Google Gets Hacked & What It Means to You

Robert Siciliano Identity Theft Expert

Google disclosed that it had been breached by Chinese hackers, who were apparently targeting Chinese dissidents:

“The cyber-assault came to light on Tuesday when Google disclosed to the public that the Gmail Web service was targeted in a highly-organized attack in late December. Google said that the intrusion attempt originated from China and was executed with the goal of obtaining information about political dissidents, but the company declined to speculate about the identity of the perpetrator.”

McAfee found evidence that the attack exploited a vulnerability in Internet Explorer. Google Enterprise president Dave Girouard blogged to inform Google App clients their data was safe: “This incident was particularly notable for its high degree of sophistication. This attack may understandably raise some questions.” Girouad stated, “We believe our customer cloud-based data remains secure.”

The most successful techniques of Chinese hackers involve phishing and social engineering. These hackers determine their targets, then send a “spear phish,” or targeted email, to a specific employee, in which they pose as a coworker or a vendor. Once the target clicks a link, a remote control or malicious software is automatically downloaded. On a broader scale, hackers may send a blast to everyone in the company and ultimately hook a few employees, giving them access to company accounts.

The recent Google attack indicates that criminal hackers with financial incentives aren’t necessarily the only ones attempting to penetrate your networks. There is a strong possibility that hacking is being sponsored by foreign governments with a much bigger agenda.

  1. Never click on links in the body of an email. NEVER!
  2. Always be suspect of any external or internal communications. You could be a target of a phish.
  3. Before you go divulging usernames and passwords to anyone in response to an email, pick up the phone to verify the need
  4. Make sure your PC is fully and automatically updated with its critical security patches.
  5. Anti-virus must be run automatically and fully up to date.
  6. Its not enough to just run anti-virus. Run a program that immunizes your PC against keyloggers
  7. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  8. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing being an imposter and social engineering invasions on the Montel Williams Show

Why Am I Logged Into Someone-else’s FriendFeed?

Robert Siciliano Identity Theft Expert

I have pretty tight controls over my network and access to my 510 usernames and passworded accounts. Yes he just said “510”…and counting. I have full administrative rights over every PC and nobody else has access to my home or office. So it came as a surprise to me when I went to log into my FriendFeed account to make an adjustment and I discovered I was logged into someone-else’s account. Serious, no joke, I’m not stupid. I have FULL access.

The account is owned by Canadian who sells diet pills and skin care. There are 3 feeds coming into the account all being sent from Ping.fm. I am able to access the full dashboard and change the picture, email associated and add or delete feeds. The dashboard provided me with the existing email address of its owner, and of course I emailed him to let him know of my access. But of course he hasn’t responded. I’m probably in a spam folder.

My first thoughts were that I have spyware and someone is able to remotely access my machine and use it as their own. I did a full system scan and there is nothing on my machine. There is no other strange activity going on so I’ve narrowed the issue down to this one account.

Meanwhile ABCNews.com reports that A Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers’ accounts with full access to troves of private information.

The glitch — the result of a routing problem at the family’s wireless carrier, AT&T — revealed a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users.

In each case, the Internet lost track of who was who, putting the women into the wrong accounts. It doesn’t appear the users could have done anything to stop it. The problem adds a dimension to researchers’ warnings that there are many ways online information — from mundane data to dark secrets — can go awry.

Several security experts said they had not heard of a case like this, in which the wrong person was shown a Web page whose user name and password had been entered by someone else. It’s not clear whether such episodes are rare or simply not reported. But experts said such flaws could occur on e-mail services, for instance, and that something similar could happen on a PC, not just a phone.

If this is what’s happening to me then it can happen to anyone. There is a logical explanation for this, and I don’t have it. If someone does, please chime in.

Like there aren’t enough security issues we now have to deal with hiccups on the internet that log us into someone else’s account because of switching errors. At least if it was a virus we could point a finger at someone. But now, based on what’s happening here, we can only point the finger at the “Internet” as a culprit. This is freaking me out.

All the more reason to protect your identity.

  1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  2. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.
  3. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano identity theft speaker discusses lack of security in online banking on CBS Boston

Protect Yourself from Social Engineering

Robert Siciliano Identity Theft Expert

Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. But in many cases the attacker certainly does come in contact with the victim.

