Another Identity Theft Ring Busted

Identity Theft Expert Robert Siciliano

The feds are getting better at busting criminals every day. Seventeen criminals, many from Eastern Europe, pilfered more than 95,000 stolen credit card numbers and $4 million worth of fraudulent transactions.

The New York Times reports the men were involved in a vast conspiracy known as the Western Express Cybercrime Group, which trafficked in stolen credit card information through the Internet and used it to create forged credit cards and to sell goods on eBay. They used digital currencies like e-gold and Webmoney to launder their proceeds.

Several of the scammers — Viatcheslav Vasilyev, Vladimir Kramarenko, Egor Shevelev, Dzimitry Burak and Oleg Kovelin — were charged with corruption. Vasilyev, 33, and Kramarenko, 31, were arrested at their homes in Prague, have been extradited to Manhattan. Shevelev, 23, was arrested in Greece last year, is still awaiting extradition. Burak, 26, a citizen of Belarus and Kovelin, 28, a citizen of Moldova have not been arrested

Vasilyev and Kramarenko recruited work from home employees to advertise and sell electronics on eBay. When someone would purchase an item, the two men would pocket the buyer’s payment, give a cut to their recruit, then use a stolen credit card number to purchase the item from a retail store and send it to the buyer. In essence, they used eBay to obtain a legitimate buyer’s credit card number through a legitimate channel and didn’t actually “hack” anything. They simply set up pseudo-fake auctions that, in most cases, delivered the product, but also obtained the victim’s credit card number and then made fraudulent charges.

Burak and Shevelev were “carders” who sold stolen credit card information on a website called Dumpsmarket and, probably, in chat rooms. “Dumps” is a criminal term for stolen credit cards and “carders” are the scammers who buy and sell them. Kovelin was a criminal hacker who stole victims’ financial information via phishing emails and more than likely used the victims’ own account information against them.

Protect yourself:

  1. Check your credit card statements often, especially after using an online auction site. Refute unauthorized charged within 60 days to be made whole by the issuing bank.
  2. Don’t just buy the lowest priced product on and auction site. Use auction sellers who have been approved my many and have a solid track record.
  3. Anytime you ever receive an email asking for personal information, credit information, banking etc, do not enter it. Just hit delete. Often victims will receive and email from a trusted source like eBay directly to their account because they have been actively engaging the fraudulent auctioneer. eBays system doesn’t recommend giving your credit card information outside their network in an email.
  4. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  5. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Identity Theft Speaker Robert Siciliano discusses a study done by McAfee on mules bilked in work-at-home scams on Fox News

Identity Theft Is Easy Over P2P

Robert Siciliano Identity Theft Expert

Peer to peer file sharing is a great technology used to share data over peer networks. It’s also great software to get hacked and have your identity stolen.

Installing P2P software allows anyone, including criminal hackers, to access your data. This can result in data breaches, credit card fraud and identity theft. This is the easiest and, frankly, the most fun kind of hacking. I’ve seen numerous reports of government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked.

The Register reports that a Washington state man has been sentenced to more than three years in federal prison after admitting to using file-sharing program LimeWire to steal tax returns and other sensitive documents. He searched LimeWire users’ hard drives for files containing words such as “statement,” “account,” and “tax.pdf.” He would then download tax returns, bank statements, and other sensitive documents and use them to steal identities.

I did a story with a Fox News reporter and a local family who had four kids, including a 15-year-old with an iPod full of music, but no money. I asked her dad where she got all her music and he replied, “I have no idea.” He had no idea that his daughter had installed P2P software on the family computer and was sharing all their data with the world. The reporter asked me how much personal information I could find on the P2P network in five minutes. I responded, “Let’s do it in one minute.”

There are millions of PCs loaded with P2P software, and parents are usually clueless about the exposure of their data. P2P offers a path of least resistance into a person’s computer, so be smart and make sure you aren’t opening a door to identity thieves.

