Protect your USPS Mail from Getting Stolen

/0 Comments/in , , /by

USPSID stands for U.S. Postal Service Informed Delivery. It is a good thing to sign up for because it informs you of your expected deliveries.

But there’s a problem: Someone ELSE could pose as you and sign up for this service, getting your mail before you have a chance to.

In fact, it has already happened. Crooks have signed up as other address owners and collected their mail.

This can lead to credit card fraud if some of that mail includes new credit cards or credit card applications.

And what if the mail includes a check? The thief could find a way to get it cashed. What a thief could do with your mail is limited only by his or her imagination.

Krebsonsecurity.com reports that seven crooks in Michigan used the USPS to, not surprisingly, apply for credit cards via those applications that we all get.

Then they waited for the new cards to arrive. They knew just when they’d arrive, too, and planned to raid the owner’s mailbox on that date. Of course, the owners never even knew that the cards were applied for.

The crooks obtained the cards and spent a total of about $400,000. Needless to say, they didn’t bother stealing the bills.

Though a key on your mailbox will surely help, you can add an extra layer of protection by emailing eSafe@usps.gov to opt out of the service. This will prevent anyone from using it in your name.

KrebsOnSecurity reports that this email address may be inactive. So at least have your mailbox fashioned with a lock – even if you do get a response from that email address.

Another thing you can do is get a credit freeze, though this doesn’t guarantee 100 percent that a thief won’t be able to sign up your address with the USPS, but the freeze will prevent new credit cards being opened in your name.

What Else Can You Do?

  • Check your existing credit card statements every month for any odd or unfamiliar charges and report them immediately even if the amount is small.
  • Contact credit reporting agencies (Equifax, Experian and TransUnion) and sign up for alerts to any changes in your credit report.
  • Can’t be said enough: Get a locking mailbox, there’s simply too much sensitive information not to.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

 

Foreign Bad Actors Hacked Marriott

/0 Comments/in /by

You have probably heard about the latest major data breach, right? The Starwood hotel chain, which is owned by Marriott, was hacked. More than 500 million people were affected by it, and now, we have learned that a hostile, foreign intelligence service is likely behind it.

Most of the data that was compromised is unsurprising, such as emails and names, but other information that was accessed is a bit puzzling. This includes passport information and where people traveled. A U.S. intelligence official, who does not want to be identified, has said that this breach fits the mold of China being behind it.

Though there is nothing specific to point the finger at China, the techniques, tools and procedures that were used are commonly being used by hackers who work for the Chinese government. However, it is important to keep in mind that other hackers would also have access to these tools.

For now, the investigation is continuing into the data breach, and nothing official has been released. The FBI continues to remain on the case, and Marriott has said that it has no idea who or what is behind this hack. At this point, they are choosing not to speculate.

Robert Siciliano Marriott

The hotel chain has both internal and external teams working on exposing the hackers, and the main clue they are focusing on is the type of data that was accessed, such as passport numbers and the times and dates that people checked in and checked out of the hotel. This information could be very valuable to foreign countries, including China, who might want to create counterfeit passports. The State Department, however, has told NBC News that a new passport could not be made by using passport numbers alone.

This hack is part of a series of hacks that have plagued businesses over the past few years and recent months. In fact, this hack went on for four years before Starwood even realized that it was getting hacked! This is a pretty long time when you consider that the average hack goes on for 101 days before it’s discovered. What’s even more disturbing is the fact that the company knew about this hack since September, but it didn’t announce it until the beginning of December.

Marriott has responded to this. It says that it is improving the way it deals with cyber security, and, in addition to working out what happened in this hack, it is analyzing how it can improve the way it deals with customer data.

How to Create Bulletproof Passwords

/0 Comments/in , /by

It is a hassle to keep track of all of your passwords. So, many people use the same username and password combination for all of their accounts. This, however, is a big mistake. All it takes is one hacker getting ahold of one of your accounts, and the rest of your accounts are now compromised. Thankfully, there is a pretty easy way around this…One way is a password manager and for those who don’t trust them, try below.

