Old Credit Card Technology Facilitates Skimming Fraud

Credit and debit cards in the U.S. use old magnetic stripe technology. The magnetic stripe is the black or brown band on the back of your credit or debit card. Tiny, iron-based magnetic particles in this band store data such as your account number. When the card is swiped through a “reader,” the data stored on the magnetic stripe is accessed. Card readers and magnetic stripe technology are inexpensive and readily available, making the technology highly vulnerable to fraud.

One extremely prevalent example of such fraud is ATM skimming. Skimming occurs when a criminal copies the data stored on your card’s magnetic stripe and burns the stolen data onto a blank card, creating a clone can that be used like any normal credit or debit card.

According to the Smart Card Alliance, twenty-two countries, including China, India, Japan, Mexico, Canada, and many in Western Europe and Latin America, are migrating to encrypted microprocessor chip and PIN technology for credit and debit payments. These new “smart cards” contain an embedded microchip and are authenticated using a personal identification number, or PIN. When a customer uses a smart card to make a purchase, the card is placed into a “PIN pad” terminal or a modified swipe-card reader, which accesses the card’s microchip and verifies the card’s authenticity. The customer then enters a four digit PIN, which is checked against the PIN stored on the card.

The U.S. has yet to adopt the new smart card technology, possibly due to the higher cost. According to consulting firm Javelin Strategy & Research, converting to chip and PIN technology would cost the U.S. payment card industry about $8.6 billion, which doesn’t sound so expensive to me, considering that identity theft is a reported $50 billion problem.

U.S. travelers are encountering difficulties when attempting to use old magnetic stripe credit and debit cards abroad, since their cards do not contain the new microchips. This is especially problematic at automated kiosks, which are common in Europe. Vending machines at regional rail stations, bicycle rental racks in Paris, parking meters in parts of London, toll roads, and gas stations only accept chip and PIN cards. Visa claims that most payment terminals in countries that have adopted chip payment technology can still process old magnetic stripe U.S. cards, and, “in the rare instance that a card holder encounters a problem” at a self-service machine, Visa advises American travelers to present their cards to attendants.

My dad has U.S.-based magnetic striped cards, and he travels all over Europe and has yet to encounter a problem paying at a restaurant or in any scenario in which the card is processed by a person. However, CreditCards.com reports that the European Payments Council, the governing body responsible for achieving a single payments market throughout Europe, is considering a ban on old technology magnetic stripe cards. This would cause major commerce problems in Europe and raises the question of whether U.S. credit card merchants will make the switch.

In the meantime, if you travel to Europe, make sure to carry cash. And if you are likely to use a kiosk that can only process cards with chip and PIN technology, do your homework ahead of time to determine whether an alternative payment methods is available.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

5 Tips to Credit Card Identity Theft Prevention

Robert Siciliano Identity Theft Expert

In a recent article in Computer World, Tom Patterson CSO of Magtek, with his Glamor Shot photo, provides “5 counter-fraud tips you’ve never been told”. Anything a consumer can do to reduce their risk for account takeover, they should exercise. While in most cases the consumer isn’t responsible for the losses, as long as you refute the fraud in a specified time frame, and it’s your duty as a citizen to do so. Studies show much of the terrorists funding is coming from card fraud. Card fraud is a breach of national security.

Tip#1 Stare down your waiter, waitress, gas station attendant or anyone who you hand your card. Or at least stare at the card in process. You want to see where that card is going and how it’s being used. The idea here is to make sure the card isn’t being “skimmed” with a skimmer. This is good advice when it’s possible. Most waiters, gas station attendants walk away with the card. This really only works at a POS where the clerk never leaves the terminal. What you should see is the clerk swiping the card through a PC/register based fixed keyboard or terminal. If you see them swipe the card in a handheld skimmer or something on their body, like attached to a  belt or ankle that’s a redflag.

Tip#2 Shield your pin. This is absolutely necessary at any POS or ATM. The public nature of these devices makes it very easy for someone to shoulder surf and grab your pin. A cell phone video cam over your shoulder, a video camera from 50 feet away, binoculars or even a hidden camera attached the to face of the ATM can all compromise your pin. See here as explained in this video I did on ExtraTV demonstrating how I bought an ATM off Craigslist and rolled it all over Boston.

