Second Hand USB’s Could Have Personal Info Still Inside

An unsurprising study was recently released that found even when a portable USB drive is erased, not all of the documents and images are always removed. That, of course, is frightening.

Here’s how the research was done:

Researchers went online to sites like eBay, to second-hand shops, and even auction stores. They bought 200 used USB drives, half from the US and half from the UK. Almost 2/3 of the devices had data on them! This data was, for the most part, personal data, and it can also be used by cybercriminals to steal someone’s identity. On top of that, these USB drives can contain malware.

Removing All Data is Difficult

When someone tries to delete or remove data from a USB device, they rarely have success. In fact, of the 100 USB devices the researchers bought in the US, only 18 of them were totally wiped clean. The rest of them had data that had been deleted, but someone could certainly recover it. The UK devices were similar. What’s so surprising about this is that it is extremely easy…and free…for someone to fully delete their device. But most people just don’t put in the effort, and that could definitely hurt them in the future.

USB Devices Can Be Risky

Using these devices can be risky, not only for average people, but also for businesses. In 2017, for example, a USB device was lost, and it contained sensitive information about Heathrow Airport. The government investigated, and eventually fined the company. The information was not encrypted, nor password protected, and it was found on the street by a random passerby.

Because of these risks, some companies, like IBM, have banned the use of USB devices. Instead, employees must use the company’s cloud. Other companies still allow them, of course, but they could be going down a dangerous road. These devices are really cheap to buy, and people can save almost anything on them, but they are also very easy to lose.

There are other issues with USB devices too. First, of course, you have the data on these drives to deal with, but there is also the fact that potential malware could be on the devices. Most companies don’t have the same rules that IBM has, and most consumers don’t think of this at all. This makes people and small businesses very vulnerable. So, if you use USB drives, there is one very important step that you need to take: encrypt it.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

How to Protect Fortnite Accounts

If you have tweens or teens, you are probably aware of the popular game Fortnite. Though it might say that it’s free, playing Fortnite can actually be quite expensive, and it could put player’s accounts at risk due to a security flaw.

A bug was recently discovered that allows hackers to obtain the login credentials of Fortnite users if they clicked on a link in a fake email. The company responsible for Fortnite, Epic Games, has acknowledged the bug but won’t say how many people were affected.

Not only could a hacker access a user’s Fortnite account, they could make in-game purchases using the person’s credit card, which is connected to the account. Hackers could also listen in to private chats!

How it Happens

You might wonder how players would actually click on these fake email links. Well, it happens all of the time. In this case, the users clicked on a link that took them to a site that promised to give them “V-Bucks,” which are the in-game currency for Fortnite. Once the players enter their information in, sometimes even asking for credit card information, the hackers have all they need.

Most games like this have an in-game currency, and Fortnite is no exception. Players can buy things like outfits for their players, better weapons, and even bonus items. So, even kids who don’t have their own credit cards will often sweet talk their parents into giving their credit cards, and once that info is in the game, you can use it whenever you want to make purchases.

Fortnite for Money Laundering

Hackers also known as “carders,” who specialize in stealing and selling stolen credit card numbers, are using Fortnite as a bank. They are using stolen credit card numbers to make V-Buck purchases and selling them to other players at a discount. When playing Fortnite in Battle Royale mode and earning “Photons” (a new form of cryptocurrency), it seems the hackers can set up a crypto wallet connected to their account to withdraw the stolen funds.

Protecting Your Card

 If you have given your kids permission to use your credit card for Fortnite, you are not alone, but you should take steps to protect it.

safr.me

Do your kids make digital purchases with you money?

The first thing you should do is set up a passcode, one that your kids can’t guess. This means they cannot buy anything in the game unless you approve it. You will have to do this on the gaming console you use. Xbox, for instance, allows you to set a code for the following actions:

  • Signing in when the console is turned on
  • Updating device settings
  • Making a purchase

Microsoft also advises its users against putting a credit card into the Xbox account of any child or other family member who you don’t want making any in-game purchases. This way, you can keep your family safe, and keep your money safe.

Beware of Phishing

Make sure your kid isn’t providing email addresses (theirs or yours) to anyone on Fortnite. If they do, there’s a strong possibility they might provide it to a criminal phisher. Once this happens, tricky phishing emails that look like they are coming from Fortnite designed to steal passwords are likely to hit your inbox.

Set up Two-Factor Authentication

Any and every account that is considered “critical,” which means it contains personal or sensitive information, should have two-step or two-factor authentication.

Fortnite provides this, and parents MUST enable it. Go to Logins, and open account settings at your username in the top right corner. Then, select password security. At the bottom, click on “two-factor” sign in.

