed the crooks to get additional W-2 information—enough to commit tax return fraud. In other words, looks like a W-2 gateway was created to file fraudulent tax returns.

If it happened to U.S. Bank and ADP, it can happen many places else.

ADP says that the breach did not originate from their computer network, but where exactly it did come from is not clear at this point, as there are multiple possibilities including the hacking into of a third party service.

The hackers also used a unique company issued URL. This URL is needed to register an ADP account. It is not known at this point in time if the U.S. Bank URL required credentials to gain access to or not, but since this data breach, U.S. Bank has withdrawn plans to further post the URL online. U.S. Bank has also removed their publicly accessible W-2 form from cyberspace.

Despite the data breach, there were only minimal effects to employees and customers of ADP and U.S. Bank. But the minimal adverse outcome is no reason to let your guard down. Next time, the institutions may not be so lucky.

Solution: Fill out the IRS Identity Theft Affidavit ASAP. Here: http://robertsicilian.wpengine.com/wp-content/uploads/2016/06/f14039.pdf

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Hacking Cars Getting Easier and More Dangerous

/in /by

If your car is in any way connected to the Internet, it can get hacked into. You know it’s only a matter of time before hackers begin infiltrating motor vehicles in droves, being that vehicles are plagued with hundreds to thousands of security vulnerabilities.

11DThis hack is more serious than you think. Drivers and passengers should be aware that “flawed” and compromised vehicles can suddenly be overtaken remotely, forced into shutting down the engine in the middle of a highway or drive the car into other cars.  And it’s not just cars, but 18-wheelers and busloads of people.

In fact, white-hat hackers (the good guys) have even demonstrated that a bad hacker could take control of a motor vehicle, ranging from annoying pranks such as turning on the windshield wipers and radio, to potentially lethal actions like stopping the engine.

Hackers could demand ransom from governments in bitcoins for the return of the vehicles’ control to their drivers. Or, as the Assistant Attorney General for National Safety has indicated, “connected cars are the new battlefield”. Connected cars could be used by terrorist organizations to create havoc on mass scale.  The possibilities are limited by the imagination.

This concern has motivated the FBI, Department of Transportation and the National Traffic Safety Administration to issue a public safety alert, warning consumers to keep their service schedule in order to enable to upgrade cars’ software with remedies to those security vulnerabilities.

Solutions are available and in the works.

  • If your car has any web connecting abilities, do your research for year/make/model. Searched “hacked” along with the cars particulars.
  • Manufacturers that have discovered security vulnerabilities (often because a researcher makes it public) have offered subsequent patches in response. These notices may come in the mail or through a dealership.
  • It’s important to check with your cars manufactures website to determine if a vulnerability exists.
  • A connected vehicle has ECUs: electronic control units. An article in Fortune says Karamba Security’s “Carwall” can detect and thwart cyber attacks. Carwall is like a firewall for your vehicle ECU. It detects anything that’s not permitted to load or run on ECUs.

When the ECU software is being built, security software can be seamlessly embedded, becoming part of the entire process. No change of code, no developers’ know-how, no false positives and no hacks. Problem solved.

Predators hunting Kids on Gaming Sites

/in , /by

As a parent, you may not be crazy about your child spending a lot of time “gaming.” Chances are good that your feelings are fueled by the fact that kids should play outside, be more social, and are getting addicted to tech or maybe the correlation between childhood obesity and excess computer time. It’s not pretty.

12DHowever, there’s another elephant in the room, perhaps squeezing out the obesity threat: the pedophile threat.

Recently on a Long Island college campus, a male student was found to be traipsing through gaming sites that are popular with young boys such as Grand Theft Auto and Minecraft. The 21year old predator, convinced three underage boys to take sexually explicit pictures and send them to him.

It’s tempting to question what these boys were thinking, that they would so freely take and send sexually explicit images of themselves to a complete stranger. But the predator played a numbers game in his trolling quest, finding three vulnerable victims and convincing them that he was “Allison Denario” and ask for the photos.

