Another Identity Theft Ring Busted

/0 Comments/in , , , , , , , , , , , , , , , , , , /by

Identity Theft Expert Robert Siciliano

The feds are getting better at busting criminals every day. Seventeen criminals, many from Eastern Europe, pilfered more than 95,000 stolen credit card numbers and $4 million worth of fraudulent transactions.

The New York Times reports the men were involved in a vast conspiracy known as the Western Express Cybercrime Group, which trafficked in stolen credit card information through the Internet and used it to create forged credit cards and to sell goods on eBay. They used digital currencies like e-gold and Webmoney to launder their proceeds.

Several of the scammers — Viatcheslav Vasilyev, Vladimir Kramarenko, Egor Shevelev, Dzimitry Burak and Oleg Kovelin — were charged with corruption. Vasilyev, 33, and Kramarenko, 31, were arrested at their homes in Prague, have been extradited to Manhattan. Shevelev, 23, was arrested in Greece last year, is still awaiting extradition. Burak, 26, a citizen of Belarus and Kovelin, 28, a citizen of Moldova have not been arrested

Vasilyev and Kramarenko recruited work from home employees to advertise and sell electronics on eBay. When someone would purchase an item, the two men would pocket the buyer’s payment, give a cut to their recruit, then use a stolen credit card number to purchase the item from a retail store and send it to the buyer. In essence, they used eBay to obtain a legitimate buyer’s credit card number through a legitimate channel and didn’t actually “hack” anything. They simply set up pseudo-fake auctions that, in most cases, delivered the product, but also obtained the victim’s credit card number and then made fraudulent charges.

Burak and Shevelev were “carders” who sold stolen credit card information on a website called Dumpsmarket and, probably, in chat rooms. “Dumps” is a criminal term for stolen credit cards and “carders” are the scammers who buy and sell them. Kovelin was a criminal hacker who stole victims’ financial information via phishing emails and more than likely used the victims’ own account information against them.

Protect yourself:

  1. Check your credit card statements often, especially after using an online auction site. Refute unauthorized charged within 60 days to be made whole by the issuing bank.
  2. Don’t just buy the lowest priced product on and auction site. Use auction sellers who have been approved my many and have a solid track record.
  3. Anytime you ever receive an email asking for personal information, credit information, banking etc, do not enter it. Just hit delete. Often victims will receive and email from a trusted source like eBay directly to their account because they have been actively engaging the fraudulent auctioneer. eBays system doesn’t recommend giving your credit card information outside their network in an email.
  4. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  5. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Identity Theft Speaker Robert Siciliano discusses a study done by McAfee on mules bilked in work-at-home scams on Fox News

Big Time Identity Theft Hackers Indicted

/1 Comment/in , , , , , , , , , , , , , , , , , , , , /by

Robert Siciliano Identity Theft Expert

ABC news and a bazillion other outlets report that a former informant for the Secret Service was one of three men charged with stealing credit and debit card information from 170 million accounts in the largest data breach in history. The former informant, Albert Gonzalez of Florida, A.K.A “Segvec”, “SoupNazi,” and “j4guar17,” whose motto was ”Get Rich or Die Tryin'” was alleged to have been the ringleader of the criminal hacking operation of a prolific network that spans over five years of serious criminal activity. Once a criminal, always a criminal.

Gonzalez and two other unidentified hackers believed to be from Russia have been charged with hacking into Heartland Payment Systems, 7-11 and Hannaford Brothers Company, Dave and Busters and TJX Corporation, which involved up to 45 million credit card numbers..

Gonzalez was originally arrested in 2003 by the U.S. Secret Service and began working with the agency as an informant. Federal investigators say they later learned that the hacker had been tipping off other hackers on how to evade detection of security and law enforcement worldwide.

Gonzalez provided “sniffer” software used to intercept the credit and debit card numbers for the Russian hackers. Sniffer software or “malware” malicious software, acts like a virus attaching itself to a network and often spreading. The software allows the criminal hacker backdoor access to all the data in the server and provides remote control functionality.

