Biggest Botnet Goes Bust

/in , , , , , /by

Robert Siciliano Identity Theft Expert

News of the Spain based Mariposa botnet reveals close to 13 million Zombie PCs in more than 190 countries affected.  Further investigation determined half of the Fortune 1000 companies had PCs on the Bot. Three men have been arrested and a 4th is sought. The sole purpose of the Bot was to gather user names and passwords for banks and email services.

In an example of good vs. evil, whitehats vs. blackhats, representatives from US and Canadian based corporations, along with the FBI and Spain’s Guarda Civil took down the Boat after almost 10 months of investigations.

The Register reports Mariposa (Spanish for butterfly) botnet malware spread through P2P networks, infected USB drives, and via MSN links that directed surfers to infected websites. Once infected by the Mariposa bot client, compromised machines would have various strains of malware installed (advanced keyloggers, banking trojans like Zeus, remote access trojans, etc) by the hackers to obtain greater control of infected systems”.

There are more than 70 types of malware, each doing something different, all in the name or stealing data. Mariposa’s technology was built on the “Butterfly” botnet kit, which is available online. This crimeware doesn’t require the criminal hacker to be highly skilled.

The criminals in this operation ran the Bot through anonymous virtual private network servers which made it impossible for law enforcement to trace back to the ringleaders. But in December of 2009, the Bot was dismantled by authorities who targeted the Bot’s control centers.

When this event unfolded, the Bots controller, a man dubbed “Netkairo” used his home PC to try and regain control of the Bot which revealed his internet protocol address, which is connected to his home address. This led to his capture. Nice job guys! This is a great plot for a movie! I want to be the dude who sees Netkairo’s IP address and busts him in a high speed chase after he flips his car. Just sayin’.

The problem of Botnets persist. There could be thousands out there with untold millions of Zombie PCs infected.

Becoming a Zombie and part of a Botnet happens to PCs that aren’t properly secured, coupled with user behavior that invites attacks.

If you are surfing porn all day or gaming on distant websites in foreign countries then you are at a higher risk.

Downloading files from P2P sites or seeking software cracks or pirated content is also risky. Remember, there is no honor among thieves.

Computers that are old and have outdated unsupported operating systems like Wind 95/98/2000 are extremely vulnerable.

Systems using older outdated browsers such as IE 5, 6 or older versions of Firefox are the path of least resistance.

THEREFORE:

Update your operating system to XP SP3 or Wind 7. Make sure to have automatic updates for anti-virus. Don’t engage in risky web-based behaviors.

AND:

Protect your identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Get my book as an iPhone App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Botnets on CBS Radio.

Pay-at-the-Pump Skimming Using Bluetooth

/in , , , , /by

Robert Siciliano Identity Theft Expert

Skimming data off of debit and credit cards has been happening at ATMs, gas pumps and electronic funds transfer point of sale terminals for quite some time.

When criminals plant skimming devices, they have to physically attach a skimming device that fits over the face of the ATM’s card slot. Then they install a small camera that shoots video of the pinpad which allows them to extract user PIN codes. The camera is often housed inside of a brochure holder or little box that may have a mirror glued to its face. The mirror is made to loom like a security feature preventing shoulder surfing.

Once the criminals attach the devices, they have to wait it out for someone to then use the ATM or gas pump before they can remove the device and download the data. It is in the best interest of the criminal to leave the skimmer on the machine for as long as possible to skim as many cards as possible. Because every time the skimmer is removed and replaced it becomes another opportunity for the thief to get caught or for something to go wrong.

In Utah, a group of criminals one-upped other ATM scammers by installing Bluetooth enabled skimming devices that broadcast the skimmed data to a nearby storage devise, probably a laptop. Bluetooth’s range can be just a few feet to as much as a city block. So the criminals had to be in a car nearby.

What makes these devices even more sophisticated is that they skim the card data and grab the PIN code via the all-in-one combo skimmer and PIN pad device affixed to the face of the pump.

