Scammers Are Your Friend On Facebook

Robert Siciliano Identity Theft Speaker Expert

Facebook is a trusted site where 20-somethings up to 60-somethings gather to keep tabs on each other’s daily activities and hard party nights, and reminisce with old flames they sought out and re-friended. Some Friends we know well, others in passing, but we are still happy to make the connection. We all want lots of friends (at least on Facebook).

In a lighter sense, Facebook is much of what life is or should be. It’s a place to go where you can just be you, bygones be bygones, be with the people in your past and present and hold onto memories that make up who you are.

It’s a place that is generally free of judgment and social cliques. In Facebook the nerds hang with the cool kids, the dirtbags with the jocks and the hot chicks with the geeks. Everyone is cool on Facebook.

This all adds up to a problem.

There’s a lot of excessive trust in the Facebook world. People have entirely dropped their sense of cynicism when logged on. They have no reason to distrust. People who are your “Friends” are generally those who you “know, like and trust”. In this world, your guard is as down as it will ever be. You are in the safety of your own home or office hanging with people all over the world in big cities and little towns and never have to watch your back.

All this is why Facebook is the next big mess of the Internet. Scammers are watching. They know that once they are on Facebook, your guard is way way down.

I don’t share that trust that most people have. I’m a bit more business on Facebook than others. I’m not all that Friendly. Kind of a stiff. I’m also a security dude, not so trusting. Even my cousin messaged me and said “Robby you’re all business”. I apologize to all. I’m just not ready to share my daily routine with everyone just yet. If ever.

Read This

And by Jason Kincaid This

Watch This

If you have time read This

And smarten up.

Then Friend me Here (at your own risk)

Robert Siciliano Identity Theft Speaker Expert discussing people scammed on Facebook Here

Identity Theft Crime Victims Bill of Rights

Robert Siciliano Identity Theft Expert Speaker

A consortium of companies in the identity theft prevention space has banded together to create a “Bill of Rights” for victims of identity theft. A Bill of Rights would provide victims of identity theft the needed leverage in response to a breach of their information that leads to numerous forms of identity theft. The consortium has some work to do to get the attention of legislators before it becomes law. This is certainly a noble effort that, if passed, will provide significant relief to victims.

I speak to victims on a weekly basis and the stress of being victimized takes its toll. When a thief is functioning in society as you, fraudulently, irresponsibly and of course illegally, they tarnish every aspect of your life. There is an overwhelming sense of helplessness for many victims due to the notion that they are guilty until proven innocent. While this will in essence “take an act of congress” to become law, a good faith implementation of the bill by industry and government would certainly provide needed relief to those affected.

The Santa Fe Group, a financial services consulting firm, and The Santa Fe Group Vendor Council, a consortium of leading service providers to the financial services industry, today released the first comprehensive Bill of Rights for victims of identity theft. The Bill of Rights calls for consistent processes for handling identity crime incidents in addition to amendments to privacy legislation and regulation so victims can more easily access and correct their personal information records.

The five basic rights address the need for legislation that enables individual victims of identity theft to access and correct personally identifiable information (PII) records. The Bill of Rights white paper, titled Victims’ Rights: Fighting Identity Crime on the Front Lines, is now available.

The Identity Crime Victims Bill of Rights advocates improved protection and support for victims and includes:
• Assessment of the nature and extent of the crime that removes the procedural “Catch-22s” when validating identity
• Full restoration of victims’ identities to pre-theft status, including the ability to expunge records
• Freedom from harassment from collection agencies, law enforcement and others
• Prosecution of offenders and accountability for businesses that fail to reasonably secure personal information
• Restitution that includes repayment for financial losses and expenses

The white paper effort was led by the Identity Management Working Group of The Santa Fe Group Vendor Council, chaired by Rick Kam, President of ID Experts.

“Despite new additions to the Fair and Accurate Credit Transaction Act of 2003 (FACT), such as free credit reports and the ability to place fraud alerts after identity theft, victims are still subject to inconsistent and unfair treatment from state and federal agencies, law enforcement and businesses,” said Rick Kam, President of Portland-based ID Experts, a leader in data breach prevention and remediation. “We created the Bill of Rights to empower victims by granting them the same rights as victims of other crimes.”

According to Javelin Strategy and Research, 9.9 million Americans were victimized by identity crimes in 2008, an increase of 22% from 2007, with annual costs to consumers and businesses of more than $49 billion. In their journey to recover their identities, victims face a disjointed maze of privacy laws and information sources. Law enforcement processes are not always in place, and organizations often won’t share evidence with victims. As a result, a victim’s life can be disrupted for years.

“Victim empowerment is key to thwarting identity crime,” said Catherine A. Allen, Chairman and CEO of The Santa Fe Group. “With the Identity Crime Victims Bill of Rights, we’ve launched a national call to action, laying the groundwork for meaningful and much-needed legislation while building awareness of the issue in the media and among consumers and businesses. Our intent is that victims of all types of identity crime be provided with the same rights afforded to them via the FACT Act for resolving credit issues.”

Robert Siciliano Identity Theft Expert Speaker discusses identity theft victims Here and Here

Your Online Bank Account; Criminal Hackers Hacking It

Robert Siciliano Identity Theft Speaker Expert

Why hack your online bank? Because that’s where the money is!

White Hat Hackers (good guys) probably never anticipated what’s happening. There are more viruses out there than ever. Black Hat Hackers (bad guys) are in full force. Back in the year 2000 some have said the white hats were about a year ahead of the black hats in technology, meaning it would take about a year for the bad guys to crack the white hats’ stuff.

Other research shows that by 2004 the black hats were about 2 weeks behind the white hats. Here we are in 2009. In many cases the black hats are years ahead of the white hats. The good guys are losing. Badly.

Many of the new viruses sit on your hard drive dormant, waiting to be “woken up” when they are signaled. Many of these Trojans are designed to sniff out when you are banking online. They sit and wait, then strike when you log on.

Consider that in our own bodies we already have numerous viruses that come alive when our immune system is down or when it’s woken up by coming in contact with another. Your PC is no different; there’s often something lurking in there. We get viruses on our PC simply by visiting a website, clicking on a link or downloading a program we think is clean, and in many, many more ways.

Studies show the number of viruses quadrupled from over 15,000 in 2007 to almost 60,000 in 2008. The problem is that the technology of the criminal hacker has evolved and is further evolving faster than the white hats’. This means you have to be on your game. Don’t let your guard down and stay informed.

Basic stuff, again – basic;

Run Windows Update; Or it may be called “Microsoft Update” on your PC. This is a free update to your operating system that Microsoft provides. There are two ways to access this. Either click “Start” then “All Programs”, scroll up the menu and look for the link “Windows Update” or “Microsoft Update”, and click on it. Your browser (Internet Explorer) by default will launch, taking you right to Microsoft’s Windows Update web page, and will begin the process of looking at your PC and checking to see what security patches you don’t have. Follow the prompts, click “Express” and let it lead you in the direction it wants. The goal here for XP is to end up with “Service Pack 3” installed. Or go to “Control Panel”, seek out “Security Center”, click “Turn on Automatic Updates” and let Microsoft do this automatically. In Vista the process is similar and your goal is “Service Pack 1”.

Install Anti-Virus; Most PCs come with bundled anti-virus that runs for free for 6 months to a year. Then you just re-up the license. If you don’t, then every day that the anti-virus isn’t updated is another opportunity for criminal hackers to turn your PC into a Zombie that allows your computer to be a Slave sending out more viruses to other PCs and turning your PC into a Spambot selling Viagra. You can also install a different anti-virus program for a fee or free. McAfee is great, Symantec is loosening their grip on the “bloatware” and getting better. Avast is free and good, but free scares me. Free means you have to manually scan your PC and most people don’t do manual very well. There’s also a paid version.

Install Spyware Removal Software; Most anti-virus providers define spyware as a virus now. However it is best to run a spyware removal program monthly to make sure your PC is rid of software that may allow a criminal hacker to remotely monitor your keystrokes, websites visited and the data on your PC. I like Lavasoft’s Ad-Aware Free www.lavasoft.com. There are plenty of good ones.

Run Firefox or Chrome; Microsoft’s Internet Explorer is clunky and the most hacked software on the planet. Mozilla’s Firefox is less hacked and more secure. The jury is still out on Google’s Chrome browser, but it’s sweet! Maintain the default settings and keep the pop-up blockers and phishing filters on.

Secure Your Wireless; If you are running an unsecured wireless connection at home or the office, anyone can jump on your network from 300-500 feet away and access your files. Serious. The router has instructions on how to set up WEP or WPA security. WPA is more secure. If this is a foreign language to you, then hire someone or get your 15 year old to do it.

Install a Firewall; Microsoft’s operating system comes with a built-in firewall. But it is not very secure. Go with a 3rd party firewall that is prepackaged with anti-virus software.

Use Strong Passwords; Little yellow stickies on your monitor with your passwords aren’t good. Use upper case, lower case, alpha-numeric passwords that you change up every 6 months.

PLEASE, you other security dudes or dudets, chime in. We need your guidance too.

Robert Siciliano Identity Theft Expert discussing online banking Here

Bankers Warned; Massive Credit Card Processor Breached

Robert Siciliano Identity Theft Expert

Hackers have breached another huge payment processor. Who? As of this writing they aren’t saying. A statement issued by the Community Bankers Association of Illinois states “Visa announced that an unnamed processor recently reported that it discovered a data breach. The processor’s name has been withheld pending completion of the forensic investigation.” The Open Security Foundation posted a notice on its website Here

CBAI report here and highlights below

According to VISA officials, the breach affected all card brands. Evidence indicates that the account number, PAN and expiration dates were stolen. No cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers or other personal information were involved in the breach.

An increase in card-not-present fraud suggests some BIN numbers have been targeted by criminals.

VISA officials reported that while the number of accountholders affected is undetermined, it appears to be fewer than those affected by the recent Heartland Payment Systems breach, but a significant number nonetheless. And unlike the Heartland breach, where thieves also captured Track 2 data, officials reiterated that no personal information was taken in this most recent event.

The status of the processor’s PCI compliance is unknown at this time. Bankers. MORE TO COME….”

Why not go after processors? That’s where all the data is!

Visa and MasterCard are in the process of notifying affected banks about what they say is a “major compromise”. So far this is not related to the Heartland Payment Systems breach where an expected 100 million cards have been compromised. Or it may be, we don’t know.

Initial reports say the criminal hackers planted malware, or malicious software, on the processor’s servers. Malware of this type generally has some type of remote control component that allows a criminal hacker to remotely access the server and divert data underground.

Visa reached out to all affected banks on February 12th when they conducted a conference call disclosing the severity of the issue. Apparently the compromise occurred from February of 2008 till August 2008 the past few weeks.

At this point neither Visa nor MasterCard has disclosed which processor has been compromised, nor have they disclosed the size of the breach.

Whether the unknown processor was compliant or not has also not been revealed.

Check your credit and banking statements carefully. Scrutinize every charge and refute any unauthorized charges within 30-60 days. Call your bank/credit card company immediately if you see any fraudulent activity.

Robert Siciliano Identity Theft Speaker Expert discussing another ugly data breach Here.

Recycle Your Phone? Sell it on eBay? Lose it? Still Have Your Data On It?

Robert Siciliano Identity Theft Speaker – Expert

Cell phones are the invention of the 20th century. It’s a computer and a phone. It’s as cool as the invention of the wheel. It’s the single most effective communication tool since the land line.

Millions of cell phones are sold every year. Many are lost, stolen, millions more end up on eBay, recycled or tossed in the trash. Many of these phones still have enough data on them to commit identity theft or, in the wrong hands, make your life miserable.

A study done in December by Regenersis, a UK based recycler, tested a sampling of 2000 cell phones. They learned 99% had personal identifying data such as banking info, credit card data, personal emails, contacts, text messages, pictures, music, videos, calendar entries, notes, mailing lists, to-do lists, automatic log-ins for Twitter, LinkedIn, Facebook and more.

Studies show cell phones are replaced on average every 18 months. Over the past 4-5 years Blackberrys, iPhones and countless other smartphone/PDAs have flooded the market. All of these devices’ technologies are upgraded within 6 months and the user wants the latest and greatest.

What kind of data is on your phone today? If it fell into the wrong hands would someone have access to all your social network sites? Usernames and passwords? Customer data? Corporate secrets?

Someone recently bought a Blackberry off eBay and scored phone numbers for Hollywood producers, writers and movie stars Natalie Portman, Julianne Moore and Jude Law. Not a huge deal, but in the wrong hands problematic for the affected.

What if someone got the names, addresses and emails for everyone in your life? Not good.

It’s not just cell phones that often contain data. Thumbdrives and MP3 players are also problematic. Credant Technologies surveyed 500 dry cleaners who said they found numerous USB sticks during the course of a year. Multiplying that by the number of dry cleaners, they got a figure of approximately 9000 USBs lost and found annually.

To protect yourself, consider some of the tips below, and this is not a complete list. Please feel free to add in comments.

Don’t store data that will be considered a “data breach” if lost, stolen, sold, recycled.

On phones, have strong password protection. Lock it up.

Remove your SIM card upon selling.

Reformat the phone’s operating system multiple times. This generally wipes off the data, but there are programs that do it more thoroughly. There is no universal way to reformat. It is different with every phone/manufacturer/operating system.

Robert Siciliano Identity Theft Expert discussing cell phone security Here

Phishing Attacks Rise Dramatically in 2008

Robert Siciliano Identity Theft Expert – Speaker

Stupid people get hooked by phishers. You have to be a complete idiot to get sucked into a scam email that has typos making requests that are geared toward naïve simple minded pea brain fools. Right? Yes? No? So why have phishing attacks risen dramatically in 2008? That’s 66% higher than in 2007.

Have we gotten dumber or are the attackers getting smarter?

RSA concluded that phishing attacks rose to an unprecedented 15,002 in April of 2008. Millions of people in mainly English-speaking nations are receiving ruse after ruse. 68% of US bank brands attacked. Less than 7% UK brands experiencing less than attacks.

However the UK takes the title for the most exploits as the most phished country in the world equating to 40% of the 135,426 cases detected by RSA.

This seems to be due to the UK’s system allowing fraudulent transfers fast enough (“real-time”) to avoid detection. Criminals like real-time fast cash.

Much of the success of phishers is that they are in fact getting smarter, using “fast flux” attacks. *Fast flux is a technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures. *Thank you Wikipedia.
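The fast flux behaviour described above leaves a pattern a defender can measure in passive DNS data: short TTLs and A records that keep changing across unrelated networks. The following is an added example, not from the original post; the thresholds, the `Lookup` record and all names and addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Lookup:
    ts: int        # seconds since the first observation
    ttl: int       # TTL returned with the A record set
    addrs: tuple   # A records returned for this query


def flux_features(lookups):
    """Summarise how much a name's A records churn across repeated lookups."""
    ordered = sorted(lookups, key=lambda lk: lk.ts)
    all_ips, nets, turnover, prev = set(), set(), [], None
    for lk in ordered:
        cur = set(lk.addrs)
        all_ips |= cur
        # Compromised hosts sit in many unrelated networks; a CDN's do not.
        nets |= {ip_network(f"{a}/16", strict=False) for a in cur}
        if prev is not None and cur:
            turnover.append(len(cur - prev) / len(cur))
        prev = cur
    return {
        "distinct_ips": len(all_ips),
        "distinct_16s": len(nets),
        "min_ttl": min(lk.ttl for lk in ordered),
        "mean_turnover": sum(turnover) / len(turnover) if turnover else 0.0,
    }


def looks_fast_flux(lookups, max_ttl=300, min_ips=5, min_nets=4,
                    min_turnover=0.5):
    """Thresholds are illustrative assumptions; tune them on local data."""
    f = flux_features(lookups)
    return (f["min_ttl"] <= max_ttl
            and f["distinct_ips"] >= min_ips
            and f["distinct_16s"] >= min_nets
            and f["mean_turnover"] >= min_turnover)


# Constructed observations (three lookups per name, three minutes apart).
FLUX = [  # flux.example: short TTL, new hosts in unrelated networks each time
    Lookup(0, 120, ("10.1.2.3", "172.16.5.5", "192.0.2.10")),
    Lookup(180, 120, ("198.51.100.7", "203.0.113.20", "10.44.0.9")),
    Lookup(360, 120, ("172.20.1.1", "192.0.2.10", "10.77.3.3")),
]
STABLE = [  # bank.example: long TTL, same two servers
    Lookup(t, 3600, ("192.0.2.50", "192.0.2.51")) for t in (0, 180, 360)
]
CDN = [  # cdn.example: short TTL and rotation, but all inside one network
    Lookup(0, 60, ("198.51.100.1", "198.51.100.2")),
    Lookup(180, 60, ("198.51.100.3", "198.51.100.4")),
    Lookup(360, 60, ("198.51.100.5", "198.51.100.6")),
]

if __name__ == "__main__":
    for name, obs in (("flux", FLUX), ("stable", STABLE), ("cdn", CDN)):
        print(name, looks_fast_flux(obs), flux_features(obs))
```

The CDN sample shows why TTL and rotation alone are not enough: legitimate load balancing also rotates addresses, so the network-diversity check is what separates the two here.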

Tonight I spent 2 hours on the phone in a webinar with a startup reviewing a fully functional toolbar that makes 54 checks to determine the validity of a website checking for phishing, pharming etc. All any bank needs to do is adopt the technology and require their clients to adopt it in the sign-in process. In most cases problems solved.

And do you know what we labored over in this call? How to get all the bank’s clients to install a simple toolbar that would protect them and the bank.

Why is this so difficult?

Robert Siciliano Identity Theft Expert discussing Scambaiter in video Here

Nuclear Weapons, CyberSecurity and an Unlocked Door.

Robert Siciliano Identity Theft Expert Speaker www.IDTheftSecurity.com

What happens when you have an unlocked door at the home of an employee at the top U.S. nuclear weapons laboratory? How about 3 stolen computers with yet to be disclosed data, that was said to be non-classified. We hope. Were the computers stolen to be resold for crack? Or for nuclear weapons secrets? We may never know. Or we may find out the hard way.

At the Los Alamos National Laboratory in Santa Fe New Mexico dozens more (67 total) systems are currently listed as missing. Officials are conducting a full review of the lab’s policies and procedures governing the use of official computers at employees’ homes.

Situations like this are common in every industry with every conceivable form of data. We just wish it wasn’t data from a nuclear weapons facility.

It’s important to point out that the facility has as many as 40,000 computers including desktops, laptops, PDAs, printers and so on. Do the math, less than a .25 percent lost or stolen. The lab has been documented at a better than 99.5 accountability rate.

We know there is no such thing as 100% security whether protecting from hardware or data thieves. Security is an ongoing, never ending, consistent, on your toes, don’t let your guard down, vigilant process.

And it’s not just criminal hackers causing big problems. Lowly burglars looking for their next bag of dope stole a laptop computer from the home of a government employee containing 26.5 million Social Security Numbers, a US primary identifier. This $500 laptop cost millions.

Can you say your organization has a 99.5% success rate?

What policies do you have in place to foster a security-minded culture? Here are just a few bullets as examples for you to add to.

• Cover all organizational systems used for processing, storing or transmitting personal information.
• Security risks faced are assessed in the development of the policy.
• Cost-effective measures are devised to reduce the risks to acceptable levels.
• Monitored and periodically reviewed.
• Staff and management are made aware of the protective security policies and how to implement them.

Robert Siciliano discussing another hack Here

Quarter Million Dollar Bounty for Criminal Hacker

Robert Siciliano Identity Theft Speaker and Expert

In a Microsoft press release a global bounty has been offered for the arrest and prosecution of whoever has created and released the “conficker” virus.

Conficker was released in the last quarter of 2008 and has infected a wide estimate of 2 million to 10 million PCs. After issuing patches, Microsoft estimates approximately 3 million PCs globally are still compromised.

However, none of the PCs infected with conficker are displaying any of the characteristics generally exhibited by the recent spate of viruses offering a remote control component and often used to host spoofed websites and other malicious fraud related activities.

This virus is, however, designed to constantly ping some 250 different domains that were most likely controlled by the criminal hackers that created it. The virus acts like any software calling home looking for an update, checking time/date stamps and what version is running.

It is widely believed that conficker is waiting for its next set of updates to unleash the endgame its writers had in mind. BRILLIANT!

Many who study conficker as it phones home have been monitoring the 250 domains looking for the next “update”.
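The same phone-home behaviour can be looked for on your own network: a PC that asks for a large number of different names in those top level domains, most of which do not resolve, stands out in resolver logs. The following is an added example, not from the original post; the log format, thresholds, client addresses and generated names are constructed assumptions, and the random names are not the virus's actual domain list.

```python
import random
from collections import defaultdict

# TLDs named in the post; the log layout below is an assumed one:
#   <day> <client-ip> <queried-name> <response-code>
TLDS = (".com", ".net", ".org", ".ws", ".cn")


def suspect_hosts(lines, min_failed=100, min_fail_ratio=0.8):
    """Return {(day, client): (distinct_failed, ratio)} for hosts whose
    lookups are dominated by many different names that do not exist."""
    failed, seen = defaultdict(set), defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        day, client, qname, rcode = parts
        qname = qname.lower().rstrip(".")
        if not qname.endswith(TLDS):
            continue
        seen[(day, client)].add(qname)
        if rcode == "NXDOMAIN":
            failed[(day, client)].add(qname)
    hits = {}
    for key, names in failed.items():
        ratio = len(names) / len(seen[key])
        # Count distinct names: one typo retried 500 times is not a signal.
        if len(names) >= min_failed and ratio >= min_fail_ratio:
            hits[key] = (len(names), round(ratio, 2))
    return hits


def constructed_log(seed=1):
    """Build sample log lines: one noisy client, two ordinary ones."""
    rng = random.Random(seed)
    names = set()
    while len(names) < 250:  # 250 different names, as in the post
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(rng.randint(5, 10)))
        names.add(label + rng.choice(TLDS))
    lines = [f"2009-02-13 10.0.0.23 {n} NXDOMAIN" for n in sorted(names)]
    # Ordinary browsing with a single mistyped name.
    for n in ("www.example.com", "mail.example.org", "news.example.net"):
        lines.append(f"2009-02-13 10.0.0.40 {n} NOERROR")
    lines.append("2009-02-13 10.0.0.40 exmaple.com NXDOMAIN")
    # A broken application retrying one missing name over and over.
    lines += ["2009-02-13 10.0.0.41 update.example.net NXDOMAIN"] * 500
    return lines


if __name__ == "__main__":
    for (day, client), (count, ratio) in suspect_hosts(constructed_log()).items():
        print(day, client, "distinct failed names:", count, "ratio:", ratio)
```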

The top level domains involved include .com, .net and .org, all of which fall under the Internet Corporation for Assigned Names and Numbers (ICANN), who heads up the domain registration industry. ICANN’s rules prohibit such reserving of domains. ICANN then worked with registrars in heading off any future registration of conficker sought domains.

What has been out of the control of ICANN has been .ws and .cn (China) based domains, and due to the ferocity of conficker and negotiations by ICANN, China and other global registrars have agreed to make it difficult for conficker to continue to control its 250 base domains or seek others along the string.

What we are seeing here is a global effort by international agencies, security professionals from around the world and Microsoft working together to defeat an unknown attacker that, if left un-matched, could infect a significant portion of the world’s computers.

This story is not over.

Robert Siciliano Identity Theft Expert-Speaker video discussing rise in identity theft Here