Foreign Bad Actors Hacked Marriott

You have probably heard about the latest major data breach, right? The Starwood hotel chain, which is owned by Marriott, was hacked. More than 500 million people were affected by it, and now, we have learned that a hostile, foreign intelligence service is likely behind it.

Most of the data that was compromised is unsurprising, such as emails and names, but other information that was accessed is a bit puzzling. This includes passport information and where people traveled. A U.S. intelligence official, who does not want to be identified, has said that this breach fits the mold of China being behind it.

Though there is nothing specific to point the finger at China, the techniques, tools and procedures that were used are commonly being used by hackers who work for the Chinese government. However, it is important to keep in mind that other hackers would also have access to these tools.

For now, the investigation is continuing into the data breach, and nothing official has been released. The FBI continues to remain on the case, and Marriott has said that it has no idea who or what is behind this hack. At this point, they are choosing not to speculate.

Robert Siciliano Marriott

The hotel chain has both internal and external teams working on exposing the hackers, and the main clue they are focusing on is the type of data that was accessed, such as passport numbers and the times and dates that people checked in and checked out of the hotel. This information could be very valuable to foreign countries, including China, who might want to create counterfeit passports. The State Department, however, has told NBC News that a new passport could not be made by using passport numbers alone.

This hack is part of a series of hacks that have plagued businesses over the past few years and recent months. In fact, this hack went on for four years before Starwood even realized that it was getting hacked! This is a pretty long time when you consider that the average hack goes on for 101 days before it’s discovered. What’s even more disturbing is the fact that the company knew about this hack since September, but it didn’t announce it until the beginning of December.

Marriott has responded to this. It says that it is improving the way it deals with cyber security, and, in addition to working out what happened in this hack, it is analyzing how it can improve the way it deals with customer data.

Protect Yourself From Gift Card Scams

So maybe Christmas now means the very predictable gift card swap, but hey, who can’t use a gift card? But beware, there are a ton of scams. This includes physical, not just digital, gift cards.

Regardless of who gave you the card, you should always practice security measures. Below are two common ways that fraudsters operate.

Transform Gift Card to Cash Twice.

If someone gives you a $200 gift card to an electronics store and then it’s stolen, you technically have lost money, as this is the same as someone stealing a wad of cash from your pocket.

Nevertheless, you’ll feel the loss just as much. Crooks who steal gift cards have numerous ways of using them.

  • Joe Thief has plans on buying a $200 item with your stolen gift card from your gym locker.
  • But first he places an ad for the card online, pricing it at a big discount of $130 saying he doesn’t need anything, he just needs money.
  • Someone out there spots this deal and sends Joe the money via PayPal or Venmo.
  • Joe then uses the $200 gift card to buy an item and sells it on eBay
  • And he just netted $130 on selling a stolen gift card that he never shipped.

Infiltration of Online Gift Card Accounts

Joe Thief might also use a computer program called a botnet to get into an online gift card account.

  • You must log into your gift card account with characters.
  • Botnets also log into these accounts. Botnets are sent by Joe Thief to randomly guess your login characters with a brute force attack: a computerized creation of different permutations of numbers and letters – by the millions in a single attack.
  • The botnet just might get a hit – yours.

Here’s How to Protect Yourself

  • Be leery of deals posted online, in magazines or in person that seem too good to be true and are not advertised by reputable retailers.
  • Buy gift cards straight from the source.
  • Don’t buy gift cards at high traffic locations, at which it’s easier for Joe to conceal his tampering.
  • Change the card’s security code.
  • Create long and jumbled usernames and passwords to lessen the chance of a brute force hit.
  • The moment you suspect fraudulent activity, report it to the retailer.
  • Spend the card right away.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

2017 Was the Worst year for Data Breaches EVER!

It seems like 2017 broke records for all the wrong reasons…one of them being the worst year for data breaches in history.

According to reports, hacking was the most common way to collect this data, but almost 70% of exposures occurred due to accidental leaks or human error. This came down to more than 5 billion records. There were several well-known public leaks, too, including the Amazon Web Services misconfiguration. More than half of the businesses using this service were affected, including companies like Verizon, Accenture, and Booz Allen Hamilton. The scariest part of this, however, is the fact that the number of breaches and the number of exposed records were both more than 24% higher than in 2016.

Big Breaches of Big Data

Another interesting thing to note is that eight of the big breaches that occurred in 2017 were in the Top 20 list of the largest breaches of all time. The top five biggest breaches in 2017 exposed almost 6 billion records.