Creating Passwords that are Unique

The best passwords are 14 characters. Passwords that are shorter are statistically much easier to guess. If a site doesn’t allow a password that is 14 characters, you can adapt the following to fit:

Make a list of all websites you have a username and password for, and then make lists categorizing them. For instance, put all of your social media sites together, your email sites, your shopping sites, and banking sites.

Next, create an eight-character password. This will be used as the first part of every password that you create. For instance, it might look like this:

H76&2j9@

Next, look at your categories. Create a three-character password for those. So, you might do this:

  • Social media sites – SM$
  • Email sites – @eM
  • Shopping sites – $ho
  • Banking sites – BaN

Finally, the last three characters of the 14-character password will be specific to the website.

Let’s say you are creating a password for your Facebook account:

Eight-character + three-character (category) + three-character (unique to site)

So, your password for Facebook would be:

H76&2j9@SMSg5P

This is now a very strong password ad for some of you that is much easier to remember. But not me, above doesn’t work for me. More in a minute…When you have to change your password in the future, you can keep the final six characters and just change the first eight.

So, how do you remember the first part of the password? One way is to just write it down in a secure location. Don’t keep in near the computer, though. Another thing that you can do is to create a passphrase, which makes it easy to remember a password.

Let’s use this phrase

“My sister asked me for milk and butter.” If you take the first letter of all of those words, you would have this:

MSAMFMAB

This could be used as your eight-character common denominator.

You can even go further and make it more secure by swapping out some of the letters with numbers or symbols:

M3AM4MA8

Now, the common part of the password is even more difficult to guess, yet still fairly easy to remember. You can also use this method for the shorter part of the password, or even come up with your own methods for password success.

Oh and that “in a minute” comment…just use a password manager and forget the above madness. My password manager created this: *zWo5j!wUxCVWV and it means nothing and I’ll never remember it because my password manager serves as my memory now.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

What the Hell is a Psychopath?

/0 Comments/in /by

Psychopath, psychotic, sociopath – it’s all the same, right?

WRONG.

The above terms are actual medical terms, used by board certified psychiatrists plus psychologists.

Your Best Friend Could Be a Psychopath

The psychopath isn’t always homicidal. He – or she – can be your workplace manager who makes life miserable for his subordinates, enjoys this power, and steals employees’ ideas and presents them to the company president as his own.

Or he’s the guy next door who one day rescues a kitten from a tree and hands it to its seven-year-old owner, then next night rapes and kills a woman he just met at a bar.

He’s the church-goer who organizes charity events, shovels driveways for elderly neighbors, then decides it’s time to rape and kill another woman.

He’s pretty good at cleaning up the evidence and may evade detection for years, unlike the disheveled, high school dropout sociopath who leaves a mess and is arrested within a few hours.

Traits of a Psychopath

  • Charming, charismatic
  • Skilled at lying and manipulation
  • Puts on convincing fronts
  • Lacks conscience, empathy and remorse
  • Often quite intelligent and highly educated and accomplished, though he may also inflate his achievements to win over potential victims.
  • Considers people as only tools to get what she wants and doesn’t care if they die in the process (e.g., woman whose husbands keep dying under mysterious circumstances while she collects the life insurance payoff).
  • The person whom nobody believes committed all those murders.

The sociopath is a very obviously unhinged individual, often with a drug problem and will kill for the next fix.

Psychiatry tends to believe that psychopaths are born, not made; while sociopathy arises from mostly a rotten childhood.

What about the psychotic?

She’s the person who thinks she’s God or the man who thinks the CIA is transmitting electron beams through his skull to read his mind.

Psychotic adults in the past 50 years haven’t killed as many people as sociopathic and psychopathic teens with guns and knives in the past 12 months.

Psychosis is a detachment from reality, often with delusions and hallucinations.

While the psychopath functions brilliantly in society, mowing down anyone in his way and often getting away with it, and while the sociopath lives on the fringes and struggles day to day, the psychotic may be sitting in a corner communicating with space aliens.

The psychotic who murders may sincerely apologize through tears at the sentencing hearing, because they can experience remorse and guilt.