  • Don’t install P2P software on your computer.
  • If you aren’t sure whether a family member or employee has installed P2P software, check to see whether anything unfamiliar has been installed. A look at your “All Programs Menu” will show nearly every program on your computer. If you find an unfamiliar program, do an online search to see what it is you’ve found.
  • Set administrative privileges to prevent the installation of new software without your knowledge.
  • If you must use P2P software, be sure that you don’t share your hard drive’s data. When you install and configure the software, don’t let the P2P program select data for you.
  • Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name.
  • And invest in Intelius identity theft protection. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses P2P hacks on Fox.

Are Cookies An Invason Of Privacy Or Identity Theft Concern?

Robert Siciliano Identity Theft Expert

Ive taken lots of heat for my comments on a Fox News report that the Office of Management and Budget is considering reversing a nine year ban on using “cookies” to track users’ preferences and interests on federal websites. The shift in policy is being billed as a way for government to enter the 21st century and for federal agencies to use the same technology utilized on news sites, retail sites and social media networks.

My comments under fire involve some “scaremongering” and potential inaccuracies in relation to cookies and what they do.

“Without explaining this reversal of policy, the OMB is seeking to allow the mass collection of personal information of every user of a federal government website,” said Michael Macleod-Ball, acting director of the American Civil Liberties Union’s Washington Legislative office. “Until OMB answers the multitude of questions surrounding this policy shift, we will continue to raise our strenuous objections.”

A cookie is a small piece of text or code that is stored on your computer in order to track data. Cookies contains bits of information such as user preferences, shopping cart contents and sometimes user names and passwords. Cookies allow your web browser to communicate with a website. Cookies are not the same as spyware or viruses, although they are related. Many anti-spyware products will detect cookies from certain sites, but while cookies have the potential to be malicious, most are not.

A colleague sent me a note after reviewing my comments regarding cookies and stated:  “Cookies have been around since the mid-to-late ’90’s, and most people still don’t understand what they are or what they do. If you go to http://osvdb.org and do a search for “cookies”, you’ll see there have traditionally been tons of vulnerabilities surrounding them. From a privacy standpoint, they’re also a potential issue depending on how they’re used, but that really depends on a site’s environment. Saying that “cookies store passwords” isn’t really true in most cases based on evidence I’ve seen over the last several years. They might store session IDs or be manipulated to allow admin access to a site, sure… but that’s not true across the board for every (or even most) sites.”

However Informationweek reports Internet users are revealing information that identifies them through the use of social networking sites cookies.

What was said in the video in relation to what cookies do was more of an analogy than stating fact. I was trying to simply give a bit of perspective and explain what the privacy concerns may be. Its a complicated issue that has the ACLU and others up in arms.

The government tracks criminals using specially developed spyware that gathers a wide range of information, including IP and MAC addresses, operating systems, Internet browsers, open ports, running programs, user names, and recently visited URLs. This scares privacy advocates, for good reason.

But cookies are generally not invasive. They are typically used to produce usage statistics within a single site, or to produce anonymous user profiles across multiple sites, in order to determine which advertisements would be most relevant. Many websites become unusable if your browser does not accept cookies. Social networking sites are particularly dependent on cookies.

Federal government agencies have banned cookies in their own sites since 2000 in response to demands from privacy advocates. Some claim that the proposal to reverse the ban comes in response to Google’s recent lobbying efforts. Whitehouse.gov posts YouTube videos that contain Google’s third party cookies. The entire issue requires a bit more transparency for all those involved.

Advertisers have long known that cookies are useful for customizing the user experience. The government seems interested in taking advantage of this benefit as well. If that is the real motivation, it’s great. But privacy advocates aren’t happy, since the government tends to take a mile when given an inch.

