Social Security Numbers Cracked, Creates Identity Theft Risk

Robert Siciliano Identity Theft Expert

SearchSecurity.com reports that researchers at Carnegie Mellon University have developed a reliable method to predict Social Security numbers using information from social networking sites, data brokers, voter registration lists, online white pages and the publicly available Social Security Administration’s Death Master File.

Originally, the first three numbers on a Social Security card represented the state in which a person had initially applied for their card. Numbers started in the northeast and moved westward. This meant that people on the east coast had the lowest numbers and those on the west coast had the highest. Before 1986, people were rarely assigned a Social Security number until age 14 or so, since the numbers were used for income tracking purposes.

The Carnegie Mellon researchers were able to guess the first five digits of a Social Security number on their first attempt for 44% of people born after 1988. For those in less populated states, the researches had a 90% success rate. In fewer than 1,000 attempts, the researchers could identify a complete Social Security number, “making SSNs akin to 3-digit financial PINs.” “Unless mitigating strategies are implemented, the predictability of SSNs exposes them to risks of identify theft on mass scales,” the researchers wrote.

While the researchers work is certainly an accomplishment, the potential to predict Social Security numbers is the least of our problems. Social Security numbers can be found in unprotected file cabinets and databases in thousands of government offices, corporations and educational institutions. Networks are like candy bars – Social Security numbers can be hacked from outside the hard chocolate shell or from the soft and chewy inside.

The problem stems from that fact that our existing system of identification is seriously outdated and needs to be significantly updated. We rely on nine digits as a single identifier, the key to the kingdom, despite the fact that our Social Security numbers have no physical relationship to who we actually are. We will only begin to solve this problem when we incorporate multiple levels of authentication into our identification process.

The process of true and thorough authentication begins with “identity proofing.” Identity proofing is a solution that begins to identify, authenticate and authorize. Consumers, merchants, government don’t just need authentication. We need a solution that ties all three of these components together.

Jeff Maynard, President and CEO of Biometric Signature ID, provides a simple answer to a complicated issue in four parts:

Identify – A user must be identified when compared to others in a database. We refer to this as a reference identity. A unique PIN, password or username is created and associated with your credential or profile.

Authenticate – Authentication is different than verification of identity. Authentication is the ability to verify the identity of an individual based specifically on their unique characteristics. This is known as a positive ID and is only possible when using a biometric. A biometric can be either static or dynamic (behavioral). A static biometric is anatomical or physiological, such as a face, a fingerprint or DNA. A dynamic biometric is behavioral, such as a signature gesture, voice, or possibly gait. This explains why, when authentication solutions incorporate multiple factors, at least two of the following identifiers are required: something you have, such as a token or card, something you are, meaning a biometric identifier, and something you know, meaning a pin or password.

Verify – Verification is used when the identity of a person cannot be definitely established. These technologies provide real time assessment of the validity of an asserted identity. When we can’t know who the individual is, we get as close as we can in order to verify their asserted identity. PINs, passwords, tokens, cards, IP addresses, behavioral based trend data and credit cards are often used for verification. These usually fall into the realm of something you have or something youknow.

Authorize – Once the user has passed the identification test and authenticated their identity, they can make a purchase or have some other action approved. Merchants would love to have a customer’s authenticated signature to indicate his or her approval of a credit card charge. This is authorization.

Effective identification results in accountability. It is being achieved in small segments of government and in the corporate world, but not systematically. Unfortunately, we are years away from full authentication.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius Identity Theft Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Includes;
Personal Identity Profile – Find out if you’re at risk for identity theft with a detailed report of your identity information, including a current credit report, address history, aliases, and more.

24/7 Identity Monitoring and Alerts – Prevent identity theft with automatic monitoring that scans billions of public records daily and alerts you to suspicious activity.

Identity Recovery Assistance – Let professionals help you recover your identity if you ever become a victim of identity theft.

Robert Siciliano Identity Theft Speaker discussing identity theft

Identity Theft Expert; Fake IDs are as easy as 1,2,3

Robert Siciliano Identity Theft Expert

Do an online search for “fake ids” and you’ll be amazed to discover how easy it can be to obtain an ID allowing you to pose as someone else. Or how easy it can be for someone else to obtain an ID that will allow him or her to pose as you. Some websites peddle poor quality cards, others offer excellent quality, and many websites are simply scams.