He’d then pose as Allison’s furious boyfriend. Of course, in real life, an angry boyfriend would normally demand that the photos stop. But “Allison”’s boyfriend told the boys his father was a cop or FBI agent. This angry cyber stranger demanded the boys perform sex acts on camera or he’d snitch on them for sending Allison the images. So. Flipping. Dark.

Well, Mt Predators little game was short-lived and he was charged with child pornography.

For Parents

  • Get an activated security suite for the computer before any game playing begins.
  • Create long strong passwords. Please, no 123Gamer or Jayson14. So a long strong password might be a phrase ImaHugeStarWarsfan or a nonsensical jumble like gowkg850(4)2.
  • Before any game playing, check its Entertainment Rating Software Board’s rating.
  • Protecting your kids is more than just great passwords and online security features. Make your children feel that they won’t be judged or blown off by you if they report something peculiar or suspicious.
  • Teach your kids how to make these reports, about “catching the bad guy in real life.” Feel free to refer to the bad guy as a predator, not just “bully.” Many kids think of “bullies” as other kids who call each other names online. But if a child is old enough to play on gaming sites, they’re old enough to be taught about adult male cybersexual predators and how they pose as young girls.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Technology and Home Security wed

/in , , /by

Gone is the day when, while out on a romantic evening with your special someone, you suddenly realize you forgot to turn on your house alarm. You spend the rest of the long evening fretting about this.

2HNowadays, all you need do is whip out your smartphone and activate the alarm. You can even view the interior and exterior of your property in realtime with smarthome security cameras. And rest assured, if someone breaks in while your eyes are glued to the big movie screen, you’ll get a vibration alert.

We are getting closer and closer to a Jetson’s lifestyle; you know, George Jetson, the cartoon character who lives in the future? The Jetson household includes a female-looking robot dressed as a maid.

Robots

A house robot is no longer the thing of science fiction. Google is working on creating a robot that will help protect the house (and cleaning it is already being done with a Roomba). One of the tasks this robot would be able to do is prevent false alarms with the home security system. “What can be conceived can be achieved,” so the saying goes.

Laser Beams

  • Laser beams have been in existence for a while, that can detect motion and set off an alarm.
  • But this technology has much room for advancement in the security world and is growing.

More Advancements

  • Like an airplane on autopilot, your home’s security system will one day truly be on autopilot, with you at the helm no matter where you are.
  • But remember, robots, laser beams and other forms of technology will never replace common sense. You can have the most state-of-the-art technology working to protect your house, car, boat, even your person (with smartphone apps that can sense an unintentional fall, or with one touch of a button, summon an emergency response and give out your GPS coordinates) – but all this may mean zilch if you’re not wearing a seatbelt or if you’re texting while driving. Or if you’re climbing up on the rails of the cruise ship you’re on.
  • So even though the war against home intruders is closing in on them, sometimes our greatest enemy is oneself.
  • In the meantime, take advantage of what the booming home security market has to offer. Home security companies typically offer free consultations.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Mortgage Scams plague Homeowners and Agents

/in , /by

There are things you should know before you purchase your next house—even if you foresee that being years away. Take note of what’s in this article—and keep the notes where you’ll never forget where they are.

3BA hacker could fool you into thinking he’s your agent and trick you into sending him money—which you’ll never get back. It’s so bad the FTC even sent an alert warning consumers that Real Estate Agents email accounts are getting hacked.

  • Let’s say your Realtor’s name is Bill Baker.
  • Bill Baker’s e-mail account gets hacked.
  • The hacker observes Baker’s correspondences with his clients—including you.
  • Ahhh, the hacker sees you have an upcoming closing.
  • The hacker, posing as Bill Baker, sends you an e-mail, complete with instructions on where to wire your closing funds.
  • You follow these instructions.
  • But there’s one last step: kissing your money goodbye, as it will disappear into an untraceable abyss overseas.
  • This scam can also target your escrow agent.