The NY Times reports according to the indictment, Gonzalez and his conspirators reviewed lists of Fortune 500 companies to decide which corporations to take aim at and visited their stores and used a technique called “wardriving” to monitor wireless networks. The online attacks took advantage of flaws in the SQL programming language, which is commonly used for databases.

Threat Level, by Wired magazine, reported that Gonzalez had lived a lavish lifestyle in Miami, once spending $75,000 on a birthday party for himself and complaining to friends that he had to manually count thousands of $20 bills when his counting machine broke.

Protect yourself;

1. You can’t prevent this type of credit card fraud from happening to you when the retailer isn’t protecting your data. Eventually credit card protection solutions will  be available. For now, protecting yourself from account takeover is relatively easy. Simply pay attention to your statements every month and refute unauthorized charges immediately. I check my charges online once every two weeks. If I’m traveling extensively, especially out of the country, I let the credit card company know ahead of time, so they won’t shut down my card while I’m on the road.

2. Prevent new account fraud.  Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

3. Invest in Intelius Identity Theft Protection and Prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Robert Siciliano Identity Theft Speaker discussing credit card data breaches and the sad state of cyber security on Fox News

Identity Theft Is Easy Over P2P

/0 Comments/in , , , , , , , , , , , , , , , , , /by

Robert Siciliano Identity Theft Expert

Peer to peer file sharing is a great technology used to share data over peer networks. It’s also great software to get hacked and have your identity stolen.

Installing P2P software allows anyone, including criminal hackers, to access your data. This can result in data breaches, credit card fraud and identity theft. This is the easiest and, frankly, the most fun kind of hacking. I’ve seen numerous reports of government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked.

The Register reports that a Washington state man has been sentenced to more than three years in federal prison after admitting to using file-sharing program LimeWire to steal tax returns and other sensitive documents. He searched LimeWire users’ hard drives for files containing words such as “statement,” “account,” and “tax.pdf.” He would then download tax returns, bank statements, and other sensitive documents and use them to steal identities.

I did a story with a Fox News reporter and a local family who had four kids, including a 15-year-old with an iPod full of music, but no money. I asked her dad where she got all her music and he replied, “I have no idea.” He had no idea that his daughter had installed P2P software on the family computer and was sharing all their data with the world. The reporter asked me how much personal information I could find on the P2P network in five minutes. I responded, “Let’s do it in one minute.”

There are millions of PCs loaded with P2P software, and parents are usually clueless about the exposure of their data. P2P offers a path of least resistance into a person’s computer, so be smart and make sure you aren’t opening a door to identity thieves.

  • Don’t install P2P software on your computer.
  • If you aren’t sure whether a family member or employee has installed P2P software, check to see whether anything unfamiliar has been installed. A look at your “All Programs Menu” will show nearly every program on your computer. If you find an unfamiliar program, do an online search to see what it is you’ve found.
  • Set administrative privileges to prevent the installation of new software without your knowledge.
  • If you must use P2P software, be sure that you don’t share your hard drive’s data. When you install and configure the software, don’t let the P2P program select data for you.
  • Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name.
  • And invest in Intelius identity theft protection. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses P2P hacks on Fox.

A Glorious Week of Identity Theft

/0 Comments/in , , , , , , , , , , , , , , , , , /by

Robert Siciliano Identity Theft Expert

If there was ever a week to get high, totally drunk, on information security and identity theft scammers and hackers, then this is it! Media outlets everywhere have been pumping out story after story of data breaches, identity theft, criminal hackers and indictments! Yeah team! For a criminal hacker groupie, this is Woodstock!

Dark reading reports Eight defendants were arraigned in a Brooklyn court for allegedly using the stolen identities of AT&T, T-Mobile, and Asurion customers to steal some $22 million worth of wireless equipment and services. An indictment was unsealed in Brooklyn federal court yesterday morning charging Courtney Beckford and seven other defendants. When identity theft defendants named Courtney, Gabe, Marsha, Saul and Ron are involved in a $22 million identity theft scheme, then you know it’s just a matter of time until someone named Britney or Brad will get busted too! It’s the identity theft apocalypse!