This entire process allows the criminal to steal data on demand and immediately turn it into cash. Further, it provides the criminal with the freedom to decide whether or not they want to retrieve the skimming device, thereby lessening their chances of being caught.

You can’t protect yourself from this kind of skimmer by covering your PIN entry due to the fact that the device is the PIN pad. So if you use a device like this you may be screwed. Ultimately, you must pay close attention to your statements. Also, pay close attention to details, and look for anything that seems out of place. Refute unauthorized transactions within 60 days. Check with your bank to determine what their timeframe is to refute unauthorized withdrawals. In some cases it can be as early as a week.

Protect your identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Get my book as an iPhone App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Pay-at-the-Pump skimming on Fox News.

Hacking Humans Naiveté

/in , , , , /by

Robert Siciliano Identity Theft Expert

Naiveté: A lack of sophistication or worldliness. That sums up a lot of people I know. “There’s a sucker born every minute” is a phrase often credited to P.T. Barnum (1810 – 1891), an American showman. It is generally taken to mean that there are (and always will be) a lot of gullible people in the world.

Predator: A predator is an organism that feeds on another organism. That also sums up a lot of people I know. I observe them in person and in the news daily.

There are many ways how, and motivations why, a predator stalks their prey. Often it is just their nature to do so. Control and money top the list of motivations.

In the world of Information Security the “how” is “social engineering”.

Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques (essentially a fancier, more technical way of lying).

Social engineering or “social penetration” techniques are used to bypass sophisticated and expensive hardware and software in a corporate network. Smart organizations train their employees to be aware of and resist the most common attempts to trick them into letting down their guard.

The Register reports that pentesters, a.k.a ethical hackers, “regularly send client employees emails informing them that the strength of their login passwords is being tested through a new website. They are then instructed to follow a link and enter their credentials. The success rate: as high as 50 per cent.”

As the article points out, humans have a tendency to trust one another. It’s a survival instinct built on millions of years of evolution. “When one person saw that a group of his peers ate a particular berry and didn’t die, he ate the same fruit – and survived as a result.” That’s trust, and it’s exploitable.

This is where we throw around words like “naïve” and “sucker.” You don’t really need to be naïve, a sucker or stupid to respond to emails like this. Really, you just need to be nice, helpful and trusting.

I found a website called “Hacks4Sale” (a site which Norton Internet Security deems unsafe, so go there at your own peril) which employs similar tactics, but they claim are for different reasons:

A very large portion of our clients are the victims of spousal infidelity, nowadays the primary means people employ to communicate with their lover are e-mails and social networking websites, both of witch we can help you gain access to through our software. Our software solutions enable our clients to retrieve (no physical access to the user’s computer is required) the login credentials to accounts at all the major e-mail and social networking providers (Yahoo,Gmail,Hotmail,Myspace,Facebook and many others).

Recognize that the predator uses these tactics to get what they seek. They will stop at nothing and consider you their natural prey.

Always question authority or those who claim authority.

Don’t automatically trust or give the benefit of the doubt.

When the phone rings, an email comes in or you are approached, proceed with caution.

Protect your identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Get my book as an iPhone App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing identity theft on Fox News.

Biometrics: To Be or Not to Be?

/in , , , /by

New Hampshire, USA. “Live Free or Die,” baby. The official state motto emblazoned on every NH license plate has always intrigued. The thought of someone from NH might bring to mind revolutionaries or America militia sympathizers. New Hampshire has come a long way since its motto was created in 1945 and is not much different than most states today.

I live in Boston, one click south of Newy, and all those NH people work in Boston. I see them every day driving their fancy new fanlge auto-mo-biles with their fancy stereo phonic systems. Pleeeze. If any state should adopt the “Live Free or Die” motto it’s Montana, USA. I’ve been to MT bunches of times. They sell guns and beer and fishing rods and meat at gas stations.  NH ain’t gut nuthin’ on MT.  Plus MT had Evel Knievel and he lived in Butte. Now that’s a” Live Free or Die” town.

