Criminal Hackers Steal Victims Home

A sophisticated scam left an Australian business man with a half million dollars stolen when criminals sold 2 properties and almost a 3rd using his stolen credentials. This kind of scam is happening in the U.S. too.

The business man had been overseas for a while and his neighbor contacted him at one point because his home was on the market and being sold. When the business man started investigating the non-permissioned sale, that’s when he realized the other properties had been sold and were no longer his.

The thieves, were believed to be Nigerian, and had enough information on the man to allow the real estate transactions to go through.  It is believed the criminal hackers got into his email account and obtained his personal identifying information along with his property documents which enabled the criminals to sell the houses.

Reports state the transactions were made virtually via email, telephone and fax, without any physical contact between the owner and anyone else. In this scam the owner, the real estate agent, banks, and various government agencies were all duped.

The system of checking and verifying identities in this case and in others often fails.

Advice to prevent this type of crime is often directed towards real estate agents who are used as the pawn in the transaction and do the dirty deed for the scammer.

In the very least agents should request a photocopy of a driver’s license or passport before listing a home for sale when doing business virtually. Other suggestions might be verify signatures using a notary or checking existing documentation and compare signatures. Look at deeds for alterations and get them from the title company.

More importantly it is essential that the homeowner meet the real estate agent for a face to face meeting. Airfare can’t cost more than a few thousand dollars and when doing a half million dollar transaction it makes sense for everyone involved to make this a priority.

But the best thing and probably the most effective solution when doing a full blown virtual transaction is to contact a lawyer wherever the seller may be and require the seller to verify themselves through a competent lawyer or other professional who can review and certify the sellers credentials.

Homeowners have a different set of responsibilities.

First and foremost make sure to invest in title insurance. Title insurance should cover legal bills associated with this type of scam. Check the policy.

If you plan on leaving your home or investment property vacant for any period of time get friendly with your neighbors and request they alert you in case your property goes on sale.

Do the same with local real estate agents and request they do an occasional drive by. Have that same real estate agent check the MLS listing occasionally looking for your property to show up on the market.

Invest in technology. A home security camera solution that alerts you to any activity on the home can give you a sense of there is any mischief. Motion sensitive cameras can alert you to any activity via text or email and can be viewed remotely via a mobile phone or internet connection.

Robert Siciliano personal security expert to Home Security Source discussing burglar proofing your home on Fox Boston. Disclosures.

Giving Your Credit Card to a Hotel? Watch Your Statements.

Personally, I don’t particularly enjoy staying in hotels. Sure, after a long day of travel, the hotel is a relief, but in most cases, I’d much rather sleep in my own bed. Criminal hackers, on the other hand, love hotels.

According to a recent study, 38% of all credit card breaches occur in hotels. Despite several high profile breaches that recently affected payment processors and banks, the financial services industry only accounts for 19% of breaches. Retailers came in third at 14%, and restaurants fourth at 13%.

Over the past five years or so, I’ve noticed a trend in which criminals go after the most likely targets, and those victims beef up their defenses in response. So the bad guys move on to the next most likely target – one that hasn’t learned from others’ mistakes.

Hotels are easy targets because they are all credit card-based. It is possible to reserve a room without providing a credit card number, but they don’t make it easy. And hotels themselves certainly aren’t fortresses designed to keep bad guys out. They’re designed to be open and inviting, with, at best, a bellman whose focus is assisting guests rather than guarding the front door. Maybe that mentality exists in hotels’ IT security departments, too.

The root of the issue is the hotel industry’s insufficient security measures to prevent data breaches. Many rely on older point of sale terminals and outdated operating systems, which are more vulnerable to hackers. When the recession hit, many hotels cut back and decided to hold off on upgrades. While their defenses were down, hackers slithered into their networks to steal guests’ personal financial data. Once thieves have accessed this data, they can clone cards with the stolen numbers and use them to make unauthorized charges.

As a consumer, your only recourse is to pay close attention to every single penny charged to your credit card, and dispute any fraudulent or incorrect transactions, no matter how small. Check your statements frequently and be sure to dispute all unauthorized charges within two billing cycles, or 60 days.

Canada and Mexico have adopted smart cards, which use “chip and PIN” technology, making the credit card data useless to potential identity thieves. Eventually we may see the adoption of smart cards in the U.S., which would put an end to this madness.