Tip#3 Change your card number. With millions of card numbers hacked over the last few years, chances are yours was compromised. I for one have had 3 changes of credit cards due to card issuers being proactive and sending me a new card whether I liked it or not. Tom suggests voluntarily changing your credit card number every few months. While this is an extra layer of protection, it’s not at all practical and I doubt even Tom does it. I have numerous EFT’s set up with my cards and changing the number means changing them as well. It’s enough of a burden to change it all when the banks issue a new card. But a nice idea if you have the time.

Tip#4 Check your credit card statements every day. This is an extra layer of protection that requires savant like attention. You check your email every day so checking your credit card statements every day is do-able right? Every week is sufficient. Even every 2 weeks is OK. Just make sure to check with your bank to determine what their cutoff date is to refute unauthorized withdrawals. For most credit cards it’s 60 days. For most banks it can be under 30 days. This is the most important tip of all.

Tip#5 Authenticate the card. Or the card holder. Today this is out of the hands of the consumer. There are a number of new technologies that if banks/retailers/industry adopt to identify the actual card/user at the POS or even online then most, if not all of the card fraud problems will be solved. There is a race going on right now to see who gets there first. In the next 1-5 years we may see new cards being issued such as “chip and pin” which are standard in Europe. Or no new cards at all but changes in the system that the card holder is unaware of, or a 2 card system that requires a second swipe of another authenticating card the hacker doesn’t have access to. There are also readily available technologies that will allow the turning on/off of your card with your own preset spend limits too. We will see how this all plays out.

 

Robert Siciliano identity theft speaker discussing credit card fraud on CNBC

10 Tips to Secure Online Holiday Shopping

Robert Siciliano Identity Theft Expert

UK officials shut down an amazing 1200 online retailers who scammed millions from unsuspecting shoppers. Most of the sites originated from identity thieves in Asia who tricked victims into believing they were legitimate sites.  Victims then lost money by entered their credit card data, sending checks or giving up banking details.

The sites sold high end designer items from Tiffany & Co, Ugg and jewelry. In some cases the victims actually received the items, but were counterfeit. Like Mom said, if it’s too good to be true it probably is. Of course nobody running the fake sites has been caught.

Criminals set up fake websites and then go through the same process legitimate eTailers do in regards to search engine optimization, search engine marketing and online advertising via adwords. They use key words to boost their rankings on Internet searches to show up along side legitimate sites. These same processes are also being used to infect unsuspecting users with malware.

Many victims who end up on scam sites generally get there via phish emails with offers for high end products for little money.

  1. It’s easy enough to avoid spoofed websites where phishing is the gateway. Common sense says any time you receive an offer via an email automatically be suspect. The same goes with offers via tweets and messages received in any social media. Scammers are committing social media identity theft every day.
  2. If you aren’t familiar with the eTailer don’t even bother clicking the links, especially if it’s a too good to be true offer.
  3. If it’s a known site sending the email and you decide to click links, make sure the address you end up at is in fact the actual domain of the eTailer. Beware of cybersquatting and typosquatting which may look like the domain of the legitimate eTailer.
  4. When placing an order always look for HttpS is the address bar signifying it’s a secure page. Scammer generally won’t take the time to set up secure sites. Note the closed padlock in your browser to back up the HttpS.
  5. Beware of emails coming for eBay scammers. I’m getting 10 a day. The fact is it’s difficult to tell a real from a fake. If you are seeking deals on eBay go right to the site and don’t bother responding to emails. If there is a deal you see in an email search it on eBay.
  6. Whenever you decide to make an eBay purchase look at the eBayers history. eBay is set up on the honor system and if the eBayer is an established seller with great feedback then they should be legitimate.
  7. Don’t worry about credit card fraud. But do pay close attention to your statements. Check them every two weeks online and refute unauthorized charges within 2 billing cycles, otherwise you will pay for an identity thieves gifts.
  8. Don’t use a debit-card online. If your debit card is compromised thats money out of your bank account. Credit cards have more protection and less liability.
  9. Avoid paying by check online/Mailorder. In person is OK. But to an unfamiliar virtual site is not. Once the money is taken from your account and you don’t receive the goods, you are going to have a difficult if not impossible task of getting it back. Use a uniball gel pen that prevents check-washing.
  10. Do business with those you know like and trust. I for one am guilty of buying from eTailers who have the best deals. But I only buy low ticket items from them, generally under $50.00. It’s best to buy high ticket items from eTailers that also have a brick and mortar locations.