The fact is, our existing identification systems are insufficiently secure, and our identifying documents are easily copied. Anyone with a computer, scanner and printer can recreate an ID. Outdated systems exasperate the problem by making it too easy to obtain a real ID at the DMV, with either legitimate or falsified information.

Another glitch is the potential for individuals to completely alter their appearances. Men with facial hair can wreak havoc on the current system. This is sometimes done as a prank. In other cases, the individual is attempting to subvert the system to maintain a degree of anonymity. New technologies, such as facial recognition, should eventually resolve some of these problems, but they are still years away from being fully implemented.

In Indianapolis, Indiana, a man was able to obtain six different IDs. He accomplished this by visiting various different registries throughout the state and using borrowed names and stolen information. He obtained job applicant data from a failed body shop business he had owned. He used the false identities to open checking accounts at multiple banks and write fraudulent checks to himself.  He was caught while applying for his seventh ID, thanks to facial recognition software. But it is disturbing to know that he was able to acquire six different identities, all stolen from real people, without detection. It was a bank employee who eventually noticed that he had two different bank accounts under two different names. If the man hadn’t been so greedy, he would have gotten away with it.

In Indianapolis and other registries the daily photos are compared to millions of others already on file. The system constantly scans the data and presents cases that might match, requiring further investigation by registry employees.

Some of the requirements of improving facial recognition include not smiling for your picture or smile as long as you keep your lips together. Other requirements meant to aid the facial recognition software include keeping your head upright (not tilted), not wearing eyeglasses in the photo, not wearing head coverings, and keeping your hair from obscuring your forehead, eyebrows, eyes, or ears.

The fact is, identity theft is a big problem due to a systematic lack of effective identification and is going to continue to be a problem until further notice. In the meantime it is up to you to protect yourself. The best defense from new account fraud is identity theft protection.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name.

2. Invest in Intelius Identity Protect. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.
Includes;

Personal Identity Profile – Find out if you’re at risk for identity theft with a detailed report of your identity information, including a current credit report, address history, aliases, and more.

24/7 Identity Monitoring and Alerts – Prevent identity theft with automatic monitoring that scans billions of public records daily and alerts you to suspicious activity.

Identity Recovery Assistance – Let professionals help you recover your identity if you ever become a victim of identity theft.

Robert Siciliano Identity Theft Speaker discussing identity theft

Judge Rules; It is legal to post Social Security numbers on Web sites

Robert Siciliano Identity Theft Expert

B.J. Ostergren is a proud Virginian. She’s known as “The Virginia Watchdog,” but I like to call her “The Pit Bull of Personal Privacy.” She is relentless in her efforts to protect citizens’ privacy, and she is primarily concerned with the posting of personal information online. So in order to make this point, she finds politicians’ personal information on their own states’ websites, and republishes that information online.

Publicly appointed government employees known as Clerks of Courts, County Clerks or Registrars are responsible for handling and managing public records, including birth, death, marriage, court, property and business filings for municipalities. Every state, city and town has its own set of regulations determining how data is collected and made available to the public.

The Privacy Act of 1974 is a federal law that establishes a code of fair information practices governing the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.

Over the years, many have interpreted this law to allow public information, including Social Security numbers, to be posted online. I’ve seen Social Security numbers for Jeb Bush, Colin Powell, former CIA Director Porter Goss, Troy Aiken, and Donald Trump, all published on the Internet.

Years ago, B.J. discovered that several states, including her home state of Virginia, were posting our records online, and she immediately saw how this could contribute to identity theft. She has downloaded as many as 22,000 Social Security numbers from deeds, mortgages, tax liens from the websites of circuit courts, registers of deeds and secretaries of state. She made a concerted effort to inform each agency that what they were doing was unethical, at the very least, and possibly even criminal. But she was often rebuked. That’s when she decided to fight back. When government agencies stopped listening, she started posting politicians’ personal information on her own website, “The Virginia Watchdog.” This certainly attracted the attention of officials, but it also created a backlash against her.

Some states resolved the issue by redacting the Social Security numbers, but Virginia did not. B.J. persisted in informing them of the problem and, as the Richmond Times Dispatch put it, “the state decided that the person who brought the problem to their attention was the problem.”