Part of the reason for the big numbers is because huge amounts of data were exposed from huge companies, like Equifax. There was also a huge breach at Sabre, a travel systems provider, and the full extent of the breach isn’t even known at this point. All we do know is that it was big.

When looking at all of the known 2017 data breaches, almost 40% of the breaches involved businesses. About 8% involved medical companies, 7.2% involved government entities, and just over 5% were educational entities. In the US, there were more than 2,300 breaches. The UK had only 184, while Canada had only 116. However, until now, companies in Europe were not forced to report breaches, so things could change now that reporting is mandatory.

What were the biggest breaches of all time?  Here they are, in order:

  • Yahoo (US company) – 3 billion records
  • DU Caller Group (Chinese company) – 2 billion records
  • River City Media (US company) – 1.3 billion records
  • NetEase (Chinese company) – 1.2 billion records
  • Undisclosed Dutch company – 711 million records

Though none of this is great news, there is a silver lining here: none of the breaches of 2017 were more severe than any other breach in history, and overall, the occurrence of breaches dropped in the fourth quarter.

Because of so many breaches occurring due to human error, it’s very important that businesses of all sizes enact security awareness training, including helping staff understand what makes a business a target and what type of info the hackers want.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Mainstream Email and Data Services Might Be Spying on You

The Internet nowadays flourishes on personal data. Many of the world’s largest companies rely on this intangible commodity that users have been too willing ‘donating’ as an exchange for a ‘free’ service.

As data replaces oil as the new premium commodity, buying and selling data is big business. While some companies do it legitimately, some entities do it illicit.

Let’s look at some stats:

  • Every day, there are more than 10 million hacker attacks
  • Every hour, more than 228,000 data records are lost or stolen
  • In 2017, thousands of data breaches exposed most everything from log-in names and passwords to Social Security numbers

But what is even more alarming, mainstream email and data services collect and then sell the data, such as: location, Internet search history, photos, files, and of course, more sensitive personal information. Sometimes they are compelled to give this information to the authorities without informing the owner of the data.

So, everyone is at risk of being monitored and lose valuable personal data.

However, there are ways to protect your data online.  One of the ways of doing it is by using Secure Swiss Data free encrypted email. This company has created easy-to-use secure email which has the following benefits:

  • End-to-end encryption – data is always encrypted, encryption is happening on a user’s device and data is stored encrypted on the Secure Swiss Data servers.
  • Swiss protection of the data – The servers are located in Switzerland under 320m of granite in the Swiss Alps. In addition, users’ data is protected by Swiss laws. In fact, Switzerland has some of the most stringent privacy laws in the world.
  • No Ads – another benefit is that they never display ads. This means the company has no reason to collect your data. They are not able to reador scan emails nor tracks any location information.
  • Privacy by Design – They use this approach which ensures that privacy is considered throughout the engineering process.

You can download Secure Swiss Data an Android or iOS app, and register a FREE account. With all the updates, so far, you can:

  • Send encrypted emails with attachmentsnot only to Secure Swiss Data users, but also to other third party email users.
  • Set expiration timer for emails so that they are automatically deleted from your and your recipients’ mailboxes after a set period of time.

One system to protect communications online with integrated blockchain

However, it seems that Secure Swiss Data team don’t want to stop there. They want to do more to secure communications and protect privacy online. At the same time they don’t want to depend on any third party or government investment. So, they are now starting a crowdfunding campaign:

To provide the world with a unique single encrypted communications and collaboration system that will include the following features: end-to-end encrypted email, calendar, notes, tasks, file storage, collaboration in encrypted files, and end-to-end encrypted messenger. 

On top of the end-to-end encryption, the Secure Swiss Data team will integrate blockchain in the system and therefore add another layer of security, which would increase customer convenience and quality of data protection online.

The cause – Take control over your data, and protect your Online Privacy

One of the best parts of using the Secure Swiss Data services is that you know where the company stands. They have clearly stated that they believe in privacy as a human right and civil liberty. User’s data should be kept private, and no one should be able to get into those personal accounts unsolicited.

Furthermore, they say: “Privacy is not about having something to hide, it’s about the right to control what you want to share and what you want to keep to yourself.”

So, have an opportunity to make the decision on what to share and what not.

And using services like the one from Secure Swiss Data, you can do just that: have control over your online data and communications.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

The Equifax 2017 Exposed: What Half of America Needs to Do Right Now

Equifax has been hacked. As one of the three major credit bureaus in the United States, this is seriously bad. It is considered by many to be the worst security breach in the history of the internet. The extent (about 143 million Americans) and the sensitivity of the data is a rude awakening in a year when cyber has been in the center of the news.

