A ‘Whac-A-Mole’ Approach to Preventing Identity Theft

Robert Siciliano Identity Theft Expert

Computerworld illustrates the current state of information security by citing a childhood arcade game: “If you’ve ever played the silly, maddening game known as ‘Whac-A-Mole,’ you know what futility feels like. As you smack one mole with the mallet, up pops another one. Their speed and number escalates as you flail away, trying to keep up. At some point, you realize there’s no hope of winning.” That’s why I hated that game. I was attracted to it at first, because, like Barney Rubble’s son Bamm-Bamm, I liked hitting stuff with blunt instruments. But that only takes you so far. To win, you need skill and precision.

In today’s world of cyber security and identity theft prevention, it isn’t enough to chase the next mole and whack it with another patch, or shred your own data and hope that someone doesn’t hack your cell phone company. You need to understand the problem and proactively implement a solution.

In the late ’90s and early 2000s, hackers hacked for challenge, fun, and fame. It made them popular among other hackers. Soon after, consumers began spending more time online. They used their PCs to shop, bank, and manage personal affairs. Now, hackers aren’t just wreaking havoc, deleting files, or making IT administrators miserable; they’re also stealing proprietary data. The real game is illegal financial gain. Hackers’ motivations have changed, which means that you need to change your perceptions of what a computer is, and how to operate it. It’s no longer just something to play Solitaire on, or a place where you socialize with friends. Now, it’s a cash register to a hacker. It’s a bank. And it should be treated and respected like a vault.

  1. Run Windows Update (it may also be labeled “Microsoft Update”) on your PC. If you have Windows XP, you want “Service Pack 3” installed. You can also go to “Control Panel” and then “Security Center” and turn on automatic updates, so Microsoft will install the latest security upgrades automatically. If you have Vista, the process is similar, but you want “Service Pack 1.”
  2. Install antivirus software. Most PCs come bundled with software that runs for free for up to a year. Once it expires, you need to renew the license. If you don’t, every day that your software isn’t updated provides more opportunity for criminal hackers to turn your PC into a zombie that sends viruses to other PCs or sends spam shilling Viagra.
  3. Install anti-spyware software. Most antivirus providers define spyware as a virus now. However, it’s still best to run a spyware removal program once a month or so, to ensure that your PC is rid of software that could allow a criminal hacker to remotely monitor your data, keystrokes, and the websites you visit.
  4. Use Firefox. Internet Explorer is clunky, and the most frequently hacked software that exists. Mozilla’s Firefox is more secure.
  5. Secure your wireless. If you’re running an unsecured wireless connection at your home or office, anyone can jump on the network and access your files from up to 500 feet away. Your router should have instructions on how to set up WEP or WPA security. WPA is better. If this is a foreign language to you, you should either hire someone, or ask your 15-year-old for help.
  6. Install a firewall. Microsoft’s operating system comes with a built-in firewall, but it isn’t especially secure. Go with a third-party firewall that comes prepackaged with antivirus software.
  7. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  8. Invest in Intelius Identity Theft Protection and Prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Includes:

Personal Identity Profile – Find out if you’re at risk for identity theft with a detailed report of your identity information, including a current credit report, address history, aliases, and more.

24/7 Identity Monitoring and Alerts – Prevent identity theft with automatic monitoring that scans billions of public records daily and alerts you to suspicious activity.

Identity Recovery Assistance – Let professionals help you recover your identity if you ever become a victim of identity theft.

Robert Siciliano, identity theft speaker, discusses criminal hackers targeting wireless devices on Fox News.

Web-Based Email Insecurity Leads to Identity Theft

Robert Siciliano identity theft expert

I recently appeared on Fox and Friends to discuss email hacking. Dave Briggs, a FOX & Friends Weekend co-host, lost access to his Hotmail email account when hackers were able to guess either his password or his qualifying question. (He admitted that his password was not as strong as it should have been.) The hackers locked Briggs out of his own account and spammed all of his contacts with a fraudulent email that appeared to be written by Briggs himself, claiming that he was trapped in Malaysia and requesting that someone help him by transferring money via Western Union. Only after persistently contacting Hotmail administrators was Briggs able to regain control of his own email account.

Twitter was targeted by a similar hack, which led to a data breach. It is likely that the hacker guessed the answer to a Twitter employee’s security question and reset the employee’s password. On Wednesday, Twitter co-founder Biz Stone blogged, “About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked. From the personal account, we believe the hacker was able to gain information which allowed access to this employee’s Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company.”

And of course, Sarah Palin’s Yahoo email account was hacked into last year, during the presidential campaign. The hacker explained how easy it was in Wired.

Web-based email rocks! Since you’re no longer tethered to a PC-based client, you can access your email from anywhere. And all the data saved in your email account will be safe if your PC crashes. Many web-based email providers offer gigabytes of free storage and other useful tools like documents, RSS readers, and calendars. Life in the cloud is easier and more convenient. But is it secure?

PC Pro reported on a study run by Microsoft Research and Carnegie Mellon University, which measured the reliability and security of the questions that the four most popular webmail providers use to reset account passwords. AOL, Google, Microsoft, and Yahoo all rely on personal questions to authenticate users who have forgotten their passwords. The study found that the “secret questions” used by all four webmail providers were insufficiently reliable authenticators, and that the security of personal questions appears much weaker than that of passwords themselves. Yahoo claims to have updated all their personal questions in response to this study, but AOL, Google, and Microsoft have yet to make any changes.

Once a hacker has your email address, he or she can simply go to the “forgot password” section of your email provider’s website and respond to a preselected personal question that you answered when signing up for the account. With a little research, the hacker has a good shot at finding the correct answer.

Some of the current questions could be answered using information found on a user’s social networking profile, or through a website like Ancestry.com or Genealogy.com. Some answers might be found in the user’s trash. Some questions seek opinions, rather than facts. For example, “Who is your favorite aunt?” requires an opinion in response, but if a hacker knew the names of all your aunts, he or she could enter them all one by one. Some questions would be more difficult to answer. Unfortunately, if you signed up for your web-based email account over a year ago, before these email hacks became more common, your questions may be even easier to answer.

Gmail’s current personal questions are:

  • What is your frequent flyer number?
  • What is your library card number?
  • What was your first phone number?
  • What was your first teacher’s name?
  • Write my own question

Yahoo’s current personal questions are:

  • What is the first name of your favorite uncle?
  • Where did you meet your spouse?
  • What is your oldest cousin’s name?
  • What is your oldest child’s nickname?
  • What is the first name of your oldest niece?
  • What is the first name of your oldest nephew?
  • What is the first name of your favorite aunt?
  • Where did you spend your honeymoon?

I suggest that you check out the “forgot password” section on your own web-based email account, to see your current personal question. If it’s easy to answer, or would only require a little research to solve, update the question with one that you create based on opinion, as opposed to fact. And keep in mind that most people list “pizza” as their favorite food and “liver” as their least favorite. So be creative. You should also beef up your password. Combine uppercase and lowercase letters, as well as numbers. Don’t use consecutive numbers, and never use names of pets, family members, or close friends.
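The password and secret-answer advice above can be checked mechanically. This is an added example, not code from the original post; the rule codes, the three-digit run length and the look-alike character table are assumptions made for illustration, and the names and facts in the sample are constructed.

```python
import re

# Characters commonly swapped in for letters (assumed table for this example).
LOOKALIKES = str.maketrans("01345$@7!", "oieassati")
# The two answers the article says most people give.
COMMON_ANSWERS = {"pizza", "liver"}


def has_consecutive_digits(password, run=3):
    """True if the password holds a run such as 123 or 987 (length `run`)."""
    for i in range(len(password) - run + 1):
        chunk = password[i:i + run]
        if chunk.isascii() and chunk.isdigit():
            steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}):
                return True
    return False


def audit_password(password, personal_names):
    """Return rule codes for each piece of the article's advice that is broken."""
    issues = []
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        issues.append("no-mixed-case")
    if not any(c.isdigit() for c in password):
        issues.append("no-digit")
    if has_consecutive_digits(password):
        issues.append("consecutive-digits")
    # Undo look-alike substitutions so "M@r1a" is still recognised as "maria".
    flattened = password.lower().translate(LOOKALIKES)
    if any(len(n) >= 3 and n.lower() in flattened for n in personal_names):
        issues.append("personal-name")
    return issues


def _norm(text):
    """Lowercase and drop everything except letters and digits."""
    return "".join(re.findall(r"[a-z0-9]+", text.lower()))


def audit_secret_answer(answer, researchable_facts):
    """Flag answers that are common, or that match facts others can look up."""
    issues = []
    norm = _norm(answer)
    if norm in COMMON_ANSWERS:
        issues.append("common-answer")
    known = set()
    for fact in researchable_facts:
        known.add(_norm(fact))                               # whole fact
        known.update(re.findall(r"[a-z0-9]+", fact.lower()))  # each word
    if norm in known:
        issues.append("researchable-fact")
    return issues


if __name__ == "__main__":
    # Constructed sample data: names and facts someone could find on a profile.
    names = ["Rex", "Maria"]
    facts = ["Cancun", "Aunt Linda"]
    for pw in ("maria123", "M@r1a!x", "tR7vLq9mWz"):
        print(pw, audit_password(pw, names))
    for ans in ("Pizza", "Linda", "the smell of rain on hot asphalt"):
        print(repr(ans), audit_secret_answer(ans, facts))
```

An empty list means none of the article's rules were broken; it does not mean the password or answer is strong by any other measure.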

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius Identity Theft Prevention and Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.


Robert Siciliano, identity theft speaker, discusses hacked email on FOX & Friends.

Tweets Link to Identity Theft

Identity Theft Expert Robert Siciliano

“Misty Buttons” just started following me on Twitter. She’s curvaceous, bodacious and isn’t getting her needs met. Apparently, she needs me to meet those needs. It is, of course, a tempting offer that someone, somewhere may accept. But I’m going to pass.

Twitter porn and cybercrime are one and the same. Criminal hackers use porn to lure unsuspecting Twitter users into their lairs, where they distribute malicious software and solicit credit card data. In some cases, their victims may deserve to be scammed. Clicking on the links that these ne’er-do-wells post on their Twitter feeds can have a devastating effect on your PC and your bank account.

Internet security software provider McAfee reported a 500% increase in malware in 2008. That’s more than the past five years combined. And the FBI reported a 33% increase in Internet crime last year. According to a survey of 1000 firms, companies coping with data breaches lost an average of $4.6 million in intellectual property. This is all due to insufficient hardware, outdated software and the various ruses, such as those perpetrated by Misty Buttons, that trick technology users into opening a door to criminals.

But it isn’t just obvious Twitter porn that you need to watch out for. It’s also seemingly legitimate links posted by those you follow. Criminals have figured out that Twitter is a social network that brings people together. Strangers follow you, and you often reciprocate, following them back and bringing them into your network. As with email phishing scams, criminals post tweets highlighting current events, with links that lead to malicious sites or direct malware downloads. Numerous news outlets have reported on malicious tweets purporting to point to news about Michael Jackson, Obama, Farrah Fawcett, Iraq and even Sonia Sotomayor’s Supreme Court confirmation hearings. The shortened URLs that are necessary to keep tweets within the 140-character limit help mask these scams. As explained by NextAdvisor:

Whenever a complete URL is too long or cumbersome, many users turn to URL shortening services like TinyURL. Unfortunately, a condensed URL that appears harmless can easily lead to a malware download or phishing site, rather than the destination you were expecting. What appears to be a link to a friend’s home video may actually be pointing you toward the Koobface virus. Hackers can target a single URL shortening service and intentionally misroute millions of users.

How to protect yourself:

  1. Before you click on shortened URLs, find out where they lead by pasting them into a URL lengthening service like TinyURL Decoder or Untiny.
  2. Install anti-virus protection and keep it updated.
  3. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.
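
Step 1 above can also be done locally: ask each server in the redirect chain where it points, using HEAD requests so that no page content is downloaded. This is an added example, not part of the original post; the `example` hosts in the sample table and the warning heuristics are constructed for illustration.

```python
import http.client
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
# Illustrative heuristic (an assumption, not from the article): file types
# that usually mean "download and run" rather than "read a page".
DOWNLOAD_EXTS = (".exe", ".scr", ".msi", ".bat", ".zip")


def head_request(url, timeout=5):
    """Issue one HEAD request; return (status, Location header or None).

    http.client never follows redirects on its own, and a HEAD response has
    no body, so nothing from the destination is downloaded or rendered.
    """
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target, headers={"User-Agent": "link-preview-example"})
        response = conn.getresponse()
        return response.status, response.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=head_request, max_hops=10):
    """Walk the redirect chain hop by hop and report where the link ends up."""
    chain, warnings = [url], []
    current = url
    for _ in range(max_hops):
        if urlsplit(current).scheme not in ("http", "https"):
            warnings.append("unsupported scheme: " + current)
            break
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            break  # a real page (or an error): end of the chain
        nxt = urljoin(current, location)  # Location may be relative
        if urlsplit(current).scheme == "https" and urlsplit(nxt).scheme == "http":
            warnings.append("downgrade to plain http: " + nxt)
        if nxt in chain:
            warnings.append("redirect loop: " + nxt)
            break
        chain.append(nxt)
        current = nxt
    else:
        warnings.append("gave up after %d hops; destination unconfirmed" % max_hops)

    final = urlsplit(chain[-1])
    if final.path.lower().endswith(DOWNLOAD_EXTS):
        warnings.append("file download: " + final.path)
    try:
        ipaddress.ip_address(final.hostname or "")
        warnings.append("raw IP address host: " + final.hostname)
    except ValueError:
        pass  # an ordinary host name
    return {"final": chain[-1], "hops": len(chain) - 1,
            "chain": chain, "warnings": warnings}


# Constructed redirect table so the example runs offline; every host is a
# placeholder under an "example" domain.
SAMPLE_REDIRECTS = {
    "http://short.example/abc": (301, "https://news.example.org/story?id=7"),
    "https://news.example.org/story?id=7": (200, None),
    "http://short.example/vid": (302, "http://hop.example.net/r?u=1"),
    "http://hop.example.net/r?u=1": (302, "/files/video_player.exe"),
    "http://hop.example.net/files/video_player.exe": (200, None),
    "https://short.example/dg": (301, "http://plain.example.com/"),
    "http://plain.example.com/": (200, None),
    "http://short.example/loop": (302, "http://short.example/loop2"),
    "http://short.example/loop2": (302, "http://short.example/loop"),
}


def sample_fetch(url):
    """Stand-in for head_request that answers from the constructed table."""
    return SAMPLE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    for link in ("http://short.example/abc", "http://short.example/vid",
                 "https://short.example/dg", "http://short.example/loop"):
        result = expand(link, fetch=sample_fetch)
        print(link, "->", result["final"], result["warnings"])
```

Calling `expand(url)` without the `fetch` argument uses real HEAD requests; some servers answer HEAD differently from GET, so an empty warning list is a preview, not a verdict on the destination.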

Robert Siciliano, identity theft speaker, discusses identity theft.


Social Network is Accused of Identity Theft

Robert Siciliano Identity Theft Expert

The State of New York’s Office of the Attorney General plans to sue the social-networking site Tagged.com for allegedly using deceptive e-mails in order to gain new users.

It is alleged that the social-networking service stole the identities of more than 60 million Internet users by sending e-mails telling people that members of the site had tagged them in photos, when the photos did not exist, and that Tagged raided their private accounts.

The e-mails that people received appeared to come from their friends via the website, as an offer to look at the friends’ pictures and join in. It is believed that Tagged would then illegally get access to those new users’ e-mail address books and send out more messages without those users’ knowledge. Tagged will be sued for deceptive e-mail marketing practices and invasion of privacy, the office said.

In a statement, their CEO said, “Simply put, it was too easy for people to quickly go through the registration process and unintentionally invited all their contacts.”

I received the same emails from friends, people who were “duped”. I spoke to those people and understand it to be true that it was too easy for people to quickly go through the registration process and unintentionally invite all their contacts.

I don’t believe identities were stolen at any level, and anyone using terms such as “stolen identity” or “identity theft” is grossly mistaken, but “email harvesting” and a degree of spam and questionable marketing may have occurred.

Here is exactly what happened. A person receives an email saying their friend wants to show them a picture. They have to visit the site, sign in, and register to view it. In that process they are asked for the user name and password of their web-based email account, to invite more friends to their new account. Many people have done this on Twitter, LinkedIn and Facebook. The deception is that there is no picture to be seen. That’s deceptive marketing, not identity theft.

Criminal hackers have been using the same ruse to get people to log in to a spoofed Facebook account for the past year. Once logged in, the user is requested to download a file to watch a video. This download has a virus that allows a full takeover of their account. It almost looks like Tagged took a page out of the criminal hackers’ book, using the same ruse but without the virus or the spoofed site.

The fact is, whenever you register for a social networking site you are asked to plug in your credentials and invite your address book. Doing this is not a bad thing, unless the company you are trusting is a bad corporate citizen. That said, don’t give any website the login credentials for your web-based email account if you don’t believe it to be 100% legit. Further, when you have web-based cloud accounts that contain email and also have proprietary documents or files within that account, NEVER GIVE THAT DATA TO ANY COMPANY.

All that said, regardless, you should still protect yourself from real identity theft.

Here is how:
1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.
2. Invest in Intelius Identity Theft Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Robert Siciliano Identity Theft Speaker discussing social network is accused of identity theft.

Social Security Numbers Cracked, Creates Identity Theft Risk

Robert Siciliano Identity Theft Expert

SearchSecurity.com reports that researchers at Carnegie Mellon University have developed a reliable method to predict Social Security numbers using information from social networking sites, data brokers, voter registration lists, online white pages and the publicly available Social Security Administration’s Death Master File.

Originally, the first three numbers on a Social Security card represented the state in which a person had initially applied for their card. Numbers started in the northeast and moved westward. This meant that people on the east coast had the lowest numbers and those on the west coast had the highest. Before 1986, people were rarely assigned a Social Security number until age 14 or so, since the numbers were used for income tracking purposes.

The Carnegie Mellon researchers were able to guess the first five digits of a Social Security number on their first attempt for 44% of people born after 1988. For those in less populated states, the researchers had a 90% success rate. In fewer than 1,000 attempts, the researchers could identify a complete Social Security number, “making SSNs akin to 3-digit financial PINs.” “Unless mitigating strategies are implemented, the predictability of SSNs exposes them to risks of identity theft on mass scales,” the researchers wrote.

While the researchers’ work is certainly an accomplishment, the potential to predict Social Security numbers is the least of our problems. Social Security numbers can be found in unprotected file cabinets and databases in thousands of government offices, corporations and educational institutions. Networks are like candy bars – Social Security numbers can be hacked from outside the hard chocolate shell or from the soft and chewy inside.

The problem stems from the fact that our existing system of identification is seriously outdated and needs to be significantly updated. We rely on nine digits as a single identifier, the key to the kingdom, despite the fact that our Social Security numbers have no physical relationship to who we actually are. We will only begin to solve this problem when we incorporate multiple levels of authentication into our identification process.

The process of true and thorough authentication begins with “identity proofing.” Identity proofing is a solution that begins to identify, authenticate and authorize. Consumers, merchants and government don’t just need authentication. We need a solution that ties all three of these components together.

Jeff Maynard, President and CEO of Biometric Signature ID, provides a simple answer to a complicated issue in four parts:

Identify – A user must be identified when compared to others in a database. We refer to this as a reference identity. A unique PIN, password or username is created and associated with your credential or profile.

Authenticate – Authentication is different than verification of identity. Authentication is the ability to verify the identity of an individual based specifically on their unique characteristics. This is known as a positive ID and is only possible when using a biometric. A biometric can be either static or dynamic (behavioral). A static biometric is anatomical or physiological, such as a face, a fingerprint or DNA. A dynamic biometric is behavioral, such as a signature gesture, voice, or possibly gait. This explains why, when authentication solutions incorporate multiple factors, at least two of the following identifiers are required: something you have, such as a token or card, something you are, meaning a biometric identifier, and something you know, meaning a pin or password.

Verify – Verification is used when the identity of a person cannot be definitely established. These technologies provide real time assessment of the validity of an asserted identity. When we can’t know who the individual is, we get as close as we can in order to verify their asserted identity. PINs, passwords, tokens, cards, IP addresses, behavioral based trend data and credit cards are often used for verification. These usually fall into the realm of something you have or something you know.

Authorize – Once the user has passed the identification test and authenticated their identity, they can make a purchase or have some other action approved. Merchants would love to have a customer’s authenticated signature to indicate his or her approval of a credit card charge. This is authorization.

Effective identification results in accountability. It is being achieved in small segments of government and in the corporate world, but not systematically. Unfortunately, we are years away from full authentication.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius Identity Theft Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.


Robert Siciliano Identity Theft Speaker discussing identity theft

Identity Theft Expert; Fake IDs are as easy as 1,2,3

Robert Siciliano Identity Theft Expert

Do an online search for “fake ids” and you’ll be amazed to discover how easy it can be to obtain an ID allowing you to pose as someone else. Or how easy it can be for someone else to obtain an ID that will allow him or her to pose as you. Some websites peddle poor quality cards, others offer excellent quality, and many websites are simply scams.

The fact is, our existing identification systems are insufficiently secure, and our identifying documents are easily copied. Anyone with a computer, scanner and printer can recreate an ID. Outdated systems exacerbate the problem by making it too easy to obtain a real ID at the DMV, with either legitimate or falsified information.

Another glitch is the potential for individuals to completely alter their appearances. Men with facial hair can wreak havoc on the current system. This is sometimes done as a prank. In other cases, the individual is attempting to subvert the system to maintain a degree of anonymity. New technologies, such as facial recognition, should eventually resolve some of these problems, but they are still years away from being fully implemented.

In Indianapolis, Indiana, a man was able to obtain six different IDs. He accomplished this by visiting various different registries throughout the state and using borrowed names and stolen information. He obtained job applicant data from a failed body shop business he had owned. He used the false identities to open checking accounts at multiple banks and write fraudulent checks to himself. He was caught while applying for his seventh ID, thanks to facial recognition software. But it is disturbing to know that he was able to acquire six different identities, all stolen from real people, without detection. It was a bank employee who eventually noticed that he had two different bank accounts under two different names. If the man hadn’t been so greedy, he would have gotten away with it.

In Indianapolis and at other registries, the daily photos are compared to millions of others already on file. The system constantly scans the data and presents cases that might match, requiring further investigation by registry employees.

Requirements meant to improve facial recognition include not smiling for your picture, or smiling only as long as you keep your lips together. Other requirements meant to aid the facial recognition software include keeping your head upright (not tilted), not wearing eyeglasses in the photo, not wearing head coverings, and keeping your hair from obscuring your forehead, eyebrows, eyes, or ears.

The fact is, identity theft is a big problem due to a systematic lack of effective identification and is going to continue to be a problem until further notice. In the meantime it is up to you to protect yourself. The best defense from new account fraud is identity theft protection.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name.

2. Invest in Intelius Identity Protect. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Robert Siciliano Identity Theft Speaker discussing identity theft

Identity Theft Scammers Targeting Online Classifieds

Robert Siciliano identity theft expert

Throughout the past week or so, scammers from Nigeria, Belgium and the UK have been coming after me in full force, via Craigslist. Unfortunately, the popular online classifieds website has become a launchpad for criminal activity. Everything from online affinity or advance fee scams to baby killers and the Craigslist killer have hampered the website’s reputation.

I use Craigslist to find renters for an apartment that I own. Last year, scammers copied my advertisement verbatim, except for the contact information, which they replaced with their own, and the price, which they reduced by half. The scammer, who claimed to be the property owner, informed potential renters that he was in Austria, and instructed them to drive by the apartment, and to send him a deposit check if they liked the look of the place. Fortunately, I happened to be present when a couple came by, per the scammer’s instructions. We discovered the ruse and contacted Craigslist. The fake ads continued popping up, but after numerous emails to Craigslist, they were all removed.

Last week I posted a new ad, and within minutes, I received the following email:

Subject: RENTAL INQUIRY!!hope to hear from you soon

Hello Robert,

Let me know if the room/apt you advertise on craigslist.com is still available and let me know if you can accept certified cashier check as mode of payment..And the last price for the space.

I’m presently in Belgium.I will be coming immediately the place is vacant for me to move in.But the issue is that because of the distance i wont be able to come to see the place.Meanwhile let me tell you a ill about myself..I don’t smoke and I don’t have boyfriend.Am Sarah Smith and my nick name is SERA and am 26years old i lost my dad some years back when i was young so my mom had to remarry so she married to Mr Scott Michael who is my step dad now..He has been the one who has been taking care of me all this while i believe he is a God sent to me cux i have never regretted moment with him..Things i like are as follows reading,swimming and chatting with people around me and also make them happy..I have always been thinking of how i will affect peoples life positively by making donations to the less privileges cus when i looked at my pass when i lost my dad from the story my mom told me..I noticed it is not easy for people that as no parent.Well i hope when we meet in person you will know more about me..Meanwhile my step dad will need the followings to make payment to you ASAP..

1.Your name and surname.
2.Address in full with the zip code..
3.I will need your phone number

I wait to have this information from you so that my step dad can make payment for the rental fee and security deposit in advance … I Await to hear from you….

Hope to hear from you pretty soon.

Thanks, SARAH

It’s easy to dissect this scam. The person who sent this email has two goals. First, the scammer wants to build a relationship with his or her mark. He or she provides a (horribly written) story in an attempt to establish trust. The victim is then more likely to fall for the scam, following the scammer’s instructions and conducting the necessary financial transactions. Many victims are foolish enough to provide account numbers or other personal identifying information. Second, the scammer is setting up an affinity, or advance fee scam. In such a con, the scammer mails you a check. You deposit this check in your bank account, and it temporarily clears. In that limited window of time, the scammer will request that you return some or all of the money. He may claim to have changed his mind about renting or buying from you, or that he accidentally made the original check out for more than the agreed upon sum. So you wire the money back. Within a day or two, the bank calls to let you know that the original check was counterfeit. So you’ve lost the money you wired to the scammer.

How can you protect yourself from scams like this, or other scams that take advantage of online classified ads? Use common sense, be smart, and pay attention. If you do that, you won’t fall for these types of cons.

When we were young, our parents told us not to talk to strangers. Strangers are not yet part of our trusted circle. So don’t trust them! There’s no benefit to paranoia, but being a little guarded can prevent you from stumbling into a vulnerable situation. Since predators use online classifieds to lure unsuspecting victims, you should find out as much as possible about strangers who contact you. Use Google or iSearch.com to investigate names and email addresses.

Whenever possible, deal locally. People who cannot meet you in your town are more likely to be scammers. And even when you do meet in person, you should be wary.

Never engage in online transactions involving credit cards, cashier’s checks, money orders, personal checks, Western Union, MoneyGram or cash, that require you to send money to a stranger in response to money they have sent you. This is an advance fee scam.

Be smart. Don’t disclose your financial information, including account or Social Security numbers, for any reason. Scammers will say anything in order to get this information.

Prevent check fraud. When sending checks in the mail, you want to prevent “check washing,” which occurs when the recipient alters the name of the payee and increases the dollar amount, draining your checking account. Something as simple and inexpensive as a select uni-ball pen can help. These pens contain specially formulated gel ink (trademarked Uni-Super Ink™) that is absorbed into the paper’s fibers and can never be washed out.

Secure your PC. Make sure your PC is protected with McAfee anti-virus software and all your critical security patches in your operating system are up to date.

Protect your identity. You can’t prevent all forms of identity theft. However, you can significantly reduce your risk by making a small investment in your personal security by investing in Intelius Identity Protect or considering the options described in this blog post.

Robert Siciliano identity theft speaker discussing advanced fee scams

Check Fraud Identity Theft is Rising

Robert Siciliano Identity Theft Expert

As opening new lines of credit becomes more difficult, identity thieves are gravitating toward check fraud.

Check fraud is a billion dollar problem. As predicted by the Identity Theft Resource Center, check fraud, which accounted for 12% of financial crimes in 2007, increased to 17% in 2008. According to the American Bankers Association Deposit Account Fraud Survey Report, $969 million was stolen via check fraud in 2006, up from a reported $677 million in 2003. Of the $969 million lost to check fraud, 38% was stolen through return deposit scams, 27% was stolen using cloned checks, 28% was stolen using counterfeit checks, and 7% was stolen by altering or washing checks.

According to an article in The New York Post, a brazen ring of thieves enlisted crooked bank tellers to run a check fraud scheme that was brought down when the crooks made the mistake of forging checks from a NYPD account. Two criminal hacker ringleaders organized the counterfeit scam, using 950 “soldiers,” or “mules,” to deposit and cash counterfeit checks, netting them millions of dollars. Three bank tellers were involved, stealing and selling customer profiles which included names, Social Security numbers, and account numbers. Insider identity theft of this kind accounts for up to 70% of all instances of identity theft.

Check fraud victims include banks, businesses and consumers themselves. Our current system for cashing checks is somewhat flawed. Checks can be cashed and merchandise can be purchased even when there is no money in the checking account.

I presented a program on motivation and self-improvement at a women’s prison in Massachusetts a few years back. I requested a little background on the women I was speaking to, just because I watch too many movies and I wanted to know if there was any possibility I’d get shanked. The case worker informed me that about 80% of the women were incarcerated for check fraud and shoplifting. It seems that when some people get a checkbook, they consider it an opportunity to print money.

There are numerous forms of check fraud:

Forged signatures are the easiest form of check fraud. These are legitimate checks with a forged signature. This can occur when a checkbook is lost or stolen, or when a home or business is burglarized. An individual who is invited into your home or business can rip a single check from your checkbook and pay themselves as much as they like. Banks don’t often verify signatures until a problem arises that requires them to assign liability.

Forged endorsements generally occur when someone steals a check and cashes or deposits it. There’s really nothing anyone can do to protect themselves from this, aside from guarding their checks and going over their bank statements carefully.

Counterfeit checks can be created by anyone with a desktop scanner and printer. They simply create a check and make it out to themselves. In order to prevent your checks from being counterfeited, make sure you shred all canceled checks before throwing them away, and be sure to lock up any checks in your home or office. Consider a locked mailbox so nobody can access your bank statements. You should also seriously consider using online banking exclusively, and discontinuing paper statements.

Check kiting or check floating usually involves two bank accounts, where money is transferred back and forth, so that they appear to contain a balance which can then be withdrawn. A check is deposited in one account, then cash is withdrawn despite the lack of sufficient funds to cover the check. In this case, it’s generally the bank or whoever cashed the check that gets burnt, unless they are able to go after the person who used their own account.

Check washing involves altering a legitimate check, changing the name of the payee and often increasing the amount. This is the sneakiest form of check fraud. When checks or tax-related documents are stolen, either from the mail or by other means, the ink can be erased using common household chemicals such as nail polish remover. This allows the thieves to endorse checks to themselves. In this case, something as simple and inexpensive as a select uni-ball pen can help. Select uni-ball pens contain specially formulated gel ink (trademarked Uni-Super Ink™) that is absorbed into the paper’s fibers and can never be washed out. The pen costs two bucks and is available at any office supply store.

If you write a check to pay a bill and then put it in your mailbox for the postal carrier to deliver, you put yourself at a higher risk for check fraud. Thieves see that red flag up and go phishing for checks. I suggest using a uni-ball pen and taking checks directly to the post office, or dropping them in a big blue mailbox.

If you plan to do any online banking, which millions do, make sure your PC is protected with McAfee anti-virus software and all your critical security patches in your operating system are up to date.

Robert Siciliano identity theft speaker discussing identity fraud and security

Requests For Social Security Numbers Leads to Identity Theft

Robert Siciliano Identity Theft Expert

A patient at a Washington state medical clinic was asked for his Social Security number numerous times. Many of us have endured this familiar process. Considering the recent buzz about identity theft, this patient became concerned about releasing his own sensitive personal data, and requested that the facility remove his Social Security number from their records. The clinic refused, the patient put up a stink, and was ultimately ejected from the facility. The clinic considered his request unreasonable, and a violation of their rules and regulations. So, who’s right and who’s wrong in this scenario?

One Saturday afternoon, years ago, my spouse and I went to a major chain that rents videos. Without naming them, let’s just say they rent some block buster movies. The account was under my wife’s name, but she didn’t have her card with her that day. Upon checkout, the pimply faced 17-year-old clerk said, “No problem,” and asked for her Social Security number, which appeared on the screen in front of him. I freaked out and was ejected from the store. So, who’s right and who’s wrong?

In both cases, the customer is wrong. That may not be the answer you were expecting. I was wrong and the patient was wrong.

In general, routine information is collected for all hospital patients, including the patient’s name, address, date of birth, Social Security number, gender and other specific information that helps them verify the individual’s identity, as well as insurance enrollment and coverage data. And due to federally mandated laws like HIPAA, they are careful to maintain confidentiality of all patient information in their systems.

Corporations such as banks, credit card companies, automobile dealers, retailers and even video rental stores who grant credit in any form are going to ask for your name, address, date of birth, Social Security number and other specific information that helps them verify your identity and do a quick credit check to determine their risk level in granting you credit.

The Social Security Administration says, “Show your card to your employer when you start a job so your records are correct. Provide your Social Security number to your financial institution(s) for tax reporting purposes. Keep your card and any other document that shows your Social Security number on it in a safe place. DO NOT routinely carry your card or other documents that display your number.” But beyond that they have no advice and frankly, no authority.

Over the past fifty years, the Social Security number has become our de facto national ID. While originally developed and required for Social Security benefits, “functionality creep” occurred. Functionality creep occurs when an item, process, or procedure designed for a specific purpose ends up serving another purpose, which it was never intended to perform.

Here we are decades later, and the Social Security number is the key to the kingdom. Anyone who accesses your number can impersonate you in a hospital or bank. So what do you do when asked for your Social Security number? Many people are refusing to give it out and quickly discovering that this creates a number of hurdles they have to overcome in order to obtain services. Most are often denied that service, and from what I gather, there is nothing illegal about any entity refusing service. Most organizations stipulate access to this data in their “Terms of Service” that you must sign in order to do business with them. They acquire this data in order to protect themselves. By making a concerted effort to verify the identities of their customers, they establish a degree of accountability. Otherwise, anyone could pose as anyone else without consequence.

So where does this leave us? I have previously discussed “Identity Proofing,” and how flawed our identification systems are, and how we might be able to tighten up the system. But we have a long way to go before we are all securely and effectively identified. So, in the meantime, we have to play with the cards we are dealt in order to participate in society and partake in the various services it offers. So, for the time being, you’re going to have to continue giving up your Social Security number.

I give up mine often. I don’t like it, but I do things to protect myself, or at least reduce my vulnerability:

How to protect yourself:

  • You can refuse to give your Social Security number out. This may lead to a denial of service or a request that you, the customer, jump through a series of inconvenient hoops in order to be granted services. When faced with either option, most people throw their arms in the air and give out their Social Security number.
  • You can invest in identity theft protection.
  • You can attempt to protect your own identity, by getting yourself a credit freeze, or setting up your own fraud alerts. You can use Google news alerts to sweep the net and take precautions to prevent social media identity theft.
  • Protect your PC. Regardless of what others do with your Social Security number, you still have to protect the data you have immediate control over. Make sure to invest in Internet security software.

Robert Siciliano, identity theft speaker, discusses the ubiquitous use of Social Security numbers.

What have you done in the past when asked for your SSN? Did you refuse? What happened?

mCrime; Hacking Mobile Phones for Identity Theft

Robert Siciliano Identity Theft Expert

History indicates that we are at the forefront of an era in which criminal hackers develop tools and techniques to steal your money using your own cell phone.

Fifteen years ago, cell phones were so bulky and cumbersome, they had to be carried in bags or briefcases. Then they became chunky, heavy bricks. Calls dropped every other minute. Clearly, cell phones have evolved since then. Today’s cell phone is a lot more than a phone. It’s a computer, one that rivals many desktops and laptops being manufactured today. A cell phone can pretty much do everything a PC can do, including online shopping, banking, and merchant credit card processing.

The personal computer started out slow and stodgy, and was mainly used for things like word processing and solitaire. Today, PCs are fast, multimedia machines, capable of performing amazing tasks.

There are consequences to the rapid evolution of these technologies.

A decade ago, during the slow, dial up era, hackers (and, in the beginning, phreakers) hacked for fun and fame. Many wreaked havoc, causing problems that crippled major networks. And they did it without today’s sophisticated technology.

Meanwhile, the dot-com boom and bust occurred. Then, as e-commerce picked up speed, high speed and broadband connections made it easier to shop and bank online, quickly and efficiently. Around 2003, social networking was born, in the form of online dating services and Friendster. PCs became integral to our fiscal and social lives. We funneled all our personal and financial information onto our computers, and spent more and more of our time on the Internet. And the speed of technology began to drastically outpace the speed of security. Seeing an opportunity, hackers began hacking for profit, rather than fun and fame.

Now, iPhones and other smart phones have become revolutionary computers themselves. For the next generation, the phone is replacing the PC. AT&T recently announced that they’ll be upping the speed of the latest version of their 3G network, doubling download speeds. It has been reported that the next iPhone will have 32 gigabytes. That’s more hard drive than my three year old laptop.

So naturally, criminal hackers are considering the possibilities offered by cell phones today, just as they were looking at computers five years ago.

Two things have changed the game: the speed and advancement of technology and spyware. Spyware was created as a legitimate technology for PCs. Spyware tracks and records social network activities, online searches, chats, instant messages, emails sent and received, websites visited, keystrokes typed and programs launched. It can be the equivalent of digital surveillance, revealing every stroke of the user’s mouse and keyboard. Parents can use spyware to monitor their young children’s surfing habits and employers can make sure their employees are working, as opposed to surfing for porn all day.

Criminal hackers created a cocktail of viruses and spyware, which allows for the infection and duplication of a virus that gives the criminal total, remote access to the user’s data. This same technology is being introduced to cell phones as “snoopware.” Legitimate uses for snoopware on phones do exist: silently recording caller information, seeing GPS positions, monitoring kids’ and employees’ mobile web and text messaging activities. Criminal hackers have taken the snoopware and spyware technology even further. Major technology companies agree that almost any cell phone can be hacked into and remotely controlled. Malicious software can be sent to the intended victim disguised as a picture or audio clip, and when the victim clicks on it, malware is installed.

One virus, called “Red Browser,” was created specifically to infect mobile phones using Java. It can be installed directly on a phone, should physical access be obtained, or this malicious software can be disguised as a harmless download. Bluetooth infrared is also a point of vulnerability. Once installed, the Red Browser virus allows the hacker to remotely control the phone and its features, such as the camera and microphone.

While this may sound improbable, I’ve consulted and appeared on television (Tyra Banks and Fox) with an entire family that seems to have been victimized by every aspect of snoopware. The Kuykendalls, of Tacoma, Washington, found that several of their phones had been hijacked in order to spy on them. They say the hacker was able to turn a compromised phone on and off, use the phone’s camera to take pictures, and use the speakerphone as a bug. Ever since the program featuring the Kuykendalls’ story aired and continues to repeat, I’ve received dozens of emails from people around the world who have experienced the same thing. Many of these people seem totally overwhelmed by what has happened to them, and some are beginning to suffer financial losses.

If history is any indication of the future, mobile phones, just like computers, will soon be regularly hacked for financial gain. Prepare for mCrime in the form of credit card fraud, identity theft and data breaches.

Some Internet security software providers are beginning to offer software specifically for mobile phones. In the meantime, identity theft protection services are one line of defense against the latest cybercrime techniques.

Robert Siciliano, identity theft speaker, discusses hacked cell phones.