Resolve to Dissolve Identity Theft

Robert Siciliano Identity Theft Expert

Here we are again, getting ready to face a new year.   Time to set those dreaded New Year’s resolutions.  You know, lose the 10 pounds, give up the chocolate, quit smoking, and win the Nobel Peace Prize.

Along with the breaking of some bad habits, now is the time to take on some new habits to protect you against identity theft. The Identity Theft Resource Center® (ITRC) offers the following top resolutions you can make in 2010:

Lock up your social security card! Get it out of your wallet! Put this valuable card, along with all other important personal documents, in a safe, locked box or safety deposit box.

Don’t share your Social Security Number (SSN) unnecessarily. Ask questions: Why do you need it? What happens if I don’t give it to you? Who gets to see it? What are you going to do with it?  Legitimate reasons to provide your SSN are limited including:  verifying identity for employment; establishing new lines of credit; government benefit programs; and tax purposes.

Invest in a good cross cut shredder and USE IT! Destroy all documents that include personal identifying information (account numbers, birth date, SSN, medical numbers).  This includes those pre-approved credit card offers that fill your mailbox.  When in doubt, shred it!

Order your credit reports! Go to www.annualcreditreport.com or call 877-322-8228 to obtain your free credit reports.  And it’s really free!  You are entitled, by federal law, to obtain one free credit report from each Credit Reporting Agency every year.  For best results, the ITRC recommends that you stagger your requests to one CRA every four months, through this free program.

Consider investing in a locked mailbox. If you already have a locked community mailbox, just remember, sturdier is better.  Additionally, make it a habit to take out-going mail to the post office and stop using your “come steal me” red flag.

Take the time to place passwords on all your accounts and change the old ones. This includes bank accounts, investment accounts, money markets, credit cards, etc.  Be creative and use something that is not easily guessed by someone who may know you.  A good verbal password is NOT the last four digits of your SSN, your mother’s maiden name, your pet’s name or kid’s birthdays.  A random word, not associated with you or your life, is highly recommended.

Limit the amount of personal information you share online. If you don’t want it publicized – don’t put it online! For online accounts, use strong passwords and change them regularly.  (A strong password should be more than 8 characters in length, and contain both capital letters and at least one numeric or other non alphabetical character.  Use of non-dictionary words is also advised.)   Do not access accounts on shared or public computers (library, internet cafes, work, etc).  For more information on safe social networking, see ITRC Fact Sheet 138 – and  Social Networking and Identity Theft.

Be a savvy online shopper! Check out the merchant and make sure they are legit.  Protect your information online by using a secure payment agent – a security product which allows a consumer to control the use of their personal identifying information whether shopping, paying bills online, or registering at websites.  Consider using credit cards instead of debit cards when making purchases.  In addition, install security and malware software to protect your computer and update it frequently.

Monitor any and all account statements carefully. Don’t wait three months to balance your check book or open your mail! React quickly if you notice any discrepancies.

Guard all checks and deposit slips as you would your precious jewelry. In the wrong hands, these account numbers can be even more valuable than handfuls of cash!  When making out checks, use specially formulated gel ink pens, developed to defeat check washing.

Additionally, I recommend:

Protect your social media identity. Register your full name and those of your spouse and kids on the most trafficked social media sites, blogs, domains or web-based email accounts. If your name is already gone, include your middle initial, a period or a hyphen. It’s up to you to decide whether or not to plug in your picture and basic bio, but consider leaving out your age or birthday. You can do this manually or by using a very cost-effective service called Knowem.com.

Protect your financial identity. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano identity theft speaker discussing Social Security Numbers on Fox news

ID Theft Is Set To Rise On The Heels Of The Recession

Jay McDonald from Creditcards.com does a great job of summarizing Identity Theft Predictions for 2010.

“Like wolves to injured prey, identity thieves are out to turn the recession struggles of average Americans to their own advantage.

“In my adult life, I’ve never seen more variations of old scams and the degree of sophistication in newer scams,” says Robert Siciliano, CEO of IDTheftSecurity.com.

The Identity Theft Resource Center predicts an increase in the number of identity theft crimes and victims during the next two years.

Particularly vulnerable are jobseekers whose desperate search for employment makes them easy targets for fake job listings and work-from-home scams.

“If the job description is not one that you would see printed on a business card, or you are asked to front money, it’s a scam,” says Siciliano.

Also on the rise are the misuse of social media and phony ads on Craigslist and other Web sites for the purposes of obtaining credit card numbers or cash.

Most disturbing has been the growing problem of child identity theft, sometimes by the child’s own family.

“The ITRC has noted that nearly 10 percent of its case load for the past six months involved child identity theft issues,” says founder Linda Foley. “It’s as if people have finally realized that a child’s Social Security number can be used for more than just opening a line of credit.”

Visit the ITRC Web site to learn how to protect your personal data from thieves and hackers.”

Protect your identity. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.


Robert Siciliano identity theft speaker discussing credit card fraud on CNBC

5 Tips to Credit Card Identity Theft Prevention


In a recent article in Computer World, Tom Patterson, CSO of Magtek, with his Glamor Shot photo, provides “5 counter-fraud tips you’ve never been told.” Consumers should do anything they can to reduce their risk of account takeover. While in most cases the consumer isn’t responsible for the losses, as long as you dispute the fraud within a specified time frame, it’s your duty as a citizen to do so. Studies show much of terrorists’ funding is coming from card fraud. Card fraud is a breach of national security.

Tip #1: Stare down your waiter, waitress, gas station attendant or anyone to whom you hand your card. Or at least stare at the card in process. You want to see where that card is going and how it’s being used. The idea here is to make sure the card isn’t being “skimmed” with a skimmer. This is good advice when it’s possible. Most waiters and gas station attendants walk away with the card. This really only works at a POS where the clerk never leaves the terminal. What you should see is the clerk swiping the card through a PC- or register-based fixed keyboard or terminal. If you see them swipe the card in a handheld skimmer or something on their body, like a device attached to a belt or ankle, that’s a red flag.

Tip #2: Shield your PIN. This is absolutely necessary at any POS or ATM. The public nature of these devices makes it very easy for someone to shoulder surf and grab your PIN. A cell phone video cam over your shoulder, a video camera from 50 feet away, binoculars or even a hidden camera attached to the face of the ATM can all compromise your PIN. See this video I did on ExtraTV, demonstrating how I bought an ATM off Craigslist and rolled it all over Boston.

Tip #3: Change your card number. With millions of card numbers hacked over the last few years, chances are yours was compromised. I for one have had 3 changes of credit cards due to card issuers being proactive and sending me a new card whether I liked it or not. Tom suggests voluntarily changing your credit card number every few months. While this is an extra layer of protection, it’s not at all practical and I doubt even Tom does it. I have numerous EFTs set up with my cards and changing the number means changing them as well. It’s enough of a burden to change it all when the banks issue a new card. But a nice idea if you have the time.

Tip #4: Check your credit card statements every day. This is an extra layer of protection that requires savant-like attention. You check your email every day, so checking your credit card statements every day is doable, right? Every week is sufficient. Even every 2 weeks is OK. Just make sure to check with your bank to determine what their cutoff date is to dispute unauthorized withdrawals. For most credit cards it’s 60 days. For most banks it can be under 30 days. This is the most important tip of all.

Tip #5: Authenticate the card. Or the card holder. Today this is out of the hands of the consumer. There are a number of new technologies that, if banks, retailers and the industry adopt them to identify the actual card or user at the POS or even online, would solve most, if not all, of the card fraud problems. There is a race going on right now to see who gets there first. In the next 1-5 years we may see new cards being issued, such as “chip and PIN” cards, which are standard in Europe. Or no new cards at all but changes in the system that the card holder is unaware of, or a 2-card system that requires a second swipe of another authenticating card the hacker doesn’t have access to. There are also readily available technologies that will allow the turning on and off of your card with your own preset spend limits too. We will see how this all plays out.

 


Police, DA Investigators Conduct Fake ID Sting


Do an online search for “fake ids” and you’ll be amazed to discover how easy it can be to obtain an ID allowing you to pose as someone else. Or how easy it can be for someone else to obtain an ID that will allow him or her to pose as you. Some websites peddle poor quality cards, others offer excellent quality, and many websites are simply scams.

The fact is, our existing identification systems are insufficiently secure, and our identifying documents are easily copied. Anyone with a computer, scanner and printer can recreate an ID. Outdated systems exacerbate the problem by making it too easy to obtain a real ID at the DMV, with either legitimate or falsified information.

“In Houston, authorities have arrested three people accused of producing fake documents apparently destined for use in identity theft and fraud in Houston.

Harris County District Attorney Patricia Lykos said Monday that the suspects ran four fraudulent document businesses, including two operated out of a flea market.

Houston police and officials from the identity theft section of the district attorney’s office conducted the two-week operation. Undercover officers posing as customers were able to obtain IDs using real and fictitious names.

They confiscated Social Security cards and ID cards from Texas and other states.”

OMG! “including two operated out of a flea market” a FLEA MARKET!! The extent of the security of our nation’s identities is OPERATED OUT OF A FLEA MARKET!!!!!!!!!

USA Today reports that in the four years since Congress enacted the Real ID Act, which was intended to make it more difficult to obtain a fraudulent driver’s license, the act has languished due to opposition from several states. Real ID supporters say it will not only deter terrorism but also reduce identity theft, curb illegal immigration and reduce underage drinking, all by making the nation’s identification-of-choice more secure. Homeland Security Secretary Janet Napolitano is proposing the repeal of the Real ID Act.

However, “The May 10, 2011, deadline for full compliance remains in effect, and the department will continue to work closely with states to meet this deadline,” said Matt Chandler, deputy press secretary for the department. “However, Congress must act to address systemic problems with the REAL ID Act to advance our security interests over the long term.”

The fact is, identity theft is a big problem due to a systematic lack of effective identification and is going to continue to be a problem until further notice. In the meantime it is up to you to protect yourself. The best defense from new account fraud is identity theft protection.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano, identity theft speaker, discusses criminal hackers and identity theft on Fox News

Profile of a “REAL (Bad) HACKER HERE”


The wild, wild web never ceases to amaze me. My daily routine includes a tremendous amount of research, keeping me on top of what’s new in information and personal security. Every day, I spend about three hours simply “consuming” information via news alerts, feeds, and subscriptions, then breaking it down for others.

Recently, I was shocked to come across a website created by a self-declared “real hacker,” advertising his services.

“I SELL CCV2,tracks+ ATM PIN,FULLZ, BANK LOGIN, BANK TRANSFER… PRICE FOR CCV us (visa or master)= 2$ us (amex or dis)= 3$ uk (visa or master)= 4$ uk (amex or dis )= 6$ US Amex 3 $ UK master/visa 6$ All Our PayPa Acc Have Full Info And With Email Access and With All Security Answer . And With Orginal Ip And A Program For Fake Your System Ip To Orgina Ip For Full Access To PayPal Acc. Ebay Login : Fresh And Verified And Unlimited Ebay Account”

This guy is a “black hat hacker,” a carder selling stolen credit card data, referred to as “fullz” and “dumps.” His website includes live examples of his wares, including names, addresses, phone numbers, bank account numbers, credit card numbers, CCV2 numbers, PayPal account logins, you name it.

On his “Rates and Services” page, he states:

“We are a group of Ethical Hackers based in the Turkey but our staff comprises of Experienced hackers around the world, we have over the years strategically recruited the best hackers from the UK,USA,Russia,India,Philippians,Vietnam and Egypt.

Our policy is simple “making the world a better place by creating an equal balance” in other words, hack the rich and give to the poor, Robin Hood style :-)

The way we do this is to sell Carding Stuff and hacking softwares and tools at really cheap prices so that everyone can afford it and also be able to hack.You can definitely be a hacker with our new approach tutorial. We can offer you pre-written tutorials but we will also allocate you your own specialist hacker, who you can add to your yahoo messenger and will give you a more hands on approach by teaching you everything you want to know over instant messenging.

We are ethical hackers and here to help not make money, we only charge because of the cost,time and effort involved in the services and products we offer.

Enjoy your stay and we hope we can help. Thank you!! :-”

And on his “About Us“:

GOOD HACKER WITH GOOD PRODUCE HIEN_HACK IS A GOOD HACKER WITH FRESH PRODUCE…ALL STUFFS HAVE THEIR PRICE AND ALL STUFFS GOT GOOD LIMIT AND GOOD BALANCE..WE HAVE MANY SOFTWARE FOR HACKING STUFFS…HE IS A GOOD HACKER AND NEVER RIPP HATE RIPPERS IN IS LIST…HE DO GOOD DEAL FOR LONG ….WITH GOOD CUSTOMER WHO IS READY TO HAVE GOOD DEAL…ANY THING U NEED CONTACT HIM AND HE WILL HELP GET ANY STUFFS…HE DO BANK TRANSFER FOR REAL AND WESTERN UNION TRANSFER,GOT FRESH CC ETC…TRY HIM AND YOU WILL BE HAPPY OF HIM….IF U NEED HIM JUST GO TO IS CONTACT AND GET IS YAHOO ID OR EMAIL ADDRESS ALSO HE HAVE IS NUMBER THERE CONTACT HIM AND CALL HIM FOR GOOD DEAL OKAY..BE FAST SO THAT STUFFS WILL NOT GET FINISHED…..”

He and his band of delusional criminals have convinced themselves they are good and their victims are bad. Unfortunately, this is what we have to contend with. Hackers have been selling raw, stolen data to one another for a while now. But the fact that this type of underground activity is so prevalent that it’s begun showing up in my Google News Alerts is alarming, and indicates that it isn’t getting any better any time soon.

Most of the raw data being sold online is used for account takeover, but can also lead to new account fraud. In many cases, it’s your own computer that’s compromised, while other hacks target retailers or banks. Either way, you are ultimately responsible for the charges made in your name, unless you do something about it.

  1. Check your credit card statements often. Dispute unauthorized charges within 60 days to be made whole by the issuing bank.
  2. Anytime you receive a phish email asking for personal information, credit information, banking details, etc., do not enter it. Just hit delete. Often victims will receive an email from what looks like a trusted source but is actually a phish.
  3. Install and update antivirus protection. If your PC is infected with a virus that allows the remote control of your PC, a criminal can get all your important files.
  4. Check out my spyware killer. Even if your PC has spyware that logs your account information while you are typing in your browser, this software scrambles the data, making it useless to the thief.
  5. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  6. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)
Robert Siciliano Identity Theft Speaker discussing credit card and debit card fraud on CNBC

Expanding Internet Capabilities Makes U.S. IT More Vulnerable


The FBI considers the cyber threat against our nation to be one of the greatest concerns of the 21st century.

Steven R. Chabinsky is deputy assistant director of the cyber division of the Federal Bureau of Investigation. This article is sourced from GovInfoSecurity.com and was adapted from written testimony he delivered earlier this month to the Senate Judiciary Committee’s Subcommittee on Terrorism and Homeland Security.

“Despite the enormous advantages of the Internet, our networked systems have a gaping and widening hole in the security posture of both our private sector and government systems. An increasing array of sophisticated state and non-state actors have the capability to steal, alter or destroy our sensitive data and, in the worst of cases, to manipulate from afar the process control systems that are meant to ensure the proper functioning of portions of our critical infrastructure. Moreover, the number of actors with the ability to utilize computers for illegal, harmful, and possibly devastating purposes continues to rise.

When assessing the extent of the cyber threat, the FBI considers both the sophistication and the intent of our adversaries. The most sophisticated actors have the ability to alter our hardware and software along the global supply chain route, conduct remote intrusions into our networks, establish the physical and technical presence necessary to re-route and monitor our wireless communications, and plant dangerous insiders within our private sector and government organizations. The actors that currently have all of these capabilities – which is a finding that is distinct from whether and when they are using them – include multiple nation states and likely include some organized crime groups.

In the cyber realm, the technical positioning an adversary requires to steal data typically provides them with the very same access and systems administrator rights that could be used for destructive purposes. As a result, computer network exploitation – the ability of foreign spies to monitor our networks and steal our secrets – might simultaneously provide our enemies with pre-positioned capabilities to conduct computer network attack – the ability to deny, disrupt, degrade, or destroy our information, our networks, and the infrastructure services that rely upon them.

With respect to organized crime groups, financially motivated cyber crime typically does not involve acts of violence or network destruction. The exception to this generality however is extortion. Cyber criminals can threaten to hold entire networks, or more simply the data on them, hostage to their demands. Often, cyber criminals have the technical sophistication and access to make good on their threats, especially if an insider is involved.

The FBI has not yet seen a high level of end-to-end cyber sophistication within terrorist organizations. Still, the FBI is aware of and investigating individuals who are affiliated with or sympathetic to al-Qaeda who have recognized and discussed the vulnerabilities of the U.S. infrastructure to cyber attack, who have demonstrated an interest in elevating their computer hacking skills, and who are seeking more sophisticated capabilities from outside of their close-knit circles. Should terrorists obtain such capabilities, they will be matched with destructive and deadly intent.

In addition, it is always worth remaining mindful that terrorists do not require long term, persistent network access to accomplish some or all of their goals. Rather, a compelling act of terror in cyberspace could take advantage of a limited window of opportunity to access and then destroy portions of our networked infrastructure. The likelihood that such an opportunity will present itself to terrorists is increased by the fact that we, as a nation, continue to deploy new technologies without having in place sufficient hardware or software assurance schemes, or sufficient security processes that extend through the entire lifecycle of our networks.”

Take control. Protect your identity. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.


U.S. Cyber Challenge to Defeat Criminal Identity Theft


President Obama has chimed in with a directive to review the nation’s cyber security as it relates to security and our critical infrastructures.

CNN recently reported about the “U.S. Cyber Challenge” to find and develop 10,000 cybersecurity specialists to help the U.S. regain the lead in cyberspace. In its simplest form, the U.S. Cyber Challenge participants are white-hats in training who play a game called NetWars, which is an online version of Capture the Flag, with competitors vying to penetrate and take control of target computer systems and then protect them from other intruders.

Hackers in this contest range in age from 17 to 21, with perhaps little formal computer education, who nonetheless could contribute to the defense of the nation’s cyber-networks. In many cases, organizers of the U.S. Cyber Challenge say, hackers’ skills go unrecognized or unappreciated by those around them and sometimes even by themselves.

“Organizers say the competition is aimed at identifying young people with exceptional computer skills and inspiring them to join the country’s woefully understaffed ranks of cybersecurity specialists needed to protect systems used by the military, industry and everyday people.”

Unfortunately your security, or lack thereof, is in the hands of others. Take control. Protect your identity. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.


Russian Hackers Make Millions Breaching 7/11 and ATMs


It started simply, by hacking 7-Eleven’s public website using a SQL injection. SQL is an abbreviation of Structured Query Language, pronounced “Ess Que El” or “Sequel” depending on who you ask. This led to 7-Eleven’s main servers being compromised, which led to ATMs within 7-Eleven stores being hacked.

Wired reports

“The Russians, evidently using an SQL injection vulnerability, “gained unauthorized access to 7-Eleven, Inc.’s servers through 7-Eleven’s public-facing internet site, and then leveraged that access into servers supporting ATM terminals located in 7-Eleven stores,” the plea agreement reads. “This access caused 7-Eleven, Inc., on or about November 9, 2007, to disable its public-facing internet site to disable the unauthorized access.””
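For site owners wondering what an SQL injection flaw looks like in code, here is an added example (it is not from the original post or from Wired, and it is not 7-Eleven’s code): a store-locator lookup written the flawed way, with visitor input pasted into the SQL text, next to the parameterized and validated versions. The table, the rows and every function name are hypothetical and constructed for illustration.

```python
import re
import sqlite3


def build_db():
    """Constructed sample data: a tiny stand-in for the database behind a
    public-facing store locator. Table and rows are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE stores (
            id INTEGER PRIMARY KEY,
            zip TEXT, address TEXT, public INTEGER
        );
        INSERT INTO stores (zip, address, public) VALUES
            ('02108', '1 Constructed St', 1),
            ('02109', '2 Sample Ave', 1),
            ('00000', 'internal test location', 0);
    """)
    return db


def find_stores_concatenated(db, zip_code):
    """The flawed pattern: visitor input is pasted into the SQL text, so a
    quote character in the input changes the structure of the statement."""
    sql = ("SELECT address FROM stores WHERE public = 1 AND zip = '"
           + zip_code + "' ORDER BY id")
    return [row[0] for row in db.execute(sql)]


def find_stores_parameterized(db, zip_code):
    """The fix: the SQL text is a constant and the input is bound as a
    value, so it can only ever be compared against the zip column."""
    sql = "SELECT address FROM stores WHERE public = 1 AND zip = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (zip_code,))]


ZIP_RE = re.compile(r"\d{5}")


def find_stores_hardened(db, zip_code):
    """Parameterized query plus allow-list validation: anything that is not
    exactly five digits is rejected before it reaches the database."""
    if not ZIP_RE.fullmatch(zip_code):
        raise ValueError("zip code must be exactly five digits")
    return find_stores_parameterized(db, zip_code)


def demo():
    """Run the same two inputs through each version and collect the results."""
    db = build_db()
    odd_input = "x' OR '1'='1"  # constructed input that contains SQL syntax
    results = {
        "concatenated, normal input": find_stores_concatenated(db, "02108"),
        # The WHERE clause is rewritten by the input: every row comes back,
        # including the one marked non-public.
        "concatenated, odd input": find_stores_concatenated(db, odd_input),
        # Treated as a literal zip code that matches nothing.
        "parameterized, odd input": find_stores_parameterized(db, odd_input),
    }
    try:
        find_stores_hardened(db, odd_input)
    except ValueError as err:
        results["hardened, odd input"] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The same input that rewrites the concatenated query is harmless once it is bound as a parameter, which is why parameterized queries are the standard fix for this class of flaw.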

The investigation began with noticeable fraud at a Citibank followed by a stakeout and arrest. From there a traffic stop connected a mule to the rest and the name dropping began.

This is brilliant:

“Federal prosecutors in New York had by then charged three more people in the ATM-cashing conspiracy, including 32-year-old Ukrainian immigrant Yuriy Ryabinin, aka Yuriy Rakushchynets, and 30-year-old Ivan Biltse.

In addition to looting Citibank accounts, Ryabinin had participated in a global cybercrime feeding frenzy that tore into four specific iWire prepaid MasterCard accounts, issued by St. Louis–based First Bank,  in the fall of 2007. On Sept. 30 and Oct. 1 — just two days — the iWire accounts were hit with more than 9,000 actual and attempted withdrawals from ATM machines around the world, resulting in $5 million in losses.

At the time of the ATM capers, FBI and U.S. Secret Service agents had been investigating Ryabinin for his activities on Eastern European carder forums. Ryabinin used the same ICQ chat account to conduct criminal business, and to participate in amateur-radio websites. The feds compared photos of Ryabinin from some of the ham sites to video captured by New York ATM cameras in the Citibank and iWire withdrawals, and determined it was the same man — right down to the tan jacket with dark-blue trim.

When they raided Ryabinin’s home, agents found his computer logged into a carding forum. They also found a magstripe writer and $800,000 in cash — including $690,000 in garbage bags, shopping bags and boxes stashed in the bedroom closet. Another $99,000 in cash turned up in one of the safe-deposit boxes rented by Ryabinin and his wife, Olena. Biltse was also found with $800,000 in cash.

Ryabinin’s wife told investigators that she witnessed her husband “leave the couple’s house with bundles of credit cards in rubber bands and return with large sums of cash,” a Secret Service affidavit (.pdf) reads.”

This is all “account takeover.” All this money comes from the accounts of consumers who used ATMs at a convenience store and sometimes at a bank. Once the criminal gets your account data and PIN via the processor’s server, they then burn the data to a white card. There’s no way to protect yourself from this crime when the data is breached at the processor level.

Check your statements frequently, at least every week online. Some banks give less than a week to dispute unauthorized charges. Check with your bank to find out exactly what their time frame is if your account is compromised. Call the “claims” department and ask them, “What’s the cutoff date when making a claim?” My bank told me I can make a claim up to a year, but after 60 days there are federal regulations that limit their liability.

I asked my bank what their thoughts were on using a debit card and they said:

  1. Not to use it at a gas pump or a convenience store ATM where you enter your PIN.
  2. They suggested using it as a credit card and not as a debit card.
  3. Not to use it at their own branch after hours to withdraw cash due to skimming, which wasn’t new information to me, but I didn’t expect my bank to say that.

Unfortunately your security, or lack thereof, is in the hands of others. Take control. Protect your identity. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.


Robert Siciliano, identity theft speaker, discusses ATM skimming on NBC Boston

Craigslist ATM I bought Causes Industry Stir


Apparently I raised a hackle or two. Seems my little stunt got the attention of industry insiders, and not all of them believe that I bought a used ATM on Craigslist, which turned out to contain thousands of credit card numbers. Well, it did actually happen, and despite what many say, that the ATM couldn’t have contained 16-digit credit and debit card numbers on it, it did.

The most intense resistance to my experiment came from one Boston cop who watched me plant this thing in Downtown Crossing. He crossed his arms, glared at me, and when I walked away from the ATM, asked what I was doing. When I told him, he yelled for the women who were already using my ATM to stop, then took down my information while screaming at me. He later told me that his main concern was the possibility that the ATM might have contained a bomb!

According to ATMmarketplace.com, the ATM industry is braced for a backlash in the face of security concerns. There should be a backlash. We definitely need some regulation as to who can or can’t buy an ATM. And according to Mike Lee, the chief executive of the ATM Industry Association, “while ATMIA does not condone the auctioning of ATMs, online or otherwise, the association has little control over how they are sold.”

Personally, I think that the association needs to start establishing some control, and throwing your hands up in the air is lame. Both eBay and Craigslist have prohibited certain items. Why can’t I buy an old credit card off eBay, but I can buy an ATM with thousands of credit and debit card numbers on it? I can’t buy a “traffic signal control device” off eBay either, because someone recognized that, in the wrong hands, the device can wreak havoc.

James Phillips, director of North American sales for ATMGurus, a Triton company, says that “an ATM that has old software or one that retains card numbers does not provide enough information for the owner to compromise consumer accounts,” but that my experiment still “has the potential to be so damaging to the industry’s reputation.” First of all, a 16-digit number is enough to turn data into cash. Even without a PIN, the 16-digit number can be used to buy goods online, or encoded on a blank card to buy goods in a store. This is why Visa and MasterCard require new software to block out the numbers. Second, Jim, you’re right, this is damaging. So please, fix it, and don’t allow lame excuses. And my machine is a Triton 9100. She’s a beauty by the way. Works nice off a 12-volt car battery, too.

Wendy Amaral, an account manager at Nationwide Money Services, says that while it’s possible that some companies could provide processing without collecting the required background information about the ATM owner, Visa, MasterCard, and other financial institutions are firm about the rules, and that audits are unlikely but possible. I think “possible audits” sounds like another cop-out. For those of us who use ATMs, the idea that we are protected by “possible audits” is a slap in the face.

George McQuain, chief executive of ATM ISO Global Axcess Corp., which provides ATM processing, says he’s skeptical that I was able to set up my ATM for processing without a background check or even any questions. I haven’t revealed the processors who agreed to set up my ATM because they seemed to be small shops, and I don’t intend to destroy their livelihoods in my attempt to point out the inadequacy of the industry’s regulations. But the first processor set me up over the phone, and all I had to do was fill out a PDF and fax it back. The second showed up to my house in a pickup truck to service the ATM in my garage.

McQuain also says that it is rare for an ATM to have such outdated software that it would allow the owner to print so much customer information. But it was easy for me to find one. And even when they are replaced with newer models, where do they go? Where does the data go? I’ll tell you. On Craigslist, and then to the criminals.

There have been tons of reports on my story:

You can protect yourself from these types of scams by paying attention to your statements. Refute unauthorized transactions within 60 days. Consider never using a debit card again, since credit cards are safer. When using an ATM, pay close attention to details, and look for anything that seems out of place. If your card gets stuck in the machine or you notice anything odd about the appearance of the machine, such as wires, double-sided tape, error messages, a missing security camera, or the machine seems unusually old and run down, don’t use it. Don’t use just any ATM. Instead, look for ATMs in more secure locations. Cover your PIN! And invest in Intelius Identity Theft Protection and Prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. “Disclosures”

Robert Siciliano Identity Theft Speaker rolling an ATM around on Fox

Lack of Laptop Security Leads to Identity Theft

Robert Siciliano Identity Theft Expert

In 2003, an estimated 1.5 million laptops were stolen worldwide. Today, that number has climbed to 2.6 million. That’s a 70% increase in just a few years. That’s one stolen laptop every 12 seconds.

Laptop computers have been the source of some of the biggest data breaches of all time. 800,000 doctors were recently put at risk for identity theft when a laptop containing their personal data went missing from the Chicago-based Blue Cross and Blue Shield Association.

As the years pass, laptop prices come down and their computing power goes up, making them increasingly vulnerable.

According to yet another interesting Ponemon Institute study, more than half of IT and security professionals worldwide believe their companies’ laptops and other mobile devices pose security risks, and only half of them have CEOs who are strong advocates and supporters of data security efforts. Kelly Jackson Higgins’ article at Dark Reading gives a good summary of these findings.

In the United States specifically, the situation is even worse, with only 40% of IT and security pros believing their CEOs to be security supporters. When it comes to compliance with regulations, “US firms were also less inclined to consider compliance helpful to security of their endpoints.”

This report is both quite troubling and yet unsurprising. It models the philosophies that produce what we see in the real world: data breaches are quite commonplace, decent security is quite achievable, and most businesses just don’t really care, at least until they learn the hard way. It’s akin to a widespread lack of interest in wearing seat belts, with only those who experience accidents deciding that, sure enough, it’s not very hard to buckle a seat belt and the benefits are enormous.

Many businesses have a department, or at least a group or individual, that handles security. (Note that the report also exposes a woeful lack of collaboration with this section of the business.) Yet “the security department,” or the IT department in general, tends to find that upper management just doesn’t “buy in” with security efforts.

Dan Yost, Chief Technology Officer of MyLaptopGPS, states, “It seems good to let the upper management take a serious fall when (not if) breaches happen. They choose not to support the buckling of seat belts, because it’s ‘not important’ or at least not a priority. It’s only fair that their necks be on the line during the next ‘accident’.”

Unfortunately, your security, or lack thereof, is in the hands of others. Take control. Protect your identity. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano, identity theft speaker, discusses Laptop Security on The Today Show.