It’s obvious that one way to prevent this is to arrange a home purchase deal where there are zero closing costs.

The scam is prevalent, perhaps having occurred thousands of times. It was just a matter of time until scammers recognized the opportunity to target real estate agents and their clients.

The lax security defenses of the real estate industry haven’t helped. Unlike the entire financial industry who have encrypted communications, the real estate industry is a hodgepodge of free e-mail accounts and unprotected communications.

In addition:

  • Realtors, so often on the go and in a hurry, frequently use public Wi-Fi like at coffee houses.
  • Anyone involved in a real estate transaction can be hacked, such as lawyers.

Preventing the Scam

  • Eliminate e-mail as a correspondence conduit—at least as far as information on closings and other sensitive information.
  • On the other hand, you may value having “everything in writing,” and e-mail provides a permanent record. In that case, use encrypted email or some setup that requires additional login credentials to gain access to the communication.
  • For money-wiring instructions, request a phone call. And make this request over the phone so that the hacker doesn’t try to pose as your Realtor over the phone.
  • Any e-mailed money instructions should be confirmed by phone—with the Realtor and the bank to send the money to.
  • Get verification of the transfer ASAP. If you suspect a scam, have the receiving bank freeze any withdrawal attempt of the newly deposited funds—if you’ve reached the bank in time, that is.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Anonymous Begins a 30 Day Assault Against Central Banks

/in /by

“Anonymous” is an activist hacking group that has recently boasted that it will engage in 30 days of cyber assaults against “all central banks,” reports an article on cnbc.com.

2DAnd their bite is as big as their bark, as this announcement came soon after several major banks around the world were struck—and Anonymous proudly claimed credit. The banks that were apparently breached by Anonymous include:

  • Bangladesh Central Bank
  • National Bank of Greece
  • Qatar National Bank

Anonymous put up their plans on a YouTube video: a “30-day campaign against central banks around the world.” The hacking group calls their endeavor Operation Icarus, bragging about how they crumbled the Bank of Greece with a denial of service attack.

Anonymous has stated that it will target the following financial institutions:

  • Visa
  • MasterCard
  • Bank for International Settlements
  • London Stock Exchange
  • And of course, “all central banks” and “every major banking system”

Anonymous has a real gripe against banks, because they further state, “We will not let the banks win,” continues the report at cnbc.com. The hacking group wants everyone to know that their operation will be “one of the most massive attacks” ever committed in Anonymous’s history.

The article adds that another media outlet, Gulf News, reports that the hackers who infiltrated Qatar National Bank attacked yet another bank and intend on making the stolen data public for this second attack—very soon. It’s possible that this leaked data will be used for ransom.

For you, every day bank customer, don’t worry about any of this, BUT, always pay close attention to bank activity and make sure all transactions have been authorized by you. Sign up for alerts and notifications via text and email so you see every transaction in real-time.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Phishing Protection 101

/in /by

Phishing-type e-mails are designed to trick the recipient into either downloading a virus (which then gives the hacker remote control of the computer) or revealing enough information for the thief to open credit cards in the victim’s name, get into their bank account, etc.

13DThere are many ways the crook can trick the victim. Here are telltale signs:

  • The message wants you to “verify” or “confirm” your password, username or other sensitive information.
  • And why must you do this? Because “suspicious activity” has been detected on your account, or, your account “is at risk for being compromised.”
  • Your name may or may not be in the message. Always be suspect.
  • Financial institutions will never ask you to enter your login information in an email and be suspect on a website.
  • Another ploy is the subject line: There’s a sense of urgency, such as, “Your account is about to be suspended.” A business will contact you by phone or snail mail if there’s a problem.
  • Even if the e-mail seems to have come from your boss at work and addresses you by name, and includes a link…realize that a hacker is capable of learning enough about someone from their LinkedIn page and Facebook to then convincingly impersonate someone they know.