You may be doing all you can and should to protect yourself from hackers and scammers. But a response to a simple email that looks exactly like your expected monthly bank e-statement can completely drain your bank account.  On its face there is no way to tell if the communication is real of fake. While hovering over the link may provide a clue, there’s really no way in differentiating all the 1’s and zeros in a typosaquatted domain.

It amazes me that my bank and credit card company still put links in monthly e-statements.

Social engineering has always been a “person to person” confidence crime. Once the conman gains the marks trust, the victim begins to “throw up” all kinds of information or begins to fork over cash and credit. Trust seems to be an inherent trait we all have from birth. I would suppose we would need to trust in order to survive as an interdependent communal species’, otherwise fear of others and not trusting would prevent us from relying on others to nurture us until we are tossed out of the nest.

The conman knows this and the heartless bastard takes full advantage of our trusting nature. Heck, I pulled it off on 2 woman by saying I was from the water company and walked right into there homes.

In the IT world social engineering is a huge problem because the conman doesn’t just access one bank account as in a one on one scam, he accesses thousands by scamming one IT admin or the secretary.

There is a tremendous amount of redundant security in place today that is often completely bypassed because of a simple lie and one naïve gullible person. The path of least resistance isn’t through an unpatched network, or an unsecured wireless connection, it’s via the phone, email, snail mail, social media or in person with a wink and a smile.

Check out this very comprehensive article by Computerworld and these two recent posts here and here.

  1. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief. Invest is a social media identity theft protection toll such as Knowem.com.
  2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing being an imposter and home invasions on the Montel Williams Show

Data Breaches: The Insanity Continues

Robert Siciliano Identity Theft Expert

The Identity Theft Resource Center Breach Report also monitors how breaches occur.  This task is made more difficult by the scarcity of information provided (publicly) for approximately 1/3 of the recorded breaches.  For the remainder, those events that do state how the breach occurred, malicious attacks (Hacking + Insider Theft) have taken the lead (36.4%) over human error (Data on the Move + Accidental Exposure = 27.5%) in 2009.  This was a change from all previous years, where human error was higher than malicious attacks.  One theory for this change is that the organization and sophistication of crime rings has impacted the theft of information.  For example, while the Heartland breach was only a single breach, it demonstrated how skilled technology-based thieves can access 130 million records from over 600 different entities.

Insider Theft 16.9%
Hacking 19.5%
Data on the Move 15.7%
Accidental Exposure 11.8%
Subcontractor 7.2%

Insanity might well be defined as repeating the same action again and again, and expecting a different outcome.  With that in mind:

Insanity 1 – Electronic breaches:  After all the articles about hacking, and the ever growing cost of a breach, why isn’t encryption being used to protect personal identifying information?  Proprietary information almost always seems to be well protected.  Why not our customer/consumer personal identifying information (PII)?

Insanity 2 – Paper breaches:  Why aren’t more state legislators passing laws about rendering paper documents unreadable prior to disposal if they contain PII?  Do we dare ask that those laws be actually enforceable?  Perhaps we are waiting for paper breaches to reach 35% of the total.

Insanity 3 – Breaches happen:  Deal with it!  You will get notification letters.  Breach notification does not equal identity theft.  Let’s stop the “blame game” and instead require breached entities to report breach incidents via a single public website.  This would allow analysts (and law enforcement) to look for trends and link crimes to a single ring or hacker faster.

Insanity 4 – A Breach is a Breach:  Let’s not kid ourselves. “Risk of harm” is not a useful standard for determining if the public and consumers should be notified about a breach, especially if the company involved gets to define “risk of harm.”  If it is your #$@%2 SSN that is out on the Internet, do YOU think there is “risk of harm?”  Some companies might say “no.”

Insanity 5 – Data on the Move:  You will notice that statistically this is a bright spot, with a decreasing incidence in the past 3 years.  But, really!  This is 100% avoidable, either through use of encryption, or other safety measures.  Laptops, portable storage devices and briefcases full of files, outside of the workplace, are still “breaches waiting to happen.”  With tiered permissions, truncation, redaction and other recording tools, PII can be left where it belongs – behind encrypted walls at the workplace.”