But it comes as no surprise that Newy is back to its shenanigans again and acting out of concerns for residents’ privacy. The New Hampshire Legislature is considering a bill that would ban the use of biometrics data in identification cards. “Acting out” being the operative term. Or are they rightfully concerned?

As noted in SC, “The bill would prohibit biometrics data, including fingerprints, retinal scans and DNA, from being used in state or privately issued ID cards, except for employee ID cards. In addition, it would ban the use of ID devices or systems that require the collection or retention of an individual’s biometric data. Under the bill, biometric data would also include palm prints, facial feature patterns, handwritten signature characteristics, voice data, iris recognition, keystroke dynamics and hand characteristics.”

That doesn’t leave much left. Why don’t they just ban them-thar fo-toe-grafs too? Come on NH, the world has evolved beyond cow tipping and flaming bags of poop on your neighbor’s door step.

In response, the Security Industry Association stated “SIA firmly believes that the broad restrictions proposed by [the bill]… reflects a significant misunderstanding of the security features and privacy safeguards of this widely-adopted technology,”

I’d say that’s more than a misunderstanding. Some believe biometrics to be the “Mark of the Beast”.

“Some have suggested biometrics, themograms, or bodily ID systems, such as iris scans, fingerprints, voice patterns, facial features, etc. as the mark of the beast. Biometrics ID could not be the mark of the beast because the mark of the beast is something you “receive“. An iris scan, voice scans, fingerprints, biometrics are NOT something you receive. It’s simply part of a person’s bodily features. In this case, every one would “have” the “mark”.”

With this kind of resistance to security, it’s amazing we get anything done. Biometrics is not an invasion of privacy. I also doubt the devil plays any role in them either. They are a tool to identify. Could they be abused? Yes. Should we be concerned? Of course. Should we ban them? Of course not.

In other parts of the world effective identification is actually embraced. Privacy concerns seem to take a back seat to security interests.

Effective use of biometric data could have prevented the apparent theft of Anglo-Israelis’ identities, MK Meir Sheetrit (Kadima), the architect of the country’s Biometric ID Law, and a former minister of intelligence services, told The Jerusalem Post” This statement is in reference to a mess of a story regarding an assassination and the use of fake passports. The Register states that “all passports now issued contain ‘biometric’ details “which are unique to you – like your fingerprint, the iris of your eye, and your facial features”. In addition, “the chip inside the passport contains information about the holder’s face – such as the distances between eyes, nose, mouth and ears” which “can then be used to identify the passport-holder”.

And they were tampered with, which means a failure of epic proportions. So, is NH right?

Meanwhile, CNN reports “in the name of improved security a hacker showed how a biometric passport issued in the name of long-dead rock ‘n’ roll king Elvis Presley could be cleared through an automated passport scanning system being tested at an international airport. Using a doctored passport at a self-serve passport machine, the hacker was cleared for travel after just a few seconds and a picture of the King himself appeared on the monitor’s display.”

Some stuff to chew on. Identity Proofing is the “ultimate” solution. Identity proofing simply means proving that individuals are who they say they are. Identity proofing often begins with personal questions, like the name of a first grade teacher or the make and model of a first vehicle that only the actual person would be able to answer. Of course, this technique is not foolproof, and now that personal information is so readily available over the Internet, knowledge-based authentication is probably on its way to extinction. The next step is documentation, such as a copy of a utility bill or a mortgage statement. These types of identifying documents can be scavenged from the trash, but they are more effective proof when combined with personal questions. Biometric features, such as fingerprints or iris scans, can help further authenticate an individual’s identity.

Authentication is the ability to verify the identity of an individual based on their unique characteristics. This is known as a positive ID and is only possible by using a biometric. A biometric can be either static (anatomical, physiological) or dynamic (behavioral). Examples of each are: Static – iris, fingerprint, facial, DNA. Dynamic – signature gesture, voice, keyboard and perhaps gait. Also referred to as something you are.