ABC News reports that a former informant for the Secret Service was one of three men charged with stealing credit and debit card information from 170 million accounts in the largest data breach in history. The former informant, Albert Gonzalez of Florida, A.K.A “Segvec”, “SoupNazi,” and “j4guar17,” whose motto was ”Get Rich or Die Tryin’” was alleged to have been the ringleader of the criminal hacking operation of a prolific network that spans over five years of serious criminal activity.

Information week reports in the first half of 2009, the number of computer users affected by malware engineered to steal personal information has risen by 600% compared to the January through June period in 2008, according to PandaLabs. In quantitative terms, Panda reports identifying 391,406 computers infected with identity-theft malware in the first six months of the year. Identity thieves are also seeking sensitive information through a more diverse set of targets. Where previously financial data thieves focused on spoofing online bank sites to dupe users into entering login information, they have recently been targeting a variety of services where payment account information may be stored or entered, like PayPal, Amazon, eBay, or charity sites.

Cnet reports Rogue Facebook apps steal log-in data, send spam. Security firm Trend Micro warned on Wednesday that a handful of rogue Facebook apps are stealing log-in credentials and spamming victims’ friends. So far, six malicious applications have been identified: “Stream,” “Posts,” “Your Photos,” “Birthday Invitations,” “Inbox (1),” “Inbox (2)” according to a blog post by Trend Micro researcher Rik Ferguson. The activity started earlier in the week with a Facebook notification Ferguson says he got from an app called “sex sex sex and more sex!!!,” which has more than 287,000 fans. The notification said that someone had commented on one of his posts. That app doesn’t appear to be malicious and may have been compromised somehow to begin the distribution of the spam, he said.

USA Today reports Hackers harness Twitter to do their dirty work.  A cyber gang has begun experimenting with setting up free Twitter accounts, then sending out Tweets from the popular micro-blogging service that are really coded instructions to botted PCs to carry out criminal activities. Anti-virus maker Symantec has isolated several samples of infected PCs carrying a unique new infection, dubbed “Sninfs.”

The PCs most likely got infected when their users unwittingly clicked to a tainted web page or on a corrupted link carried in an email or social network message, says Marc Fossi research and development manager at Symantec Security Response.

Protect yourself;

Don’t just sit back and get hacked. Arm yourself with anti-virus that runs automatically in the background and prevents “Courtney, Marsha and SoupNazi” from stealing your identity. Pick up McAfee’s Total Protection software and take control of your PC security.

Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano identity theft speaker discussing the sad state of cyber security on Fox News and check washing and campus security on ABC News.

Social Media Banned, Creates Identity Theft Risk

/0 Comments/in , , , , , , , , , , , , , , /by

Robert Siciliano Identity Theft Expert

The Marines recently banned soldiers from using social media sites such as MySpace, Facebook and Twitter. This is for two reasons. First, because they fear that these sites’ lack of security may allow malware to infiltrate government computers. And second, they’re concerned about the potential for leaked military data. Military personnel are often prohibited from informing friends and family of their locations or missions, regardless of whether they’re communicating with handwritten letters, email, or the telephone. These measures are necessary to prevent leaks that would impede the soldiers’ missions and safety.

It’s no surprise that they have now banned social media.  I recently reported on Sir John Sawers, the incoming head of MI6, the British equivalent of the CIA. His wife posted sensitive personal information to her Facebook page, including the address of the couple’s London apartment and the locations of their children and Sir John’s parents. Military personnel should held to a higher standard. We are talking about national security here, and we can’t risk leaks that could jeopardize lives.

Anyone who thinks this is absurd need only look at sporting events for confirmation of why this type of communication should be banned. Every time I watch a baseball or football game, when I see the coaches talking to players, or the pitcher talking to the catcher, they cover their mouths with a hand, glove or paperwork. Why? Because there are thousands of “lip readers” watching the event who are happy to report on what was just said in order to give the opposing team an advantage. You’d think after all these years covering their mouths, lip readers would just give up. But no, that’s not the case at all. There’s always someone watching, waiting, hoping for someone to screw up so they can give the other team an advantage.

Today, social media gives scammers an advantage. Somebody is always watching and waiting for an opportunity. Social media is built on trusting relationships. Scammers can exploit that trust to gather information that could be used in password attacks. If you ever forget your password and have to reset it, the answers to several of the security questions might already be available in your profile. And in many cases, the default privacy settings leave profiles open to anyone.

