Insider Identity Theft Can Be Most Damaging

Robert Siciliano Identity Theft Expert

Earlier this week, an IT employee was indicted for stealing the identities of 150 of his coworkers at Bank of New York Mellon, to the tune of 1.1 million bucks. He bilked almost $140,000 a year over an eight year period by compromising the online bank accounts of numerous employees and wiring money to fraudulent accounts outside the bank.

This is a classic case of the fox watching the hen house. This guy was an insider terrorist, looking his colleagues straight in the eye and lying to them. I rank him with pedophiles and serial killers.

As much as 70% of all identity theft is committed by someone with inside access to organizations such as corporations, banks, or government agencies, or by someone who has an existing relationship with the victim. People with access to sensitive personal data are most likely to commit identity theft. For many, it’s just too easy not to.

An identity thief begins by acquiring a target’s personal identifying information: name, Social Security number, birth date and address, account information etc. If the thief has regular access to a database, this data is right there for the taking. Many credit applications and online accounts request current and previous addresses. So the thief fills out the victim’s current address as “previous” and plugs in a new address, usually a P.O. box or the thief’s own address, where the new credit card or statement will be sent. I’m amazed that a lender or credit card company can be careless enough to send a new credit card to a relatively anonymous P.O. box. The lender just checks the victim’s credit and, since everything matches, no red flags pop up. The card is issued, the account is opened and the fun begins.

In the Bank of New York Mellon case, investigators found dozens of bank and credit statements in the names of the victims at the thief’s home address.

Think for a moment about your house or apartment, and how you might break in if you lost your keys. If a burglar knew what you know about where you hide and store your stuff, how much damage could he do? Insiders pose the same problem. They know the ins and outs of all systems in place, and can wreak havoc on your operation as long as they are employed, and sometimes even after they are let go.

The problems begin when we are forced to trust people with complete access in order to allow them to perform their required duties. Ultimately, this is a people problem and needs to be addressed as such.

It is human nature to trust each other. We are raised to be civil towards one another and to respect those in authoritative positions. It takes a significant amount of trust in your fellow human beings to drive down the street while cars are heading toward you, separated only by a thin painted line. Without trust, we couldn’t get out of bed in the morning.

To protect your business and your data, limit sources as much as possible. Minimize the personnel with access to essential systems. Supervise the supervisors. Even your good apples can eventually go bad, so limit access, even for those who are in a trusted position. And require checks and balances, with multiple layers of authorization. If one person is always watching over another person’s shoulder, bad apples can’t hide or execute scams. Perform due diligence. In the information age, our lives are an open book. Background checks from information brokers are crucial. Failing to do background checks increases your liability. Someone who has been previously convicted of a crime just might do it again. And if a breach of trust does occur, prosecute the guilty. Make an example that other’s won’t forget. Public hangings are a strong deterrent.

Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name.

And invest in Intelius identity theft protection. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. “Disclosures”

It is human nature to trust each other. We are raised to be civil towards one another and to respect those in authoritative positions. It takes a significant amount of trust in your fellow human being to drive down the street while cars are heading toward you only separated by a thin painted line. Without trust we wouldn’t get out of bed in the morning.

Robert Siciliano identity theft speaker discussing identity theft on Fox News

Identity Theft Myths Part 1of3 During PYIW

Identity Theft Expert Robert Siciliano

The National Foundation for Credit Counselors, which sponsors Protect Your Identity Week, has compiled a number of identity theft myths. To support their efforts, the Santa Fe Group Vendor Council Awareness and Education Subcommittee has helped to clarify some common misinformation with regards to this increasingly common crime.

Myth #1: There’s no way to protect yourself from identity theft.

Identity theft is preventable. As with any other crime, the risk will always be there. But there are many things people can do to minimize that risk, both online and offline. Preventative measures include keeping financial records protected and private, shredding junk mail, and tracking who sees your personal information. An identity theft protection service uses a variety of techniques to prevent, detect, and, if necessary, resolve identity theft.

http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/deter.html
http://www.onguardonline.gov/topics/computer-security.aspx

Myth #2: Identity theft is only a financial crime.