Robert Siciliano, personal security adviser to Just Ask Gemalto, discusses hackers hacking hotels on CNBC. (Disclosures)

Adobe a Target for Criminal Hackers

We all know and love Adobe products. Their PDFs have become as ubiquitous as .DOC, .TXT and .XLS. Most PCs include Adobe Reader as a bundled software. The Adobe Flash media player is the easiest most user friendly online video player on the planet and required for the most popular video site YouTube.

Brad Arkin, Adobe’s director for product security and privacy, recently commented, “We’re in the security spotlight right now. There’s no denying that the security community is really focused on ubiquitous third-party products like ours. We’re cross-platform, on all these different kinds of devices, so yes, we’re in the spotlight.”

Adobe, in response is doing everything a responsible software developer should do.

Adobe is the same boat today that Microsoft found itself in years ago. Ground zero. Hack central. Criminal hackers love it. Adobe’s software or files are used on almost every PC and across operating all systems. Every browser requires a program to open PDFs and many websites either have links with PDFs or incorporate Flash to play video or for aesthetic reasons. According to an estimate from McAfee, in the first quarter of this year, 28% of all exploit-carrying malware leveraged a Reader vulnerability.

While attention from the criminal hacking community has certainly been a burden to Adobe, the same attention is now being paid by the white hat hackers, the good guys. The security community is now actively involved in the reporting of bugs and vulnerabilities, which is helping Adobe tighten up. Fortunately, Adobe is learning from their current situation and is actively engaged in resolving these issues. They’ve created a better, more frequent software updating tool for each of their programs, including Flash and Adobe Reader. As difficult a situation as this may be, Adobe is handling it very well.

“Application security” is an often used term when, during the software development cycle, the software or application goes through a series of “penetration tests” designed to seek out vulnerabilities that could be exploited in the field. Adobe’s process now includes their Secure Product Lifecycle (SPLC) to seek out and squash those issues. It is important to understand that flaws, bugs, holes, vulnerabilities, or whatever you call them, are often detected after the launch of software. While both developers and criminals have many of the same tools, the bad guys seem to have an edge and are often able exploit those flaws before developers can find and fix them. Adobe however is beginning to turn the tide on the bad guys.

If you function in a Microsoft Windows environment, you should be aware of “Windows Update” and have it set to automatically download and update your operating system’s critical security patches. Updating Reader and Flash requires manual action, but Adobe’s built-in updater can also be set to automatic. I’d suggest that most users set this to automatic as well. If you have an older version of Reader, which may not include an automatic update option, you should head directly to Adobe.com to download the current software.

Robert Siciliano, personal security and identity theft expert adviser to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. (Disclosures)

Watching Out For Criminal Hacks

Robert Siciliano Identity Theft Expert

We use the web to search out tons of information, to shop online and to connect with friends and family. And in the process criminals are trying to whack us over the head and steal from us. And they’ve become very proficient at their craft while most computer users know enough about protecting themselves today as they did 15 years ago. Which equates to not so much.

Back in the day, a person only had to know not to open a file in an attachment from someone they didn’t know. Maybe even not opening one from someone they knew and making a phone call first. Today there are more ways than ever that your PC can be hijacked.

Today you can simply visit a website thinking you are safe and the bad guy was there before you and injected code on the site and now it infects your out-dated browser. That’s a “drive by” and it’s very common today. Here is a list of likely attacks occurring every day.

Fundamentals:

Update your browser. Internet Explorer and Firefox are the most exploited browsers. Whenever there is an update to these browsers take advantage of it.   Keep the default settings and don’t go to the bowels of the web where a virus is most likely to be. Consider the Google Chrome browser as it’s currently less of a target.

Update your operating system. No matter what brand of computer you are on you have to update the critical security patches for your Windows operating system. Microsoft will no longer support Windows XP after 2014, so start thinking about upgrading to Windows 7 (which is pretty sweet). Go to Windows Update. Why anyone would keep XP running unless they had to is a mystery to me. It’s a dog who has been kicked too many times.

Update Adobe Reader and Flash. Adobe PDFs and Flash Player are ubiquitous on almost every PC. Which makes them a prime target for criminals. To update Reader go to Help then Check for Updates. To update Flash go here.

Don’t be suckered into scareware. A popup launches and it looks like a window on your PC. Next thing a scan begins. The scan tells you that a virus has infected your PC. And for $49.95 you can download software that magically appears just in time to save the day. Studies show that organized criminals are earning $10,000.00 a day from scareware. That’s approximately 200 people a day getting nabbed. Some “distributors” have been estimated to make as much as $5 million a year. Just shut down your browser and do a scan with your existing anti-virus. Then update your browser because it’s probably outdated, which is why you saw scareware in the first place.