There are a few fundamental ways to keep yourself secure. Browsers all give you the option of simply turning cookies off.  Make sure that yourInternet security software is updated, and install spyware removal software if it isn’t included in your basic security suite. Lock down your wireless connection. Use strong passwords that include upper and lowercase letters as well as numbers, and never share them. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. In most cases, this prevents new accounts from being opened in your name. Download CCleaner, a free system optimization, privacy and cleaning tool that removes unused files including cookies from your system, which frees up disk space and allows Windows to run faster. It also cleans traces of your online activities. And invest in Intelius identity theft protection. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses a proposal to allow the use of cookies on federal websites on Fox News, and again on Breitbart.tv.

College Students At Risk For Identity Theft

Identity Theft Expert Robert Siciliano

Why? Because they don’t care! September is National Campus Safety Awareness Month, and I’m teaming up with Uni-Ball pens to urge college students to protect their personal safety and security. Uni-Ball pens and the Identity Theft Resource Center surveyed 1,000 college students and 1,000 parents. This Campus Security Survey revealed that while about 74% of parents believe students are at a moderate to high risk for identity theft, and 30% of all identity theft victims are between 18 and 29, only 21% of students are concerned about identity theft.

It’s no surprise that most college students are indifferent when it comes to their personal and information security. When you are in your late teens or early twenties, you feel a sense of invincibility. However, once you have a few years under your belt, you begin to mature and gradually realize the world isn’t all about keg parties and raves. Hopefully if all goes well, you adopt some wisdom by the time you’re 30.

Here are a few more interesting statistics from the Campus Security Survey.

  • 89% of parents have discussed safety measures with their kids, yet kids continue to engage in risky behavior
  • 40% of students leave their apartment or dorm doors unlocked
  • 40% of students have provided their Social Security numbers online
  • 50% of students shred sensitive data
  • 9% of students share online passwords with friends
  • 1 in 10 have allowed strangers into their apartments
  • Only 11% use a secure pen (which can prevent check washing fraud) when write checks

College students have always been easy marks because their credit is ripe for the taking. Students’ Social Security numbers have traditionally been openly displayed on student badges, testing information, in filing cabinets and databases all over campus. Landlords and those involved in campus housing also have access to students identifying information.

The study concluded, “Students who ignore their own personal security are not only putting themselves at risk for identity theft, they are also putting their parents at risk. While getting established in the real world, it’s common practice among college students to use their parents’ names, bank account numbers and other personal information to co-sign loans and leases, write tuition and housing checks, register online to receive grades and more. So when online criminals strike, they are often manipulating parents’ personal data, not just the students’.” Any parent sending their children off to college should be concerned.

How to protect yourself:

  1. Lock your doors! The transient nature of college life means people are coming and going and thievery is more likely to happen. Just because you may come from a small town and do not lock your doors, that doesn’t make it okay at school.
  2. Limit the amount of information you give out. While you may have to give out certain private data, refuse whenever possible.
  3. Shred everything! Old bank statements, credit card statements, credit card offers and other account number bearing documents need to be shredded when no longer needed.
  4. Lock down your PCs. Make sure your Internet security software is up to date. Install spyware removal software. Lock down your wireless connection. Use strong passwords that include upper and lowercase letters as well as numbers. And never share passwords.
  5. Secure your signature. Use Uni-Ball gel pens to write rent checks and sign documents. They cost as little as $2 and contain Uni “Super Ink,” which is specially formulated to reduce document fraud and check washing, a popular form of identity theft.
  6. Be alert for online scams. Never respond to emails or text messages that are purportedly coming from your bank. Always log into your bank account manually via your favorites menu.
  7. Invest in Intelius Identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.
  8. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. In most cases, this prevents new accounts from being opened in your name.

Robert Siciliano, identity theft speaker, discusses identity theft protection and check washing on TBS’s Movie and a Makeover.

Government Officials Contributing to Identity Theft

Robert Siciliano Identity Theft Expert

Government officials are posting our Social Security numbers on the web, but corporations are required to keep them under lock and key.