Protect your identity. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing identity theft on Fox News


2009 Data Breaches: Identity Theft Continues

Robert Siciliano Identity Theft Expert

The Identity Theft Resource Center® Breach Report recorded 498 breaches, less than the 657 in 2008, more than the 446 in 2007. Are data breaches increasing or decreasing? That is the question no one can answer. This fact will not change until there is a single data breach list requiring mandatory public reporting. With some breaches not being reported publicly, and some state Attorneys General not allowing public access to reported breaches, we doubt that anyone is in a position to answer the question above. When we allow laws to be created requiring breach reporting but not disclosure, and provide minimal enforcement or penalty for non-compliance, we can expect a lack of public disclosure. Counting breaches becomes an exercise in insanity.

ITRC collects information about data breaches made public via reliable media and notification lists from various governmental agencies. There are breaches that occurred in 2009 that never made public news. So rather than focus on a question without an answer, ITRC used percentages to analyze the 498 breaches recorded this year looking for any changes or new trends. (Both raw numbers and percentages have been provided in all charts)

The main highlights are:
• paper breaches account for nearly 26% of known breaches (an increase of 46% over 2008)
• business sector climbed from 21% to 41% between 2006 to 2009, the worst sector performance by far
• malicious attacks have surpassed human error for the first time in three years
• Out of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data

In 2009, the business sector increased to 41% of all the publicly reported breaches. While there are some small statistical changes in the other sectors, business continues to increase for the fifth year in a row. The financial and medical industries, perhaps due to stringent regulations, maintain the lowest percentage of breaches.

Business 41.2%

Educational 15.7%

Government/Military 18.1%

Health/Medical 13.7%

Banking/Credit/Financial 11.4%

The ITRC Breach Report recorded more than 222 million potentially compromised records in 2009. Of those, 200 million are attributed to two very large breaches. Before obsessing with record count, however, one should be aware that in more than 52% of the breaches publicly reported, NO statement of the number of records exposed is given. Therefore, it is unknown how many total records may have been exposed due to breaches in 2009.”

Protect your identity. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing identity theft on Fox News

Data Security Predictions For 2010

Robert Siciliano Identity Theft Expert

Forrester Research, Inc. in Cambridge, MA is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology.

They released their 2010 data security predictions. Heading into 2010, they are predicting five new data security trends:

1) Enterprises will keep their data security budgets relatively flat;

2) Market penetration for data loss prevention (DLP) tools will increase even as prices fall by half;

3) Cloud data security concerns will begin to dissipate;

4) Full disk encryption will continue its steady march into the enterprise, spurred on by breach disclosure laws; and

5) Enterprises will give enterprise rights management (ERM) software a second look as an enforcement option coupled with DLP.

Information Rights Management (IRM) is a term that applies to a technology which protects sensitive information from unauthorized access. It is sometimes referred to as E-DRM, Enterprise Digital Rights Management. Sensitive data and information such as Patient records, personal tax or financial information in .PDF, XLS, .DOC, .TXT etc., needs security.

Zafesoft is a content IRM company that actively secures, controls, and tracks content wherever it is utilized; this is the next generation of content security. IRM information is secure, viewable, edit-able and transferable.

Authorized IRM content users can copy, paste, edit, save etc. The security travels with the content or portions of it with tracking anywhere in the world. Unauthorized users are never able to view, edit or copy/paste.

Forrester hit the nail on the head with rights management. When rights management is accessed by a hacker, the data is useless to the thief who hacks from the outside or gains unauthorized access from the inside.

It would be smart business for healthcare, legal, and any organization to incorporate DLP in the form of IRM now, before a breach occurs and data is lost.

Protect your identity. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing identity theft on Fox News

Impostor Poses as Secret Service Agent and Police Officer

Robert Siciliano Identity Theft Expert

At a friend’s 40th birthday party, we wound up discussing my Craigslist ATM, and that led to a conversation about how easily people can be conned. One friend’s new boyfriend began telling us how frequently he is able to con people in order to get into bars and clubs. “I never wait in lines,” he claimed, “and I always get VIP treatment.” I hate lines, too, but I have a hard time lying to get what I want.

He says he finds the phone number of the bar or club and calls ahead of time, claiming to be the manager of a Boston Celtics player and explaining that he’ll be coming to the bar with a few people and that his player will arrive later. He gets the name of the club manager and someone from security. That night, he goes straight to the front of the line and drops the manager or bouncer’s name and acts as if he’s entitled to enter. He says his success rate is 100%, and I believe him.