While financial identity theft (theft of information for financial gain) is most prevalent, other types of identity theft can be equally dangerous, potentially costly, and time consuming to resolve. For example, with medical identity theft, personal medical records are used to access medical treatment or drugs, or to make false insurance claims. With criminal identity theft, a person uses faulty or stolen identification to avoid prosecution by law enforcement.

Medical identity theft: http://www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf
Criminal identity theft: http://www.privacyrights.org/fs/fs17g-CrimIdTheft.htm
Employment fraud: http://www.idtheftcenter.org/artman2/publish/v_art_solutions/Solution_27_-_Someone_Working_as_You.shtml

Myth #3: It’s my bank’s fault if I became a victim of identity theft.

Some identity crime does originate with the theft of bank records or is perpetuated by lax security practices. However, the majority of identity theft begins elsewhere. Personal information may be stolen with low tech tools such as a lost or stolen wallet, checkbook, or a debit or credit card, or more high tech methods, such as skimming, phishing, and hacking.

http://www.onguardonline.gov/topics/computer-security.aspx
http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identitytheft.html#whatdothievesdowithastolenidentity

Myth #4: It is safe to give your personal information over the phone if your caller ID confirms that it is your bank.

It is never safe to give personal information to unsolicited callers, no matter who they say they are. Caller IDs are easily spoofed. If you believe the caller is legitimate, hang up and call the bank back at its listed phone number.

http://www.ncpc.org/programs/catalyst-newsletter/catalyst-newsletter-
2009/volume-30-number-1/vishing-a-new-twist-on-identity-theft-threatensconsumers
http://www.onguardonline.gov/topics/computer-security.aspx

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano “Disclosures” Identity Theft Speaker discussing Social Media Identity Theft on Fox Boston

Identity Theft Is Really No Big Deal. Idiot.

Robert Siciliano Identity Theft Expert

I make a portion of my living talking about identity theft. Admittedly, I profit from the crime. I don’t steal identities of course, but I get paid because others steal. I’m not FBI, CIA, Secret Service or a cop. But you wouldn’t disparage any of those entities for doing their jobs to protect you from bad guys.

I talk about this issue all day, every day to whoever will listen. I’m obsessed with this and all issues regarding personal security. It’s what I do, and it seems to be “my purpose.” I may sometimes go a bit overboard in my take on these issues and what people need to do to protect themselves, but sometimes that’s what it takes for people who think it can’t happen to them get off their duff and be proactive.

All that said, it bothers the heck out of me when someone looks me straight in the eye and tells me that identity theft is no big deal, that I should get over it. That’s exactly what Julia Angwin does in this Wall Street Journal article. And she uses a prominent industry professional as the anchor of her article, to confirm her beliefs and trivialize this heinous crime.

The fact is, crime happens all day, every day. Some crimes are more or less common. Some are more or less invasive. All crimes have victims and all victims suffer the consequences of others actions. To trivialize those victims and make little of their burden is a completely incomprehensible act.

I responded to this article with the following comment:

“The author hides under the guise of The Decoder and will not give her name in this article. In another article she is Julia Angwin at julia.angwin@wsj.com. Why not sign your name here?? [Angwin’s name now appears under the article.]

A person is more likely to be a victim of some form of identity theft than to be injured in a motor vehicle accident. But I’ll bet she wears a seat belt and doesn’t trivialize that. A person is more likely to be a victim of identity theft than have their home broken into or car stolen. But I’ll bet she locks up. A person is more likely to be victim of identity theft than be sexually assaulted. But she dare not trivialize that. A person is more likely to be a victim of identity theft than have their child abducted. But I’ll bet she watches her kids close at the park. Sister, just because you don’t understand something doesn’t give you the right to make little of it. Identity theft victims suffer the consequences of fraud every day. Some much more than others. For the victims, identity theft is a living hell. I wouldn’t wish any of the above on anyone and hope identity theft never happens to you. If it does you will sing a different tune and be appropriately empathetic to the victims of this heinous crime.