Security professionals were able to create a virus called ZombieSmiles, which gains control of the victim’s browser and allows the hacker to access supposedly private data through the Facebook API, including friends, groups, wall postings and applications. Facebook applications allow a third party to access your data, which opens a Pandora’s box of possibilities for hackers. So if you send me a Facebook application and I refuse, it isn’t because I’m being rude, it’s because I think that the potential risks simply outweigh the benefits. No offense. I just don’t want my identity stolen.

If you use social media and regularly update your status or profile with pictures, video, or information about your whereabouts or daily routines, please keep the following advice in mind:

  1. Before you post anything online, think about what a hacker, stalker, employer, or potential employer could do with that data. Could an ex, who’s fighting for custody, use the data against you in court?
  2. Don’t give away specifics. Don’t post your address, date of birth, kids’ names, pets’ names, phone numbers, or any account numbers or financial information of any kind. You really shouldn’t even post childrens’ photos online.
  3. Do not tell the world you are going on vacation! Or if you’re just going to dinner or the beach and won’t be at your house for several hours, why would you let potential burglars know that you’re away?
  4. If you’re a “partier” and like to imbibe, informing the world that you just smoked a joint is not only one of the worst things you could do for your career, it also makes all your friends guilty by association. And don’t announce that you’re hungover, because after the age of 23, you ought to know better.
  5. Before posting pictures or videos, consider what a criminal or potential employer might see. Could they be used against you in any way?
  6. If you let your kids use social media, you must monitor every aspect of their Internet activities. Pick up McAfee’s Family Protection software and take control of your childrens’ Internet use.
  7. Take advantage of privacy settings and lock down your profile, so that only those who you approve can view everything.
  8. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  9. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano Identity Theft Speaker discusses a Facebook Hack on CNN

Identity Theft Attempt at Defcon

/0 Comments/in , , , , , , , , , , , , , /by

Identity Theft Expert Robert Siciliano

Hackers hacked hackers at the annual Defcon conference in Las Vegas this past weekend. Defcon is a conference for hackers of all breeds. There are good guys, bad guys, those who are somewhere in between, plus law enforcement and government agents. All kinds of inventive people with an intuition for technology decend on Las Vegas to learn, explore, and hack.

At this year’s Defcon, someone planted a real, rigged, malicious ATM right outside the security office of the Riviera Hotel and Casino. For some reason, the area outside the security office doesn’t have any security cameras, which made it an easy place to attempt a scam. Scams like this are common in Las Vegas, due to the city’s transient nature and frantic pace. Everyone is looking for a quick buck, and what better place to pull of an ATM scam than Vegas?

ATM skimming comes in two flavors. In the first scenario, a device called a “skimmer” is placed on the face of an operational ATM. When a card is swiped, the skimmer records the data on the card, and a hidden camera generally records the PIN. Usually, money is dispensed. In the second scenario, a used ATM is rigged to record data, and placed in a public area. These ATMs are only semi-operational, and do not dispense cash. This is the type of ATM that was found in Las Vegas.

A conference attendee uncovered the scam when he attempted to use the machine and recieved an error message. Upon further investigation, a computer was discovered where the security camera should have been. The computer was recording all the victims’ details. That’s when the alarm was sounded and the area became a crime scene.

You can protect yourself from these types of scams by paying attention to your statements. Refute unauthorized transactions within 60 days. Consider never using a debit card again, since credit cards are safer. When using an ATM, pay close attention to details, and look for anything that seems out of place. If your card gets stuck in the machine or you notice anything odd about the appearance of the machine, such as wires, double sided tape, error messages, a missing security camera, or the machine seems unusually old and run down, don’t use it. Don’t use just any ATM. Instead, look for ATMs in more secure locations. (Of course, just outside the security office isn’t exactly the middle of nowhere, so always be alert.) Use strong PINs, with both upper and lowercase letters, as well as numbers. And invest in Intelius Identity Theft Protection and Prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano Identity Theft Speaker discussing ATM skimming on Fox News

Government Officials Contributing to Identity Theft

/0 Comments/in , , , , , , , , , /by

Robert Siciliano Identity Theft Expert

Government officials are posting our Social Security numbers on the web, but corporations are required to keep them under lock and key.