When a  couple can crash a formal event at the White House despite Secret Service presence, then almost anything is possible. People successfully pose as health inspectors, police officers, and even Secret Service agents. As I demonstrated on The Montel Williams Show, I once posed as a “water inspector,” gaining access to people’s homes by saying I needed to “check the colorization of their water.” Any kind of fake badge and uniform can do wonders.

One recent example is a Massachusetts man who has been accused of posing as a Secret Service agent in order to enter the U.S. Department of Health and Human Services and pleaded guilty to disorderly conduct, trespassing, and impersonating a public official after attempting to enter a U2 concert without a ticket by impersonating a police officer:

“Authorities say he flashed what appeared to be a gold Massachusetts State Police badge and entered Gillette Stadium in Foxborough, Mass., on Sept. 21. They say he didn’t have a ticket to the concert.

He repeatedly asked to see the fire chief and where the ambulances were parked. When he refused to identify himself, stadium security called police, who then arrested him.”

A criminal can easily impersonate you online or in person to commit financial identity theft as it relates to new account fraud and account takeover, or to commit social media identity theft. This is why a credit freeze and an identity theft protection service are essential. Because identity theft will flourish until we are properly identified and systems are in place that point towards effective authentication and identification which leads to accountability.

  1. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief. Invest is a social media identity theft protection toll such as Knowem.com.
  2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing being an imposter and home invasions on the Montel Williams Show

Pair Accused Of Stealing TSA Workers Identities

Robert Siciliano Identity Theft Expert

In my early 20’s I bought real estate in a depressed area north of Boston in Lynn Massachusetts. At 20, that’s all I could afford. Lynn was then and is now known as “Lynn Lynn the City of Sin, you don’t go out the way you come in.” Lynn’s a hard city known for drugs and prostitution.  It’s also the home of various biker gangs known as “one percenters” The theory is 1% of all people come out of their momma just bad.

No surprise that the Boston Channel reports a Lynn couple was accused of selling the identities of at least 16 Transportation Security Administration workers at Logan International Airport.

Police said the ID data was allegedly taken by a female TSA contract worker who is related to one of the two Lynn suspects.

A TSA spokesman said the agency takes the ID theft very seriously.

“TSA can assure the traveling public the release of this information does not compromise aviation security,” TSA spokeswoman Ann Davis said.

TSA said the agency is helping workers obtain free credit reports so they can ensure their personal information remains secure, Davis said.

Well Ann, that’s step in the right direction but it won’t protect the identities of the victims. They need credit freezes, credit monitoring and at least a vacation to Maui to get over all the stress.

What’s more bothersome about this is the fact that this is a breach of airline/airport security that goes way beyond identity theft that isn’t being discussed. Just like THIS GUY got access to a corporation’s facility with a fake ID, a terrorist can do the same with a stolen TSA ID. To steal the ID of a TSA worker gives one access to the airport then to luggage and more. There needs to be a tighter system that prevent this. We need effective identification that makes another’s identity useless to the thief.

  1. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing stolen luggage at Logan on CBS Boston

How to Hack a Corporate Network…with Facebook

Robert Siciliano Identity Theft Expert

There’s a lot of excessive trust in the Facebook world. People have entirely dropped their sense of cynicism when logged on. They have no reason to distrust. People who are your “Friends” are generally those who you “know, like and trust”. In this world, your guard is as down as it will ever be. You are in the safety of your own home or office hanging with people all over the world in big cities and little towns and never have to watch your back.

Ethical hackers are the tech industries white nights, also known as “white hat hackers”. Steve Stasiukonis from Secure Network Technologies is such a person. He’s hired by by companies CIO’s to penetrate an organizations network to determine where its vulnerabilities are.

The process of a white hat starts with a permission based hack that often leads to results that make the CIO nauseous. Getting the data may mean hacking a wireless connection, hacking a public facing website, or even going through a skylight after hours. In Dark Reading Steve writes about how he did it with a fake badge and a Facebook profile. This is a perfect example of how vulnerable people make themselves and their corporate networks because of what they post to Facebook.

We started the project by scouring all of the social networking sites for employees of our target company. Not surprisingly, we found numerous people who openly discussed what they did for a living. We also found numerous employees who openly discussed disappointment in their employer.