And Bruce, really, the contrarian thing is very obvious. To say you’re not worried and don’t do anything is a slap in the face to everyone who has been victimized and everyone who cares to prevent it. Your credibility just slipped a notch in this fan’s opinion.”

And because I care and because I’m being paid and because I believe in the following, I’m going to make a couple suggestions to you as to how you should protect yourself. But really, identity theft is no big deal.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius Identity Theft Prevention and Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Robert Siciliano Identity Theft Speaker discussing identity theft on the rise on Fox News.

How to Prevent Phishing Scams

Robert Siciliano Identity Theft Expert

Recent reports abound of consumers email account being phished and American and Egyptian authorities arresting  dozens of people in an online fraud crackdown for phishing scams.  Its time to revisit the fundamentals of how to prevent phishing. Nobody can do this better than the Anti Phishing Work Group

Phishing Defined

Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials. Social‐engineering schemes use spoofed e‐mails purporting to be from legitimate businesses and agencies to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as usernames and passwords. Technical‐subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using systems to intercept consumers online account user names and passwords ‐ and to corrupt local navigational infrastructures to misdirect consumers to counterfeit websites (or authentic websites through phisher‐controlled proxies used to monitor and intercept consumers’ keystrokes).

How to Avoid Phishing Scams

The number and sophistication of phishing scams sent out to consumers is continuing to increase dramatically. While online banking and e-commerce is very safe, as a general rule you should be careful about giving out your personal financial information over the Internet. The Anti-Phishing Working Group has compiled a list of recommendations below that you can use to avoid becoming a victim of these scams.

  • Be suspicious of any email with urgent requests for personal financial information
    • unless the email is digitally signed, you can’t be sure it wasn’t forged or ‘spoofed’
    • phishers typically include upsetting or exciting (but false) statements in their emails to get people to react immediately
    • they typically ask for information such as usernames, passwords, credit card numbers, social security numbers, date of birth, etc.
    • phisher emails are typically NOT personalized, but they can be. Valid messages from your bank or e-commerce company generally are personalized, but always call to check if you are unsure
  • Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don’t know the sender or user’s handle
    • instead, call the company on the telephone, or log onto the website directly by typing in the Web adress in your browser
  • Avoid filling out forms in email messages that ask for personal financial information
    • you should only communicate information such as credit card numbers or account information via a secure website or the telephone
  • Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your Web browser
    • Phishers are now able to ‘spoof,’ or forge BOTH the “https://” that you normally see when you’re on a secure Web server AND a legitimate-looking address. You may even see both in the link of a scam email. Again, make it a habit to enter the address of any banking, shopping, auction, or financial transaction website yourself and not depend on displayed links.
    • Phishers may also forge the yellow lock you would normally see near the bottom of your screen on a secure site. The lock has usually been considered as another indicator that you are on a ‘safe’ site. The lock, when double-clicked, displays the security certificate for the site. If you get any warnings displayed that the address of the site you have displayed does NOT match the certificate, do not continue.
  • Remember not all scam sites will try to show the “https://” and/or the security lock. Get in the habit of looking at the address line, too. Were you directed to PayPal? Does the address line display something different like “http://www.gotyouscammed.com/paypal/login.htm?” Be aware of where you are going.
  • Consider installing a Web browser tool bar to help protect you from known fraudulent websites. These toolbars match where you are going with lists of known phisher Web sites and will alert you.
    • The newer version of Internet Explorer version 7 includes this tool bar as does FireFox version 2
    • EarthLink ScamBlocker is part of a browser toolbar that is free to all Internet users – download at http://www.earthlink.net/earthlinktoolbar
  • Regularly log into your online accounts
    • don’t leave it for as long as a month before you check each account
  • Regularly check your bank, credit and debit card satements to ensure that all transactions are legitimate
    • if anything is suspicious or you don’t recognize the transaction, contact your bank and all card issuers
  • Ensure that your browser is up to date and security patches applied
  • Always report “phishing” or “spoofed” e-mails to the following groups:
    • forward the email to reportphishing@antiphishing.org
    • forward the email to the Federal Trade Commission at spam@uce.gov
    • forward the email to the “abuse” email address at the company that is being spoofed (e.g. “spoof@ebay.com”)
    • when forwarding spoofed messages, always include the entire original email with its original header information intact
    • notify The Internet Crime Complaint Center of the FBI by filing a complaint on their website: www.ic3.gov/