The psychopath and sociopath are sorry only that they got caught. BASTARDS.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video

Problems for Quora Keep Building

/0 Comments/in /by

Quora, the popular question-and-answer website, is the latest entity to be affected by a massive data breach. This time, it is estimated that 100 million people could be affected.

Adam D’Angelo, CEO of Quora, released a blog post that explained user account information (like email addresses and user names) as well as encrypted passwords and other data were accessed by the hackers. Additionally, he wrote that comments, public questions-and-answers and even direct messages could have been accessed.

D’Angelo stated that Quora is working quickly to get more information on the breach and that it is taking important steps to ensure that it prevents a breach from happening again.

Quora is a privately held company based in California. Users of the site can ask questions about almost anything, and other users answer these questions. The company claims that it has more than 300 million unique visitors per month. Although this data breach is not as devastating as others, such as the other recent breach announced by Marriott International, it is still concerning. The Marriott breach went on for several years, and more than 500 million people were affected. For about 327million, their passport numbers, birth dates and more were accessed.

The Quora breach was not as serious. The biggest concern for people affected by this breach is the possibility of falling for a phishing scam. Basically, these scams work by tricking people into clicking email links that allow the scammer to get personal info or installing malware onto the victim’s computer. This could be significant, however, as some of the data has come from networks like Facebook, which users can connect to their Quora accounts.

This is a really good reminder to anyone with social media accounts, or other online accounts, to consider a throwaway email account. This is an account that is neither connected to work nor your primary email account. This way, if it gets hacked, you can simply delete it.

To add some insult to injury, Quora also just announced that a “malicious third party”has accessed one of its systems. The company is currently investigating the issue, and it’s working with a security firm to get to the bottom of it. Quora is also in the process of notifying any users who might have been affected by this breach. They are also logging these people out of the site and forcing them to change their passwords.

Last thing: I’m a fan of Quora, and yes, this breach sucks, but it’s less sucky than others. Feel free to ask me a question on my Quora.

10 Ways to Prevent Holiday Shopping Scams

/0 Comments/in , , /by

The winter holidays: a time for festivities and … fraud-tivities.

Gift Card Grab

Never, ever enter your credit card or other sensitive information to claim a gift card that comes via email.

Never Buy Over Public WiFi

Shopping over public WiFi means your credit card, bank account or login data could get picked up by a cyber thief. Use a VPN.

Coupon Cautious

If a coupon deal seems too good to be true, then assume it is. End of story. Next.

Password Housekeeping

  • Change the passwords for all your sensitive accounts.
  • No two passwords should be the same.
  • Passwords should be a random salad of upper and lower case letters, numbers and symbols – at least 12 total.
  • A password manager can ease the hassle.

Two Step Verification

  • A login attempt will send a one-time numerical code to the user’s phone.
  • The user must type that code into the account login field to gain access.
  • Prevents unauthorized logins unless the unauthorized user has your phone AND login credentials.

Think Before You Click

  • Never click links that arrive in your in-box that supposedly linking to a reputable retailer’s site announcing a fantastic sale.
  • Kohl’s, Macy’s, Walmart and other giant retailers don’t do this. And if they do, ignore them.
  • So who does this? Scammers. They hope you’ll click the link because it’ll download a virus.
  • The other tactic is that the link will take you to a mock spoofed site of the retailer, lure you into making a purchase, and then a thief will steal your credit card data.

Bank and Credit Card Security

  • Find out what kind of security measures your bank has and then use them such as caps on charges or push notifications.
  • Consider using a virtual credit card number that allows a one-time purchase. It temporarily replaces your actual credit card number and is worthless to a thief.

Job Scams

Forget the online ad that promises $50/hour or $100 for completing a survey. If you really need money then get a real job.

Monthly Self-Exam

For financial health: Every month review all your financial statements to see if there is any suspicious activity. Even an unknown charge for $1.89 is suspicious, because sometimes, crooks make tiny purchases to gage the account holder’s suspicion index. Report these immediately.