Congressman Robert Wexler was recently targeted by a Ghanaian extortionist who supposedly obtained Wexler’s Social Security number, as well as his wife’s, from a public record posted at The Virginia Watchdog. Betty Ostergren, founder of The Virginia Watchdog, has spent the past seven years trying to put an end to the public exposure of our Social Security numbers, which are often posted online by elected or appointed state government officials. Virginia and other states apparently want this personal information online, since they have yet to pass any laws mandating the removal of Social Security numbers.

State officials posts these records online because they are public records. This is already happening in every state. Records containing extensive personal information are available on the Internet, and the elected officials that post this information put individuals at risk by failing to remove or black out Social Security numbers and other sensitive data.

The fact that Congressman Wexler and his wife were extorted should not be the big story. The big story should be the fact that these records, with Social Security numbers exposed, are made available on the Internet, thanks to elected officials.

Betty Ostergren recently found the same documents for one major U.S. corporation and their top brass on twelve different state government websites. The same list of Social Security numbers and home addresses for the top executives appeared on government websites in in Arizona, Colorado, Florida, Indiana, Iowa, Kentucky, Massachusetts, Michigan, Mississippi, New Hampshire, North Carolina, and South Dakota. And each year that the company filed a report within those states, the same 40+ Social Security numbers showed up on the documents, which are available to anyone in the world. (North Carolina did unsuccessfully attempt to redact the numbers.) The Social Security numbers of many top executives from many corporations are available on the Internet, on public records published on state websites. And so are the Social Security numbers of plain old Joe Shmoes, too. But most of them don’t realize it, and when their identities are compromised, they’ll wonder how their Social Security numbers got into the wrong hands.

We live in an ignorant country, where people pay more attention to sports and entertainment than the actions of our legislators.

Go to The Virginia Watchdog and read everything you can to become fully informed about the identity theft crisis fueled by public records.

1. Prevent new account fraud.  Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius Identity Theft Protection and Prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Robert Siciliano Identity Theft Speaker discussing Social Security numbers on Fox News

Identity Thieves Gather Data From Social Networks

/1 Comment/in , , , , , , , , , , , , /by

Robert Siciliano Identity Theft Expert

There’s a lot of excessive trust in the Facebook world. People have entirely dropped their sense of cynicism when logged on. Apparently, they see no reason to distrust. Generally, your “friends” are people who you “know, like and trust.” In this world, your guard is as down as it will ever be. You can be in the safety of your own home or office, hanging with people from all over the world, in big cities and little towns, and never feel that you have to watch your back.

PC World reports that a third of social networkers have at least three pieces of information posted on their pages that could lead to identity theft. Names, addresses, birth dates, mothers’ maiden names, kids’ names, pets’ names and phone numbers are among the various types of data that could help a criminal piece together your identity. Social networkers are simply making it too easy for thieves.

Almost 80% of those polled are concerned about privacy issues on social networks, yet almost 60% are unaware of what their privacy settings are and who can see their data. One third of social networkers admitted that they use the same password for all their social networking accounts.

Most social networks have privacy settings that many users never venture to manage. It is imperative to spend a few minutes and lock down your profiles so they can’t be seen by everyone in the world.

It is not unusual for a potential identity thief to “friend” a potential victim. The thief poses as someone the target may know, or someone who is known within the target’s social circle. Once the thief has been accepted as a friend, he or she is in the target’s inner circle and gains a great deal of insight into the target’s daily life.

People often try to “friend” me, and I can see that they are “friends” with people I know. But I don’t know them. And the mutual friends often tell me that they don’t know the person, but were “friends” with someone else they knew, and they accepted based on that! That’s nuts! Next thing you know, they are trolling through your “friends” and befriending people in your network, who accept based on their trust in you! Dizzy yet? The point is, stop the madness! Don’t allow these trolls into your life. Mom told you not to talk to strangers. I’m telling you not to “friend” strangers, because they could be scammers.

Scammers are watching. They know that once they are on Facebook, your guard goes way down.