A 2008 Virgina state law prohibited disseminating information taken from public records, and thus, prohibited B.J. from posting publicly available information on her own website. So legally, it was okay for the County Clerk to do it, but nobody else was allowed. U.S. District Court Judge Robert E. Payne recently ruled that this 2008 state law is a violation of First Amendment rights. It’s a win for B.J., but this doesn’t resolve the initial privacy issue.

So how does this impact you? This means that while you can do everything possible to protect yourself from fraud and identity theft, your local government may be circumventing your security efforts by posting your personal data online. B.J.’s fight has led to the resolution of some issues and prompted some states to redact data, but the battle is far from over.

Visit B.J.’s site, The Virginia Watchdog, to become more informed about one woman’s quest to point out what’s wrong and to fight for what’s right.

Next, protecting yourself from new account fraud requires a credit freeze, or setting up your own fraud alerts. This provides an extra layer of protection. In most cases it prevents the opening of new credit.

Consider making an investment in Intelius Identity Protect. Because when all else fails you’ll have someone watching your back. Includes a Free Credit Report, SSN monitoring, Credit & Debit Card monitoring, Bank Account monitoring, Email fraud alerts, Public Records Monitoring, Customizable “Watch List”, $25,000 in ID theft insurance, Junk Mail OptOut and Credit Card Offer OptOut.

Robert Siciliano Identity Theft Speaker discussing availability of Social Security numbers

Identity Theft Credit Card Security

Robert Siciliano Identity Theft Expert

Credit card fraud comes in two different flavors: account takeover and new account fraud. Account takeover occurs when the identity thief gains access to your credit or debit card number through criminal hacking, dumpster diving, ATM skimming, or perhaps you simply hand it over when paying at a store or restaurant. Technically, account takeover is the most prevalent form of identity theft. I’ve always viewed it as simple credit card fraud, rather than “identity theft” in its truest sense.

New account fraud, as it relates to credit cards, occurs when someone gains access to your personal identifying information, including your name, address and, most importantly, your Social Security number. With this data, a thief can open a new account and have the card sent to a different address. This is true identity theft. Once the identity thief receives the new card, he or she maxes it out and doesn’t pay the bill. Over time, the creditors track down the victim, blame him or her for the unpaid bills, and demand the owed funds. New account fraud destroys the victim’s credit and is a mess to clean up.

Victims of account takeover are likely to discover the fraud in numerous ways. They may notice suspicious charges on a credit card statement, or the credit card company may notice charges that seem unusual in the context of the victim’s established spending habits. Credit card companies have anomaly detection software that monitors credit card transactions for red flags. For example, if you hand your credit card to a gas station attendant in Boston at noon, and then a card present purchase is made from a tiny village in Romania one hour later, a red flag is raised. Common sense says you can’t possibly get from Boston to Romania in one hour. The software knows this.

Victims of account takeover only wind up paying the fraudulent charges if they don’t detect and report the crime within 60 days. A 6o day window covers two billing cycles, which should be enough for most account-conscious consumers who keep an eye on their spending. During that time, you are covered by a “zero liability policy,” which was invented by credit card companies to reduce fears of online fraud. Under this policy, the cardholder may be responsible for up to $50.00 in charges, but most banks extend the coverage to charges under $50.00. After 60 days, though, you are out of luck. So pay attention to your statements. As long as you do, account takeover should not hurt you financially.

But new account fraud is another story entirely – one that can and will hurt you if you don’t protect yourself. You may not be held financially responsible for the charges themselves, but you will pay in time, and time is money. In some cases you may pay lawyers or private investigators, or you may need to take time off from work, depending on how dire your credit situation becomes. Identity theft victims have been denied credit due to the unpaid debts in their names, and have missed opportunities to purchase homes as a result.

Protecting yourself from account takeover is relatively easy. Simply pay attention to your statements every month and refute unauthorized charges immediately. I check my charges online once every two weeks. If I’m traveling extensively, especially out of the country, I let the credit card company know ahead of time, so they won’t shut down my card while I’m on the road.

Protecting yourself from new account fraud requires more effort. You can attempt to protect your own identity, by getting yourself a credit freeze, or setting up your own fraud alerts. There are pros and cons to each.