We perused popular social networking site like MySpace, LinkedIn, and Plaxo, and ended up focusing on Facebook.com. The majority of our customer’s employees were using Facebook, so we created a Facebook group site identified as “Employees of” the company. Using a fictitious identity, we then proceeded to “friend,” or invite, employees to our “company” Facebook site. Membership grew exponentially each day.

By creating a group, they were able to get access to employees profiles. The “group” is a place where those who you know, like and trust are your “Friends” and in this case fellow employees who you have no reason to distrust.

Because our assignment required us to compromise a secured facility, we chose to use the identity of one of our Facebook-friended employees to gain access to the building.

Because of the companies size they were able to recreate the identity of an employee that wasn’t known to the branch office to which they breached. But his name was still in the system. So with a little creativity, a fake business card and enough information gleaned off of Facebook, they were able to re-create their man.

On the day we intended to breach the facility, our guy was dressed with a shirt embroidered with our client’s logo, and armed him with business cards, a fake company badge, and his laptop. Upon entering the building, he was immediately greeted by reception. Our man quickly displayed his fake credentials and immediately began ranting about the perils of his journey and how important it was for him to get a place to check his email and use a restroom. Within in seconds, he was provided a place to sit, connection to the Internet, and a 24×7 card access key to the building.

Later that evening, he returned to the empty office building to conduct a late-night hacking session. Within a short period of time, he had accessed the company’s sensitive secrets.

Awesome. This is a perfect example of why Facebook is a nightmare to the corporate CIO. I don’t share that trust that most people have in Facebook. I’m all business on Facebook. I’m not all that friendly. Kind of a stiff. I’m also a security professional, not so trusting. So to my “Friends” (the actual 10 out of the 400 that I have) I apologize to all. I’m just not ready to share my daily routine with everyone just yet. If ever.

People often try to “friend” me, and I can see that they are “friends” with people I know. But I don’t know them. And the mutual friends often tell me that they don’t know the person, but were “friends” with someone else they knew, and they accepted based on that! That’s nuts! Next thing you know, they are trolling through your “friends” and befriending people in your network, who accept based on their trust in you! Dizzy yet? The point is, stop the madness! Don’t allow these trolls into your life. Mom told you not to talk to strangers. I’m telling you not to “friend” strangers, because they could be scammers.

Scammers are watching. They know that once you are on Facebook, your guard goes way down.

  1. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Facebook hacking on CNN

How I Wasted 4 Hours with a Criminal Hacker

Robert Siciliano Identity Theft Expert

Lately I’ve been coming across “advertisements” on forums, posted by criminal hackers looking to sell our stolen information. They are “carders,” selling “dumps” and “fullz.” Well, I decided to make contact with one of them to see what the deal is. It turns out the one I connected with was less than forthcoming, but was very persistent and more than likely has and will continue to scam people. Here is the FIRST and SECOND postings set up by criminals that I’ve found this week. The links are functional as of this posting.

The hacker I contacted immediately returned my email. I told him I was a journalist and wanted to do a story on him. I couldn’t have been more upfront with my intentions. I even provided him with a link to my website, but that didn’t seem to matter. He just wanted my money. First he wanted me to open up an instant message and connect with him via his Yahoo email. That way we could chat. But I wasn’t about to let him in via IM, because there are known hacks that can allow a bad guy into your PC via an IM service. So instead, I set up a private chat at tinychat.com.

What follows is an abridged version of our conversation. (The full version is here.) I am robertsicili, and the scammer is dskimmed2009 (how appropriate).

[11:50] robertsicili: who is here?

[11:51] dskimmed2009: yes its me man

[11:52] robertsicili: nice meeting u

[11:52] robertsicili: where are you from

[11:52] dskimmed2009: I Have told you already man

[11:52] dskimmed2009: or have u forgotten that man

[11:53] robertsicili: you havent told me

[11:53] dskimmed2009: oh okay man

He avoided the question.

[11:55] robertsicili: why did you agree to speak to me?

[11:55] dskimmed2009: what do u mean ?

[11:56] robertsicili: well, your business isnt a normal one and usually guys like you try to stay 100percent under the radar

[11:56] dskimmed2009: ahahaha

[11:56] dskimmed2009: very good man

[11:56] dskimmed2009: so u too which country are u from ?