Beware of social media scams. Numerous Twitter (and Facebook) accounts including those of President Obama, Britney Spears, Fox News and others were taken over and used to make fun of, ridicule, harass or commit fraud. Often these hacks may occur via phish email. Worms infiltrating Twitter requesting to click on links would infect user’s accounts and begin to multiply the message. Then your followers and their follower would get it, causing more grief than anything else.

Invest in social media protection @ Knowem.com

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano identity theft speaker discussing social media identity theft on CNN

1.5 Million Americans Have Been Victims of Medical Identity

Robert Siciliano Identity Theft Expert

The Smartcard Alliance has released an in-depth report called “Medical Identity Theft in Healthcare.

While identity theft is a global issue that garners much media attention, most do not realize that medical identity theft is a serious and growing threat. Many authorities consider medical identity theft one of the fastest growing crimes in America. With the digital age of healthcare upon us, the risks are expected to increase as electronic medical records become more prevalent and the exchange of this data over expanding networks becomes more pervasive. Heightened concern over personal data security and privacy highlight the importance of having secure electronic medical identities.

According to a recent Ponemon Institute study, nearly 1.5 million Americans have been victims of medical identity theft with an estimated total cost of $28.6 billion–or approximately $20,000 per victim. [1] Further evidence of the significance of the medical fraud problem is the allocation of $1.7 billion for fraud detection in the 2011 U.S. Health and Human Services Department budget. [2] In 2009, 68 reported healthcare data breaches in the U.S. put over 11.3 million patient records at risk of exposure.

Patients whose medical identities are stolen face serious lingering effects. Fraudulent healthcare events can leave erroneous data in medical records. This erroneous information–like information about tests, diagnoses and procedures–can greatly affect future healthcare and insurance coverage and costs. Patients are often unaware of medical identity theft until a curious bill or a surprising line of questioning by a doctor exposes the issue. Then, the burden of proof is often with the patient and it can be difficult to get the patient’s legitimate medical records cleaned up. The consequences can also be life threatening and can lead to serious medical errors and fatalities.

Identity theft prevention services generally will not protect you from medical identity theft. However, if your information is out there on the Net and being scanned constantly by the identity theft protection service, then your risk is lowered. Furthermore, I’m all about layers of protection. If your identity is protected from new account fraud via credit monitoring or credit freezes then the thief may use another identity that has less restrictions.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Medical Identity Theft on the CBS Early Show

Self-revelation Can Help Assemble a Social Security Number

I am not done nor will I ever be done sounding that alarm, ringing that bell and informing you about how ridiculous social media is. I was asked in a radio interview today what it will take to get people to recognize they are sharing too much data. In a word, tragedy. When a home is broken into, they install a home security alarm. When someone is mugged, they take a self defense course. When planes fly into buildings, we get frisked. Being smart is understanding risk and being proactive.

Most people are smart enough to NOT give out a social security number on Facebook. However between what you say, your family, friends and colleagues say and post, your profile is becoming more complete every minute. Even your mom or wife posts her name as “First Maiden Last” because she saw someone else do it and it made sense to allow her old friends/flames to find her.

But today with all this personal information readily available there are now rumblings from academia that they have cracked the code and have assembled technologies to decipher all this information and turn it into hard decipherable data that leads to opening new accounts in your name.

The New York Times reportscomputer scientists and policy experts say that such seemingly innocuous bits of self-revelation can increasingly be collected and reassembled by computers to help create a picture of a person’s identity, sometimes down to the Social Security number. So far, this type of powerful data mining, which relies on sophisticated statistical correlations, is mostly in the realm of university researchers, not identity thieves and marketers.”

SearchSecurity.com reports that researchers at Carnegie Mellon University have developed a reliable method to predict Social Security numbers using information from social networking sites, data brokers, voter registration lists, online white pages and the publicly available Social Security Administration’s Death Master File.

Originally, the first three numbers on a Social Security card represented the state in which a person had initially applied for their card. Numbers started in the northeast and moved westward. This meant that people on the east coast had the lowest numbers and those on the west coast had the highest. Before 1986, people were rarely assigned a Social Security number until age 14 or so, since the numbers were used for income tracking purposes.