Verification is used when the identity of a person cannot be definitely established. Technologies used provide real time assessment of the validity of an asserted identity. We don’t know who the individual is but we try to get as close as we can to verify their asserted identity. Included in this class are out of wallet questions, PINS, passwords, tokens, cards, IP addresses, behavioral based trend data, credit cards, etc. These usually fall into the realm of something you have or something you know.

Allz I know is we guts to do something to fix this thing.

Protect your financial identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Assassin or Identity Theft Victims?

/in , , /by

It made a little buzz in the States, but over in  Dubai, as more details become available about the assassination of senior Hamas terrorist Mahmoud al-Mabhouh in Dubai, it is becoming apparent to some (depending on which side of the wall you live on) that the assassins stole the identities of several Israelis carrying foreign passports.

Apparently, the purported identity theft stems the accessibility of passport data from Israelis who hold dual citizenship from Israel, Britain, Australia and other countries. “Six more Britons had their passports cloned by the killers of a senior Hamas official, “ Dubai police said yesterday as they revealed a total of 15 new suspects in the assassination. One of the victims/accused assassin stated “I was in total shock. I don’t know what’s happening – I don’t know how they got to me or my information. I haven’t left the country in about two years, and I’ve never been to Dubai. I don’t know who was behind this. It’s just scary, because powerful forces are involved in this.”

The Dubai police went ahead and released information on 26 suspects in the assassination. The pictures of the suspects were also released. One of the accused, after his mother saw him on the news stated, “Even my mother asked if I’d been abroad.”

Freaky Stuff.

I was interviewed in a yet to be released AP story from Jerusalem about how something like this can happen. It seems simple to me. If in fact the accused are what I would label as criminal identity theft victims, then we are all susceptible to this type of crime. I’ve always believed this to be the scariest of all identity theft and if the above story concludes as factual, then it’s a perfect example.

In the USA, we have as many as 200 forms of ID circulating including passports from state to state, plus another 14,000 birth certificates and 49 versions of the Social Security card. These are paper and plastic documents that can be recreated with a PC, scanner, printer and laminator. We use numerical identifiers that aren’t physically associated with us. Pictures are attached to some documents that may not look like us. Especially if there are eye glasses involved, beards, hair coloring or hair removal, weight gain or loss. Some identification documents are absent of a photo.  This is not effective authentication. World wide, the system isn’t much more secure.

This is criminal identity theft waiting to happen.

At least protect your financial identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker video hacking P2P getting lots of fun data.

The $6.75 Million Dollar Laptop

/in , , , , , , , /by

Robert Siciliano Identity Theft Expert

Dan Yost Chief Technology Officer of MyLaptopGPS brought attention to the Ponemon Institute, with sponsorship from PGP, has released their “Fifth Annual U.S. Cost of Data Breach Study.” As usual, the report is a treasure trove of great data (just like most people’s laptops are).

The average cost per breached data record rose $2 in 2009, to $204. That’s actually not too bad. The average cost of a breach was $6.75 million, compared to $6.65 million in 2008.

PC World has a good article to summarize, and thanks to lyger at DataLossDB for the pointer.

Not very many businesses are taking serious note of the fact that, on average, they have $6.75 million laptops walking around out there. For those who are, our hats are off.

Here’s an interesting excerpt:

“Overall, 42% of all cases in the Ponemon data-breach study involved third-party mistakes and flubs. In addition, more than 82% of the cases in the Ponemon study were organizations that had more than one data breach in 2009 involving the loss or theft of more than 1,000 records containing personal information. At about 40% of the companies that participated in the study, the chief information security officer (CISO) was in charge of managing the response related to the data breach.”

And how about the maximum data breach cost in the study? $31 million.

That’s a rather expensive laptop, and probably worth a few dollars to protect instead. (Note: the breach may actually have been the result of something other than a lost/stolen laptop, such as a network break-in).

The least expensive breach? $750,000. That beats $31 million, but $750k is still a pretty penny to pay, compared to protection.

Many thanks to Ponemon and PGP for another excellent study.

Protect your identity.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing laptop security on The Today Show

Is Chip and PIN the Future?