Robert Siciliano identity theft speaker discussing holiday scams on Foxes Mike and Juliet Show

Obama; Cybersecurity and Identity Theft Protection Starts at Home

Robert Siciliano Identity Theft Expert

Whether you realize it or not, your computer is one of the biggest threats to your personal security. The Obama administration believes that your computer is also one of the biggest threats to national security.

The message is: Think before you click. Know who’s on the other side of that instant message. What you say or do in cyberspace stays in cyberspace — for many to see, steal and use against you or your government.

The Internet is incredibly powerful and not particularly secure. It is powerful enough to bring people together, to educating, inform, and make life easier. But it’s also used to hurt, scam, and debilitate in so many ways.

The Pentagon’s computer systems are probed 360 million times per day, and one prominent power company has acknowledged that its networks see up to 70,000 scans per day. Every single day, utilities, banks, retailers and just about every computer network are faced with attacks. Many of these hacks are insignificant. Many are conducted with intent to commit crimes such as espionage, financial data theft, or the destruction of crucial information. The criminal hackers could be cyber-terrorists attempting to destroy the U.S. or its economy, malcontents simply wreaking havoc for its own sake, or opportunists looking for a profit.

The U.S. is a prime target for a number of reasons. The most obvious is that we’ve made mistakes that have many in the world hating us. Then there’s our financial system, which offers instant credit to anyone with a Social Security number. And of course, credit card security is an oxymoron, since anyone can use any credit card at any time. We have a bullseye on us and we put it there.

“Weapons of Mass Disruption” are a growing concern. The U.S. and many other countries are electrically and digitally dependent. Our critical infrastructures, including drinking water, sewer systems, phone lines, banks, air traffic, and government systems, all depend on the electric grid. After a major successful attack we’d be back to the dark ages instantly. No electricity, no computers, no gasoline, no refrigeration, no clean water. Think about when the power goes out in your house for a few hours. We’re stymied.

The Pentagon and the Department of Homeland Security are hiring thousands of computer experts to protect our networks. But the weakest link in the chain is not the government, but the citizens. Government has lots of work to do, but moms and pops are the most vulnerable. Enterprise networks have become hardened, while small business and the lowly consumer know enough about information security to get hacked. Awareness is key. You are either part of the problem or the solution.

Read this and every possible blog, article and report you have access to so you can stay on top of what is new and ahead of what is next in technology and the security necessary to keep it safe. Build your IT security vocabulary. Protect yourself and your business.

Those steps include:

Use antivirus software, spyware removal, parental controls and firewalls.

Back up your data locally and in the cloud.

Understand the risks associated with the wireless web especially when using unsecured public networks.

Protect your identity too. The most valuable resource you have is your good name. Allowing anyone to pose as you and let them damage your reputation is almost facilitating a crime. Nobody will protect you, except you.

  • Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name.
  • And invest in Intelius identity theft protection. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.
  • Visit US-Cert here

Robert Siciliano identity theft speaker discussing the mess of data security on Fox News

Carders, Dumps, and Identity Theft

Robert Siciliano Identity Theft Expert

WE DO NOT SELL DUMPS. DO NOT EMAIL OR CALL US.

WE DO NOT SELL DUMPS

Albert Gonzalez and his gang of criminal hackers were responsible for data breaches in retailers and payment processors, with some estimates saying they breached over 230 million records combined. Gonzalez, considered a proficient criminal hacker, provided “dumps,” a term which refers to stolen credit card data, to “carders”. “Carders” are the people who buy, sell, and trade stolen credit card data online. This video provides an example of an online forum where stolen data is bought and sold. Gonzalez pleaded guilty to his crimes and will be serving the next fifteen years in jail. He and his gang used a combination of schemes that have caused a significant increase in counterfeit fraud.