Robert Siciliano Identity Theft Speaker discussing identity theft hackers

TJX Identity Theft Costs Another 10 million, Protect Yourself from WarDriving

Robert Siciliano Identity Theft Expert

Most people are familiar with the TJX data breach, in which 45 million credit card numbers were stolen. TJX recently agreed to pay $9.75 million to 41 states to settle an investigation of the massive data breach. According to some reports, TJX has spent up to $256 million attempting to fix the problem that led to the breach.

It’s been said repeatedly that the criminal hackers responsible for the breach were sitting in a car outside a store when they stumbled across a vulnerable, unprotected wireless network using a laptop, a telescope antenna, and an 802.11 wireless LAN adapter. This process is called “Wardriving.”

WiFi is everywhere. Whether you travel for business or simply need Internet access while out and about, your options are plentiful. You can sign on at airports, hotels, coffee shops, fast food restaurants, and now, airplanes. What are your risk factors when accessing wireless? There are plenty. WiFi wasn’t born to be secure. It was born to be convenient. As more sensitive data has been wirelessly transmitted over the years, the need for security has evolved. Today, with criminal hackers as sophisticated as they ever have been, wireless communications are at an even higher risk.

When setting up a wireless router, there are two different security techniques you can use. WiFi Protected Access is a certification program that was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy. Wired Equivalent Privacy was introduced in 1997 and is the original form of wireless network security. Wireless networks broadcast messages using radio and are thus more susceptible to eavesdropping than wired networks.

It’s one thing to access your own wireless connection from your home or office. It entirely another story when accessing someone else’s unprotected network. Setting up a secure WiFi connection will protect the data on your network, for the most part, but if you’re on someone else’s network, secured or unsecured, your data is at risk. Anyone using an open network risks exposing their data. There are many ways to see who’s connected on a wireless connection, and gain access to their data.

There are a few things you should do to protect yourself while using wireless. Be smart about what kind of data you transmit on a public wireless connection. There’s no need to make critical transactions while sipping that macchiato.

Don’t store critical data on a device used outside the secure network. I have a laptop and an iPhone. If they are hacked, there’s nothing on either device that would compromise me.

Install Hotspot Shield. A free ad supported program, Hotspot Shield protects your entire web surfing session by securing your connection, whether you’re at home or in public, using wired or wireless Internet. Hotspot Shield does this by ensuring that all web transactions are secured through HTTPS. They also offer an iPhone application. There are fee based programs, including Publicvpn.com and HotSpotVPN, which can create a secure “tunnel” between a computer and the site’s server.

Turn off WiFi and blue tooth on your laptop or cell phone when you’re not using them. An unattended device emitting wireless signals is very appealing to a criminal hacker.

Beware of free WiFi connections. Anywhere you see a broadcast for “Free WiFi,” consider it a red flag. It’s likely that free WiFi is meant to act as bait.

Beware of evil twins. These are connections that appear legitimate but are actually traps set to snare anyone who connects.

Keep your antivirus and operating system updated. Make sure your anti-virus is automatically updated and your operating systems critical security patches are up to date.

Invest in Intelius Identity Protect. Because when all else fails you’ll have someone watching your back. Includes a Free Credit Report, SSN monitoring, Credit & Debit Card monitoring, Bank Account monitoring, Email fraud alerts, Public Records Monitoring, Customizable “Watch List”, $25,000 in ID theft insurance, Junk Mail OptOut and Credit Card Offer OptOut.

Robert Siciliano identity theft speaker discussing criminal wireless hack

Insider Identity Theft Poses Major Threats

Robert Siciliano Identity Theft Expert

A Boston woman has been indicted for allegedly stealing at least 34 identities, which she was able to access from her workplace, a medical cost-management firm.

“This was an extensive scheme in which the defendant used her access to the victims’ personal identifying information as a means to steal their identities, obtain credit cards in their names without their knowledge, and then use those credit cards to make purchases for her own personal gain,” said the local District Attorney. “The defendant had access to a large database of health care professionals that contained their personal information.”

State police learned of the fraud when a physician discovered that a credit card had been set up in her name and sent to a P.O. Box in Lowell, Massachusetts. Further investigation by postal inspectors revealed that other cards had also been sent to this P.O. Box. If convicted, she could face up to 75 years in state prison for 15 counts of grand larceny, 100 years for 20 counts of credit card fraud, 55 years for 22 counts of identity theft, and 20 years in for being a “common and notorious thief.”

