Russian Hackers Make Millions Breaching 7/11 and ATMs

Robert Siciliano Identity Theft Expert

It started simply, by hacking 7-Eleven's public website using a SQL injection. SQL is an abbreviation of Structured Query Language, pronounced "Ess Que El" or "Sequel" depending on who you ask. This led to 7-Eleven's main servers being compromised, which in turn led to the ATMs inside 7-Eleven stores being hacked.

Wired reports:

“The Russians, evidently using an SQL injection vulnerability, “gained unauthorized access to 7-Eleven, Inc.’s servers through 7-Eleven’s public-facing internet site, and then leveraged that access into servers supporting ATM terminals located in 7-Eleven stores,” the plea agreement reads. “This access caused 7-Eleven, Inc., on or about November 9, 2007, to disable its public-facing internet site to disable the unauthorized access.””

The investigation began with noticeable fraud at a Citibank followed by a stakeout and arrest. From there a traffic stop connected a mule to the rest and the name dropping began.

This is brilliant:

“Federal prosecutors in New York had by then charged three more people in the ATM-cashing conspiracy, including 32-year-old Ukrainian immigrant Yuriy Ryabinin, aka Yuriy Rakushchynets, and 30-year-old Ivan Biltse.

In addition to looting Citibank accounts, Ryabinin had participated in a global cybercrime feeding frenzy that tore into four specific iWire prepaid MasterCard accounts, issued by St. Louis–based First Bank,  in the fall of 2007. On Sept. 30 and Oct. 1 — just two days — the iWire accounts were hit with more than 9,000 actual and attempted withdrawals from ATM machines around the world, resulting in $5 million in losses.

At the time of the ATM capers, FBI and U.S. Secret Service agents had been investigating Ryabinin for his activities on Eastern European carder forums. Ryabinin used the same ICQ chat account to conduct criminal business, and to participate in amateur-radio websites. The feds compared photos of Ryabinin from some of the ham sites to video captured by New York ATM cameras in the Citibank and iWire withdrawals, and determined it was the same man — right down to the tan jacket with dark-blue trim.

When they raided Ryabinin’s home, agents found his computer logged into a carding forum. They also found a magstripe writer and $800,000 in cash — including $690,000 in garbage bags, shopping bags and boxes stashed in the bedroom closet. Another $99,000 in cash turned up in one of the safe-deposit boxes rented by Ryabinin and his wife, Olena. Biltse was also found with $800,000 in cash.

Ryabinin’s wife told investigators that she witnessed her husband “leave the couple’s house with bundles of credit cards in rubber bands and return with large sums of cash,” a Secret Service affidavit (.pdf) reads.”

This is all “account takeover”. All this money comes from the accounts of consumers who used ATMs at a convenience store and sometimes at a bank. Once the criminal gets your account data and PIN from the processor’s server, they burn the data to a white card. There’s no way to protect yourself from this crime when the data is breached at the processor level.

Check your statements frequently, at least every week online. Some banks give less than a week to refute unauthorized charges. Check with your bank to find out exactly what their time frame is if your account is compromised. Call the “claims” department and ask them, “What’s the cut-off date when making a claim?” My bank told me I can make a claim up to a year, but after 60 days there are federal regulations that limit their liability.

I asked my bank what their thoughts were on using a debit card and they said:

  1. Not to use it at a gas pump or a convenience store ATM where you enter your PIN
  2. They suggested using it as a credit card and not as a debit card
  3. Not to use it at their own branch after hours to withdraw cash due to skimming, which wasn’t new information to me but I didn’t expect my bank to say that.

Unfortunately your security, or lack thereof, is in the hands of others. Take control. Protect your identity. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano, identity theft speaker, discusses ATM skimming on NBC Boston

Craigslist ATM I bought Causes Industry Stir


Apparently I raised a hackle or two. Seems my little stunt got the attention of industry insiders, and not all of them believe that I bought a used ATM on Craigslist which turned out to contain thousands of credit card numbers. Well, it did actually happen, and despite what many say, that an ATM couldn’t have retained 16-digit credit and debit card numbers, this one did.

The most intense resistance to my experiment came from one Boston cop who watched me plant this thing in Downtown Crossing. He crossed his arms, glared at me, and when I walked away from the ATM, asked what I was doing. When I told him, he yelled for the women who were already using my ATM to stop, then took down my information while screaming at me. He later told me that his main concern was the possibility that the ATM might have contained a bomb!

According to ATMmarketplace.com, the ATM industry is braced for a backlash in the face of security concerns. There should be a backlash. We definitely need some regulation as to who can or can’t buy an ATM. And according to Mike Lee, the chief executive of the ATM Industry Association, “while ATMIA does not condone the auctioning of ATMs, online or otherwise, the association has little control over how they are sold.”

Personally, I think that the association needs to start establishing some control, and throwing your hands up in the air is lame. Both eBay and Craigslist have prohibited certain items. Why can’t I buy an old credit card off eBay, but I can buy an ATM with thousands of credit and debit card numbers on it? I can’t buy a “traffic signal control device” off eBay either, because someone recognized that, in the wrong hands, the device can wreak havoc.

James Phillips, director of North American sales for ATMGurus, a Triton company, says that “an ATM that has old software or one that retains card numbers does not provide enough information for the owner to compromise consumer accounts,” but that my experiment still “has the potential to be so damaging to the industry’s reputation.” First of all, a 16-digit number is enough to turn data into cash. Even without a PIN, the 16-digit number can be used to buy goods online, or encoded on a blank card to buy goods in a store. This is why Visa and MasterCard require new software to block out the numbers. Second, Jim, you’re right, this is damaging. So please, fix it, and don’t allow lame excuses. And my machine is a Triton 9100. She’s a beauty by the way. Works nice off a 12-volt car battery, too.

Wendy Amaral, an account manager at Nationwide Money Services, says that while it’s possible that some companies could provide processing without collecting the required background information about the ATM owner, Visa, MasterCard, and other financial institutions are firm about the rules, and that audits are unlikely but possible. I think “possible audits” sounds like another cop out. For those of us who use ATMs, the idea that we are protected by “possible audits” is a slap in the face.

George McQuain, chief executive of ATM ISO Global Axcess Corp., which provides ATM processing, says he’s skeptical that I was able to set up my ATM for processing without a background check or even any questions. I haven’t revealed the processors who agreed to set up my ATM because they seemed to be small shops, and I don’t intend to destroy their livelihoods in my attempt to point out the inadequacy of the industry’s regulations. But the first processor set me up over the phone, and all I had to do was fill out a PDF and fax it back. The second showed up to my house in a pickup truck to service the ATM in my garage.

McQuain also says that it is rare for an ATM to have such outdated software that it would allow the owner to print so much customer information. But it was easy for me to find one. And even when they are replaced with newer models, where do they go? Where does the data go? I’ll tell you. On Craigslist, and then to the criminals.

There have been tons of reports on my story:

You can protect yourself from these types of scams by paying attention to your statements. Refute unauthorized transactions within 60 days. Consider never using a debit card again, since credit cards are safer. When using an ATM, pay close attention to details, and look for anything that seems out of place. If your card gets stuck in the machine or you notice anything odd about the appearance of the machine, such as wires, double-sided tape, error messages, a missing security camera, or a machine that seems unusually old and run down, don’t use it. Don’t use just any ATM. Instead, look for ATMs in more secure locations. Cover your PIN! And invest in Intelius Identity Theft Protection and Prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker rolling an ATM around on Fox

Lack of Laptop Security Leads to Identity Theft


In 2003, an estimated 1.5 million laptops were stolen worldwide. Today, that number has climbed to 2.6 million. That’s a 70% increase in just a few years. That’s one stolen laptop every 12 seconds.

Laptop computers have been the source of some of the biggest data breaches of all time. 800,000 doctors were recently put at risk for identity theft when a laptop containing their personal data went missing from the Chicago-based Blue Cross and Blue Shield Association.

As the years pass, laptop prices come down and their computing power goes up, making them increasingly vulnerable.

According to yet another interesting Ponemon Institute study, more than half of IT and security professionals worldwide believe their companies’ laptops and other mobile devices pose security risks, and only half of them have CEOs who are strong advocates and supporters of data security efforts. Kelly Jackson Higgins’ article at Dark Reading gives a good summary of these findings.

In the United States specifically, the situation is even worse, with only 40% of IT and security pros believing their CEOs to be security supporters. When it comes to compliance with regulations, “US firms were also less inclined to consider compliance helpful to security of their endpoints.”

This report is both quite troubling and yet unsurprising. It models the philosophies that produce what we see in the real world: data breaches are quite commonplace, decent security is quite achievable, and most businesses just don’t really care, at least until they learn the hard way. It’s akin to a widespread lack of interest in wearing seat belts, with only those who experience accidents deciding that, sure enough, it’s not very hard to buckle a seat belt and the benefits are enormous.

Many businesses have a department, or at least a group or individual, that handles security. (Note that the report also exposes a woeful lack of collaboration with this section of the business.) Yet “the security department,” or the IT department in general, tends to find that upper management just doesn’t “buy in” with security efforts.

Dan Yost, Chief Technology Officer of MyLaptopGPS, states, “It seems good to let the upper management take a serious fall when (not if) breaches happen. They choose not to support the buckling of seat belts, because it’s ‘not important’ or at least not a priority. It’s only fair that their necks be on the line during the next ‘accident’.”



Robert Siciliano, identity theft speaker, discusses Laptop Security on The Today Show.

Identity Theft 2010 Top 10 Predictions


I’ve joined forces with the Identity Theft Resource Center to expand the pool of knowledge about identity theft issues. As nationally recognized experts in this crime, we have come up with ten predictions for what the nation can expect in the area of identity theft in 2010 and beyond.

1. More Scams: The recession will lead to more scams. Whenever our nation has faced a difficult time, thieves have found a way to use the problem to their advantage. In my adult life, I’ve never seen more variations of old scams and the degree of sophistication in newer scams.

2. Job Scams: Criminals will take advantage of increasing unemployment rates by tricking desperate people searching for job listings. These fake job listings and work-at-home scams will eventually end with the job seeker providing Social Security numbers to criminals. If the job description is not one that you would see printed on a business card or you are asked to front money, it’s a scam.

3. Newbie Low-Tech “Desperate” Identity Theft: Additionally, there will be an increase in the number of individuals – who have no criminal history – beginning to explore the crime of identity theft for financial gain. For these thieves, it will be about quick money. Once desperate people max out their credit limits and wreck their own credit histories, they will start to use Social Security numbers that they can easily access.

These new identity thieves will take advantage of low tech methods – stealing credit card numbers, dumpster diving, making phone calls, or phishing for credit card numbers. These techniques may also include placing ads in auctions and Craigslist for phantom products for sale to get either credit card numbers or cash.

4. All-in-the-Family ID Theft: Desperation will lead to more child identity theft and “all-in-the-family” cases, as well as the fraudulent use of numbers belonging to close friends, roommates and fellow workers. It has long been documented that a significant percentage of identity theft cases are perpetrated by people close to the victim. We predict that this number will increase during these tough economic times.

5. Child Identity Theft: The ITRC has noted that nearly 10 percent of its case load, for the past six months, involved child identity theft issues. These cases often involve more varied components of identity theft than ever before. Some people have finally realized that a child’s SSN can be used for more than just opening a line of credit.

6. Medical Identity Theft: While not a new crime, this will reflect the distress of those who have become unemployed. High COBRA premiums, growing individual medical insurance costs, or the inability to afford insurance or medical care will cause a spike in this area of identity theft. The Social Security Administration has noted an increase in uninsured people using the coverage of a friend, relative or even a stranger to get medical care.

7. Insider Identity Theft: In the coming year, this will increase due to the failure to follow simple security protocols in the workplace. This will create opportunities for thieves to gain access to personal identifying information retained in databases or paper files. Additionally, the lack of computer security measures and the increasing skill levels of hackers will lead to larger and more financially harmful breaches. Although a few sophisticated hackers have been arrested recently, these large, extremely damaging hacking events will continue to occur. These thieves are educating young protégés on high-tech methods to access “secured” information and will likely continue to coordinate malicious attacks from their jail cells.

8. Governmental Identity Theft: More individuals will discover that they have become identity theft victims as they apply for government assistance and/or benefits. Not only will their own SSNs be used, but they may be temporarily denied benefits due to the use of their child’s SSN, which has been used fraudulently. This type of identity theft, identified as “Governmental Identity Theft,” may be associated with complications with the IRS, Social Security Administration, Departments of Motor Vehicles, Medicare and Welfare.

9. Criminal Identity Theft: The number of cases of criminal identity theft will continue to grow. This type of crime is defined as the use of an individual’s personal information to avoid being tied to their own criminal record. In the current environment, the effects of criminal identity theft on the victims will be more apparent with the loss of employment, loss of benefits and the increased number of arrests of victims ranging from failure to appear warrants for traffic citations all the way to felony level crimes. Criminals will continue to exploit the weaknesses of the current system and revictimize the individual whose information has been used.

10. Social Media Identity Theft: The meteoric rise in social media use has also created a launch pad for identity thieves. Social media identity theft happens when someone hacks an account via phishing, creates infected short URLs, or creates a page using photos and the victim’s identifying information. My prediction for 2010 is that the increase in social networking activity, along with users’ failure to implement security and privacy settings and protocols, will lead to increased exposure of not only the user’s personal information but possibly that of their “friends.”

Bottom line, there will be an increase in identity theft crimes and the number of victims over the next two years unless significant changes are made in information security. Our most important asset is our identity. And we are functioning under a completely antiquated system of identification with wide open credit and few safeguards to protect the consumer. When state governments agree with federal agencies on effective identification and industry comes together, not to profit from the problem but to solve it, only then will we prevail.



Robert Siciliano, identity theft speaker, discussing social media identity theft on Fox Boston

Facebook Newest Portal for Social Media Identity Theft


Imagine trying to log into your online accounts one after the other and being locked out. At first you think the site you are visiting screwed up, but then it keeps happening over and over again no matter where you go. Then you start receiving messages from friends and family asking you why you are behaving so freakishly online.

This is what happened to Matasha Allen, as described in Eastern Michigan University’s Eastern Echo.

“Allen, 28, was a substitute teacher at the time, teaching music as well as elementary classes. Her only outlet to the Internet was limited to libraries and public computer labs, where she would check her accounts, look through e-mail and stay in touch with friends on Facebook. It was during one of these trips to the computers that it happened, Allen deduced. She thinks her Facebook account wasn’t completely logged off, or the computer didn’t log out. However it happened, someone found their way onto Allen’s accounts and took complete control.

“Social media is built on the honor system. There are no checks and balances to prove who is who. Anyone can pose as you and blog as you. This makes for social media identity theft,” said Robert Siciliano, a security consultant for Intelius.com and a speaker on preventing identity theft.

“The problem with social media identity theft is that when it takes over your account, all the people that you communicate with within your account may believe the identity thief is you. And when that identity thief begins to ask for money, from your friends and from your family and your coworkers, then they may actually pull money out of their pocket and send it via Western Union to the imposter. They think that you’ve actually come into the trouble that the identity thief is saying you’re in.”

In Allen’s case, her identity theft didn’t escalate to the thief asking for money from friends, but the thief was malicious. Messages were sent to friends and family, using profanity and insults. One of the incidents Allen related was toward an organization focusing on eliminating poverty in children. The identity thief sent the organization a message reading, “I hate children. I hope they all starve.””

  1. Steer clear of public computers whenever possible, or at least avoid accessing accounts or sites that require passwords.
  2. If you use a public PC, get a USB drive that has a built-in browser that allows you to surf securely.
  3. No matter what PC you use to access accounts, always log out when you are done.
  4. Register your name at as many social media sites as possible. Use Knowem.com to do it for you.



Robert Siciliano, identity theft speaker, discussing social media identity theft on Fox Boston

Child Identity Theft Protection


In a blog I guest contribute to, called “NextAdvisor”, they offer the following advice on child identity theft protection:

“The following post in our Reader Question series is an actual user submitted question.

Q: I found out that someone used my grandson’s Social Security number to get phone service. How can I stop this? He’s only 11 years old.

A: If someone has used or is using a child’s Social Security number to secure a service, the child is a victim of identity theft. You should file a report with a local police department immediately. Having a police report will make it easier to have the fraudulent item or items removed from the child’s credit report. You should also file a complaint with the Federal Trade Commission.

You should also call the phone company to inform them that the service has been fraudulently obtained using a minor’s Social Security number. If you are your grandson’s legal guardian, you can request a copy of his credit report from all three credit bureaus, and ask that fraudulent items be removed and that his credit report be frozen until he turns 18. If you are not your grandson’s legal guardian, one of his parents will need to make this request.

When a parent or legal guardian contacts a credit bureau on their child’s behalf, they need to provide the child’s complete name, address, and date of birth, and copies of the child’s birth certificate and Social Security number. The parent or guardian must also provide a copy of their own driver’s license or other government-issued proof of identity, including their current address, and a utility bill containing the current address.

Here is the contact information for the three credit bureaus:

Experian
(888)397-3742
http://www.experian.com

Experian
PO Box 9532
Allen, TX 75013

Equifax
(800) 658-1111
http://www.equifax.com

Equifax
P.O. Box 105069
Atlanta, GA 30348

TransUnion
(800) 916-8800
http://www.transunion.com

TransUnion
PO Box 6790
Fullerton, CA 92834”



Robert Siciliano identity theft speaker discussing child identity theft on NBC Boston

Merchant Credit Card Transaction Monitoring


Security professionals intuitively think proactively. Our job is to predict and prevent what the bad guy will do next. My job specifically is to instill this mindset into you, the consumer, the SMB, or the large corporate enterprise.

Bob Russo, General Manager and rock star of the PCI Security Standards Council, reminds us all in this Business Week article that it’s not all about prevention. Sage advice below.

“Many businesses are familiar with the PCI Security Standards Council’s requirements, yet many card fraud incidents go undiscovered for long periods of time. In fact, according to Verizon’s 2009 Data Breach Investigations Report, 75% of compromises were discovered at least weeks after the compromise.

Data security is not all about prevention; it also requires detection and monitoring. In the event of a breach or card fraud, proper monitoring can detect and eliminate additional fraud quickly. Thus, with the holiday season in full swing, it’s a great time to reconsider your company’s log management and monitoring. Consider the following tips:

1. Ensure your organization keeps timely, accurate, and unaltered records of what has taken place within the cardholder data environment (who, what, when, and how) to protect it in the event of a data compromise and resulting investigation.

2. Monitoring also can include physical surveillance. Closed-circuit monitoring of POS terminals can detect suspicious or fraudulent behavior.

3. Even when you are at your busiest, you simply cannot afford to overlook monitoring as a primary detector of card fraud and the trigger to eliminating ongoing criminal activity.”
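As an added illustration of tip 1 above (timely, accurate, unaltered who/what/when/how records), and not code from the article, the PCI Council or any product, here is a hash-chained audit log in Python with constructed sample events. It also shows why the chain alone is not enough and an externally stored head hash is needed to catch truncation.

```python
import copy
import hashlib
import json
from typing import List, Optional

# Hash that the first entry chains to; any fixed, public value works.
GENESIS_HASH = "0" * 64


def _entry_digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of the audit fields plus the previous hash.

    Sorted keys and compact separators make the serialization deterministic,
    so the same record always produces the same digest.
    """
    material = {k: entry[k] for k in ("who", "what", "when", "how", "prev_hash")}
    encoded = json.dumps(material, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()


class ChainedAuditLog:
    """Append-only log where each record commits to the one before it."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, who: str, what: str, when: str, how: str) -> dict:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        entry = {"who": who, "what": what, "when": when, "how": how, "prev_hash": prev_hash}
        entry["entry_hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry

    def head_hash(self) -> str:
        """The latest hash; store this somewhere the log writer cannot change."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH


def first_broken_index(entries: List[dict]) -> Optional[int]:
    """Return the index of the first entry that fails the chain check, or None if intact.

    Catches edited fields, re-ordered records and records deleted from the middle,
    because every later hash depends on the altered one.
    """
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(entries):
        if entry["prev_hash"] != prev_hash or _entry_digest(entry) != entry["entry_hash"]:
            return i
        prev_hash = entry["entry_hash"]
    return None


def verify_log(entries: List[dict], anchored_head: str) -> bool:
    """Full check: chain is internally consistent AND ends at the externally stored head hash.

    The anchor is what catches truncation: chopping off the newest records leaves a
    perfectly valid shorter chain, so the chain check alone cannot see it.
    """
    if first_broken_index(entries) is not None:
        return False
    head = entries[-1]["entry_hash"] if entries else GENESIS_HASH
    return head == anchored_head


def build_sample_log() -> ChainedAuditLog:
    """Constructed sample events for a cardholder data environment (not real data)."""
    log = ChainedAuditLog()
    log.append("pos-svc", "read track data, terminal 07", "2009-12-01T10:02:11Z", "API /auth")
    log.append("admin-j.doe", "exported cardholder table", "2009-12-01T23:41:05Z", "psql over VPN")
    log.append("backup-job", "nightly dump completed", "2009-12-02T02:00:00Z", "cron")
    return log


def demo_tampering() -> dict:
    """Exercise three tampering scenarios; returns what each check reported."""
    log = build_sample_log()
    anchor = log.head_hash()  # in practice copied to a write-once location
    results = {"intact": verify_log(log.entries, anchor)}

    # 1. An insider edits the record of their own export to look like a read.
    edited = copy.deepcopy(log.entries)
    edited[1]["what"] = "read one row"
    results["edited_index"] = first_broken_index(edited)

    # 2. The export record is deleted outright; the next record's prev_hash no longer fits.
    deleted = copy.deepcopy(log.entries)
    del deleted[1]
    results["deleted_index"] = first_broken_index(deleted)

    # 3. The newest record is truncated: the chain looks fine, only the anchor catches it.
    truncated = copy.deepcopy(log.entries)[:-1]
    results["truncated_chain_ok"] = first_broken_index(truncated) is None
    results["truncated_anchor_ok"] = verify_log(truncated, anchor)
    return results


if __name__ == "__main__":
    print(json.dumps(demo_tampering(), indent=2))
```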



Robert Siciliano, identity theft speaker, discussing holiday scams on Fox’s Mike and Juliet Show

10 Tips to Secure Online Holiday Shopping


UK officials shut down an amazing 1,200 online retailers who scammed millions from unsuspecting shoppers. Most of the sites originated from identity thieves in Asia who tricked victims into believing they were legitimate sites. Victims then lost money by entering their credit card data, sending checks, or giving up banking details.

The sites sold high-end designer items from Tiffany & Co. and Ugg, as well as jewelry. In some cases the victims actually received the items, but they were counterfeit. Like Mom said, if it’s too good to be true, it probably is. Of course, nobody running the fake sites has been caught.

Criminals set up fake websites and then go through the same process legitimate eTailers do with regard to search engine optimization, search engine marketing, and online advertising via AdWords. They use keywords to boost their rankings in Internet searches so they show up alongside legitimate sites. These same processes are also being used to infect unsuspecting users with malware.

Many victims who end up on scam sites generally get there via phish emails with offers for high end products for little money.

  1. It’s easy enough to avoid spoofed websites where phishing is the gateway. Common sense says that any time you receive an offer via email, you should automatically be suspicious. The same goes for offers via tweets and messages received in any social media. Scammers are committing social media identity theft every day.
  2. If you aren’t familiar with the eTailer, don’t even bother clicking the links, especially if it’s a too-good-to-be-true offer.
  3. If it’s a known site sending the email and you decide to click links, make sure the address you end up at is in fact the actual domain of the eTailer. Beware of cybersquatting and typosquatting, which may look like the domain of the legitimate eTailer.
  4. When placing an order, always look for HTTPS in the address bar, signifying it’s a secure page. Scammers generally won’t take the time to set up secure sites. Note the closed padlock in your browser to back up the HTTPS.
  5. Beware of emails coming from eBay scammers. I’m getting 10 a day. The fact is, it’s difficult to tell a real one from a fake. If you are seeking deals on eBay, go right to the site and don’t bother responding to emails. If there is a deal you see in an email, search for it on eBay.
  6. Whenever you decide to make an eBay purchase, look at the eBayer’s history. eBay is set up on the honor system, and if the eBayer is an established seller with great feedback, then they should be legitimate.
  7. Don’t worry about credit card fraud, but do pay close attention to your statements. Check them every two weeks online and refute unauthorized charges within 2 billing cycles; otherwise you will pay for an identity thief’s gifts.
  8. Don’t use a debit card online. If your debit card is compromised, that’s money out of your bank account. Credit cards have more protection and less liability.
  9. Avoid paying by check online or by mail order. In person is OK, but to an unfamiliar virtual site is not. Once the money is taken from your account and you don’t receive the goods, you are going to have a difficult if not impossible task of getting it back. Use a uni-ball gel pen that prevents check washing.
  10. Do business with those you know, like, and trust. I for one am guilty of buying from eTailers who have the best deals, but I only buy low-ticket items from them, generally under $50.00. It’s best to buy high-ticket items from eTailers that also have brick-and-mortar locations.

Robert Siciliano, identity theft speaker, discussing holiday scams on Fox’s Mike and Juliet Show

Holiday Temps Make The Best Identity Thieves


This is the absolute best time of the year to be a dishonest temporary worker. Holiday hustle and bustle overwhelms managers and supervisors and they can’t possibly see everything their employees are doing. It has been said that only 10% of employees are honest, 10% of employees will always steal and 80% will steal based on circumstances. Hiring temps during the holidays becomes the perfect storm for employee theft.

Estimates put 40-50% of all business losses down to employee theft. Employers need to vet potential hires first, so as not to invite a thief into the workplace.

Prescreening

  • Either use a prescreening service or become a master interviewer. Watch for incongruities between what the candidate says, what the resume says, and what the references say.
  • Resumes are often “false advertising,” sometimes including outright lies. Look for red flags and exaggerations.
  • Appearance is telling. To be disheveled and unkempt at an interview is a reflection of one’s character.
  • Interviewees who are well-spoken and ace the interview process may simply have had lots and lots of jobs, and lots of practice interviewing.
  • Use employment applications, and check and verify everything on them.
  • Background checks are only one small, but necessary, element of the screening process.
  • Criminal records checks are insufficient on their own; they do not detect employee theft unless the thief was prosecuted and convicted.
  • Juvenile convictions do not show on a criminal records check.
  • Drug and alcohol testing.
  • Reference checks.
  • Credit reports.
  • Physical exams.

Hire honest people.

Honest people live by the golden rule, “Do unto others as you would have them do unto you.” Honest people see stealing as demeaning. Honest people believe in karma. Honest people think of the consequences of their actions over a lifetime, not just in the moment. Hire honest people.

Perception is reality.

Assume that even after an apparently honest person has been hired, there is still potential for stealing to begin. Orientation is the first place to discourage this behavior. Discuss policies openly. Show employees the loss prevention and physical security measures in place. Tell them that incidents of theft will be prosecuted to the fullest extent of the law, and remind them that previous employees were caught, and that the fines and criminal defense lawyers cost them far more than the goods or cash they stole. In Singapore, Iran, and Saudi Arabia, they put an average of 500 people a year to death for various nonviolent crimes. That’s perception equaling reality.

Understand the theft probability equation.

Chance of getting caught + consequences of action taken = Level of risk & probability of theft.

  • Low risk: high probability of theft
  • High risk: low probability of theft
  • A reputation for non-action breeds theft. If you fire thieves without prosecution, you will hire thieves in the future.

Increase technology to reduce threats.

Computerworld suggests bolstering physical security around temporary cash registers and handheld scanners. It’s easy to install a card-skimming device on a satellite register, so install additional video cameras to monitor the use of such devices, and have staff look over the card readers at the start of each shift so that a skimmer is noticed the day it appears rather than when the chargebacks arrive.

Review log data daily. System and transaction logs reveal a lot about the security of a payment system. Check them daily for red flags: failed logins, logins outside store hours, voids and refunds clustering on one register, and registers connecting to addresses you don’t recognize.

Implement “hard” firewall policies. Use a whitelist of known-good addresses, with everything else denied by default, so that card and payment data cannot go anywhere outside the enterprise firewall except to your payment processor. Log the denials as well as the accepts; a register that keeps trying to reach an address that isn’t on the list is a register worth looking at.
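The last two recommendations, a daily log review and a default-deny whitelist for the card network, are more useful together: the firewall enforces the list, and the daily review checks the firewall’s own logs against that same list to catch rules that have drifted from the policy and registers that keep probing outward. The Python script below is an added example, not code from this post or from Computerworld; the addresses, segment layout, log format, and the three-denial threshold are assumptions, and the log lines are constructed for the demo.

```python
"""Daily egress review for a payment segment (added example, assumptions throughout).

Checks firewall log lines against a default-deny whitelist: registers may talk
only to the payment processor on TCP/443 and to the internal resolver on UDP/53.
Flags accepted flows the policy should have blocked (rule drift) and registers
that repeatedly try to reach anything else. Addresses, layout, log format and
threshold are hypothetical; the sample log is constructed, not real traffic.
"""
import ipaddress
import re
from collections import Counter

# Assumed network layout (hypothetical, documentation-range addresses).
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")     # registers and handheld scanners
PROCESSOR_NET = ipaddress.ip_network("203.0.113.0/24")  # payment processor's gateway range
INTERNAL_DNS = ipaddress.ip_network("10.20.0.2/32")     # the only resolver registers may use

# Default-deny egress policy for the POS segment: (destination network, protocol, port).
EGRESS_ALLOW = [
    (PROCESSOR_NET, "tcp", 443),
    (INTERNAL_DNS, "udp", 53),
]

# Assumed log format, one flow per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) action=(?P<action>accept|deny) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample log for the demo (not real traffic).
SAMPLE_LOG = """\
2009-11-20 08:00:01 action=accept proto=tcp src=10.20.0.15 dst=203.0.113.10 dport=443
2009-11-20 08:00:05 action=accept proto=udp src=10.20.0.15 dst=10.20.0.2 dport=53
2009-11-20 08:01:10 action=accept proto=tcp src=10.20.0.15 dst=198.51.100.7 dport=80
2009-11-20 08:02:00 action=deny proto=tcp src=10.20.0.31 dst=198.51.100.7 dport=443
2009-11-20 08:02:01 action=deny proto=tcp src=10.20.0.31 dst=198.51.100.7 dport=443
2009-11-20 08:02:02 action=deny proto=tcp src=10.20.0.31 dst=198.51.100.8 dport=21
2009-11-20 08:03:00 action=accept proto=tcp src=10.30.0.5 dst=198.51.100.9 dport=80
garbage line the parser must skip rather than crash on
""".splitlines()


def is_allowed(src, dst, proto, dport):
    """Apply the default-deny policy. Only the POS segment is constrained;
    a flow from it is allowed only if some whitelist tuple matches exactly."""
    if ipaddress.ip_address(src) not in POS_SEGMENT:
        return True  # other segments are outside this policy's scope
    dst_ip = ipaddress.ip_address(dst)
    return any(dst_ip in net and proto == p and dport == port
               for net, p, port in EGRESS_ALLOW)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def review(log_lines, deny_threshold=3):
    """Daily review: accepted flows the policy forbids (firewall rules have
    drifted from the policy) and POS sources with repeated denials."""
    violations = []
    denials = Counter()
    unparsed = 0
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["action"] == "accept" and not is_allowed(
                rec["src"], rec["dst"], rec["proto"], rec["dport"]):
            violations.append(rec)
        elif rec["action"] == "deny" and ipaddress.ip_address(rec["src"]) in POS_SEGMENT:
            denials[rec["src"]] += 1
    noisy = {src: n for src, n in denials.items() if n >= deny_threshold}
    return {"violations": violations, "noisy_sources": noisy, "unparsed": unparsed}


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for v in report["violations"]:
        print(f"POLICY DRIFT: {v['src']} reached {v['dst']}:{v['dport']}/{v['proto']} "
              f"at {v['ts']} and the firewall let it through")
    for src, n in report["noisy_sources"].items():
        print(f"REPEAT DENIALS: {src} hit the egress block {n} times; inspect that register")
    print(f"{report['unparsed']} unparsable line(s) skipped")
```

Run it as-is against the embedded sample, or pass it the lines of your own firewall log. The enforcement still lives in the firewall; this script only tells you whether the firewall is doing what the written policy says, which is exactly the drift a daily review is meant to catch.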

For your own good, protect your identity. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name, which makes your Social Security number far less useful to a potential identity thief.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. “Disclosures”


MIT Says Handing Over Your Identity Data Protects You

Robert Siciliano Identity Theft Expert

Identity is a simple concept that has become a complex problem, and it has become complex because of fraud. Fraud is motivated by money, and by the ease of obtaining credit or taking over an account. Because identity has yet to be effectively established, anyone can be you.

Currently, identity is generally established when a person provides a single piece of data such as a Social Security number, a password, a credit card number, and so forth. Complicating things further, in the U.S. we have as many as 200 forms of ID circulating from state to state, plus some 14,000 different birth certificate formats and 49 versions of the Social Security card. We rely on for-profit third-party information brokers and the lowly vital statistics agency in each state to manage the data.

According to a new proposal reported in New Scientist, our digital identities would be more secure if they were based on data from our everyday lives, culled from cell phones and online transactions. The idea comes from the Massachusetts Institute of Technology’s Human Dynamics Laboratory, a pioneer of “reality mining,” the practice of studying how people behave using the crumbs of digital data our actions produce.

Reality mining is “what you do and who you do it with.” Or in MIT-over-my-head-speak: “Reality Mining defines the collection of machine-sensed environmental data pertaining to human social behavior. This new paradigm of data mining makes possible the modeling of conversation context, proximity sensing, and temporospatial location throughout large communities of individuals. Mobile phones are used for data collection, opening social network analysis to new methods of empirical (information gained by means of observation) stochastic (random) modeling.”

Even Google can’t define the word “temporospatial.” Find it. I dare you.

The research is based on using mobile phones to gain insight into individual and group behavior. The researchers captured communication, proximity, location, and activity information from 100 subjects at MIT over the course of a year. This represents over 350,000 hours (roughly 40 years) of continuous data on human behavior. Some of the research questions include:

  • How do social networks evolve over time?
  • How predictable are most people’s lives?
  • How does information flow?

The idea is to capture and harness all this information representing “what you do and who you do it with.” Managing it would require a central body supported by a combination of cellphone networks, banks, and government bodies. A bank, as one of the supporters, could provide “slices” of the data to third parties that want to check a person’s identity.

This is different from “who you are and what you know.” Currently, positive identification is only possible using a biometric, which is something you are. A biometric can be either static (anatomical, physiological) or dynamic (behavioral). Examples of static biometrics include your iris, fingerprint, face, and DNA; dynamic biometrics include your signature gesture, voice, keystroke rhythm, and perhaps gait. Verification, by contrast, is used when the identity of a person cannot be definitively established: the technologies involved provide a real-time assessment of whether an asserted identity is valid. We don’t know who the individual is, but we try to get as close as we can to verifying the identity he or she asserts. This class includes out-of-wallet questions, PINs, passwords, tokens, cards, IP addresses, behavior-based trend data, credit cards, and so on, which usually fall into the realm of something you have or something you know.

Currently, identity isn’t established, and there is no accountability. That’s why we have identity theft: anyone can become you just by saying so. In the meantime, until the big heads at MIT figure this out, protect your identity.


Robert Siciliano, identity theft speaker, discusses Social Security numbers on Fox News