What does this mean for you? It means that your Social Security number, and possibly even your driver’s license information, could be in the hands of hackers. Some are already calling this the worst breach of data in history.   

How Did This Happen?

On September 7th, Equifax announced that a security breach occurred that could impact as many as 143 million people. Though this isn’t the largest breach to occur, it could be the most devastating. The data that was accessed included Social Security numbers, address, birth dates, and driver’s license numbers. All of these can be used for identity theft.

Equifax also announced that the credit card numbers of more than 200,000 people were accessed, as were documents containing personal identifying information for more than 180,000 people. With this information, the hackers can commit credit card fraud. This isn’t as bad as identity theft, as credit card fraud is usually simple to fix, but these thieves could still open new credit card accounts in your name with your Social.

According to Equifax, the company discovered the data breach on July 29. Apparently, the hackers accessed the files from around mid-May all the way through July.

Richard F. Smith, the chairman and CEO of Equifax, admits that this is a “disappointing event” and that it “strikes at the heart” of the goals of the company. He also apologized to customers who work with Equifax and consumers. Boo hoo. I cry for you.

Why Did It Take So Long to Announce This?

You might be wondering why it took so long to announce that there was a data breach at Equifax. After all, the company discovered it on July 29, and didn’t announce it until September 7. Their Director of Social Media, has an answer. She said that as soon as the company discovered the breach, they stopped the intrusion. The company also hired a cybersecurity firm, which did a full investigation. This investigation was time consuming, and they wanted to have all of the information available before informing the public. Makes sense.

But Wait…There’s More

To add to this story, Bloomberg News announced that three executives from Equifax sold shares worth about $1.8 million. What’s shocking is that they did this AFTER the company discovered the breach. This will come back to bite them.

You can check to see if you are affected by the breach by using an online tool that Equifax has set up. FYI, I checked out my info, I’m a victim.

You should go there, enter your last name and the last six digits of your Social Security number, and the system will tell you if your information has been compromised. If it has, Equifax is offering a complimentary enrollment into the TrustedID program. However, there is language in the terms of service that may restrict your ability to have your day in court if you were to join a class action and the NY Attorney General is pissed. According to USA Today, a class action lawsuit has already been filed against Equifax. This class action suit seeks to secure all records associated with the breach and fair compensation for those who were affected.

Read the NYT.

You don’t have to have done any type of business with Equifax to be affected by this. If you have ever applied for a mortgage, loan, or credit card, the company likely has your information. The TrustedID program is going to be free for an entire year for anyone affected. It gives consumers the ability to lock and unlock their credit reports. They also get internet scans for their Social Security numbers and identity-theft insurance. You can also call Equifax at 866-447-7559.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Top 12 Tips to Destroy Your Sensitive Data

Believe it or not, you just can’t shred too much. If you aren’t destroying your sensitive data, my best advice is for you to start now. There are people out there who make a living diving into dumpsters in search of credit card info, bank account number, mortgage statements, and medical bills; all things they can use to steal your identity.  

Here are 12 tips that you can use to help you destroy your sensitive data:

  1. Buy a shredder. That said, I don’t own a shredder. I’ll explain shortly. There are a number of different brands and models out there. Some even shred CDs. This is important if you keep your documents saved on a computer, which you then saved to a CD. Don’t, however, try to shred a CD in a shredder that isn’t equipped to do this job. You will definitely break it.
  2. Skip a “strip-cut” shredder. These shredders produce strips that can be re-constructed. You would be surprised by how many people don’t mind putting these pieces together after finding them in trash. Yes, again, people will go through dumpsters to find this information. Watch the movie “Argo” and you’ll see what I mean.
  3. Shred as small as you can using a cross cut shredder. The smaller the pieces, the more difficult it is to put documents together again. If the pieces are large enough, there are even computer programs that you can use to recreate the documents.
  4. Fill a large cardboard box with your shreddables. You can do this all in one day, or allow the box to fill up over time.
  5. When the box is full, burn it. This way, you are sure the information is gone. Of course, make sure that your municipality allows burning.
  6. You should also shred and destroy items that could get you robbed. For instance, if you buy a huge flat screen television, don’t put the box on your curb. Instead, destroy, shred, or burn that box. If it’s on the curb, it’s like an invitation for thieves to come right in.
  7. Shred all of your documents, including any paper with account numbers or financial information.
  8. Shred credit card receipts, property tax statements, voided checks, anything with a Social Security number, and envelopes with your name and address.
  9. Talk to your accountant to see if they have any other suggestions on what you should shred and what you should store.
  10. Shred anything that can be used to scam you or anyone. Meaning if the data found in the trash or dumpster could be used in a lie, over the phone, in a call to you or a client to get MORE sensitive information, (like a prescription bottle) then shred it.
  11. Try to buy a shredder in person, not online. Why? Because you want to see it and how it shreds, if possible. If do buy a shredder online, make sure to read the reviews. You want to make sure that you are buying one that is high quality.
  12. Don’t bother with a shredder. I have so much to shred (and you should too) that I use a professional document shredding service.