Congressman Robert Wexler was recently targeted by a Ghanaian extortionist who supposedly obtained Wexler’s Social Security number, as well as his wife’s, from a public record posted at The Virginia Watchdog. Betty Ostergren, founder of The Virginia Watchdog, has spent the past seven years trying to put an end to the public exposure of our Social Security numbers, which are often posted online by elected or appointed state government officials. Virginia and other states apparently want this personal information online, since they have yet to pass any laws mandating the removal of Social Security numbers.

State officials posts these records online because they are public records. This is already happening in every state. Records containing extensive personal information are available on the Internet, and the elected officials that post this information put individuals at risk by failing to remove or black out Social Security numbers and other sensitive data.

The fact that Congressman Wexler and his wife were extorted should not be the big story. The big story should be the fact that these records, with Social Security numbers exposed, are made available on the Internet, thanks to elected officials.

Betty Ostergren recently found the same documents for one major U.S. corporation and their top brass on twelve different state government websites. The same list of Social Security numbers and home addresses for the top executives appeared on government websites in in Arizona, Colorado, Florida, Indiana, Iowa, Kentucky, Massachusetts, Michigan, Mississippi, New Hampshire, North Carolina, and South Dakota. And each year that the company filed a report within those states, the same 40+ Social Security numbers showed up on the documents, which are available to anyone in the world. (North Carolina did unsuccessfully attempt to redact the numbers.) The Social Security numbers of many top executives from many corporations are available on the Internet, on public records published on state websites. And so are the Social Security numbers of plain old Joe Shmoes, too. But most of them don’t realize it, and when their identities are compromised, they’ll wonder how their Social Security numbers got into the wrong hands.

We live in an ignorant country, where people pay more attention to sports and entertainment than the actions of our legislators.

Go to The Virginia Watchdog and read everything you can to become fully informed about the identity theft crisis fueled by public records.

1. Prevent new account fraud.  Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius Identity Theft Protection and Prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Robert Siciliano Identity Theft Speaker discussing Social Security numbers on Fox News

Florida Congressman Robert Wexler Targeted in Identity Theft Extortion

Identity Theft Expert Robert Siciliano

Sun Sentential reports that Congressman Robert Wexler, of Florida, was targeted by an extortionist who threatened to turn his Social Security number over to identity thieves. Wexler refused to give in to the extortionist’s demands, and reported the plot to the Secret Service and Capitol Police. Other members of Congress were targeted, as well. The alleged extortionist has been arrested and remains in custody in Ghana.

Wexler’s attorney, Pamela J. Marple, issued a statement:

“Congressman Wexler greatly appreciates the professionalism and ongoing assistance of the United States Secret Service and Capitol Police regarding a matter where he was targeted as a member of Congress and was the victim of crime involving extortion and attempted identity theft. This remains an ongoing legal matter that will be closely monitored.”

The Ghanaian telephoned Wexler this month while President Barack Obama was visiting Ghana, guarded by Secret Service agents. Wexler reported the matter to the Secret Service while they were in the country, which helped the investigation. The congressman, while understandably shaken that he was being extorted, should have already known that his Social Security number is out in the wild. Our Social Security numbers are in public records, databases, file cabinets, school records and, quite possibly, for sale on the Internet.

  1. Be aware that your Social Security number has already been compromised. Over the past five years, hundreds of millions of records have been stolen in major data breaches.
  2. Do everything you can to prevent your own data breaches by making sure to install and update Internet security software.
  3. Never use public PCs where spyware might be installed.
  4. Recognize that when using wireless in a hot spot, your personal information is available for the taking.
  5. Do a scan in the public records in your state to see if your Social Security number is posted anywhere.
  6. Invest in Invest in Intelius Identity Theft Protection and Prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.
  7. Get a credit freeze. Search “state credit freeze laws” online and lock down your credit to prevent new account fraud.

Identity theft speaker Robert Siciliano discusses Social Security numbers on Fox News.