Hackers rely on a variety of techniques to obtain credit card data. One such technique is wardriving, in which criminals hack into wireless networks and install spyware. Another is phishing, in which spoofed emails prompt the victim to enter account information. Phexting or smishing are similar to phishing, but with text messages instead of emails. Some hackers use keylogging software to spy on victims’ PCs. Others affix devices to the faces of ATMs and gas pumps in order to skim credit and debit card data.

Gonzalez and his gang used another, more advanced technique known as an “SQL injection.” SQL stands for “Structured Query Language.”  The term refers to a virus that infects an application by exploiting a security vulnerability. WordPress, a blogging platform, is an example of a commonly used application that has been found vulnerable to these types of attacks. There are hundreds of other applications that can fall victim to an SQL injection.

IBM Internet Security Systems discovered 50% more web pages infected in the last quarter of 2008 than in the entire year of 2007. In 2005, a now defunct third party payment processor called CardSystems suffered an SQL injection, compromising a reported 40 million credit cards.

While Gonzalez has gone down, carders are still very active. A group of white hat hackers that calls itself War Against Cyber Crime recently succeeded in breaking into Pakbugs.com, a Pakistan-based carder forum, and published a list of members’ login details and email addresses. Pakbugs.com has since dropped offline.

With 213 million cardholders and 1.2 billion credit cards in the U.S., there’s no shortage of opportunity for carders to maintain their current pace. When a carder uses one of your existing credit cards, it’s called “account takeover.” When they use your personal information to open up new credit accounts in your name, it’s called “new account fraud” or “application fraud.”

1. Protecting yourself from account takeover is relatively easy. Simply pay attention to your statements every month and refute unauthorized charges immediately. I check my charges online once every two weeks. If I’m traveling extensively, especially out of the country, I let the credit card company know ahead of time, so they won’t shut down my card while I’m on the road.

2. Protecting yourself from new account fraud requires more effort. You can attempt to protect your own identity, by getting yourself a credit freeze, or setting up your own fraud alerts. There are pros and cons to each.

3. Invest in Intelius Identity Protection and Prevention. Because when all else fails you’ll have someone watching your back.

Includes:

·         Triple Bureau Credit monitoring – monitors changes in your credit profiles from Equifax, Experian and TransUnion-includes email alerts of any suspicious changes

·         Social Security Number and Public Record Monitoring – monitors the internet and public sources for fraudulent social security number, aliases, addresses, and phone numbers

·         Junk Mail Reduction – stop identity thieves from using personal information from your mailbox, trash or even phone calls by eliminating junk mail, credit card offers and telemarketing calls

·         Neighborhood Watch – includes a sex offender report, list of neighbors and a neighbor report on each of your neighbors

·          Identity Theft Specialists  – if in the unlikely event you become a victim of identity theft our Identity Theft experts will work with you to restore your identity and good name

·         Credit Report Dispute – if you find errors on your credit report we will help you resolve them quickly

·         Protection Insurance and Specialists -Identity Protect has you covered with up to $25,000 in Identity Theft Recovery Insurance and access to Personal Identity Theft Resolution Specialists.

Robert Siciliano Identity Theft Speaker discussing credit card and debit card fraud on CNBC

Credit/Debit Card Identity Theft Concerns Trump Terrorism

Robert Siciliano Identity Theft Expert

recent Unisys study found that, in the midst of the global financial crisis, American’s primary fear is credit and debit card fraud. 68% of those surveyed are extremely or very concerned about the security of their credit or debit card data, and 66% are extremely or very concerned about identity theft.

Compare that to 58% who are extremely or very concerned about terrorism and war, and 41% who fear the possibility of a serious health epidemic. If we actually had a pandemic, I’m sure the public would favor health concerns over money. But so be it.

Credit card fraud comes in two different flavors: account takeover and new account fraud. Account takeover occurs when an identity thief gains access to your credit or debit card number through criminal hacking, dumpster diving, ATM skimming, or perhaps when you hand it over to pay at a store or restaurant. Technically, account takeover is the most prevalent form of identity theft, though I’ve always viewed it as simple credit card fraud.