/in , , , , , , /by

Robert Siciliano Identity Theft Expert

Chip and PIN is the name of a government-backed initiative in the United Kingdom to implement the EMV standard for secure payments.

There have been rumblings from Europe over the past year  about American based credit cards that solely rely on the magnetic strip not being accepted in the future due to security issues.  Australia recently stated they were getting rid of all magnetic strip based cards and going Chip and PIN within the next few years.

Meanwhile ZDNet reports Researchers at Cambridge University have found a fundamental flaw in the EMV — Europay, MasterCard, Visa — protocol that underlies chip-and-PIN validation for debit and credit cards. As a consequence, a device can be created to modify and intercept communications between a card and a point-of-sale terminal, and fool the terminal into accepting that a PIN verification has succeeded.

“Chip and PIN is fundamentally broken,” Professor Ross Anderson of Cambridge University told ZDNet UK. “Banks and merchants rely on the words ‘Verified by PIN’ on receipts, but they don’t mean anything.”

This new research has shown that a PIN still needs to be entered, but any PIN code would be accepted. That’s not good. The researchers who cracked the code stated that the ability for the badguy to do this in the future is probable due to the fact that the attack itself is “elementary”.  That’s got to warm the cockles of organized crime.

The US has not adopted CHIP and PIN and many argue it is due to the costs involved. With 213 million cardholders and 1.2 billion credit cards in the U.S., there’s no shortage of opportunity for carders to maintain their current pace. However, an investment in a flawed technology isn’t wise.

You can’t protect yourself from these types of scams. However, by paying attention to your statements and refuting any unauthorized transactions within 60 days, you can recover your losses. When using any POS or ATM, pay close attention to details, and look for anything that seems out of place. If your card gets stuck in the machine or you notice anything odd about the appearance of the machine, such as wires, or error messages, don’t use it.

Protect your identity.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing ATM skimming on NBC Boston

Fostering Awareness & Improving Security Education

/in , , , , , , , /by

Robert Siciliano Identity Theft Expert

Financial institutions have the most to lose and the most to gain by improving security education of their clients and employees.

A while back  I appeared on a local TV show talking about phishing. Amazingly, still, not everyone knows what phishing is. A good friend saw the show and was shocked by what she learned….about her bank.

She received a phishing email and didn’t know what it was. The email asked her to update her account. It was confusing so she called her bank. She spent 20 minutes on the phone with a bank rep discussing her account and the bank could find no record of the communication or any issues with her account. At the conclusion of the call the bank rep said, “I don’t know why you received this email, your account information is in order.” Click.

That night she saw my phishing clip and wondered why the bank never mentioned a single word about phishing. Her bank failed her. They failed to educate her and therefore failed to protect her. She is no longer a client of that bank.

The mindset of financial institutions needs to change drastically when it comes to educating their clients about identity theft and security issues. Old school “sweep it under the rug” don’t discuss it because it will scare people school of thought is dead. People want, need and require information to protect themselves.

The game has changed. People are concerned for their personal security and are hungry to learn. The fact that you or anyone reads this blog is a testament to society as a whole wants to learn. Soccer moms are now security moms.  I’ve seen major industry players in the anti-virus space catering to these mommy bloggers and others because they understand the public is hungry for this. Banks, well, not so much.

Engage the public and they will respect you and want to do further business with you.

Linda McGlasson, Managing Editor at BankInfoSecurity.com interviewed me for a segment on this issue. Listen to the Podcast here It requires a login but its worth your time.

Protect your identity.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing the lack of security in online banking on CBS Boston

mCrimes Morph Into mBotnets

/in , , , , , /by

Robert Siciliano Identity Theft Expert

Botnets are robot networks of computers connected to the Internet that sit in our homes and offices. A botnet is generally banks of multiple PC’s from the 10’s to 10,000’s to millions. There are no hard numbers on botnets but last figure I saw was somewhere between 3-5 million. Another stat is 25 percent of all US based PC’s are on a botnet. That’s just insane.  Botnets PC’s are called Zombies. Zombies all generally share a virus in common that allows for a remote control component. The criminal hacker controls the zombies on the botnet via an IRC control server or via a peer to peer network.