Debit Cards at Risk for Identity Theft

Robert Siciliano Identity Theft Expert

There are 437,000,000 debit cards in circulation, and their use is on the rise. Criminal hackers are paying attention. Credit cards offer some measure of protection, but when a debit card is compromised, the stolen money is taken directly from the victim’s bank account.

Federal laws limit cardholder liability to $50.00 in the case of credit card fraud, as long as the cardholder disputes the charge within 60 days. Debit card fraud victims must notify the bank within two days in order to maintain this $50.00 limit. After that, the maximum liability jumps to $500.00. And if a victim doesn’t discover or report the fraud until after 60 days have passed, the liability could be the entire card balance, for a debit or credit card. Once your debit card is compromised, you might not find out until a check bounces or the card is declined. And once you do recover the funds, the thief can just start all over again, unless you cancel the account altogether.

There are a few known scams that can make you vulnerable to debit card fraud.

There’s the bait and switch. When making a purchase online, you may be prompted to make an additional purchase that appears to be a one time fee, but is actually an ongoing monthly debit that is nearly impossible to cancel. That’s when canceling your card is the only way out. While this isn’t technically criminal hacking, it is very slimy marketing. The best way to protect yourself from this one is to always read the fine print before making an online purchase. Just be smart.

Unless you have been living in a cave, you’ve probably received a phishing email at some point. Criminal hackers, assisted by teams of psychologists and sociologists, are designing and selling phishing kits to one another. They know what makes you tick and they know what will convince you to click on a link. These people are professionals. There used to be a day when phish emails contained obvious misspellings and but now they are organized and sophisticated. And as more people go paperless and get their bank statements online, it is becoming more common for criminals to take advantage of that process, sending emails that appear to be statement notifications. If you think an email might be phishing, delete it immediately. And don’t click on links in emails. Either manually type the link into the address bar, or use your bookmarks menu.

According the the Secret Service, Skimming is one of the financial industry’s fastest growing crimes. The ATM Industry Association reports over one billion dollars in annual global losses from credit card fraud and electronic crime associated with ATMs. A skimmer is a hardware device that a thief places on the face of an ATM, which matches the machine itself. It’s almost impossible for a civilian to notice the difference unless the skimmer is of poor quality, or the civilian has a unique eye for security. Often, the thieves will mount a small pinhole camera somewhere near the ATM, perhaps in a brochure holder, to record the victim’s PIN. Gas pumps are equally vulnerable to this scam. Pay very close attention during ATM and gas pump transactions. If something seems wrong, it is wrong. Look for double stick tape, removable features on the face of the ATM, a card sticking inside the reader, or additional mirrors or brochure holders that could contain a small camera.

1. Prevent new account fraud.  Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius Identity Theft Protection and Prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Robert Siciliano Identity Theft Speaker discussing ATM skimming on Fox News Here and credit card fraud on CNBC Here

XX

Child Identity Theft Victims

Robert Siciliano Identity Theft Expert

Jason Truxel was denied a mortgage because of bad credit. He had no idea that his credit scores were low, so he pulled his credit reports. He discovered a tremendous amount of debt, and accounts he had never opened. One such account showed that a credit card had been opened in his name when he was 13 years old. Jason found out the hard way that he was a victim of child identity theft. When Jason was a child, his father was convicted of credit card fraud. So he went to his father’s house and found a stack of credit cards with his name on them in a dresser drawer. When confronted, Jason’s dad said that Jason would never be able to prove anything. That’s a bad dad, if I’ve ever heard of one.

Diamond Daye is 11 years old. He’s going through the same problem. Except his mother is the identity thief. She’s 31, and owes thousands in rent and cell phone and cable bills.