In addition you must:1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius Identity Theft Prevention and Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Robert Siciliano Identity Theft Speaker discussing identity theft on the rise on Fox News

Obama; Cybersecurity and Identity Theft Protection Starts at Home

Robert Siciliano Identity Theft Expert

Whether you realize it or not, your computer is one of the biggest threats to your personal security. The Obama administration believes that your computer is also one of the biggest threats to national security.

The message is: Think before you click. Know who’s on the other side of that instant message. What you say or do in cyberspace stays in cyberspace — for many to see, steal and use against you or your government.

The Internet is incredibly powerful and not particularly secure. It is powerful enough to bring people together, to educating, inform, and make life easier. But it’s also used to hurt, scam, and debilitate in so many ways.

The Pentagon’s computer systems are probed 360 million times per day, and one prominent power company has acknowledged that its networks see up to 70,000 scans per day. Every single day, utilities, banks, retailers and just about every computer network are faced with attacks. Many of these hacks are insignificant. Many are conducted with intent to commit crimes such as espionage, financial data theft, or the destruction of crucial information. The criminal hackers could be cyber-terrorists attempting to destroy the U.S. or its economy, malcontents simply wreaking havoc for its own sake, or opportunists looking for a profit.

The U.S. is a prime target for a number of reasons. The most obvious is that we’ve made mistakes that have many in the world hating us. Then there’s our financial system, which offers instant credit to anyone with a Social Security number. And of course, credit card security is an oxymoron, since anyone can use any credit card at any time. We have a bullseye on us and we put it there.

“Weapons of Mass Disruption” are a growing concern. The U.S. and many other countries are electrically and digitally dependent. Our critical infrastructures, including drinking water, sewer systems, phone lines, banks, air traffic, and government systems, all depend on the electric grid. After a major successful attack we’d be back to the dark ages instantly. No electricity, no computers, no gasoline, no refrigeration, no clean water. Think about when the power goes out in your house for a few hours. We’re stymied.

The Pentagon and the Department of Homeland Security are hiring thousands of computer experts to protect our networks. But the weakest link in the chain is not the government, but the citizens. Government has lots of work to do, but moms and pops are the most vulnerable. Enterprise networks have become hardened, while small business and the lowly consumer know enough about information security to get hacked. Awareness is key. You are either part of the problem or the solution.

Read this and every possible blog, article and report you have access to so you can stay on top of what is new and ahead of what is next in technology and the security necessary to keep it safe. Build your IT security vocabulary. Protect yourself and your business.

Those steps include:

Use antivirus software, spyware removal, parental controls and firewalls.

Back up your data locally and in the cloud.

Understand the risks associated with the wireless web especially when using unsecured public networks.

Protect your identity too. The most valuable resource you have is your good name. Allowing anyone to pose as you and let them damage your reputation is almost facilitating a crime. Nobody will protect you, except you.

  • Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name.
  • And invest in Intelius identity theft protection. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.
  • Visit US-Cert here

Robert Siciliano identity theft speaker discussing the mess of data security on Fox News

70 Million Veterans at Possible Risk For Identity Theft

Robert Siciliano Identity Theft Expert

Wired reports the inspector general of the National Archives and Records Administration (NARA) is investigating a potential data breach affecting 70 million records of U.S. military veterans. The issue involves a defective hard drive the agency sent back to its vendor for repair without first destroying the data. Once the drive was diagnosed and found to be faulty, it was sent out for recycling. With millions of records still on it.