Regardless of all this craziness protect your identity.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius Identity Theft Protection and Prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Includes;

Personal Identity Profile – Find out if you’re at risk for identity theft with a detailed report of your identity information, including a current credit report, address history, aliases, and more.

24/7 Identity Monitoring and Alerts – Prevent identity theft with automatic monitoring that scans billions of public records daily and alerts you to suspicious activity.

Identity Recovery Assistance – Let professionals help you recover your identity if you ever become a victim of identity theft.

Robert Siciliano Identity theft speaker discusses Facebook scams on CNN

Web Based emails Insecurity Leads to Identity Theft

/0 Comments/in , , , , , , , , , , , , , , /by

Robert Siciliano identity theft expert

I recently appeared on Fox and Friends to discuss email hacking. Dave Briggs, a FOX & Friends Weekend co-host, lost access to his Hotmail email account when hackers were able to guess either his password or his qualifying question. (He admitted that his password was not as strong as it should have been.) The hackers locked Briggs out of his own account and spammed all of his contacts with a fraudulent email that appeared to be written by Briggs himself, claiming that he was trapped in Malaysia and requesting that someone help him by transferring money via Western Union. Only after persistently contacting Hotmail administrators was Briggs able to regain control of his own email account.

Twitter was targeted by a similar hack, which led to a data breach. It is likely that the hacker guessed the answer to a Twitter employee’s security question and reset the employee’s password. On Wednesday, Twitter co-founder Biz Stone blogged, “About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked. From the personal account, we believe the hacker was able to gain information which allowed access to this employee’s Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company.”

And of course, Sarah Palin’s Yahoo email account was hacked into last year, during the presidential campaign. The hacker explained how easy it was in Wired.

Web-based email rocks! Since you’re no longer tethered to a PC-based client, you can access your email from anywhere. And all the data saved in your email account will be safe if your PC crashes. Many web-based email providers offer gigabytes of free storage and other useful tools like documents, RSS readers, and calendars. Life in the cloud is easier and more convenient. But is it secure?

PC Pro reported on a study run by Microsoft Research and Carnegie Mellon University, which measured the reliability and security of the questions that the four most popular webmail providers use to reset account passwords. AOL, Google, Microsoft, and Yahoo all rely on personal questions to authenticate users who have forgotten their passwords. The study found that the “secret questions” used by all four webmail providers were insufficiently reliable authenticators, and that the security of personal question appears much weaker than passwords themselves. Yahoo claims to have updated all their personal questions in response to this study, but AOL, Google, and Microsoft have yet to make any changed.

Once a hacker has your email address, he or she can simply go to the “forgot password” section of your email provider’s website and respond to a preselected personal question that you answered when signing up for the account. With a little research, the hacker has a good shot at finding the correct answer.

Some of the current questions could be answered using information found on a user’s social networking profile, or through a website like Ancestry.com or Genealogy.com. Some answers might be found in the user’s trash. Some questions seek opinions, rather than facts. For example, “Who is your favorite aunt?” requires an opinion in response, but if a hacker knew the names of all your aunts, he or she could enter them all one by one. Some questions would be more difficult to answer. Unfortunately, if you signed up for your web-based email account over a year ago, before these email hacks became more common, your questions may be even easier to answer.

Gmail’s current personal questions are:

  • What is your frequent flyer number?
  • What is your library card number?
  • What was your first phone number?
  • What was your first teacher’s name?
  • Write my own question

Yahoo’s current personal questions are:

  • What is the first name of your favorite uncle?
  • Where did you meet your spouse?
  • What is your oldest cousin’s name?
  • What is your oldest child’s nickname?
  • What is the first name of your oldest niece?
  • What is the first name of your oldest nephew?
  • What is the first name of your favorite aunt?
  • Where did you spend your honeymoon?

I suggest that you check out the “forgot password” section on your own web-based email account, to see your current personal question. If it’s easy to answer, or would only require a little research to solve, update the question with one that you create based on opinion, as opposed to fact. And keep in mind that most people list “pizza” as their favorite food and “liver” as their least favorite. So be creative. You should also beef up your password. Combine uppercase and lowercase letters, as well as numbers. Don’t use consecutive numbers, and never use names of pets, family members, or close friends.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius Identity Theft Prevention and Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Includes;

Personal Identity Profile – Find out if you’re at risk for identity theft with a detailed report of your identity information, including a current credit report, address history, aliases, and more.