Federal laws limit cardholder liability to $50 in the case of credit card fraud, as long as the cardholder disputes the charge within 60 days. Debit card fraud victims must notify the bank within two days in order to be protected by this $50 limit. After that, the maximum liability jumps to $500. And if a victim doesn’t discover or report the fraud until after 60 days have passed, the liability could be the entire card balance, for a debit or credit card. Once your debit card is compromised, you might not find out until a check bounces or the card is declined. And once you do recover the funds, the thief can just start all over again, unless you cancel the account altogether.

1. Protecting yourself from account takeover is relatively easy. Simply pay attention to your statements every month and refute unauthorized charges immediately. I check my charges online once every two weeks. If I’m traveling extensively, especially out of the country, I let the credit card company know ahead of time, so they won’t shut down my card while I’m on the road.

2. Protecting yourself from new account fraud requires more effort. You can attempt to protect your own identity, by getting yourself a credit freeze, or setting up your own fraud alerts. There are pros and cons to each.

3. Invest in Intelius Identity Protect. Because when all else fails you’ll have someone watching your back.

Includes:

·         Triple Bureau Credit monitoring – monitors changes in your credit profiles from Equifax, Experian and TransUnion-includes email alerts of any suspicious changes
·         Social Security Number and Public Record Monitoring – monitors the internet and public sources for fraudulent social security number, aliases, addresses, and phone numbers
·         Junk Mail Reduction – stop identity thieves from using personal information from your mailbox, trash or even phone calls by eliminating junk mail, credit card offers and telemarketing calls
·         Neighborhood Watch – includes a sex offender report, list of neighbors and a neighbor report on each of your neighbors
·          Identity Theft Specialists  – if in the unlikely event you become a victim of identity theft our Identity Theft experts will work with you to restore your identity and good name
·         Credit Report Dispute – if you find errors on your credit report we will help you resolve them quickly
·         Protection Insurance and Specialists -Identity Protect has you covered with up to $25,000 in Identity Theft Recovery Insurance and access to Personal Identity Theft Resolution Specialists.
·         Triple Bureau Credit monitoring – monitors changes in your credit profiles from Equifax, Experian and TransUnion-includes email alerts of any suspicious changes
·         Social Security Number and Public Record Monitoring – monitors the internet and public sources for fraudulent social security number, aliases, addresses, and phone numbers
·         Junk Mail Reduction – stop identity thieves from using personal information from your mailbox, trash or even phone calls by eliminating junk mail, credit card offers and telemarketing calls
·         Neighborhood Watch – includes a sex offender report, list of neighbors and a neighbor report on each of your neighbors
·          Identity Theft Specialists  – if in the unlikely event you become a victim of identity theft our Identity Theft experts will work with you to restore your identity and good name
·         Credit Report Dispute – if you find errors on your credit report we will help you resolve them quickly
·         Protection Insurance and Specialists -Identity Protect has you covered with up to $25,000 in Identity Theft Recovery Insurance and access to Personal Identity Theft Resolution Specialists.

Robert Siciliano Identity Theft Speaker discussing credit card and debit card fraud on CNBC

Another Identity Theft Ring Busted

Identity Theft Expert Robert Siciliano

The feds are getting better at busting criminals every day. Seventeen criminals, many from Eastern Europe, pilfered more than 95,000 stolen credit card numbers and $4 million worth of fraudulent transactions.

The New York Times reports the men were involved in a vast conspiracy known as the Western Express Cybercrime Group, which trafficked in stolen credit card information through the Internet and used it to create forged credit cards and to sell goods on eBay. They used digital currencies like e-gold and Webmoney to launder their proceeds.