[11:57] robertsicili: US

[11:57] dskimmed2009: VERY GOOD

All CAPS “VERY GOOD” tells me right away he thinks I’m an idiot.

[11:57] dskimmed2009: I’m 27 years of age and  u?

[11:57] robertsicili: im 41

[11:58] dskimmed2009: wow…….then am small boy to u right

[11:58] robertsicili: youll be 40 before you know it

So small talk, getting used to each other.

[11:59] robertsicili: what country? your english is fine

[11:59] dskimmed2009: CVV,FULZ,DUMPS,BANKLOGINS,BANK TRANSFER,WU TRANSFERS,SKIMMING,ETC

He doesn’t want any more small talk. He want to get paid.

[12:00] dskimmed2009: What do you need to buy now man?

[12:00] robertsicili: all business, i get it.

[12:00] robertsicili: i want to tell your story. you are very interesting.

[12:01] dskimmed2009: yes am interesting man ok

[12:01] dskimmed2009: dont be serious let finish the deal at least today now ok

[12:01] robertsicili: i write for numerous US papers and find what you do facinating. Id like to understand your process.

This seemed to have gone right over his head because he never acknowledged it.

[12:06] robertsicili: so its not a problem for you to be public? how do you keep from being traced?

[12:06] dskimmed2009: i have many securities upon me so u dont need to be worried about that at all man ok

[12:07] dskimmed2009: becoz i do genue and valid business here with many and more costumers man

[12:07] dskimmed2009: so no one will traced upon me ok

[12:07] robertsicili: not worried, just curious, youre very smart

[12:07] dskimmed2009: why are u saying that am smart

[12:08] robertsicili: because you are able to be public, but still anonomous

[12:08] dskimmed2009: of course man becoz if i were to be bad i will never be in public annoucenment forums

[12:09] robertsicili: what is your “valid business”

[12:10] dskimmed2009: My valid business is to just do long term business with the other costumers man

He begins to tell me how honest he is with his customers.

[12:10] dskimmed2009: always i do give them what they will paid me for ok

[12:10] dskimmed2009: i dont dissapoint them as some ppl’s are doing to the other costumers

[12:10] robertsicili: so you are an hoinest business man who doesnt stiff his customers.

[12:11] dskimmed2009: i never stiff my costumers ok

[12:11] robertsicili: i see you take pride in that. and you should.

[12:11] dskimmed2009: am not interesting to do that to my costumers to loose my market man

[12:11] dskimmed2009: i always want to do long term business with my costumers

[12:12] robertsicili: there must be a lot of dishonest people in your business who stiff people

[12:12] robertsicili: how long have you been doing it?

[12:12] dskimmed2009: of course and they are those who used to spoiled most of the hackers business man

[12:13] robertsicili: so you are a “hacker”, do you get the data directly?

[12:13] dskimmed2009: i have been in this business for very good 17 years of age man

He loosens up a little and begins to give me history and a bit about his process.

[12:14] dskimmed2009: i use to go to Ho Minh Chin…Vietnam to hack softwares and come back to russian again man

[12:15] dskimmed2009: i have 3 types of softwares i use for my work man

[12:15] robertsicili: what are they called?

[12:15] dskimmed2009: One if for use to skimmed dumps

[12:15] dskimmed2009: software to skimmed dumps called Skimmer

[12:16] dskimmed2009: i have one too hacking software it used to hack credit card numbers and bank logins man

[12:16] dskimmed2009: i have western union bug software version 2010 with an activation code

[12:17] dskimmed2009: used to do online western union wireing and also hacking an mtcn numbers out from fullz man

[12:17] dskimmed2009: i have all types of skimming

[12:18] robertsicili: “hacking software”  so on other peoples computers?

[12:18] dskimmed2009: OH YES

He’s all happy now.

[12:22] robertsicili: are you russian?

[12:23] dskimmed2009: am not a russian man

[12:23] dskimmed2009: i have been there for good 8 years just to study how to hack very experiencely and perfect way man

[12:26] robertsicili: in the US we are hacked by many countries. The chinese are great hackers, Romanians too.

[12:27] robertsicili: I have heard of vietnamese hackers too but not as often.Ukraine have many good hackers

[12:27] dskimmed2009: oh yes man

[12:27] dskimmed2009: RUSSIAN,VIETNAM,THIALAND,ROMANIA,UKRAINE,NIGERIA ,GHANA

[12:28] robertsicili: Yes. All hacking Americans or all over the world?

