Shred your Boarding Pass

Apparently there are people who take pictures of their airplane boarding pass…and post it online. I’m dead serious. I’ve heard of toddlers getting excited over scraps of paper, but full-grown adults posting images of their boarding pass online? Don’t get me started.

Let’s just say that this is incredibly absurd. Like, who cares about your bleepity bleep boarding pass, right? OK, you got bumped up to first class. SAVE IT. Well, wait a minute. Fraudsters care.

Fraudsters also care about the boarding pass that’s left intact in a rubbish can or lying on a seat somewhere.

Few travelers know that the bar code on the boarding pass MAY contain that individual’s home address, e-mail address, name and contact number. All a crook needs is this basic information (revealed with a bar code reader app on his cell phone!) to get the fraud ball rolling.

  • Keep your boarding pass out of everyone’s sight except the airport employee who requests it.
  • After you no longer need it, tear it up and flush it down a toilet.
  • When you arrive at your hotel, don’t bring it with you to your hotel room and leave it sitting out in full view. Shred and destroy it beforehand. Putting it in the hotel room trash isn’t enough. Realize that when you’re not in the room, maids and other hotel employees can gain access, and I can’t say it enough: You just never know who has a bar code reader app.
  • And for Heaven’s sake, don’t post images of it online, if for no other reason than that it makes you come across as less interesting than a doorknob. In fact, don’t even think you’re safe posting a picture with the bar code cropped out. You just never know with today’s technology what a crook could get off an image online.

Man, if you still don’t believe me about any of this, check out these two very short but alarming videos. You’ll be flabbergasted at how much information about you a techy thief could get from your boarding pass! “If a hacker can find it, he can find YOU!”

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Can Hackers Use FraudFox VM to Defeat Your Fraud Prevention?

In the last few days, a number of tech magazines like Computerworld and PC Advisor have reported that FraudFox VM poses a threat to the security of online businesses—especially banks and payment services.

FraudFox VM is a special version of Windows with a heavily modified version of the Firefox browser that runs on VMware Workstation for Windows or VMware Fusion on OS X. It’s for sale on Evolution, the apparent successor to the Silk Road online contraband market, for 1.8 bitcoins, or about $390.

FraudFox VM was created to defeat device recognition, or fingerprinting, which is used in fraud prevention to assess the risk of a device connecting to a business. Web browsers are used to collect data like operating system version, time zone and IP address. Each of these characteristics can be used to assess risk and uncover possible fraud.

So how worried should your business, and your customers, be about this new software? I sat down with Scott Waddell, the Chief Technology Officer of iovation, the fraud prevention experts, to find out what the reality is behind the media headlines.

  1. How reliant are banks and financial institutions on this kind of technology to stop fraudulent transactions these days? Is fingerprinting used more for mobile than on desktop?
    Banks leverage device reputation solutions with great success in both fraud mitigation and risk-based authentication strategies. Of course, good security is all about layered defenses, so smart banks use these tools as part of a defense-in-depth strategy to avoid over-reliance on any one security technology. Device recognition is used on all Internet connected devices these days, mobile and desktop alike. Mobile transactions are the fastest growing segment being protected with these tools, but the majority still originate from desktop operating systems.
  2. Do you think this would be an effective method for cybercriminals to get around those defenses?
    FraudFox VM may be interesting for its purpose-built virtual machine packaging, but there’s really nothing new in the approach. Tools have been available to fraudsters for years to facilitate changing device parameters, manipulating JavaScript, blocking data collection, obscuring IP address and location, and so on. Many of these capabilities have even migrated into easy-to-use settings in the major web browsers to make testing easier for web developers. Device reputation solutions have evolved along with such tools and continue to provide great uplift in fraud catch in spite of them.

    From the reported attributes that FraudFox can change, it would be unable to evade native recognition tools (those embedded in native desktop apps) and it would stumble over transactional similarity scoring on the web that considers more device attributes along with tagged recognition. So the tendency at financial institutions would be to trigger step-up authentication to one-time passwords through out-of-band channels (SMS, mobile app, voice) that FraudFox could not intercept.

  3. Is it possible to fake browser fingerprints manually or using other tools? Does this thing look like a good consolidation of other tools that people might use to defeat fingerprinting?
    As previously mentioned, there are other tools and techniques fraudsters use to evade recognition or to try to mimic the devices of their victims. These often stand out from actual browsers in ways that defeat their intended purpose. A couple of years ago, the Gozi Prinimalka trojan attempted to duplicate device attributes of compromised systems much as FraudFox VM aims to do. However, its limitations made it ineffective against modern device reputation offerings that evaluate risk and reputation through multiple strategies including link analysis, profiling techniques, velocity rules, proxy and Tor unmasking, device attribute anomalies, and more. FraudFox VM seems to be relatively limited in its capabilities considering the variety of techniques sophisticated fraud mitigation tools bring to bear.
  4. Any other thoughts?
    It’s certainly interesting to see tools like this for sale on Evolution, which appears to be catering to fraudsters and identity thieves. All the more reason for online businesses to take advantage of collaborative technologies that bring the power of community to the fight against the increasingly organized economy of cybercrime.
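As an added example (not iovation’s or this post’s own code), here is a toy version of the transactional similarity scoring and step-up decision Waddell describes above: it weighs which attributes of a returning device differ from its stored profile, flags internally inconsistent attribute combinations of the kind device-spoofing tools tend to leave behind, and escalates to an out-of-band one-time password before it ever blocks. All attribute names, weights, thresholds and sample profiles are assumptions chosen for illustration.

```python
"""Added illustration (not iovation's code): device-attribute similarity scoring
with step-up authentication. Names, weights, thresholds and profiles are constructed."""
from dataclasses import dataclass

# Weight attributes by how rarely they legitimately change between sessions:
# IP country changes when you travel; screen size or a persistent tag rarely does.
WEIGHTS = {"ip_country": 1.0, "timezone": 2.0, "os": 3.0, "browser": 1.5,
           "screen": 3.0, "language": 1.5, "device_tag": 5.0}
# Constructed lookup for a consistency check: time zones plausible for an IP country.
COUNTRY_TIMEZONES = {"US": {"America/New_York", "America/Chicago", "America/Los_Angeles"},
                     "DE": {"Europe/Berlin"}}

@dataclass
class Verdict:
    score: float      # 0.0 means identical to the stored profile
    anomalies: list   # internally inconsistent attribute combinations found
    action: str       # "allow", "step_up" or "block"

def attribute_distance(stored: dict, presented: dict) -> float:
    """Weighted count of attributes that differ from the trusted profile."""
    return sum(w for k, w in WEIGHTS.items() if stored.get(k) != presented.get(k))

def consistency_anomalies(presented: dict) -> list:
    """Combinations a genuine browser rarely produces but a spoofing tool often does."""
    found = []
    plausible = COUNTRY_TIMEZONES.get(presented.get("ip_country"), set())
    if plausible and presented.get("timezone") not in plausible:
        found.append("timezone inconsistent with IP country")
    ua, platform = presented.get("user_agent", ""), presented.get("platform", "")
    if (platform == "Win32" and "Macintosh" in ua) or (platform == "MacIntel" and "Windows" in ua):
        found.append("user agent contradicts navigator.platform")
    return found

def assess(stored: dict, presented: dict, step_up_at=4.0, block_at=12.0) -> Verdict:
    """Score a returning device and choose allow / out-of-band OTP step-up / block."""
    anomalies = consistency_anomalies(presented)
    score = attribute_distance(stored, presented) + 3.0 * len(anomalies)
    if score >= block_at:
        action = "block"
    elif score >= step_up_at or anomalies:
        action = "step_up"  # e.g. one-time password via SMS, app push or voice call
    else:
        action = "allow"
    return Verdict(score, anomalies, action)

# Constructed sample profiles.
STORED_PROFILE = {  # captured during a previous trusted session
    "ip_country": "US", "timezone": "America/New_York", "os": "Windows",
    "browser": "Firefox 35", "screen": "1920x1080", "language": "en-US",
    "device_tag": "tag-7f3a", "platform": "Win32",
    "user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0",
}
# Same customer on a trip to Germany: IP country and time zone moved together.
TRAVELING_PROFILE = dict(STORED_PROFILE, ip_country="DE", timezone="Europe/Berlin")
# Cloned profile: UA, OS, screen and language copied, but the persistent tag is
# missing and the proxy exit (US) disagrees with the VM clock (Europe/Moscow).
SPOOFED_PROFILE = dict(STORED_PROFILE, timezone="Europe/Moscow", device_tag=None)

if __name__ == "__main__":
    print("traveling:", assess(STORED_PROFILE, TRAVELING_PROFILE).action)
    print("spoofed:  ", assess(STORED_PROFILE, SPOOFED_PROFILE).action)
```

The traveling profile scores 3.0 and is allowed; the cloned one scores 10.0 with one anomaly and is stepped up, which is the outcome the interview predicts for FraudFox-style evasion.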

Fraudsters will always look for new ways to commit cybercrimes. However, a strategic, multi-layered approach to fraud prevention is the best defense.

Identity Theft Expert; Fake IDs are as easy as 1,2,3

Robert Siciliano Identity Theft Expert

Do an online search for “fake ids” and you’ll be amazed to discover how easy it can be to obtain an ID allowing you to pose as someone else. Or how easy it can be for someone else to obtain an ID that will allow him or her to pose as you. Some websites peddle poor quality cards, others offer excellent quality, and many websites are simply scams.

The fact is, our existing identification systems are insufficiently secure, and our identifying documents are easily copied. Anyone with a computer, scanner and printer can recreate an ID. Outdated systems exacerbate the problem by making it too easy to obtain a real ID at the DMV, with either legitimate or falsified information.

Another glitch is the potential for individuals to completely alter their appearances. Men with facial hair can wreak havoc on the current system. This is sometimes done as a prank. In other cases, the individual is attempting to subvert the system to maintain a degree of anonymity. New technologies, such as facial recognition, should eventually resolve some of these problems, but they are still years away from being fully implemented.

In Indianapolis, Indiana, a man was able to obtain six different IDs. He accomplished this by visiting various registries throughout the state and using borrowed names and stolen information. He obtained job applicant data from a failed body shop business he had owned. He used the false identities to open checking accounts at multiple banks and write fraudulent checks to himself. He was caught while applying for his seventh ID, thanks to facial recognition software. But it is disturbing to know that he was able to acquire six different identities, all stolen from real people, without detection. It was a bank employee who eventually noticed that he had two different bank accounts under two different names. If the man hadn’t been so greedy, he would have gotten away with it.

In Indianapolis and at other registries, each day’s photos are compared to millions of others already on file. The system constantly scans the data and presents cases that might match, requiring further investigation by registry employees.

Some of the requirements for improving facial recognition include not smiling for your picture, or smiling only as long as you keep your lips together. Other requirements meant to aid the facial recognition software include keeping your head upright (not tilted), not wearing eyeglasses in the photo, not wearing head coverings, and keeping your hair from obscuring your forehead, eyebrows, eyes, or ears.

The fact is, identity theft is a big problem due to a systematic lack of effective identification and is going to continue to be a problem until further notice. In the meantime it is up to you to protect yourself. The best defense against new account fraud is identity theft protection.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name.

2. Invest in Intelius Identity Protect. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.
It includes:

Personal Identity Profile – Find out if you’re at risk for identity theft with a detailed report of your identity information, including a current credit report, address history, aliases, and more.

24/7 Identity Monitoring and Alerts – Prevent identity theft with automatic monitoring that scans billions of public records daily and alerts you to suspicious activity.

Identity Recovery Assistance – Let professionals help you recover your identity if you ever become a victim of identity theft.

Robert Siciliano Identity Theft Speaker discussing identity theft

Judge Rules; It is legal to post Social Security numbers on Web sites

Robert Siciliano Identity Theft Expert

B.J. Ostergren is a proud Virginian. She’s known as “The Virginia Watchdog,” but I like to call her “The Pit Bull of Personal Privacy.” She is relentless in her efforts to protect citizens’ privacy, and she is primarily concerned with the posting of personal information online. So in order to make this point, she finds politicians’ personal information on their own states’ websites, and republishes that information online.

Publicly appointed government employees known as Clerks of Courts, County Clerks or Registrars are responsible for handling and managing public records, including birth, death, marriage, court, property and business filings for municipalities. Every state, city and town has its own set of regulations determining how data is collected and made available to the public.

The Privacy Act of 1974 is a federal law that establishes a code of fair information practices governing the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.

Over the years, many have interpreted this law to allow public information, including Social Security numbers, to be posted online. I’ve seen Social Security numbers for Jeb Bush, Colin Powell, former CIA Director Porter Goss, Troy Aiken, and Donald Trump, all published on the Internet.

Years ago, B.J. discovered that several states, including her home state of Virginia, were posting our records online, and she immediately saw how this could contribute to identity theft. She has downloaded as many as 22,000 Social Security numbers from deeds, mortgages and tax liens on the websites of circuit courts, registers of deeds and secretaries of state. She made a concerted effort to inform each agency that what they were doing was unethical, at the very least, and possibly even criminal. But she was often rebuked. That’s when she decided to fight back. When government agencies stopped listening, she started posting politicians’ personal information on her own website, “The Virginia Watchdog.” This certainly attracted the attention of officials, but it also created a backlash against her.

Some states resolved the issue by redacting the Social Security numbers, but Virginia did not. B.J. persisted in informing them of the problem and, as the Richmond Times Dispatch put it, “the state decided that the person who brought the problem to their attention was the problem.”

A 2008 Virginia state law prohibited disseminating information taken from public records, and thus prohibited B.J. from posting publicly available information on her own website. So legally, it was okay for the County Clerk to do it, but nobody else was allowed. U.S. District Court Judge Robert E. Payne recently ruled that this 2008 state law is a violation of First Amendment rights. It’s a win for B.J., but this doesn’t resolve the initial privacy issue.

So how does this impact you? This means that while you can do everything possible to protect yourself from fraud and identity theft, your local government may be circumventing your security efforts by posting your personal data online. B.J.’s fight has led to the resolution of some issues and prompted some states to redact data, but the battle is far from over.

Visit B.J.’s site, The Virginia Watchdog, to become more informed about one woman’s quest to point out what’s wrong and to fight for what’s right.

Next, protecting yourself from new account fraud requires a credit freeze, or setting up your own fraud alerts. This provides an extra layer of protection. In most cases it prevents the opening of new credit.

Consider making an investment in Intelius Identity Protect, because when all else fails you’ll have someone watching your back. It includes a free credit report, SSN monitoring, credit and debit card monitoring, bank account monitoring, e-mail fraud alerts, public records monitoring, a customizable “Watch List”, $25,000 in ID theft insurance, junk mail opt-out and credit card offer opt-out.

Robert Siciliano Identity Theft Speaker discussing availability of Social Security numbers

Perez Hilton is a Hater and Social Media Suffers

Robert Siciliano Identity Theft Expert

I was on CNN this week, and CNN also featured Perez Hilton, who was hired by Donald Trump to judge a beauty contest and who made hateful remarks about Miss California’s beliefs. Perez is a hateful, sardonic celebrity critic, and his actions are parallel to others who rant and hate, spew racist comments and even kill. Perez Hilton posts numerous videos of himself in the media, but he hasn’t posted this CNN video to his site, because he knows he’s wrong. He is right now downgrading the story on his own site because of the heat he is getting.

CNN invited me to discuss the murder of a young woman who was stalked and harassed via social media, specifically YouTube and Facebook. She was eventually shot and killed in her college classroom by her stalker, who then put the gun in his own mouth.

Anyone who reads this blog does so because they are intent on improving their personal safety by way of information security. With almost 50,000 reads a month on a variety of portals, I’ve come to understand the reader a bit. You guys want and need news that’s going to help save you time and money by preventing criminals and scammers from trying to take it.

I got my legs in personal security as it pertains to violence prevention. I started doing this in 1992, teaching self defense. My background as a scrawny, greasy Italian kid growing up in the Boston area, fighting my way through life and meeting other victims along the way, brought me to a place where teaching others how to protect themselves gave my life a purpose. As my business grew, I needed more technology. I also needed “merchant status,” which is the ability to accept credit cards, which led to even more technology. In the early 90s, I set up my IBM PS/1 Consultant PC with Windows 3.1 and a 150 MB hard drive, and became hooked on technology. Soon after, I was plugged into the Internet. Within weeks, my business was hacked. Thousands of dollars in orders and credit card information went out the window. Now, personal security meant self defense from a different kind of predator: identity thieves and criminal hackers.

My passion is personal security as it relates to violence and fraud prevention. It’s all encompassing. I talk about the things that mom and dad didn’t teach you. Lately, I’ve been discussing broad issues that no parent is prepared to discuss. Really, neither am I. But somebody’s got to do it.

I love technology. But it has a very dark side to it. And predators have rapidly figured that out. I’m not blaming technology for this. Just its users.

Social networking is changing the world. Everybody’s information is everywhere, and access is instant. Predators use these tools more than ever to stalk children online. Stalkers can anonymously harass and harangue women or men, and law enforcement’s hands are tied.

Anyone can post relatively anonymous rants and raves, saying anything they like with little or no repercussions. Simple online newspaper articles meant to provide information about some innocuous issue devolve into hateful rants against the author or the source, thanks to the first few comments on the thread. A single comment can lead people in this dangerous direction. Newspapers need eyeballs, so they rarely police these comments, and the public puts up with them. Hate, racism, sexism and overall ignorance permeate every online newspaper and social network. Not a day goes by that I don’t see something entirely inappropriate for public consumption.

With social media, everyone gets a say. The KKK used to be a bunch of cross burning hillbillies. Terrorists lived in caves. Militias and skinheads were small groups that held an occasional rally. Now, they have an international platform, which they use to promote their agendas and recruit believers. Lots of people have very bad things to say and it’s hurting a lot of people. Words incite. What we say leads to action. We become what we think about. If we are fed hate, we act hatefully.

Most school shooters have read the manifestos of what occurred at Columbine. Many serial killers study other serial killers. Every story we read about the Craigslist Killer and others like him reveals a bag with a knife, duct tape, rope, and wire ties. They all consume this information.

Coming from a personal security perspective, I am seeing lots of bad things happening to good people. Bad things are being said and bad things are happening. Totally unacceptable and hateful rants have become acceptable, when 10 years ago those kinds of rants would have been unheard of. Let’s get this straight, I’m no puritan. I’m certainly no saint. I’ve been there, done that, and have plenty of skeletons in my closet. I’m capable of saying anything and doing almost anything, and nothing offends me. I’ve lived a hard life and danced with the devil on plenty of occasions.

The meteoric rise of Perez Hilton is a direct sign of what’s wrong with social media and web 2.0. Web 2.0 can be used for good, or for very bad. Perez Hilton is a hateful person with an agenda. He says horrible things and uses social media as a platform to distribute his agenda no differently than a terrorist. What’s worse is that millions of people follow him. For him, it’s not “all in fun”, it’s hate.

We all need leaders to take charge. Everyone needs direction on some level. Perez Hilton leads a flock of misguided and lost souls. And he empowers them no differently than Hitler, Mussolini, Pol Pot, Saddam, Stalin, David Koresh or Jim Jones did.

Hurtful, hateful ranting isn’t freedom of speech. It’s irresponsible and it’s bad karma. It will only lead to hurt and hate. It’s okay to have beliefs, but when those beliefs have a tonality of hate and you express hate in your words, the problem mushrooms.

I spend more energy not saying what I want to say. My mother and father taught me tact. And it’s taken a lifetime to apply it, believe me. I use social media to spread what I hope is a better message, tactfully. I hope you rise against what is happening here and spread a better word. Lead. Don’t be led.

Robert Siciliano Identity Theft Speaker discussing Hate on CNN