A NARA IT manager says 70 million veterans are at risk for identity theft, and that NARA’s practice of returning hard drives unsanitized was symptomatic of an irresponsible security mindset unbecoming to America’s record-keeping agency.

A $2000.00 hard drive with millions of social security numbers is worth millions, maybe billions of dollars if it gets into the hands of a criminal. The “loss” of data like this can cost a government agency or corporation millions to respond to the breach. The hard drive should have never left the facility and should have been destroyed. The Pentagon requires that old or defective drives be de-magnified or destroyed.

We have seen breaches like this before. A Veteran’s Administration laptop was stolen from the home of an employee of the Department of Veterans Affairs containing personal records of 26.5 million veterans in 2005 and eventually settled a class action suit over the breach by paying out $20 million. NARA also lost a hard drive including 100,000 Social Security numbers.

The risks associated with this kind of a breach generally revolve around new account fraud. New account fraud occurs when someone gains access to your personal identifying information, including your name, address and, most importantly, your Social Security number. With this data, a thief can open a new account such as a credit card and have the card sent to a different address. This is true identity theft. New account fraud destroys the victim’s credit and is a mess to clean up.

Government intervention to protect you from new account fraud is probably not going to happen any time soon, if ever. The responsibility is the citizens to protect themselves.

1. Protecting yourself from new account fraud requires effort. You can attempt to protect your own identity, by getting yourself a credit freeze, or setting up your own fraud alerts. There are pros and cons to each.

2. Invest in Intelius Identity Protection and Prevention. Because when all else fails you’ll have someone watching your back.

Robert Siciliano Identity Theft Speaker discussing identity theft on the rise on Fox News

Couples Online Bank Account Hacked Leads to Identity Theft

Robert Siciliano Identity Theft Expert

In 2007, a U.S. couple fell victim to identity theft when a criminal accessed their online bank account and stole $26,500 from a home equity credit line. The money was transferred to an Austrian bank that refused to return the funds to Citizens Financial Bank. So Citizens Financial informed the couple that they were liable for the loss. When the couple refused to pay, the bank notified the credit bureaus that their account was delinquent and threatened to foreclose on their home. So the couple sued the bank, claiming violations of the Electronic Funds Transfer Act and the Fair Credit Reporting Act, as well as accusing the bank of negligence.

Who should be held responsible? Well, the jury’s out. Literally.

Did the couple accidentally give their data to a phisher? Were they dumb, or was it just bad luck? Was their Internet security software up to date? Does that matter? Should the bank activate their zero liability policies and simply chalk it up to a loss? I’m a big believer in personal responsibility. However, if the bank offered a system that can be easily defeated then maybe they should take some responsibility.

White hat hackers are struggling to stay one step ahead of the criminals. There are more ways to compromise data today than ever before. Viruses quadrupled in one year, from just over 15,000 in 2007 to nearly 60,000 in 2008. Black hat hackers are out in full force.

In 2000, the white hats were supposedly about a year ahead of the black hats in technology, meaning that it should take about a year for the black hats to hack the white hats. Other research shows that by 2004, the black hats were about two weeks behind the white hats. And now here we are in 2009. In many cases, the black hats are years ahead of the white hats. The good guys are losing.

Many new viruses may already be on your hard drive, dormant, waiting for a signal to activate. They may be Trojans, waiting to strike when you log on to your online bank account.

We tend to have numerous viruses in our own bodies, which take control once our immune system is weak, or when they come into contact with one another. Similarly, your PC may have viruses lurking within. It’s easy for a PC to catch a virus when we simply visit a website, click on a link or download a program that we believe to be safe.

The technology of the criminal hacker has evolved, and is continuing to evolve faster than that of the white hats. This means you have to be on your game. Stay informed, and don’t let your guard down.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius Identity Theft Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

3. Make sure your McAfee anti-virus is up to date and set to run automatically.

4. Update your web browser to the latest version. An out of date web browser is often riddled with holes worms can crawl through.