Child identity theft is a growing problem. The Federal Trade Commission estimates that there are 500,000 new victims every year. The culprits are often parents, since they have direct access to their kids’ personal information. Irresponsible parents who have screwed up their own credit apply for credit in their childrens’ names, once they discover how easy it is. All a parent needs is a child’s Social Security number, and the fun begins. Creditors often fail to verify the applicant’s age, and simply accepts the application. Children rarely discover that they are victims of identity theft until they are adults, and are denied credit or employment because of their negative credit history. Sometimes the custodial parent discovers that his or her ex committed identity theft when the bill collector notices begin to arrive.

There’s not much a person can do to prevent child identity theft, other than regularly requesting fraud alerts and ensuring the credit hasn’t been issued under your child’s name.

What you should do to protect yourself and your children:

Protecting yourself from new account fraud requires a credit freeze, or setting up your own fraud alerts and in your childs’ name too. This provides an extra layer of protection. In most cases it prevents the opening of new credit.

Consider making an investment in Intelius Identity Theft Protection and Prevention. Because when all else fails you’ll have someone watching your back. Includes a Free Credit Report, SSN monitoring, Credit & Debit Card monitoring, Bank Account monitoring, Email fraud alerts, Public Records Monitoring, Customizable “Watch List”, $25,000 in ID theft insurance, Junk Mail OptOut and Credit Card Offer OptOut.

Robert Siciliano Identity Theft Speaker discussing availability of Social Security numbers on Fox News

Identity Thieves Gather Data From Social Networks

Robert Siciliano Identity Theft Expert

There’s a lot of excessive trust in the Facebook world. People have entirely dropped their sense of cynicism when logged on. Apparently, they see no reason to distrust. Generally, your “friends” are people who you “know, like and trust.” In this world, your guard is as down as it will ever be. You can be in the safety of your own home or office, hanging with people from all over the world, in big cities and little towns, and never feel that you have to watch your back.

PC World reports that a third of social networkers have at least three pieces of information posted on their pages that could lead to identity theft. Names, addresses, birth dates, mothers’ maiden names, kids’ names, pets’ names and phone numbers are among the various types of data that could help a criminal piece together your identity. Social networkers are simply making it too easy for thieves.

Almost 80% of those polled are concerned about privacy issues on social networks, yet almost 60% are unaware of what their privacy settings are and who can see their data. One third of social networkers admitted that they use the same password for all their social networking accounts.

Most social networks have privacy settings that many users never venture to manage. It is imperative to spend a few minutes and lock down your profiles so they can’t be seen by everyone in the world.

It is not unusual for a potential identity thief to “friend” a potential victim. The thief poses as someone the target may know, or someone who is known within the target’s social circle. Once the thief has been accepted as a friend, he or she is in the target’s inner circle and gains a great deal of insight into the target’s daily life.

People often try to “friend” me, and I can see that they are “friends” with people I know. But I don’t know them. And the mutual friends often tell me that they don’t know the person, but were “friends” with someone else they knew, and they accepted based on that! That’s nuts! Next thing you know, they are trolling through your “friends” and befriending people in your network, who accept based on their trust in you! Dizzy yet? The point is, stop the madness! Don’t allow these trolls into your life. Mom told you not to talk to strangers. I’m telling you not to “friend” strangers, because they could be scammers.

Scammers are watching. They know that once they are on Facebook, your guard goes way down.

Regardless of all this craziness protect your identity.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius Identity Theft Protection and Prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Includes;

Personal Identity Profile – Find out if you’re at risk for identity theft with a detailed report of your identity information, including a current credit report, address history, aliases, and more.

24/7 Identity Monitoring and Alerts – Prevent identity theft with automatic monitoring that scans billions of public records daily and alerts you to suspicious activity.

Identity Recovery Assistance – Let professionals help you recover your identity if you ever become a victim of identity theft.