24/7 Identity Monitoring and Alerts – Prevent identity theft with automatic monitoring that scans billions of public records daily and alerts you to suspicious activity.

Identity Recovery Assistance – Let professionals help you recover your identity if you ever become a victim of identity theft.

Robert Siciliano, identity theft speaker, discusses hacked email on FOX & Friends.

ATM Fraud Increases Identity Theft Risk

/3 Comments/in , , , , , , , , , , , , , , , , , , , /by

Robert Siciliano Identity Theft Expert

A spate of recent news reports highlight growing ATM fraud. Law enforcement in New York City reported a gang had stolen $500,000 from bank accounts via ATM skimming. They installed cameras and skimming devices on the machines, and recorded the magnetic strips and the PIN numbers.

A recent survey points towards ATM fraud rising 5-9 percent. Seventy percent of those poled experienced a jump between 2007 and 2008. Many of the large data breaches that have occurred over the past few years may have contributed to the fraud.

It’s simple enough to hack into a database and compromise cards and pins. It’s even easier to affix hardware to the face of an ATM machine and do the same. Once the data is compromised the identity thieves clone cards and turn the data into cash as quickly.

Bankinfosecurity.com recently published “7 Growing Threats to Financial Institutions”. This post is a play on that; “7 Growing Threats to You”

#1 Skimming; Hardware readily available online that is attached to the face of an ATM records user card information and pin codes. In this case you may still be able to perform a transaction.

#2 Ghost ATMs; A card reader is blocked off and replaced with hardware that supersedes the machine and records all your data without allowing a transaction. The machine reads “Can’t complete transaction”.

#3 Dummy ATMs; In some cases an ATM is bought off of eBay (do a search) or elsewhere and installed anywhere there is foot traffic. The machine is set up for one purpose; read data. The machine might be powered by car batteries or plugged in the nearest outlet.

#4 Ram Raids; ATMs built into a wall or stand alone are being rammed by a truck and/or wrapped with chain and pulled out then loaded onto a truck. Once removed the thieves blow torch the machine taking the cash. This is a hot topic in Mexican banks, buy certainly happens everywhere. A bank would be smart to install battery backed GPS in any machine.

#5 PIN ID’s; Sophisticated criminal hackers break into a database or skim magnetic strips. They then go to an online banking site with a hacking software that plugs in various well known PINs. These PINs might be consecutive numbers, peoples names, pets names, birthdates, or other various simple pass phrases people use. When it finds a match it gives the criminal access to your account.

#6 Automated PIN Changes; Criminals go through the banks telephone banking system to change the customers PIN. They may try to change the customers ANI (Automatic Number Identification) is a system utilized by telephone companies to identify the DN (Directory Number) of a caller. This might be accomplished via “Caller ID Spoofing”. They use publicly available data on the card holder such as name, card account number and last four digits of the social security number to “verify” them as the banks customer.

#7 SMS Attacks; AKA Smishing or Phexting – phish texting. Customers receive a text from a bank on their smartphone requesting login information.

#8 Malware or Malicious Software; Researchers found a virus that specifically infects ATMs and takes over the machine logging card numbers and pins.

How to protect yourself;

First and foremost; Pay attention to your statements every two weeks. Refute unauthorized transactions within a 30-60 day time frame.

1. Pay close attention to everything you do at an ATM. Look for “red flags”, anything out of place. If your card sticks, odd looking configurations on the ATM, wires, two sided tape.
2. Use strong PINs, uppercase lower case, alpha and numeric online and when possible at an ATM and for telephone banking.
3. Don’t reply to phishing or phexting emails. Just hit delete.
4. Don’t just use “any” ATM. Choose ATMs at locations that are “more secure” than in the middle of nowhere.
5. Make sure your McAfee anti-virus is up to date.
6. Invest in Intelius identity theft protection and prevention. Because when all else fails its good to have someone watching your back.

Robert Siciliano Identity Theft Speaker discussing ATM skimming