5. Check your bank statements often, online, at least once a week.

Robert Siciliano Identity Theft Speaker discussing online banking insecurity

Big Time Identity Theft Hackers Indicted

Robert Siciliano Identity Theft Expert

ABC news and a bazillion other outlets report that a former informant for the Secret Service was one of three men charged with stealing credit and debit card information from 170 million accounts in the largest data breach in history. The former informant, Albert Gonzalez of Florida, A.K.A “Segvec”, “SoupNazi,” and “j4guar17,” whose motto was ”Get Rich or Die Tryin'” was alleged to have been the ringleader of the criminal hacking operation of a prolific network that spans over five years of serious criminal activity. Once a criminal, always a criminal.

Gonzalez and two other unidentified hackers believed to be from Russia have been charged with hacking into Heartland Payment Systems, 7-11 and Hannaford Brothers Company, Dave and Busters and TJX Corporation, which involved up to 45 million credit card numbers..

Gonzalez was originally arrested in 2003 by the U.S. Secret Service and began working with the agency as an informant. Federal investigators say they later learned that the hacker had been tipping off other hackers on how to evade detection of security and law enforcement worldwide.

Gonzalez provided “sniffer” software used to intercept the credit and debit card numbers for the Russian hackers. Sniffer software or “malware” malicious software, acts like a virus attaching itself to a network and often spreading. The software allows the criminal hacker backdoor access to all the data in the server and provides remote control functionality.

The NY Times reports according to the indictment, Gonzalez and his conspirators reviewed lists of Fortune 500 companies to decide which corporations to take aim at and visited their stores and used a technique called “wardriving” to monitor wireless networks. The online attacks took advantage of flaws in the SQL programming language, which is commonly used for databases.

Threat Level, by Wired magazine, reported that Gonzalez had lived a lavish lifestyle in Miami, once spending $75,000 on a birthday party for himself and complaining to friends that he had to manually count thousands of $20 bills when his counting machine broke.

Protect yourself;

1. You can’t prevent this type of credit card fraud from happening to you when the retailer isn’t protecting your data. Eventually credit card protection solutions will  be available. For now, protecting yourself from account takeover is relatively easy. Simply pay attention to your statements every month and refute unauthorized charges immediately. I check my charges online once every two weeks. If I’m traveling extensively, especially out of the country, I let the credit card company know ahead of time, so they won’t shut down my card while I’m on the road.

2. Prevent new account fraud.  Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

3. Invest in Intelius Identity Theft Protection and Prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Robert Siciliano Identity Theft Speaker discussing credit card data breaches and the sad state of cyber security on Fox News

Identity Theft Is Easy Over P2P

Robert Siciliano Identity Theft Expert

Peer to peer file sharing is a great technology used to share data over peer networks. It’s also great software to get hacked and have your identity stolen.

Installing P2P software allows anyone, including criminal hackers, to access your data. This can result in data breaches, credit card fraud and identity theft. This is the easiest and, frankly, the most fun kind of hacking. I’ve seen numerous reports of government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked.

The Register reports that a Washington state man has been sentenced to more than three years in federal prison after admitting to using file-sharing program LimeWire to steal tax returns and other sensitive documents. He searched LimeWire users’ hard drives for files containing words such as “statement,” “account,” and “tax.pdf.” He would then download tax returns, bank statements, and other sensitive documents and use them to steal identities.

I did a story with a Fox News reporter and a local family who had four kids, including a 15-year-old with an iPod full of music, but no money. I asked her dad where she got all her music and he replied, “I have no idea.” He had no idea that his daughter had installed P2P software on the family computer and was sharing all their data with the world. The reporter asked me how much personal information I could find on the P2P network in five minutes. I responded, “Let’s do it in one minute.”

There are millions of PCs loaded with P2P software, and parents are usually clueless about the exposure of their data. P2P offers a path of least resistance into a person’s computer, so be smart and make sure you aren’t opening a door to identity thieves.