Robert Siciliano Identity theft speaker discusses Facebook scams on CNN

Web Based emails Insecurity Leads to Identity Theft

Robert Siciliano identity theft expert

I recently appeared on Fox and Friends to discuss email hacking. Dave Briggs, a FOX & Friends Weekend co-host, lost access to his Hotmail email account when hackers were able to guess either his password or his qualifying question. (He admitted that his password was not as strong as it should have been.) The hackers locked Briggs out of his own account and spammed all of his contacts with a fraudulent email that appeared to be written by Briggs himself, claiming that he was trapped in Malaysia and requesting that someone help him by transferring money via Western Union. Only after persistently contacting Hotmail administrators was Briggs able to regain control of his own email account.

Twitter was targeted by a similar hack, which led to a data breach. It is likely that the hacker guessed the answer to a Twitter employee’s security question and reset the employee’s password. On Wednesday, Twitter co-founder Biz Stone blogged, “About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked. From the personal account, we believe the hacker was able to gain information which allowed access to this employee’s Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company.”

And of course, Sarah Palin’s Yahoo email account was hacked into last year, during the presidential campaign. The hacker explained how easy it was in Wired.

Web-based email rocks! Since you’re no longer tethered to a PC-based client, you can access your email from anywhere. And all the data saved in your email account will be safe if your PC crashes. Many web-based email providers offer gigabytes of free storage and other useful tools like documents, RSS readers, and calendars. Life in the cloud is easier and more convenient. But is it secure?

PC Pro reported on a study run by Microsoft Research and Carnegie Mellon University, which measured the reliability and security of the questions that the four most popular webmail providers use to reset account passwords. AOL, Google, Microsoft, and Yahoo all rely on personal questions to authenticate users who have forgotten their passwords. The study found that the “secret questions” used by all four webmail providers were insufficiently reliable authenticators, and that the security of personal question appears much weaker than passwords themselves. Yahoo claims to have updated all their personal questions in response to this study, but AOL, Google, and Microsoft have yet to make any changed.

Once a hacker has your email address, he or she can simply go to the “forgot password” section of your email provider’s website and respond to a preselected personal question that you answered when signing up for the account. With a little research, the hacker has a good shot at finding the correct answer.

Some of the current questions could be answered using information found on a user’s social networking profile, or through a website like Ancestry.com or Genealogy.com. Some answers might be found in the user’s trash. Some questions seek opinions, rather than facts. For example, “Who is your favorite aunt?” requires an opinion in response, but if a hacker knew the names of all your aunts, he or she could enter them all one by one. Some questions would be more difficult to answer. Unfortunately, if you signed up for your web-based email account over a year ago, before these email hacks became more common, your questions may be even easier to answer.

Gmail’s current personal questions are:

  • What is your frequent flyer number?
  • What is your library card number?
  • What was your first phone number?
  • What was your first teacher’s name?
  • Write my own question

Yahoo’s current personal questions are:

  • What is the first name of your favorite uncle?
  • Where did you meet your spouse?
  • What is your oldest cousin’s name?
  • What is your oldest child’s nickname?
  • What is the first name of your oldest niece?
  • What is the first name of your oldest nephew?
  • What is the first name of your favorite aunt?
  • Where did you spend your honeymoon?

I suggest that you check out the “forgot password” section on your own web-based email account, to see your current personal question. If it’s easy to answer, or would only require a little research to solve, update the question with one that you create based on opinion, as opposed to fact. And keep in mind that most people list “pizza” as their favorite food and “liver” as their least favorite. So be creative. You should also beef up your password. Combine uppercase and lowercase letters, as well as numbers. Don’t use consecutive numbers, and never use names of pets, family members, or close friends.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius Identity Theft Prevention and Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Includes;

Personal Identity Profile – Find out if you’re at risk for identity theft with a detailed report of your identity information, including a current credit report, address history, aliases, and more.

24/7 Identity Monitoring and Alerts – Prevent identity theft with automatic monitoring that scans billions of public records daily and alerts you to suspicious activity.

Identity Recovery Assistance – Let professionals help you recover your identity if you ever become a victim of identity theft.

Robert Siciliano, identity theft speaker, discusses hacked email on FOX & Friends.