The combined power of the zombies on the botnet allows the criminals to commit all kinds of crimes such as denial of service attacks, mass spam campaigns of blasting viruses to millions.

Often botnets are used to store stolen data or to host spoofed websites that collect that data.

Now comes “Sexy Space,” an infected text message containing a link that when clicked downloads a file making that phone part of an mBot. mBots are made up of “Zobiles”.  The download then infects the users contact list and in typical virus multiplication fashion, sends the Sexy Space text to them too.

It is believed that infected phones could then be used in similar ways as traditional zombies are.  The extra twist with a zobile is its ability to take pictures, video, and used as a covert audio listening device. It can also sniff out wireless connections to the Internet and gather additional data to be used to hack.

History indicates that we are at the forefront of an era in which criminal hackers develop tools and techniques to steal your money using your own cell phone. Fifteen years ago, cell phones were bulky and cumbersome, they had to be carried in bags or briefcases. Then they became chunky, heavy bricks. Calls dropped every other minute. Clearly, cell phones have evolved since then. Today’s cell phone is a lot more than a phone. It’s a computer, one that rivals many desktops and laptops being manufactured today.

Never click on links in text messages unless you are 100 percent sure it’s a legitimate communication from a trusted source.

Follow your phones manufacturers and carriers recommendations on securing your phone. A search on “mobile phone security” turns up options/downloads/security to consider.

Protect your identity.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing mobile phone crimes and hacking on the Mike and Juliet Show

EFT Point of Sales Hackers Net $50 Million

/in , , , , , /by

Robert Siciliano Identity Theft Expert

Readers of these posts are familiar with ATM skimming. ATM skimming is a billion dollar problem and growing. A relatively new scam over the past few years is electronic funds transfers at the point of sale (EFTPOS ) skimming. People commonly swipe both credit and debit cards through the in-store machines to pay for goods and services at these outlets. In Australia, Fast-food, convenience and specialist clothing stores are bearing the brunt of the crime. McDonald’s is among the outlets whose EFTPOS machines have been targeted.

Last year, legitimate EFTPOS devices at McDonald’s outlets across Perth Australia were replaced with compromised card-skimming versions, with 3500 customers cheated of $4.5 million. They actually replaced the entire device you see at the counter when you order your Big Mac!

Officials say the problem is so bad they urged people to change credit and debit card pin numbers weekly to avoid the possibility of having their account balances wiped out, as it was likely more cases would be identified.

In the United States a similar scam was pulled off at the Stop and Shop Supermarket chain.

“One reason POS machines are so vulnerable is that nearly all of the estimated 12 million devices in the U.S. employ a 40-year-old magnetic stripe technology that industry experts say is largely defenseless against the high-tech wizardry available to fraudsters today. These experts say that thieves can buy skimming gadgetry on the open market. Right now you can walk into a computer store in Malaysia and buy one of these devices for about $200”

The solution to this type of crime may be with authenticating the card or the card holder. Today this is out of the hands of the consumer. There are a number of new technologies that if banks/retailers/industries adopt to identify the actual card/user at the POS or even online, then most, if not all, of the card fraud problems will be solved. There is a race going on right now to see who gets there first. In the next 1-5 years we may see new cards being issued such as “chip and pin” which are standard in Europe. Or no new cards at all but changes in the system that identifies a fraudulent card making the data useless to the thief, or a 2 card system that requires a second swipe of another authenticating card the hacker doesn’t have access to. We will see how this all plays out.

You can’t protect yourself from these types of scams. However, by paying attention to your statements and refuting any unauthorized transactions within 60 days, you can recover your losses. When using any POS, pay close attention to details, and look for anything that seems out of place. If your card gets stuck in the machine or you notice anything odd about the appearance of the machine, such as wires, or error messages, don’t use it.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing ATM skimming on ExtraTV