[12:28] dskimmed2009: All those countries i just mention they contain alot of fake and good hackers

[12:29] dskimmed2009: they hack EUROPE,UK,US,CANADA,ASIA,WESTERN PART OF AFRICA

We discuss family!

[12:29] robertsicili: do you have kids?

[12:29] dskimmed2009: they hacked all over the world man

[12:29] robertsicili: ok

[12:29] dskimmed2009: i have 2 kids and my personal wife

Back to business

[12:35] robertsicili: how do you get paid?

[12:35] dskimmed2009: they are sooo many ways of means to get money easy but they dont like it on that way

[12:36] dskimmed2009: Through Western Union,Money Gramm,Liberty Resrve and Web Money

[12:38] dskimmed2009: u can also do western union online transaction money transfer with fullz

[12:39] robertsicili: define fullz

[12:39] dskimmed2009: fullz contain , SSN : SOCIAL SECURITY NUMBERDOB : DATE OF BIRTHDL : DRIVING LINCENSEMMN : MOTHER MAIDEN NAME

[12:40] robertsicili: I now understad fullz, but how do I turn that data into money?

[12:40] dskimmed2009: i will teach u if u buy either the fullz or the software ok

[12:40] dskimmed2009: u will just process and operate the software thats all

[12:41] robertsicili: how much for the software?

[12:41] dskimmed2009: 700$

[12:41] robertsicili: damn!~

[12:42] dskimmed2009: Don’t make noise

[12:42] dskimmed2009: i can reduce the price for u if u are ready at any time ok

[12:42] dskimmed2009: am not difficult hacker ok\

Such a great guy and all around good business man. Now I want more detail I want raw data, I want proof.

[12:48] robertsicili: when you get a chance send me samples of what I can get with the software. CVV2?

[12:49] dskimmed2009: all my software are containing security password and codes so i cant just give out like that man

[12:49] dskimmed2009: unless u have make payment for it

[12:49] dskimmed2009: b4 i can give u man

He is refusing to send me samples of data he hacked. I’m beginning to think he has nothing.

[12:50] robertsicili: if im going to make an investment in your softwareI need to understand what it does.

[12:51] dskimmed2009: it will hack the amount on the fullz as mtcn numbers for u to get out with the rest of the infomations man

[12:51] robertsicili: what is mtcn

[12:52] dskimmed2009: Money Transfered Control Number

But he never tells me what it does or how it works. I spend the next hour trying to pull that from him.

[12:54] robertsicili: you sell logins, how do you get them?

[12:55] dskimmed2009: bank logins ?

[12:55] robertsicili: is that what you sell?

[12:55] dskimmed2009: i have software to hack that from bank personal and company account’s

[12:55] dskimmed2009: yes i sell bank logins too man

[12:55] dskimmed2009: CVV,FULLZ,DUMPS,LOGINS,TRANSFERS

[12:56] dskimmed2009: I Do bank transfer,western union transfer and paypal verified account transfer toooo

[13:12] robertsicili: How do you get login data?

[13:14] dskimmed2009: i hack from online banking with software

[13:14] dskimmed2009: i have boa,rbc,wamu,wachovia

[13:14] dskimmed2009: icici,hsbc,abbey

[13:37] dskimmed2009: u need banking software for bank login date?\

[13:38] robertsicili: if im to start a business of hacking data I want to know what to buy from you.

[13:38] dskimmed2009: yes man

[13:38] dskimmed2009: please give me ur western union infomations now ok

[13:38] dskimmed2009: with ur phone number

[13:39] robertsicili: and what will you do with my western union info?

[13:39] dskimmed2009: i want to send some money for u to cash it out and send it to me on my infos in ghana man ok

Now he wants my “western union” account data so he can send me money so I can send his partner money in Ghana. He’s beginning to try an “affinity” scam on me.

[13:39] dskimmed2009: one of my business patner man

[13:39] dskimmed2009: he is online now am talking with him

[13:40] dskimmed2009: so i want to give him us infos to send the money

[13:40] dskimmed2009: through money gramm

[13:40] dskimmed2009: becoz right now all the banks is close

[13:40] dskimmed2009: here in ghana now

[13:41] robertsicili: why do you want to send me cash?