From this point on I’d suggest locking down social media profiles in a way that they are not publicly accessible. Prevent anyone (except those very close to you) from seeing and reading everything about your daily activities, who you associate with and all the names and contact information of all your friends and family.

Robert Siciliano personal security expert to Home Security Source discussing cracking the code and wireless security on Fox Boston.

Is That Portable Device a Data Hazard?

Robert Siciliano Identity Theft Expert

According to a survey of London and New York City taxi companies last year revealed that more than 12,500 devices, such as laptops, iPods and memory sticks, are forgotten in taxis every six months. Portable devices that may have troves of sensitive data.

Recent reports of identity data including names, addresses, Social Security numbers on 3.3 million people with student loans was the largest-ever breach of such information and could affect as many as 5% of all federal student-loan borrowed. A company spokesperson said the stolen information was on a portable media device. “It was simple, old-fashioned theft, it was not a hacker incident.” Lovely. That’s just ducky spokesboy.

The survey further reached out to 500 dry cleaners who said they found numerous USB sticks during the course of a year. Multiplying that by the number of dry cleaners they got a figure of approximately 9000 USBs lost and found annually.

Computerworld reports a 2007 survey by Ponemon of 893 individuals who work in corporate IT showed that: USB memory sticks are often used to copy confidential or sensitive business information and transfer the data to another computer that is not part of the company’s network or enterprise system. The survey showed 51% of respondents said they use USB sticks to store sensitive data, 57% believe others within their organization routinely do it and 87% said their company has policies against it.

It’s not just lost portable devices that are an issue. Found ones can be scary too.

Dark reading reports an oldie but goodie from Steve Stasiukonis, a social engineering master, he says those thumb drives can turn external threats into internal ones in two easy steps.

When hired to penetrate a network he says “We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.

The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented. It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems”

I did a program recently for a client where I presented in front of other security professionals. I had my laptop set up on the stage with my presentation loaded. The client was introducing me and asked if he could load a quick file onto my laptop to assist in his opening remarks. I inserted the drive for him and my anti-virus went NUTS! Seems his flash drive had a nice little virus on it. His boss, standing right next to him said “that’s why we are phasing out non-military grade security enabled flash drives as soon as we get back.”

I checked out BlockMaster SafeStick® 4.0 – a fast and user-friendly secure USB flash drive, which streamlines military-grade security and meets those standards to protect your data. The SafeStick hardware controller encrypts all data using AES256-bit encryption in CBC-mode. Encryption keys are generated on board at user setup, and all communications are encrypted. SafeStick is protected against autorun malware, and onboard active anti-malware is available. Once unlocked, SafeStick is as simple to use as a standard USB flash drive.

The one I got just plugs in, initializes, then launches a program requiring the user to set up a password. From that point on any time the user has to access the data, a password needs to be entered.

Flash drives can be a security mess. Organizations need to have policies in place requiring secure flash drives and never plugging a stray cat into the network.

Disclosures: I have no financial ties to BlockMaster. I just like this thing.

Robert Siciliano Identity Theft Expert discussing good ole fashion identity theft on Good Morning America.

Top 10 Cities for Cyber Crime

Robert Siciliano Identity Theft Expert

I love that dirty water, oh Boston you’re my home. Boston Legal, “Cheers,” Boston Bruins, Red Sox, Celtics, Chowda, Lobsta, Pahkin the Cah in Havad Yahd and home to the second worst ranking of cyber crime in America. Lovely! Seems whatever advice I give in Boston media, means squat. After all, I am a Proper Bostonian. Boston missed first place by a lousy 11 points. I blame the college kids. Boston has the highest concentration of college students on the planet. It’s their fault. Seattle took first place. What’s your excuse Seattle? Microsoft?

1. Seattle
2. Boston

3. Washington, D.C.

4. San Francisco

5. Raleigh, N.C.

6. Atlanta
7. Minneapolis
8. Denver
9. Austin, Texas

10. Portland, Ore.

Cities with high concentrations of “spam zombies” placed the highest. Becoming a Zombie and part of a Botnet happens to PCs that aren’t properly secured, coupled with user behavior that invites attacks.

If you are surfing porn all day or gaming on distant websites in foreign countries then you are at a higher risk. Downloading files from P2P sites or seeking software cracks or pirated content is also risky. Remember frat boy, there is no honor among thieves.