As much as 70% of all identity theft is committed by someone with inside access to organizations such as corporations, banks or government agencies, or simply someone who has an existing relationship with the victim. People with access to sensitive personal data are most likely to commit identity theft. For many, it’s just too easy not to.

An identity thief begins by acquiring a target’s personal identifying information: name, Social Security number, birth date and address, in that order. If the thief has regular access to a database, he can simply copy and paste the information into an online credit application, or hand write the information on a paper credit card application.

Many credit applications request current and previous addresses. So the thief fills out the victim’s current address as “previous” and plugs in a new address, usually a P.O. Box or the thief’s own address, where the new credit card will be sent. I’m amazed that a lender or credit card company can be careless enough to send a new credit card to a relatively anonymous P.O. Box. The lender just checks the victim’s credit and, since everything matches, no red flags pop up. The card is issued and the fun begins.

Once the thief receives the new card, he or she activates it from a throwaway cell phone. The next step is to either use the card to withdraw as much cash as possible from an ATM, or max it out with charges and then resell the stolen goods through classified ads or online auctions. If the thief is suffering from a drug addiction, it can be impossible to stop this cycle, because stealing identities goes hand in hand with addictive behavior. It’s like gambling. Thieves get a high or a rush when they feel they’re beating the system.

In the case of the Boston woman mentioned above, most people’s first response would be a determination that her employer should have done more to protect the data. There are numerous technologies that monitor, manage, control and restrict who has access to sensitive information. Today, these technologies are being deployed more often than ever before, due to various regulatory issues. However, regardless of what technologies are deployed, all you need to open a file cabinet is a key, if the cabinet is even locked in the first place. So how do you protect yourself when someone has full access to all your information?

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name.
2. Invest in Intelius Identity Protect. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Includes;
Personal Identity Profile – Find out if you’re at risk for identity theft with a detailed report of your identity information, including a current credit report, address history, aliases, and more.

24/7 Identity Monitoring and Alerts – Prevent identity theft with automatic monitoring that scans billions of public records daily and alerts you to suspicious activity.

Identity Recovery Assistance – Let professionals help you recover your identity if you ever become a victim of identity theft.

Robert Siciliano Identity Theft Speaker discussing identity theft

Identity Theft Ring Pickpockets Caught by Feds

Identity Theft Expert Robert Siciliano

If there were a “criminal hall of fame,” with an award bestowed on the “coolest” criminal, it would have to be a pickpocket. Pickpockets are sneaky, devilish creatures who function exactly one degree below the radar.

Pickpockets whisper through society, undetected and undeterred. They are subtle and brazen at the same time. They are  like a bed bugs, crawling on you and injecting a numbing venom that prevents you from detecting their bite until it’s much to late. They aren’t violent like a drug crazed mugger or confrontational like a stick up robber. They have much more gumption than any criminal hacker because they don’t hide under the anonymity of the Internet.

One second is all a pickpocket needs. A brief diversion, a quick move, and before you can take a breath, your wallet is gone.

Pickpocketing is one of the oldest criminal professions, and is still very prevalent in Europe. Their target? Clueless Americans. Americans just aren’t as aware of pickpockets, since it isn’t as prevalent here.

One victim’s story: “My wife and I were at a Paris Metro station where the loudspeakers were blaring, ‘WARNING. THERE ARE PICKPOCKETS PRESENT AT THIS STATION.’ We got on the crowded subway. A woman stayed half on and half off, blocking the door. At the same time, another woman was bumping against me, indicating that she needed to get off. She got past me and she and her friend exited the train, allowing the door to close. As she did, I realized that my cash (about $120) was gone from my pocket. As we pulled away, I watched the two women at the station, smiling and waving at me.”

Pickpockets’ greatest advantage is the fact that most people don’t believe it can happen to them. Including me.

Years ago, I met this cat named Gene Turner at a convention. A great guy who has the skills of a real pickpocket, but uses his abilities to inform, educate and entertain people. I told him to get Pickpocket.com, which he did. I should get a slice of that action! Real nice guy, very personable. He introduced himself to me by – without me knowing – taking my watch off my left wrist. Then asked me what time it was. I looked at my left wrist, no watch. He pointed to my right arm, where he re-fastened it. Freaked me out.