Https vs. http

  • The “s” at the end means the site is secure.
  • Do all your shopping off of https sites.
  • In line with this, update your browser as well.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Beware of Rogue Cell Phone Charging Stations

/0 Comments/in , , /by

Humans have evolved a new body part: the cell phone. One day it will be part of anatomical illustrations of the body in health and medical books probably an appendage on your head. I’m not a Dr. so don’t quote me.

For now, we have to figure out a way to keep this appendage juiced up without being lured into a data-sucking battery-charge station.

There’s even a name for this kind of crime: juice jacking. The kiosk is designed to appear like a legitimate battery charging station, when in fact, it will steal your phone’s data while it’s hooked up.

Worse yet, sometimes the thief will set the station to deposit malware into your phone. The crook will then have access to all the sensitive information and images that you have on the device.

These fraudulent stations are often set up at locations where users would be in a rush and won’t have time to check around for signs of suspicion or even think about the possibility of getting their personal life transferred out of their phone and into the hands of a stranger.

Are these thieves smart or what?

But you can be smarter.

Prevent Juice Jacking

  • Before leaving your house, make sure your phone is fully charged if possible.
  • Buy a second charger that stays with you or in your car at all times, and make a habit of keeping your phone charged while you drive.
  • Of course, there will be times when you’re out and about, and before you realize it, your device has gotten low on power. And it’s time to hunt for a public charging station.
  • Have a cord with you at all times. This will enable you to use a wall socket.
  • Turn off your phone to save batt. But for many people, this will not happen, so don’t just rely only on that tactic.
  • Plug your phone directly into a public socket whenever you can.
  • If you end up using the USB attachment at the station, make a point of viewing the power source. A hidden power source is suspicious.
  • If bringing a cord with you everywhere is too much of a hassle, did you know you can buy a power-only USB cord on which it’s impossible for any data to be transferred?
  • Another option is an external battery pack. This will supply an addition of power to your device.
  • External batteries, like the power-only USB cord, do not have data transfer ability, and thus can be used at any kiosk without the possibility of a data breach.
  • Search “optimize battery settings” iPhone or Android and get to work.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Protect Yourself From Gift Card Scams

/0 Comments/in , , , , /by

So maybe Christmas now means the very predictable gift card swap, but hey, who can’t use a gift card? But beware, there are a ton of scams. This includes physical, not just digital, gift cards.

Regardless of who gave you the card, you should always practice security measures. Below are two common ways that fraudsters operate.

Transform Gift Card to Cash Twice.

If someone gives you a $200 gift card to an electronics store and then it’s stolen, you technically have lost money, as this is the same as someone stealing a wad of cash from your pocket.

Nevertheless, you’ll feel the loss just as much. Crooks who steal gift cards have numerous ways of using them.

  • Joe Thief has plans on buying a $200 item with your stolen gift card from your gym locker.
  • But first he places an ad for the card online, pricing it at a big discount of $130 saying he doesn’t need anything, he just needs money.
  • Someone out there spots this deal and sends Joe the money via PayPal or Venmo.
  • Joe then uses the $200 gift card to buy an item and sells it on eBay
  • And he just netted $130 on selling a stolen gift card that he never shipped.

Infiltration of Online Gift Card Accounts

Joe Thief might also use a computer program called a botnet to get into an online gift card account.

  • You must log into your gift card account with characters.
  • Botnets also log into these accounts. Botnets are sent by Joe Thief to randomly guess your login characters with a brute force attack: a computerized creation of different permutations of numbers and letters – by the millions in a single attack.
  • The botnet just might get a hit – yours.

Here’s How to Protect Yourself

  • Be leery of deals posted online, in magazines or in person that seem too good to be true and are not advertised by reputable retailers.
  • Buy gift cards straight from the source.
  • Don’t buy gift cards at high traffic locations, at which it’s easier for Joe to conceal his tampering.
  • Change the card’s security code.
  • Create long and jumbled usernames and passwords to lessen the chance of a brute force hit.
  • The moment you suspect fraudulent activity, report it to the retailer.
  • Spend the card right away.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.