Links in E-mails

  • Typically there’s a link (when there’s not, there’s a malicious attachment).
  • Never click links inside e-mails even if the sender seems to be your employer, health plan carrier or other enterprise you’ve done business with.
  • Hover the mouse over the link. If the URL is different than what’s there, assume it’s a scam.
  • Generally, only click links in emails when you have to actually click the link to verify an email address once you have just signed up for a new website.

Additional Telltale Signs

  • Just weird stuff. For example, a person who edits for a living receives an unexpected e-mail explaining there’s an attachment that needs to be proofread; wow, a paying gig!
  • Not so fast. The accompanying letter is very poorly constructed, including misspellings of common words, and includes very irrelevant information, such as “I’m a single mom with three wonderful kids.” Why would THIS be included in a legitimate proofreading job?
  • Yet how did the scammer know you’re an editor? Because the crook’s software somehow found your e-mail on the editing gig site you registered with two years ago.
  • The subject line says you’ve won something, or you’ll lose something.
  • If you go to a website and don’t see your site key (if you registered with one), leave. But you shouldn’t have gone to the website in the first place!
  • Always beware of emails purportedly from FedEx, UPS, Amazon, Ebay or anything in your spam folder.

Embrace the idea of deleting reams of UNREAD e-mails without having opened them. If a subject line has you worried, such as “You owe back taxes” or “Your shipment was lost,” then phone the appropriate personnel to see if this is true.

If you suspect you’ve been scammed:

  • Log into whatever account might be compromised and check messages, contact customer service.
  • Place a fraud alert on your credit if your SSN was exposed.
  • Update your security software; run a full system scan.
  • If you revealed any login information, change that account’s login data.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Home Security Cameras 101: the Audio Element

/in , /by

Before buying a security camera, ask yourself:

  • Where do you intend on placing it?
  • How well-hidden can/will the unit be?
  • Are you familiar with laws pertaining to surveillance of people without them knowing about it and the associated audio recordings?

1HLaws vary from state to state regarding the audio element of a surveillance camera, but on a federal level, the requirement is that one person needs to be aware of the recording. Because this is the federal law, it makes it impossible for any state to allow zero people being aware.

So what this means is that it’s illegal to audio record in the form of eavesdropping. It’s prohibited, for instance, to secretly record a conversation that two people, without them being aware, are having across the room at a coffee house that you’re all in.

However, that federal rule that one person needs to be aware of the recording means that you can get away with “secretly” recording those two people—as long as you’re part of their conversation, sitting right with them. So if those two people learn you recorded them, they can gripe all they want, but you’re protected by federal law since you sat and talked with them.

The law for audio recording isn’t the same as for visual, in which the latter is allowable for publically seen environments. This is where “Dual Consent” comes into play for ANY audio recording. Some states require both parties need to consent to audio recording in order for the recording to commence.

These rules apply to phone conversations as well as cameras, which is why you often get an alert that your customer service call “may be recorded for training purposes.”

Loopholes

  • If one of those two people is informed you’re recording them, then all is well, though once at least one of them knows this, it’s sure to influence the conversation (unless it’s dual consent state).
  • What seems to be a contradiction of that aforementioned federal rule is that you CAN secretly record those two people—provided that you don’t intend to use the recording for any illegal purposes (unless it’s dual consent state).
  • So it looks as though you can secretly record a conversation between your wife and the man she’s cheating on you with, then present it to her later as evidence you caught her. Nothing illegal about that (unless it’s dual consent state).
  • But if you covertly record your boss conversing with his secret mistress, then threaten you’ll give the recording to his wife unless he gives you a $1,000 bonus, then that’s illegal.
  • This is NOT legal advice. Consult your attorney and local laws.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Government risks Consumers’ Identities

/in /by

Guess who may be compromising the security of your Social Security Number.

1PThe Social Security Administration!