Gene says, “Personally, I get ‘caught’ maybe once out of a thousand times when I’m lifting a watch. And usually it’s either a really difficult watch or I’m taking it from the same person for the third or fourth time. I have always said a good pickpocket could pick me clean and I would never feel it. Even the best multi-tasker can be distracted, and it only takes a split second of distraction to become a victim. I have lifted watches from and put watches on many magicians, security people and yes, even other pickpockets, without their knowledge.”

Wired reports that pickpockets have upped the ante: “Feds Swoop In on Nationwide Pickpocket, I.D. Theft Ring.” The suspects, using a novel and high-tech strategy, allegedly stole the identities and bank account information from victims nationwide through pickpocketing and other means. The ring allegedly traveled around the country to crowded events, targeting sports fans in particular. Often, they worked in teams, in which one person distracts the victim and the other lifts the victim’s wallet.

How to protect yourself:

1. Be wary of someone yelling, “There’s a pickpocket in the crowd.”

Gene says, “I use this ploy a lot in my show. When people find out that I can pick pockets, the men check for their wallets and the women will check for their jewelry in the order of value – most expensive first. Their actions clue me as to exactly where the wallets and valuable jewelry are located.”

A man in a business suit has four pants pockets and six to eight pockets in the jacket. His wallet, cash and credit cards could be in any one of ten or more pockets. Pickpockets don’t usually have time to search all ten, but if they see you check your pocket when you read the sign, they now know the exact location. If you think there are pickpockets around or you see a sign, don’t be obvious about checking for your wallet or valuables.

2. Don’t display money or valuables in public.

Flashing your money will get you more attention than you want. Pickpockets will notice where you stash the cash and one bump later, you’ll be left with an empty pocket.

3. Be aware of your surroundings.

Especially in crowded places, bumps, commotions, and aggressive people are the typical distractions pickpockets use. Sometimes a person will fall down, drop something or appear to be ill, and we rush in to help. That’s great and I recommend it, but it may be a diversion. If you’re helping a stranger, make sure someone you trust is watching your valuables. Sidewalks, malls, bus terminals, airports, train stations, in any type of crowd it is extremely important to be aware of your surroundings. Pickpockets are counting on you paying attention to everything except for your wallet or purse.

4. Don’t carry valuables in a backpack or fanny pack.

Anyone can reach into a backpack without you seeing or feeling. Fanny packs, if worn, should only be worn in front. Keep in mind that that won’t prevent a thief from undoing it or slashing the belt and getting away with it. If you do wear a fanny pack, make sure the buckle is near the pouch in front, so a pickpocket would have a more difficult time getting to the latch without your knowledge. It is not uncommon for a pickpocket to use a razor blade to slice through a bag and reach in.

5. Thin out your wallet.

Ultimately, they may still get your wallet. And when they do, you need to be prepared to respond to the fallout. The best protection is to not carry anything of value. There is no need to carry documents containing Social Security numbers, passwords, account numbers, birth certificates or anything that could lead to new account fraud. I carry a drivers license, credit card and a Costco card. Think of it this way: if your wallet were lost or stolen, would you feel like throwing up? If so, you have too much stuff in there.

6. Make copies.

For those of you that have to carry lots of stuff for various reasons, please make a photocopy, front and back, of every document in your wallet. Keep those photocopies in a secure place. If your wallet goes missing, you will have everything you need to close the existing cards and get new ones. Plus, it doesn’t hurt as much when you can see a copy of the missing cards.

7. Use anti-check washing pens.

Wallets often contain checkbooks. Check fraud is a billion dollar problem. Check washing occurs when criminals use nail polish remover to scrub out the payee and dollar amount, and rewrite checks to themselves for increased  amounts. With a uni-ball anti-check washing gel pen, you can prevent your checks from being washed.

8. Protect your identity
Invest in intelius identity theft protection and prevention services. Even if your wallet is squeaky clean, your data may be found in your banks dumpster or be hacked. Which is why you also must protect your computer by having the latest McAfee anti-virus and spyware protection.