I talked to Harold Paicopolos at Highland Shredding, a Boston Area, (North shore, Woburn Ma) on demand, on-site and drop off shredding service. Harold said “Most businesses have shredding that needs to be done regularly. We provide free shredding bins placed in your office. You simply place all documents to be shredded in the secure bin. Your private information gets properly destroyed, avoiding unnecessary exposure.”

Does your local service offer that? Shredding myself takes too much time. And I know at least with Highlands equipment (check your local service to compare) their equipment randomly rips and tears the documents with a special system of 42 rotating knives. It then compacts the shredded material into very small pieces. Unlike strip shredding, this process is the most secure because no reconstruction can occur.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Three ways to beef up security when backing up to the cloud

Disasters happen every day. Crashing hard drives, failing storage devices and even burglaries could have a significant negative impact on your business, especially if that data is lost forever. You can avoid these problems by backing up your data.

Backing up means keeping copies of your important business data in several places and on multiple devices. For example, if you saved data on your home PC and it crashes, you’ll still be able to access the information because you made backups.

A great way to protect your files is by backing up to the cloud. Cloud backup services like Carbonite allow you to store data at a location off-site. You accomplish this by uploading the data online via proprietary software.

Cloud backup providers have a reputation for being safe and secure. But you can’t be too careful. Here are a few ways to beef up security even more when you use a cloud backup system:

  • Before backing up to the cloud, take stock of what data is currently in your local backup storage. Make sure that all of this data is searchable, categorized and filed correctly.
  • Consider taking the data you have and encrypting it locally, on your own hard drive before backing up to the cloud. Most cloud backup solutions – including Carbonite – provide high-quality data encryption when you back up your files. But encrypting the data locally can add an additional layer of security. Just remember to store your decryption key someplace other than on the computer you used to encrypt the files. This way, if something happens to the computer, you’ll still be able to access your files after you recover them from the cloud.
  • Create a password for the cloud account that will be difficult for any hacker to guess. However, make sure that it’s also easy for you to remember. The best passwords are a combination of numbers, letters and symbols.

Cloud backups are convenient and have a good record when it comes to keeping your data safe. It doesn’t require the purchase of additional equipment or the use of more energy. You can also restore data from anywhere, to any computer, as long as there is an Internet connection available.

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. Disclosures.

How much is your Data worth online?

Cyber crime sure does pay, according to a report at Intel Security blogs.mcafee.com. There’s a boom in cyber stores that specialize in selling stolen data. In fact, this is getting so big that different kinds of hot data are being packaged—kind of like going to the supermarket and seeing how different meats or cheeses are in their own separate packages.

10DHere are some packages available on the Dark Net:

  • Credit/debit card data
  • Stealth bank transfer services
  • Bank account login credentials
  • Enterprise network login credentials
  • Online payment service login credentials

This list is not complete, either. McAfee Labs researchers did some digging and came up with some pricing.

The most in-demand type of data is probably credit/debit card, continues the blogs.mcafee.com report. The price goes up when more bits of sub-data come with the stolen data, such as the victim’s birthdate, SSN and bank account ID number. So for instance, let’s take U.S. prices:

  • Basic: $5-$8
  • With bank ID#: $15
  • With “fullzinfo” (lots more info like account password and username): $30
  • Prices in the U.K., Canada and Australia are higher across the board.

So if all you purchase is the “basic,” you have enough information to make online purchases—and can keep doing this until the card maxes out or the victim reports the unauthorized charges.

However, the “fullzinfo” will allow the thief to get into the account and change information, thwarting the victim’s attempts to get things resolved.

How much do bank login credentials cost?

  • It depends on the balance.
  • $2,200 balance: $190 for just the login information
  • For the ability to transfer funds to U.S. banks: $500 to $1,200, depending on the balance.

Online premium content services offer a variety of services, and the login credentials to these are also for sale:

  • Video streaming: $0.55 to $1
  • Cable channel streaming: $7.50
  • Professional sports streaming: $15

There are so many different kinds of accounts out there, such as hotel loyalty programs and auction. These, too, are up for sale on the underground Internet. Accounts such as these have the thief posing as the victim while carrying out online purchases.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.