Yep, that’s right. Did you know that 66 percent of the mail the SSA sends out contains someone’s Social Security number? This is what the inspector general of the SSA, Kimberly Byrd, says, and I believe it.

How many pieces of mail is this? Over 230,000,000. This situation is problematic.

  • The SSA claims it will cost over $19 million to reduce these mailings.
  • It also won’t happen anytime soon.
  • The SSA can’t even give a time estimation for when these mailings will be cut back, and Byrd says that security should trump convenience.
  • It is not known what percentage of the mail-outs reach their intended addresses, and this includes the not-so-uncommon problem of mail carriers delivering to the wrong address. Imagine that the wrong recipient is also an identity thief, and sees that Social Security number upon opening someone else’s mail…
  • Another reason many mail-outs may end up in the wrong hands is that the addresses are no longer accurate for the recipient.
  • And then of course there is mail theft. Or someone can easily change your mailing address. It’s maddening actually.
  • Though some mailings do require the SSN, others don’t, and many other entities, such as private businesses, have found a way around this sticky problem, though this doesn’t mean they’ve eliminated 100 percent of it.
  • Another plan to help reduce the number of SSNs flying around out there is the use of the Beneficiary Notice Control Number—used on a case-by-case basis, says the Social Security Administration.

Nevertheless, it’s maddening that the Administration has failed to yield a deadline range for these changes. Let’s face it, the SSN is responsible for the judicious handling of our Social Security numbers, and 230 million mailings—without verification that the addresses match the recipients—is hardly judicious.

Think of how often, over the past five years, you’ve accidentally received someone else’s mail. This is common and a gateway for crooks to steal somebody’s identity.

The Fix

  • The SSA should make deletion of SSNs from their correspondence a top priority—and once they do that, things will start falling more together.
  • Revisit the estimated cost it would take to implement the reduction of mail containing SSNs.
  • YOU need to getting a locking mailbox.
  • YOU need to get a credit freeze and invest in identity theft prevention. These two solutions make your SSN relatively less attractive to a thief.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

How the FBI hacks You

/in , /by

In a recent Wired.com expose’, they expose how the FBI has been secretly hacking civilian computers for about 20 years, but thanks to Rule 41, their ability to hack has been expanded.

11DNevertheless, effective record keeping for these hacking incidents doesn’t exist. For instance, search warrants that permit hacking are issued using elusive language, and this makes it difficult to keep track of when the feds hack.

Also, it’s not required for the FBI to submit any reports to Congress that track the FBI’s court-sanctioned hacking incidents—which the FBI would rather term “remote access searches.”

So how do we know this then? Because every so often, bits of information are revealed in news stories and court cases.

Carnivore

  • Carnivore, a traffic sniffer, is the FBI’s first known remote access tool that Internet Service Providers allowed to get installed on network backbones in 1998.
  • This plan got out in 2000 when EarthLink wouldn’t let the FBI install Carnivore on its network.
  • A court case followed, and the name “Carnivore” certainly didn’t help the feds’ case.
  • Come 2005, Carnivore was replaced with commercial filters.

The FBI had an issue with encrypted data that it was taking. Thanks to the advent of keyloggers, this problem was solved, as the keylogger records keystrokes, capturing them before the encryption software does its job.

The Scarfo Case

  • In 1999 a government keystroke logger targeted Nicodemo Salvatore Scarfo, Jr., a mob boss who used encryption.
  • The remotely installed keylogger had not yet been developed at this time, so the FBI had to break into Scarfo’s office to install the keylogger on his computer, then break in again to retrieve it.
  • Scarfo argued that the FBI should have had a wiretap order, not just a search warrant, to do this.
  • The government, though, replied that the keylogger technology was classified.

Magic Lantern

  • The Scarfo case inspired the FBI to design custom hacking tools: enter Magic Lantern, a remotely installable keylogger that arrived in 2001.
  • This keylogger also could track browsing history, passwords and usernames.
  • It’s not known when the first time was that Magic Lantern was used.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.