  • Don’t install P2P software on your computer.
  • If you aren’t sure whether a family member or employee has installed P2P software, check to see whether anything unfamiliar has been installed. A look at your “All Programs Menu” will show nearly every program on your computer. If you find an unfamiliar program, do an online search to see what it is you’ve found.
  • Set administrative privileges to prevent the installation of new software without your knowledge.
  • If you must use P2P software, be sure that you don’t share your hard drive’s data. When you install and configure the software, don’t let the P2P program select data for you.
  • Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name.
  • And invest in Intelius identity theft protection. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses P2P hacks on Fox.

A Glorious Week of Identity Theft

Robert Siciliano Identity Theft Expert

If there was ever a week to get high, totally drunk, on information security and identity theft scammers and hackers, then this is it! Media outlets everywhere have been pumping out story after story of data breaches, identity theft, criminal hackers and indictments! Yeah team! For a criminal hacker groupie, this is Woodstock!

Dark reading reports Eight defendants were arraigned in a Brooklyn court for allegedly using the stolen identities of AT&T, T-Mobile, and Asurion customers to steal some $22 million worth of wireless equipment and services. An indictment was unsealed in Brooklyn federal court yesterday morning charging Courtney Beckford and seven other defendants. When identity theft defendants named Courtney, Gabe, Marsha, Saul and Ron are involved in a $22 million identity theft scheme, then you know it’s just a matter of time until someone named Britney or Brad will get busted too! It’s the identity theft apocalypse!

ABC News reports that a former informant for the Secret Service was one of three men charged with stealing credit and debit card information from 170 million accounts in the largest data breach in history. The former informant, Albert Gonzalez of Florida, A.K.A “Segvec”, “SoupNazi,” and “j4guar17,” whose motto was ”Get Rich or Die Tryin’” was alleged to have been the ringleader of the criminal hacking operation of a prolific network that spans over five years of serious criminal activity.

Information week reports in the first half of 2009, the number of computer users affected by malware engineered to steal personal information has risen by 600% compared to the January through June period in 2008, according to PandaLabs. In quantitative terms, Panda reports identifying 391,406 computers infected with identity-theft malware in the first six months of the year. Identity thieves are also seeking sensitive information through a more diverse set of targets. Where previously financial data thieves focused on spoofing online bank sites to dupe users into entering login information, they have recently been targeting a variety of services where payment account information may be stored or entered, like PayPal, Amazon, eBay, or charity sites.

Cnet reports Rogue Facebook apps steal log-in data, send spam. Security firm Trend Micro warned on Wednesday that a handful of rogue Facebook apps are stealing log-in credentials and spamming victims’ friends. So far, six malicious applications have been identified: “Stream,” “Posts,” “Your Photos,” “Birthday Invitations,” “Inbox (1),” “Inbox (2)” according to a blog post by Trend Micro researcher Rik Ferguson. The activity started earlier in the week with a Facebook notification Ferguson says he got from an app called “sex sex sex and more sex!!!,” which has more than 287,000 fans. The notification said that someone had commented on one of his posts. That app doesn’t appear to be malicious and may have been compromised somehow to begin the distribution of the spam, he said.

USA Today reports Hackers harness Twitter to do their dirty work.  A cyber gang has begun experimenting with setting up free Twitter accounts, then sending out Tweets from the popular micro-blogging service that are really coded instructions to botted PCs to carry out criminal activities. Anti-virus maker Symantec has isolated several samples of infected PCs carrying a unique new infection, dubbed “Sninfs.”

The PCs most likely got infected when their users unwittingly clicked to a tainted web page or on a corrupted link carried in an email or social network message, says Marc Fossi research and development manager at Symantec Security Response.

Protect yourself;

Don’t just sit back and get hacked. Arm yourself with anti-virus that runs automatically in the background and prevents “Courtney, Marsha and SoupNazi” from stealing your identity. Pick up McAfee’s Total Protection software and take control of your PC security.

Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano identity theft speaker discussing the sad state of cyber security on Fox News and check washing and campus security on ABC News.