Robert Siciliano Identity Theft Speaker discussing identity theft ring busted

P2P on Your PC Equals Identity Theft

Robert Siciliano Identity Theft Speaker

Peer to peer file sharing is a great technology used to share data over peer networks.  It’s also great software to get hacked.

The House Committee on Oversight and Government Reform is responding to reports that peer to peer file sharing allows Internet users to access other P2P users’ most important files, including bank records, tax files, health records, and passwords. This is the same P2P software that allows users to download pirated music, movies and software.

What’s interesting is that they didn’t already realize this was going on. Most of the committee members probably have kids, and their own home PCs probably have P2P software installed.

An academic from Dartmouth College found that he was able to obtain tens of thousands of medical files using P2P software. In my own research, I have uncovered tax returns, student loan applications, credit reports and Social Security numbers. I’ve found family rosters which include usernames, passwords and Social Security numbers for entire family. I’ve found Christmas lists, love letters, private photos and videos (naughty ones, too) and just about anything else that can be saved as a digital file.

Installing P2P software allows anyone, including criminal hackers, to access your data. This can result in data breaches, credit card fraud and identity theft. This is the easiest and, frankly, the most fun kind of hacking. I’ve seen reports of numerous government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked.

Blueprints for President Obama’s private helicopters were recently compromised because a Maryland-based defense contractor’s P2P software had leaked them to the wild, wild web.

The House Committee on Oversight and Government Reform sent letters to the Attorney General and FTC Chairman, asking what the Department of Justice is doing to prevent the illegal use of P2P. Which is kind of ridiculous, because it’s not illegal to use P2P programs. Even if it were made illegal, P2P file sharing is a wild animal that can’t be tamed.

The letter also asks what the government is doing to protect its citizens. Okay. I’ve sat with both the FTC and the DoJ. These are not dumb people. I‘ve been very impressed by how smart they are. They know what they are doing and they see the major issues we face. But they are not in a position to prevent an Internet user from installing a free, widely accessible software, and subsequently being stupid when setting it up and unintentionally sharing their C-drive with the world. No government intervention can prevent this. The House Committee on Oversight and Government Reform should focus more on educating the public about the use of P2P file sharing.

Politicians are most likely being lobbied and funded by the recording and motion picture industries to put pressure on the providers of such software. Letters and government noise will not do anything to stop file sharing. While there have been plenty of witch hunts leading to prosecutorial victories, the public will always be vulnerable. It is up to us, as individuals, to protect ourselves.

  • Don’t install P2P software on your computer.
  • If you aren’t sure whether a family member or employee has installed P2P software, check to see whether anything unfamiliar has been installed. A look at your “All Programs Menu” will show nearly every program on your computer. If you find an unfamiliar program, do an online search to see what it is you’ve found.
  • Set administrative privileges to prevent the installation of new software without your knowledge.
  • If you must use P2P software, be sure that you don’t share your hard drive’s data. When you install and configure the software, don’t let the P2P program select data for you.

Robert Siciliano Identity Theft Speaker video hacking P2P getting lots of fun data.

Credit card fraud is Americans number one concern

Identity theft Expert Robert Siciliano

A recent study conducted by the Unisys Corporation shows that identity theft as it pertains to credit card fraud is Americans’ number one concern.

When people ask me, “How do I protect myself from credit card fraud?” I tell them, “Cancel the card, or never use it.” Because that’s the only way.

Personal security (as it pertains to violence) and national security have always been a concern. However, this new study shows that people are more concerned with fraud, and the risk of having their savings depleted by scammers. Not so hard to believe, what with the number of data breaches, and the Madoffs of the world fleecing their unsuspecting investors.

75% of Americans feel that the recession has increased their chances of being victimized by criminal hackers and thieves. Most are also concerned their “private” information on a corporate or bank network may be compromised.

FBI’s Internet Crime Complaint Center’s 2008 Annual Report determined that online fraud increased by 33.1% last year. Dollar losses resulting from online fraud increased to $265 million.

Overall, these concerns are valid, due to flaws in the system of issuing credit that facilitate new account fraud. Furthermore, account takeover requires nothing more than access to credit card numbers, which are available in hacked databases or susceptible every time you hand your card over to a gas station attendant.

Viruses in spam or phishing emails continue to plague consumers and as scammers get more sophisticated, the chances of getting hooked increase.