Several of the scammers — Viatcheslav Vasilyev, Vladimir Kramarenko, Egor Shevelev, Dzimitry Burak and Oleg Kovelin — were charged with corruption. Vasilyev, 33, and Kramarenko, 31, were arrested at their homes in Prague, have been extradited to Manhattan. Shevelev, 23, was arrested in Greece last year, is still awaiting extradition. Burak, 26, a citizen of Belarus and Kovelin, 28, a citizen of Moldova have not been arrested

Vasilyev and Kramarenko recruited work from home employees to advertise and sell electronics on eBay. When someone would purchase an item, the two men would pocket the buyer’s payment, give a cut to their recruit, then use a stolen credit card number to purchase the item from a retail store and send it to the buyer. In essence, they used eBay to obtain a legitimate buyer’s credit card number through a legitimate channel and didn’t actually “hack” anything. They simply set up pseudo-fake auctions that, in most cases, delivered the product, but also obtained the victim’s credit card number and then made fraudulent charges.

Burak and Shevelev were “carders” who sold stolen credit card information on a website called Dumpsmarket and, probably, in chat rooms. “Dumps” is a criminal term for stolen credit cards and “carders” are the scammers who buy and sell them. Kovelin was a criminal hacker who stole victims’ financial information via phishing emails and more than likely used the victims’ own account information against them.

Protect yourself:

  1. Check your credit card statements often, especially after using an online auction site. Refute unauthorized charged within 60 days to be made whole by the issuing bank.
  2. Don’t just buy the lowest priced product on and auction site. Use auction sellers who have been approved my many and have a solid track record.
  3. Anytime you ever receive an email asking for personal information, credit information, banking etc, do not enter it. Just hit delete. Often victims will receive and email from a trusted source like eBay directly to their account because they have been actively engaging the fraudulent auctioneer. eBays system doesn’t recommend giving your credit card information outside their network in an email.
  4. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  5. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Identity Theft Speaker Robert Siciliano discusses a study done by McAfee on mules bilked in work-at-home scams on Fox News

Big Time Identity Theft Hackers Indicted

Robert Siciliano Identity Theft Expert

ABC news and a bazillion other outlets report that a former informant for the Secret Service was one of three men charged with stealing credit and debit card information from 170 million accounts in the largest data breach in history. The former informant, Albert Gonzalez of Florida, A.K.A “Segvec”, “SoupNazi,” and “j4guar17,” whose motto was ”Get Rich or Die Tryin'” was alleged to have been the ringleader of the criminal hacking operation of a prolific network that spans over five years of serious criminal activity. Once a criminal, always a criminal.

Gonzalez and two other unidentified hackers believed to be from Russia have been charged with hacking into Heartland Payment Systems, 7-11 and Hannaford Brothers Company, Dave and Busters and TJX Corporation, which involved up to 45 million credit card numbers..

Gonzalez was originally arrested in 2003 by the U.S. Secret Service and began working with the agency as an informant. Federal investigators say they later learned that the hacker had been tipping off other hackers on how to evade detection of security and law enforcement worldwide.

Gonzalez provided “sniffer” software used to intercept the credit and debit card numbers for the Russian hackers. Sniffer software or “malware” malicious software, acts like a virus attaching itself to a network and often spreading. The software allows the criminal hacker backdoor access to all the data in the server and provides remote control functionality.

The NY Times reports according to the indictment, Gonzalez and his conspirators reviewed lists of Fortune 500 companies to decide which corporations to take aim at and visited their stores and used a technique called “wardriving” to monitor wireless networks. The online attacks took advantage of flaws in the SQL programming language, which is commonly used for databases.

Threat Level, by Wired magazine, reported that Gonzalez had lived a lavish lifestyle in Miami, once spending $75,000 on a birthday party for himself and complaining to friends that he had to manually count thousands of $20 bills when his counting machine broke.

Protect yourself;

1. You can’t prevent this type of credit card fraud from happening to you when the retailer isn’t protecting your data. Eventually credit card protection solutions will  be available. For now, protecting yourself from account takeover is relatively easy. Simply pay attention to your statements every month and refute unauthorized charges immediately. I check my charges online once every two weeks. If I’m traveling extensively, especially out of the country, I let the credit card company know ahead of time, so they won’t shut down my card while I’m on the road.

