My Identity Thief Loves Me (PTII)

Robert Siciliano Identity Theft Expert

In “My Identity Thief Loves Me (PTI)” I brought you into my weird world of “research” into online dating scams. Here’s where I fell in love. I have been pursued by “Kath Riss Green”. For whatever reason the scammers choose very WASPy names. But her picture was a hot Latina. She sent me a message via a social network I’m on. So I responded via a completely different profile I set up that had nothing to do with the original. And “she” didn’t seem to notice or care: I am “Ronn”.

1/17/10 Scammer: Hi,I saw your profile and wanted to say hello. Your very handsome and Id like to get to know you better.

1/18/10 Me: Hi back, you sent me an email on my profile. You look good to me. What is your name? Ronn.

1/19/10 Scammer: thanks for your email Ronn…..i’m kathline,i live and work in texas..i’m 30years,single and never with no kids,i love kids though.i would like to know more about you,where you from,what you do and many more…hope to read back from you, kathline

See the bad English and punctuation? The criminal hacker I wasted 4 hours with from Ghana wrote the exact same way.

1/19/10 Me: Hi Kath, I’m basically a nice guy… I want a woman to like me for who I am. I like eating pizza and I like to drink beer. I’m a little overweight.  I’m 5′ 2″ and 220 lbs, but my mom says Im handsome. What do you look like? Ronn

1/19/10 Scammer: Hello Ronn, How you doing an how was your day like?SO where you from?what do you do?are you married?got any kids?and what you ooking for?do you have any photo you can send to me?i would like you to tell me everything about yourself……….i’ve added you to my yahoo lit and hope to chat with you later on……attached are my pics.hope you will like them Kathline

1/19/10 Me: Wow, You’re very pretty! I’m from Massachusetts. My day was long I worked hard today. Gotta pay the bills! I work in an office as a word processor. Not married, one kid from when I was younger, his mom has him. Just looking for someone to love me like I love them. My camera dropped over the holidays and I need to get another one.  Do you have kids? Ronn

1/20/10 Scammer: Hi Ronn,sorry to hear about your day….wish i was there to keep your accompany….i’m also single,nerver maried with no kids..i love kids though,and i hope to have some with the right man someday..So tell me since when you’ve been doing online dating and how many woman have you meet online lately?what kind of relationship are you looking foir? Kathline

1/20/10 Me: No kids! Thats OK. Ive been doing the online dating thing for about 6 months. I just got a computer over the summer. i used to go to the library and use their computer, so Im new to this. All the women I have send messages to dont respond all that much. But you were nice to me first… Im looking for a relationship where the woman can be nice to me and treat me with respect, as I am nice to her and treat her with respect. I also wish that she can cook because I like to eat ALOT!!! LOL!!! Truly Ronn xoxoxox

I’m baiting

1/20/10 Scammer: Hi Ronn,hhmmm….i guess i’m the one you’ve loking for all thiswhile…i’m someone who is loving,caring and God fearing,a down to earth type with great sense of humour..i love the out doors,i enjoy cooking,i like holding hands,kissing and cuddling….i wish things could ork out between us…..

It pisses me off when they weave the God thing in there. Heartless bastards!

1/22/10 Me: OMG THATs SO SWEET! You sound like my soul mate! Im sorry that I have not responded, I had to go away on business.  I would LOVE TO MEEET YOU!!!

1/22/10 Scammer: Ronn,I went to bed last night with a vision of you next to me. I slept like a baby all night, because I was not feeling alone.. When I awoke this morning to see if it was real or if it was a dream, realty hit me that it was only a dream. Very soon, I know that you will be right next me…i will also love to meet you for a weekend or so…..we can plan on meeting if you dont mind,i can come there but thaats if only we can both work the airfares together or what do you think?

Boom, 5 days into it and “airfare” comes up. I sound like a lonely desperate fool, I haven’t sent a picture, I’m built like a walrus. And Kath is dreaming about me. What a !@#$%^ SCUMBAG!

1/22/10 Me: Wow, this is wonderful! im flexible. I’ll do what you wish. Tell me what you would like to do.

1/23/10 Scammer: Jon said it will cost me 560$ to fly there and i cant afford it all…i dont know if you can make and half payment while i had up the rest..

Who the heck is Jon? I don’t even bother asking.

1/24/10 Me: Im happy to pay half. How do you want to do it? Ronn

1/24/10 Scammer: Awwww thanks then, i do appreciate that, just get the half down to jon so he can go ahead with the reservation, and you know we have to book in advance.. below is Jon Details for the payment. send it through western union, and get back to me with the MTCN, the name, of thw sender, and location of where money is sent. hope to read from you soon

Jon ***ardt

1325 ***pe dr,

Paris, TX 75462

One week, 2 idiots, 7 email exchanges, an opportunity to expose a complete azz@#%, PRICELESS.

Turns out, after further research, “Jon” is a victim too. He is 54 and divorced. He has been duped by “Kath” into acting as a money mule: when the wired money goes to Jon, he sends it on to Kath. Here is Kath: kathlinegreen36@yahoo.com.

1/27/10 Me: Can I call you on the phone?

1/27/10 Scammer: Hello Ronn, WHy did it take you few days to get back to me?you just keep runing through my mind and my heart longfs to be with you….my phone got missing last weekend….so how you doing and how’s work being like?were you able to send the money..

Of course your “phone got missing last weekend” so how YOU doing? Jerk.

1/27/10 Me: Are you a complete scumbag scammer?

Then no more response. Was it something I said?

Protect your identity:

  1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  2. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.
  3. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing identity theft on Fox News

Crimeware: Do It Yourself Criminal Hacking


For $400-$700 you too can be a criminal hacker. Phishing, hacking and spoofing software has been around for a few years. Here’s what may be an example.

The ease and availability of this software, which is good for nothing other than crime, has made it easier, cheaper and more user friendly than ever to get into the cybercrime business.

Anyone with moderate computer skills that can navigate around the web and upload or download files is pretty much capable of accessing and implementing the crimeware.

Today’s crimeware kits are designed so a person who is new to the criminal hacking business can quickly get up to speed and snare victims rapid fire.

USA Today reports that the criminals have been blasting out fake e-mail messages crafted to look like official notices from UPS (UPS), FedEx (FDX) or the IRS; or account updates from Vonage, Facebook or Microsoft Outlook (MSFT); or medical alerts about the H1N1 flu virus.

The faked messages invariably ask the recipient to click on a Web link; doing so infects the PC with a banking Trojan, a malicious program designed to steal financial account logons. Often, the PC also gets turned into a “bot”: The attacker silently takes control and uses it to send out more phishing e-mail.

The crimeware business models itself on the manufacturing and distribution of the legitimate software industry. Criminals are also getting more sophisticated in marketing their wares, and doing it openly online. Just because they sell crimeware doesn’t mean the software is illegal. It only becomes illegal when it’s used to scam people.

The fundamentals of how to prevent phishing are presented here by the Anti-Phishing Working Group:

  • Be suspicious of any email with urgent requests for personal financial information
    • unless the email is digitally signed, you can’t be sure it wasn’t forged or “spoofed”
    • phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately
    • they typically ask for information such as usernames, passwords, credit card numbers, social security numbers, date of birth, etc.
    • phisher emails are typically NOT personalized, but they can be. Valid messages from your bank or e-commerce company generally are personalized, but always call to check if you are unsure
  • Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don’t know the sender or user’s handle
    • instead, call the company on the telephone, or log onto the website directly by typing in the Web address in your browser
  • Avoid filling out forms in email messages that ask for personal financial information
    • you should only communicate information such as credit card numbers or account information via a secure website or the telephone



Meet Raoul Chiesa: UN Interregional Crime & Justice Research Inst.


In my quest to learn more about what makes a criminal hacker tick, I came across Mr Chiesa when he commented on a blog post I wrote, “How I Wasted 4 Hours with a Criminal Hacker”. He warned me I was treading on dangerous ground, because when communicating with the blackhat I used my real name and provided my web address. His concern was a revenge hack that would clear the hacker’s name amongst his hacker peers.

I’ve danced with the devil a few times in my life and don’t mind the occasional walk on the ledge. And I’ll heed his advice in the future. After a closer look, I learned he is from the United Nations, based in Italy. (Road trip anyone?). That’s a cat I want to talk to who is fighting the battle 24/7/365 against the bad guy.

What do you do?

Since 2005 I’ve worked with the United Nations Interregional Crime & Justice Research Institute (UNICRI), where I am a Senior Advisor on Cybercrime Issues & Strategic Alliances. We develop new strategies, techniques and methodologies in order to support the Member States fighting cybercrime-related issues, supporting policy-makers, end-users and States.

I’m also an entrepreneur in the Information Security arena. I run 2 vendor-neutral consulting firms: the first is specialized in Penetration Testing, Audit & Compliance, while the second supplies Digital Forensics services. I’ve been in IS since 1997, while my interest in it – and in the hacking underground – began back in 1986.

Why do you do it?

Mainly it’s because of the passion. I love my job, I love what I do everyday…and this is not so common so…I’m feeling really lucky. Talking about my role at UNICRI, I decided to join them in order to support a neutral organization that is really trying to achieve important goals.

What’s your process?

Mainly building an international network of contacts; attending a huge amount of IT events all around the world, often as a speaker; trying to build an “informal communication and alert network” among LEAs, in order to simplify and speed up the process of information exchange. We’re working on various R&D projects that help and benefit the IT and ICT community all around the world. Our main research is HPP – Hackers Profiling Project (http://www.unicri.it/wwd/cyber_crime/hpp.php), where we’ve been able to interview more than 1200 hackers from five different continents. It’s a really huge research program that will last five more years. It’s something never done before.

What are the “politics” with it world wide?

Politics – especially USA and EU – are driving towards issues related to privacy, Lawful Interception, copyright, etc. I’m a technical guy, with a technical background: I don’t like politics, though it’s clear to me that it’s something we need, somehow.

In my humble opinion, the common mistake when politics meet IT, is that politicians are obviously not IT people, they do not have an IT background, and often they misunderstand the logistics of IT…in this scenario, (big or small) mistakes may always happen.

What is next? What’s the future look like?

We are observing an incredible rise in cybercrime. New profiles of attackers have arrived in the so-called “hacking underground”, and the hacking world – sometimes – is meeting with organized crime and State-sponsored attacks. The world is changing and, basically, the keyword is “the information”. In today’s world, “Information is the Power”, and that’s the sole reason why all of this is happening.

Sum up a profile of the criminal hacker today vs. 10 years ago.

There are huge differences between hackers in the past and hackers nowadays. Hackers from the past were not “mandatory” criminals. While their actions were illegal (note: during the 80’s and the 90’s, “hacking” was not a crime in many countries of the world; in Italy, for example, it became a crime only in 1993/1994), the global approach was much more about the “challenge”, the “curiosity”, as well as “teens’ actions”.

21st century hacking has moved towards criminality. This leads us to Cybercrime, which is de facto composed of many different “subsections” to which hacking is often related. I am talking about spam, carding, zero-day attacks (and all the black market connected to them), obviously Identity Theft, scams & economic fraud, which leads us to the so-called “Underground Economy”.

The on-going global economic crisis too has something to do with this: each time there’s a global crisis, criminality rises. This is exactly what’s happening now, since 2009, and it will continue in 2010: people who basically are NOT criminals may be forced/pushed to “accept” a crime deal linked to cybercrime actions.

This happens because cybercrime does not involve “straight” criminal actions such as killing somebody with a knife or a gun, stealing a mobile phone from somebody’s hands, etc. It’s a non-physical crime, leading actors to think that they are not doing anything “bad”. Also, cybercriminals ALWAYS think that they will “never be busted”, since they rate themselves “much better, more skilled” than LE agents.

Last issue (of a really huge, huge picture!) is related to State Sponsored attacks. Recent attacks from China, Estonia and Georgia are showing us how much hacking techniques are involved in all of this. Governments are starting to hire hackers (USA, UK, China, Korea, Iran….) and set up Information Warfare: this will be one of the hottest keywords in the near future.

More info on our book on Hackers Profiling: http://www.amazon.com/Profiling-Hackers-Science-Criminal-Applied/dp/1420086936

Raoul Chiesa, OPSA, OPST, ISECOM International Trainer, CLUSIT, ISECOM, TSTF, OWASP Italian Chapter: Board of Directors Member Osservatorio Privacy & Sicurezza – OPSI-AIP, Comitato Esecutivo

Thank you Raoul. We appreciate your contributions.


10 Business Identity Theft Risks in 2010


Advancements in technology over the past decade have created a tremendous amount of opportunity for the savvy businessperson. Whether it’s mobility, streamlined processes, marketing, or the ability to sell to a global market, there’s never been a better time to be in business.

Like anything good, there is always a negative. While there are certainly many negatives in technology, like the headaches when something doesn’t work correctly and the constant learning curve we must all endure, the biggest negative is security issues.

So for the SMB (that’s you, the savvy businessperson), here are ten considerations for the new decade:

Back up your backup. Numerous reports of cyber-war, thousands of new viruses weekly, and even Mother Nature wreaking havoc on the Internet have caused concern among industry professionals. Doing business in the cloud is fantastic; however, make sure you have redundant local backups of your data.

Anti-virus will not fully protect you. The sheer volume of attacks and new viruses created will keep the anti-virus vendors busy. But there is no way they can keep up the pace 100% of the time. There are numerous technologies that will immunize your PC and make whatever virus or spyware impotent, and any data on your machine typed in a browser useless to the thief.

Social media identity theft is the act of creating a blog or social media site that models your day to day operations. At any time someone can register domains or social media sites with your brand as the face. They then sell product that they never ship and/or do things to damage your brand. Scoop up your social media identities with Knowem.com

Social network nitwits. One of the easiest ways into your company’s networks is via social media. The explosion of “I just made a tuna” communications has brought out the dumb in many people. The simple act of setting up a group on Facebook and getting your employees to join can open up a treasure trove of data that can facilitate social engineering attacks. Create policies and procedures that define appropriate use.

Social engineering, the ruse of a confidence man, is back in full force. It never really went away, but with the amount of security in place, sometimes the path of least resistance is simply asking your cleaning crew for the keys to the building. By gaining the trust of employees over the phone, via email or in person, a con-man can get almost anything he needs to get whatever he wants. The best defense is effective policies coupled with ongoing awareness training.

Insider identity theft can ruin your business. Most companies have done their due-diligence to keep the bad guy from hacking from the outside. But many organizations have neglected the risks associated with employees gone bad and the internal damage that can be done. Numerous technologies monitor and control access to sensitive information. But preventing bad employees from doing bad things starts with not hiring bad people.

Phishing scams still work. Despite consumer and employee awareness, a carefully crafted and well designed email that looks like it’s coming from another employee is probably the most effective spear phish. Going after the CEO or a high level executive, or “whaling”, can often be even more successful. The bigger they are the harder they fall, as they say. From my experience it’s often the smartest ones in the room that lack all common sense. Test your employees; see what they will fall for. Then test them again.

Tighten up employee remote access. Allowing Suzy Admin to access the company’s VPN from a home PC that Suzy’s son Steve uses to play games on servers hosted in North Korea will end badly. Malware on a home computer can compromise usernames and passwords, resulting in spyware on the network. Set up Suzy with her own laptop that’s fully locked down and prevents Steve from doing anything fun.

Peer to Peer (P2P) file sharing is a fantastic way to leak company and client data to the world. Obama’s helicopter plans, security details and notes on congress members being deposed were all leaked from government controlled computers via P2P. Setting admin privileges appropriately and installing technologies that will prevent P2P is essential.

Identity theft will get worse before it gets better. And whether it’s your identity, your family’s or your employee’s identity that is stolen, it can be a huge time suck and a costly event. The best defense involves a three-legged stool. First, awareness training on all the scams that lure people in, and on how to appropriately respond to the many communications you receive. Second involves a little time and investment in a “credit freeze” or “security freeze”. Learn how to do it HERE. Third is an annual investment in identity theft protection. In today’s cyber crime climate, and with the recession making people desperate to make money any way they can, NOT investing in identity theft protection is, in my opinion, irresponsible. The worst thing you can do is nothing.


Forget Privacy, Think Security


Everywhere you go there is a privacy advocate screaming to protect your privacy. Privacy advocates, bless them, are a dying breed. They fight for whatever privacy rights there are left and do their best to remain watchdogs. If your gig is privacy, my guess is you have lost all your hair and are popping Prozac to relieve the stress of today’s anti-private society. And you are fully employed and very, very busy.

My gripe: people are freaking out about full body scanners at the airports and the privacy issues involved. This isn’t a privacy issue, it’s a security issue. If you have to show a black and white image of your bum bum to keep the plane from being blown up, so be it. Otherwise don’t fly.

“Privacy is dead, deal with it,” Sun Microsystems former CEO Scott McNealy was widely reported to have declared over a decade ago. Scott hit the nail on the head, and shortly after, Tila Tequila became a famous lesbian pinup on MySpace, the Real World of reality TV was born, and we’ve been tweeting tuna sandwiches ever since.

Mark Zuckerberg, CEO of Facebook, who was around 13 years old when McNealy made his statement, recently reaffirmed it by saying “… in the last 5 or 6 years, blogging has taken off in a huge way and all these different services that have people sharing all this information. People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that’s evolved over time.”

The fact is, “Privacy is an illusion,” said Robert Siciliano, CEO of IDTheftSecurity.com, “the focus today should be security, not privacy.” That right there is a ready made quote for you to copy/paste and make me a sage like my two counterparts :)~

Think of it like this: from birth you have a medical and birth record. These docs follow you everywhere in life and are filed and viewed by many. You can’t get admission to schools, jobs or insurance without presenting these records. You are granted a Social Security number shortly after birth and that IS your National ID. Nine numbers that are connected to every financial, criminal and insurance record that makes up who you are and what you’ve done. But none of these docs are connected to you physically, which results in identity theft, a security issue.

Further, every time you visit a website with cookies enabled, use an ATM, credit card, RFID transponder on the highway toll, public transportation pass, make a call on a mobile phone, order a pizza over a home phone or simply use a computer to denote you ate that tuna, chances are – someone, somewhere – is recording that transaction and determining your location.

If you want to participate in society you have no choice but to give up your privacy. Fundamentally this is a trust issue. Humans lie and can’t be automatically trusted. We have considerable checks and balances in place to prevent lying from going unnoticed. Anonymity is dead due to the fact that bad guys try to hide or not pay. Transparency makes their chances of getting caught more likely. If you kill someone then drive down the highway, your chances of getting caught increase because your license plate is recorded through the toll. This is a good trade off for the family of the victim.

Knowing all this and understanding technology’s impact on what you thought was privacy should make you resigned to the fact that privacy is in fact dead and an illusion. Now your focus needs to be security. Secure your financial identity so no-one can pose as you. Secure your online social media identity so no-one can pose as you. Secure your PC so no-one can take over your accounts. And please, there is no sense in telling the world what you are doing and where you are every minute of the day. When you do this, you aren’t relinquishing privacy; you are compromising your personal security.


Robert Siciliano identity theft speaker discussing cookies and privacy issues on FOX News

Google Gets Hacked & What It Means to You


Google disclosed that it had been breached by Chinese hackers, who were apparently targeting Chinese dissidents:

“The cyber-assault came to light on Tuesday when Google disclosed to the public that the Gmail Web service was targeted in a highly-organized attack in late December. Google said that the intrusion attempt originated from China and was executed with the goal of obtaining information about political dissidents, but the company declined to speculate about the identity of the perpetrator.”

McAfee found evidence that the attack exploited a vulnerability in Internet Explorer. Google Enterprise president Dave Girouard blogged to inform Google Apps clients their data was safe: “This incident was particularly notable for its high degree of sophistication. This attack may understandably raise some questions.” Girouard stated, “We believe our customer cloud-based data remains secure.”

The most successful techniques of Chinese hackers involve phishing and social engineering. These hackers determine their targets, then send a “spear phish,” or targeted email, to a specific employee, in which they pose as a coworker or a vendor. Once the target clicks a link, a remote control or malicious software is automatically downloaded. On a broader scale, hackers may send a blast to everyone in the company and ultimately hook a few employees, giving them access to company accounts.

The recent Google attack indicates that criminal hackers with financial incentives aren’t necessarily the only ones attempting to penetrate your networks. There is a strong possibility that hacking is being sponsored by foreign governments with a much bigger agenda.

  1. Never click on links in the body of an email. NEVER!
  2. Always be suspicious of any external or internal communication. You could be the target of a phish.
  3. Before you go divulging usernames and passwords to anyone in response to an email, pick up the phone to verify the need.
  4. Make sure your PC is fully and automatically updated with its critical security patches.
  5. Anti-virus must be run automatically and kept fully up to date.
  6. It’s not enough to just run anti-virus. Run a program that immunizes your PC against keyloggers.
  7. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  8. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing being an imposter and social engineering invasions on the Montel Williams Show

Why Am I Logged Into Someone-else’s FriendFeed?


I have pretty tight controls over my network and access to my 510 usernames and password-protected accounts. Yes, he just said “510”…and counting. I have full administrative rights over every PC and nobody else has access to my home or office. So it came as a surprise to me when I went to log into my FriendFeed account to make an adjustment and discovered I was logged into someone else’s account. Seriously, no joke, I’m not stupid. I have FULL access.

The account is owned by a Canadian who sells diet pills and skin care. There are 3 feeds coming into the account, all being sent from Ping.fm. I am able to access the full dashboard, change the picture and the associated email, and add or delete feeds. The dashboard provided me with the existing email address of its owner, and of course I emailed him to let him know of my access. But of course he hasn’t responded. I’m probably in a spam folder.

My first thoughts were that I have spyware and someone is able to remotely access my machine and use it as their own. I did a full system scan and there is nothing on my machine. There is no other strange activity going on so I’ve narrowed the issue down to this one account.

Meanwhile ABCNews.com reports that a Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers’ accounts with full access to troves of private information.

The glitch — the result of a routing problem at the family’s wireless carrier, AT&T — revealed a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users.

In each case, the Internet lost track of who was who, putting the women into the wrong accounts. It doesn’t appear the users could have done anything to stop it. The problem adds a dimension to researchers’ warnings that there are many ways online information — from mundane data to dark secrets — can go awry.

Several security experts said they had not heard of a case like this, in which the wrong person was shown a Web page whose user name and password had been entered by someone else. It’s not clear whether such episodes are rare or simply not reported. But experts said such flaws could occur on e-mail services, for instance, and that something similar could happen on a PC, not just a phone.

If this is what’s happening to me then it can happen to anyone. There is a logical explanation for this, and I don’t have it. If someone does, please chime in.

Like there aren’t enough security issues, we now have to deal with hiccups on the Internet that log us into someone else’s account because of switching errors. At least if it was a virus we could point a finger at someone. But now, based on what’s happening here, we can only point the finger at the “Internet” as a culprit. This is freaking me out.

All the more reason to protect your identity.

  1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  2. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.
  3. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano identity theft speaker discusses lack of security in online banking on CBS Boston

Protect Yourself from Social Engineering

Robert Siciliano Identity Theft Expert

Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face to face with the victim. But in many cases the attacker certainly does make direct contact with the victim.

You may be doing all you can and should to protect yourself from hackers and scammers. But a response to a simple email that looks exactly like your expected monthly bank e-statement can completely drain your bank account. On its face there is no way to tell if the communication is real or fake. While hovering over the link may provide a clue, there’s really no way of differentiating all the 1s and zeros in a typosquatted domain.

It amazes me that my bank and credit card company still put links in monthly e-statements.
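The hover-over clue described above can be turned into an automated check. The following is an added example, not code from the original post: it pulls every link out of an e-statement body and flags hosts that are not under the expected bank domain, including look-alikes built from digit-for-letter swaps. The trusted domain `examplebank.com`, the substitution table and the sample e-mail are all constructed for this example.

```python
"""Added example: flag links in an e-mail whose host is not the trusted bank
domain, including look-alike (typosquatted) hosts. All domains below are
constructed for illustration, not real institutions."""
import re
from urllib.parse import urlparse

# Single-character swaps commonly used in look-alike domains (constructed,
# not exhaustive): '1' for 'l', '0' for 'o', and so on.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "|": "l"})
# Multi-character swaps: 'rn' reads as 'm', 'vv' reads as 'w'.
MULTI_CHAR = (("rn", "m"), ("vv", "w"))

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def normalize(host: str) -> str:
    """Collapse look-alike characters so 'examp1ebank.c0m' == 'examplebank.com'."""
    host = host.lower().translate(CONFUSABLES)
    for fake, real in MULTI_CHAR:
        host = host.replace(fake, real)  # heuristic; may also alter real names
    return host


def classify_link(url: str, trusted_domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for the link's host."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unrelated"  # mailto:, relative links, malformed URLs
    if host == trusted_domain or host.endswith("." + trusted_domain):
        return "trusted"  # the real domain or one of its subdomains
    brand = normalize(trusted_domain.split(".")[0])  # e.g. 'examplebank'
    if brand in normalize(host):
        return "lookalike"  # brand name present, but not under the real domain
    return "unrelated"


def suspicious_links(html_body: str, trusted_domain: str) -> list:
    """Return [(url, verdict)] for every href that is not on the trusted domain."""
    return [(u, classify_link(u, trusted_domain))
            for u in HREF_RE.findall(html_body)
            if classify_link(u, trusted_domain) != "trusted"]


# Constructed sample e-statement body, modelled on the message the post describes.
SAMPLE_EMAIL = """
<p>Your monthly statement is ready.</p>
<a href="https://online.examplebank.com/statements">View statement</a>
<a href="https://examp1ebank.com/login">Sign in to confirm your details</a>
<a href="https://examplebank.com.account-verify.net/">Verify now</a>
"""

if __name__ == "__main__":
    for url, verdict in suspicious_links(SAMPLE_EMAIL, "examplebank.com"):
        print(f"{verdict:10} {url}")
```

The same check can run on an outgoing statement before it is sent, which is the simplest way for a bank to verify it is not training customers to click look-alike links.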

Social engineering has always been a “person to person” confidence crime. Once the conman gains the mark’s trust, the victim begins to “throw up” all kinds of information or begins to fork over cash and credit. Trust seems to be an inherent trait we all have from birth. I would suppose we would need to trust in order to survive as an interdependent, communal species; otherwise fear of others and not trusting would prevent us from relying on others to nurture us until we are tossed out of the nest.

The conman knows this and the heartless bastard takes full advantage of our trusting nature. Heck, I pulled it off on two women by saying I was from the water company and walked right into their homes.

In the IT world social engineering is a huge problem because the conman doesn’t just access one bank account as in a one-on-one scam; he accesses thousands by scamming one IT admin or the secretary.

There is a tremendous amount of redundant security in place today that is often completely bypassed because of a simple lie and one naive, gullible person. The path of least resistance isn’t through an unpatched network or an unsecured wireless connection; it’s via the phone, email, snail mail, social media or in person with a wink and a smile.

Check out this very comprehensive article by Computerworld and these two recent posts here and here.

  1. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief. Invest in a social media identity theft protection tool such as Knowem.com.
  2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing being an imposter and home invasions on the Montel Williams Show

Data Breaches: The Insanity Continues

Robert Siciliano Identity Theft Expert

The Identity Theft Resource Center Breach Report also monitors how breaches occur.  This task is made more difficult by the scarcity of information provided (publicly) for approximately 1/3 of the recorded breaches.  For the remainder, those events that do state how the breach occurred, malicious attacks (Hacking + Insider Theft) have taken the lead (36.4%) over human error (Data on the Move + Accidental Exposure = 27.5%) in 2009.  This was a change from all previous years, where human error was higher than malicious attacks.  One theory for this change is that the organization and sophistication of crime rings has impacted the theft of information.  For example, while the Heartland breach was only a single breach, it demonstrated how skilled technology-based thieves can access 130 million records from over 600 different entities.

Insider Theft 16.9%
Hacking 19.5%
Data on the Move 15.7%
Accidental Exposure 11.8%
Subcontractor 7.2%

Insanity might well be defined as repeating the same action again and again, and expecting a different outcome.  With that in mind:

Insanity 1 – Electronic breaches:  After all the articles about hacking, and the ever growing cost of a breach, why isn’t encryption being used to protect personal identifying information?  Proprietary information almost always seems to be well protected.  Why not our customer/consumer personal identifying information (PII)?

Insanity 2 – Paper breaches:  Why aren’t more state legislators passing laws about rendering paper documents unreadable prior to disposal if they contain PII?  Do we dare ask that those laws be actually enforceable?  Perhaps we are waiting for paper breaches to reach 35% of the total.

Insanity 3 – Breaches happen:  Deal with it!  You will get notification letters.  Breach notification does not equal identity theft.  Let’s stop the “blame game” and instead require breached entities to report breach incidents via a single public website.  This would allow analysts (and law enforcement) to look for trends and link crimes to a single ring or hacker faster.

Insanity 4 – A Breach is a Breach:  Let’s not kid ourselves. “Risk of harm” is not a useful standard for determining if the public and consumers should be notified about a breach, especially if the company involved gets to define “risk of harm.”  If it is your #$@%2 SSN that is out on the Internet, do YOU think there is “risk of harm?”  Some companies might say “no.”

Insanity 5 – Data on the Move:  You will notice that statistically this is a bright spot, with a decreasing incidence in the past 3 years.  But, really!  This is 100% avoidable, either through use of encryption, or other safety measures.  Laptops, portable storage devices and briefcases full of files, outside of the workplace, are still “breaches waiting to happen.”  With tiered permissions, truncation, redaction and other recording tools, PII can be left where it belongs – behind encrypted walls at the workplace.”

Protect your identity. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing identity theft on Fox News


2009 Data Breaches: Identity Theft Continues

Robert Siciliano Identity Theft Expert

The Identity Theft Resource Center® Breach Report recorded 498 breaches, fewer than the 657 in 2008 and more than the 446 in 2007. Are data breaches increasing or decreasing? That is the question no one can answer. This fact will not change until there is a single data breach list requiring mandatory public reporting. With some breaches not being reported publicly, and some state Attorneys General not allowing public access to reported breaches, we doubt that anyone is in a position to answer the question above. When we allow laws to be created requiring breach reporting but not disclosure, and provide minimal enforcement or penalty for non-compliance, we can expect a lack of public disclosure. Counting breaches becomes an exercise in insanity.

ITRC collects information about data breaches made public via reliable media and notification lists from various governmental agencies. There are breaches that occurred in 2009 that never made public news. So rather than focus on a question without an answer, ITRC used percentages to analyze the 498 breaches recorded this year looking for any changes or new trends. (Both raw numbers and percentages have been provided in all charts)

The main highlights are:
• Paper breaches account for nearly 26% of known breaches (an increase of 46% over 2008).
• The business sector climbed from 21% to 41% between 2006 and 2009, the worst sector performance by far.
• Malicious attacks have surpassed human error for the first time in three years.
• Out of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data.

In 2009, the business sector increased to 41% of all the publicly reported breaches. While there are some small statistical changes in the other sectors, business continues to increase for the fifth year in a row. The financial and medical industries, perhaps due to stringent regulations, maintain the lowest percentage of breaches.

Business 41.2%
Educational 15.7%
Government/Military 18.1%
Health/Medical 13.7%
Banking/Credit/Financial 11.4%

The ITRC Breach Report recorded more than 222 million potentially compromised records in 2009. Of those, 200 million are attributed to two very large breaches. Before obsessing with record count, however, one should be aware that in more than 52% of the breaches publicly reported, NO statement of the number of records exposed is given. Therefore, it is unknown how many total records may have been exposed due to breaches in 2009.”

Protect your identity. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing identity theft on Fox News