The Boston Business Journal stated another factor is the Hub’s many unsecured WiFi hotspots — 53.6 per 100,000 residents — where cyber criminals may lurk, trolling for unwitting users. While high-profile or widespread computer attacks are relatively rare, small-scale attacks like these threaten even savvy computer users, the report noted.

Hey Top 10, pay attention:

Computers that are old and have outdated unsupported operating systems like Wind 95/98/2000 are extremely vulnerable.

Systems using older outdated browsers such as IE 5, 6 or older versions of Firefox are the path of least resistance.

Update your operating system to XP SP3 or Wind 7. Make sure to have automatic updates for anti-virus. Don’t engage in risky web-based behaviors.

Protect your identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing ATM Skimming on Fox Boston.

Report 1.8 Billion Cyber Attacks Per Month

You read that right. While the US government sits high on its perch, snipers are taking aim 60 million times a day. The Senate Security Operations Center alone receives 13.9 million of those attempts per day.

The US National Security Agency is probably the most sophisticated group of security hackers in the world. Many will argue this point. The fact is, without NSA, US STRATCOM, which directs the operation and defense of the military’s Global Information Grid, and US CERT, attacks on our critical infrastructures would be successful. We’d be living in the dark, telephones wouldn’t work, food wouldn’t be delivered to your supermarket and your toilet wouldn’t flush.

“Like in the rest of the world, the attacks are increasingly targeted and using application flaws, including Office and Acrobat. “In the last five months of 2009, 87 Senate offices, 13 Senate committees and seven other offices were attacked by spear-phishing attacks, which appeared as e-mail messages to staffers, urging them to open infected attachments or click on bad links.” No matter how good their defenses are, nothing’s 100% effective. Some attacks get through.”

The Adobe Reader and Acrobat is a cross platform application that opens and its the Portable Document Format (PDF) ubiquitous on most PCs. Criminal hackers discovered a flaw that allows for an injection of hostile code into unprotected systems.  Studies show in the last quarter of 2009 as many as 80% of all web-based attacks were directed at PDFs.

Adobe Flash is also vulnerable software becoming standard on most PCs where multimedia is present. The Register reports Adobe advises users to upgrade to Acrobat version 9.3.1 and Reader version 9.3.1, as explained in a bulletin here.

Run Windows Update, Install Anti-Virus, Install Spyware Removal Software, Run Firefox, Secure Your Wireless, Install a Firewall, Use Strong Passwords.

Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Identity Theft Ring Busted on MSNBC

National Identity Card Focuses on US Workers & Immigrants

Robert Siciliano Identity Theft Expert

The Wall Street Journal reports under the potentially controversial plan still taking shape in the Senate, all legal U.S. workers, including citizens and immigrants, would be issued an ID card with embedded information, such as fingerprints, to tie the card to the worker.

There are too many forms of identification floating around right now that lack standards and overall security. The Social Security card is currently our national identification card that’s not supposed to be used for identification. From a NY Times article from 1998 it states: WASHINGTONFOR many years, Social Security cards carried an admonition that they were to be used ”for Social Security and tax purposes — not for identification.” That assurance rings hollow today. Congress has authorized so many uses of the nine-digit number, and Americans use it for so many unauthorized purposes, that it has just about become a national identifier. Today your social is connected to everything.

Security Management reports that all workers and mariners attempting to access secure maritime and port areas nationwide will have to flash a government-approved Transportation Worker Identification Credential (TWIC), which includes a biometric identification card before entry. HSPD-12, or Homeland Security Presidential Directive 12, set universal identification standards for federal employees and contractors, streamlining access to buildings and computer networks. Then there is old and new versions of the passport, as many as 200 forms of ID circulating from state to state, plus another 14,000 birth certificates and 49 versions of the Social Security card.

Government has tried hard to create identification that will once and for all standardize the process under the REAL ID Act which is most likely going to be squashed under Homeland Security Secretary Janet Napolitano who is proposing the repeal of the Real ID Act.

“A person familiar with the legislative planning said the biometric data would likely be either fingerprints or a scan of the veins in the top of the hand. It would be required of all workers, including teenagers, but would be phased in, with current workers needing to obtain the card only when they next changed jobs, the person said.”

Many oppose biometrics and New Hampshire has even proposed legislation against it. My money is on biometrics creeping into our lives in the form of a national ID. Like it or not biometrics are coming.

Meanwhile, until there is assigned accountability, which means nobody can pose as you and work as you and open new accounts as you, protect your identity.

Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Social Security numbers on Fox News