2. Prevent new account fraud.  Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

3. Invest in Intelius Identity Theft Protection and Prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Robert Siciliano Identity Theft Speaker discussing credit card data breaches and the sad state of cyber security on Fox News

Identity Theft Is Easy Over P2P

Robert Siciliano Identity Theft Expert

Peer to peer file sharing is a great technology used to share data over peer networks. It’s also great software to get hacked and have your identity stolen.

Installing P2P software allows anyone, including criminal hackers, to access your data. This can result in data breaches, credit card fraud and identity theft. This is the easiest and, frankly, the most fun kind of hacking. I’ve seen numerous reports of government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked.

The Register reports that a Washington state man has been sentenced to more than three years in federal prison after admitting to using file-sharing program LimeWire to steal tax returns and other sensitive documents. He searched LimeWire users’ hard drives for files containing words such as “statement,” “account,” and “tax.pdf.” He would then download tax returns, bank statements, and other sensitive documents and use them to steal identities.

I did a story with a Fox News reporter and a local family who had four kids, including a 15-year-old with an iPod full of music, but no money. I asked her dad where she got all her music and he replied, “I have no idea.” He had no idea that his daughter had installed P2P software on the family computer and was sharing all their data with the world. The reporter asked me how much personal information I could find on the P2P network in five minutes. I responded, “Let’s do it in one minute.”

There are millions of PCs loaded with P2P software, and parents are usually clueless about the exposure of their data. P2P offers a path of least resistance into a person’s computer, so be smart and make sure you aren’t opening a door to identity thieves.

  • Don’t install P2P software on your computer.
  • If you aren’t sure whether a family member or employee has installed P2P software, check to see whether anything unfamiliar has been installed. A look at your “All Programs Menu” will show nearly every program on your computer. If you find an unfamiliar program, do an online search to see what it is you’ve found.
  • Set administrative privileges to prevent the installation of new software without your knowledge.
  • If you must use P2P software, be sure that you don’t share your hard drive’s data. When you install and configure the software, don’t let the P2P program select data for you.
  • Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name.
  • And invest in Intelius identity theft protection. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses P2P hacks on Fox.

Identity Theft Attempt at Defcon

Identity Theft Expert Robert Siciliano

Hackers hacked hackers at the annual Defcon conference in Las Vegas this past weekend. Defcon is a conference for hackers of all breeds. There are good guys, bad guys, those who are somewhere in between, plus law enforcement and government agents. All kinds of inventive people with an intuition for technology decend on Las Vegas to learn, explore, and hack.

At this year’s Defcon, someone planted a real, rigged, malicious ATM right outside the security office of the Riviera Hotel and Casino. For some reason, the area outside the security office doesn’t have any security cameras, which made it an easy place to attempt a scam. Scams like this are common in Las Vegas, due to the city’s transient nature and frantic pace. Everyone is looking for a quick buck, and what better place to pull of an ATM scam than Vegas?

ATM skimming comes in two flavors. In the first scenario, a device called a “skimmer” is placed on the face of an operational ATM. When a card is swiped, the skimmer records the data on the card, and a hidden camera generally records the PIN. Usually, money is dispensed. In the second scenario, a used ATM is rigged to record data, and placed in a public area. These ATMs are only semi-operational, and do not dispense cash. This is the type of ATM that was found in Las Vegas.

A conference attendee uncovered the scam when he attempted to use the machine and recieved an error message. Upon further investigation, a computer was discovered where the security camera should have been. The computer was recording all the victims’ details. That’s when the alarm was sounded and the area became a crime scene.

You can protect yourself from these types of scams by paying attention to your statements. Refute unauthorized transactions within 60 days. Consider never using a debit card again, since credit cards are safer. When using an ATM, pay close attention to details, and look for anything that seems out of place. If your card gets stuck in the machine or you notice anything odd about the appearance of the machine, such as wires, double sided tape, error messages, a missing security camera, or the machine seems unusually old and run down, don’t use it. Don’t use just any ATM. Instead, look for ATMs in more secure locations. (Of course, just outside the security office isn’t exactly the middle of nowhere, so always be alert.) Use strong PINs, with both upper and lowercase letters, as well as numbers. And invest in Intelius Identity Theft Protection and Prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano Identity Theft Speaker discussing ATM skimming on Fox News