Banks and business will continue to feel the pressure as criminals target their clients’ data.

Credit card skimming at ATMs and gas pumps makes it impossible to protect yourself when you could essentially be handing your digits over to a criminal.

Skimming is one of the financial industry’s fastest-growing crimes, according to the U.S. Secret Service. The worldwide ATM Industry Association reports over $1 billion in annual global losses from credit card fraud and electronic crime associated with ATMs.

Marite Ferrero, a blogger with Finextra, adds, “In Europe, the points of compromise are everywhere: ATM, gas pumps, parking, DVD rentals, movie tickets, food kiosks, tolls, buying metro tickets, and the list goes on… Because of chip and pin implementation, the proliferation of stand-alone terminals that accept chip and pin has provided a profitable playground for fraudsters.”

While the card holder is generally only responsible for the first $50.00 in losses, which is often waived by a “zero liability policy,” card holders who don’t pay attention to their statements often let these charges pass and eat them.

There are many technologies available to secure credit cards, such as “smart cards” and “chip and pin.” However, due to the nature of a credit card transaction, once the data leaves the card, it’s up for grabs. Whatever card security their may have been is now gone.

Check your credit and banking statements carefully. Scrutinize every charge and refute any unauthorized charges within 30-60 days. Call your bank or credit card company immediately if you see any fraudulent activity.

Invest in identity theft protection. Credit freezes or fraud alerts help prevent new account fraud. Protect your PC with McAfee, or other Internet security software.

Robert Siciliano, identity theft speaker, discusses credit card fraud.

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information.

Identity Theft Expert; Conficker Virus Countdown

Robert Siciliano Identity Theft Speaker

News of Conficker out of control then under control is everywhere.

60 minutes reports on everything we have discussed in these posts. Main stream media has recognized the Internet has a cancerous virus and is infected. Criminal hackers are creating viruses infecting webpages in record numbers all in the name of money.

Security professionals are losing sleep as they race against the bad guys in anticipation of the next big breach.

Conficker is big news as its infecting mainly corporate networks at an astonishing estimated 10-12 million PCs and this sleeper cell is set to get its next set of updates April 1st.

Like Al Queda operatives living amongst us, cyber terrorists waiting for their next communiqué from a remote cave, Conficker waits to strike.

Nobody knows what’s going to happen April Fools, but security professional have a plan. Do you?

By all accounts Conficker has the potential capacity to steal data or launch a massive denial of service attack which encompasses massive amounts of data, flooding the Net, bogging down mainframe servers that distribute data to our inboxes.

60 Minutes used the example of what I did on CNN describing a Facebook hack and used a Morley Safer Facebook account that may be hacked with Conficker and begins to send messages to Morleys friends. Then Leslie Stahl who is a Morely “friend” receives an email looking like it’s from Morelys Facebook account to click a video. That video has a destructive payload that infects Leslies machine and the virus replicates itself to Leslies contacts.

Now Morelys PC has a virus that records all his keystrokes and Leslie is just as vulnerable. Bank accounts are cracked, credit card log-ins are stolen, the contents of their My Documents folders are copied and sent to Turkey and identities are stolen. People who don’t have any identity theft protection face years of dealing with creditors who accuse them of being bad debtors.

Malware is showing up on thousands of websites compromised in numerous ways and infecting computer users whose defenses are down.

Most attacks can be prevented with updated anti virus like McAfee or others. But with an estimated 15,000 new infections daily it’s difficult for the every day user to protect themselves unless they are automatically downloading virus definitions. And that may not be enough.

Criminal hackers come in all shapes and colors from every corner of the world. Russian hackers are often depicted as the best of the worst. These cyber criminals are often put on a pedestal in their communities as they brag about their accomplishments, hacking wealthy hacker Americans and stealing 10s of thousands of dollars monthly and spending that money in their remote villages.

Russian authorities generally don’t prosecute and may even employ criminals to steal from greedy Americans. As long as hate and money are motivators, foreign governments will groom and incite talented 14 year olds into a life of crime.

This story is far from over.

Robert Siciliano Identity Theft Speaker discusses online banking security here

I’m excited to work with uni-ball in 2009 in a partnership to help raise awareness about the growing threat of identity theft and provide tips for protecting yourself. Check out uniball-na.com for more information