[13:41] dskimmed2009: i want him to send the money to us country so that u cash it out send it to me here in ghana now man ok

[13:41] dskimmed2009: becoz right now all banks is close in ghana now ok

[13:44] robertsicili: OK so he sends me money and i send it back to you because the banks are closed?

[13:44] dskimmed2009: oh yes

[13:44] dskimmed2009: that is it my brother

[13:45] robertsicili: In the US we call that an “advanced fee” scam. At least thats what someone told me.

[13:46] dskimmed2009: okay then stop ok

[13:46] dskimmed2009: don’t do it again ok

[13:46] dskimmed2009: we continue our business now

“don’t do it again” he tells me. OMG LMAO!!!!!

[13:47] robertsicili: I want to buy your software that hacks online banks. Tell me what it does and how much money it will cost me.

[13:49] dskimmed2009: it cost 1300$ for online banking software to hack bank logins both personal and company account

[13:51] robertsicili: tell me how it works, I want to undersyand the technology. Is it sql-injection, spyware? Password hacks, Phishing?

[13:52] dskimmed2009: 2 COMERSUS SOFTWARE WITHOUT BANK LOG IN AND BANK CREDIT CARD CODE ==========1000$

[13:52] dskimmed2009: 3 NEW WESTERN UNION HACKING BUG FOR WORLD WIDE TRANSFER ==========700$4 NEW PAYPAL LOG IN HACKWARE FOR HACKING FRESH PAYPAL ==========250$

[13:53] dskimmed2009: 7 NEW CREDIT CARD VALIDATOR FOR VALIDATING ANY FULL CC INFO ==========120$

[13:53] dskimmed2009: WESTERN UNION ONLINE SOFTWARE(WESTERN UNION BUG)VERSION 2009/2010PRICE:700$

Now I begin to get confused as he describes his process, because it makes no sense.

[14:22] robertsicili: explain to me me how it brings the infos and what the software hacks

[14:22] dskimmed2009: it will hack the bank u will choose on the list of the software processor

[14:23] dskimmed2009: then u will wait for 30 minutes for that bank u choose it’s infomations

[14:23] dskimmed2009: every infomations that will appear within that 30 minutes if valid infomations

[14:25] dskimmed2009: It’s not difficult to understand but if u understand i will be very happy man ok

[14:25] robertsicili: so the software is hacking the banks processor and getting consumer logins?

[14:28] dskimmed2009: it’s like bank transfer

[14:36] robertsicili: explain how th bank transfer works?

[14:36] dskimmed2009: a’m worry about how u dont understand man

[14:36] dskimmed2009: infact its pains me

“infact its pains me” TOOOOOO FUNNNNNYYY!!!!!!!!!!!!!!!

[14:36] robertsicili: Im skilled in software but want to understand how it works. is it a sql injection?

[14:38] robertsicili: if I am to spend thousands of dollars I needd to know how the tech nology works. you are selling hacking softeware but wont tell me how it works

[14:38] dskimmed2009: it will bring that bank u choose all its infomations will appear on it within that 30 minutes time man

None of this makes sense.

[14:40] dskimmed2009: u see someone’s bank account

[14:40] dskimmed2009: he is from usa

[14:40] dskimmed2009: his account was hacked by the software last weeks monday

[14:41] dskimmed2009: 38k was withdraw from it by one of my costumer who come to buy the software man

[14:43] robertsicili: ok

[14:43] dskimmed2009: u see ?

[14:44] robertsicili: soft of. I think there mayt be a language barrier here

[14:45] dskimmed2009: what do u mean by that man?

[14:45] robertsicili: so the software gives me access to the server and shows the banks customers accounts?

[14:45] robertsicili: then I can withdraw from the account and make a transfer?

[14:46] dskimmed2009: oh yes man

[14:46] dskimmed2009: that is it

[14:46] dskimmed2009: u can make the transfer ur self to ur account either company or personal account

So I ask him how he hacks Paypal. Based on his answer It cant possibly be this easy.

[14:50] robertsicili: ok. how does it work with paypal?

[14:51] dskimmed2009: We have Verified and Non Verified Account

[14:51] dskimmed2009: just the id and the password

[14:51] dskimmed2009: we have ones with an empty balances and with ones with founds tooooo

[14:59] robertsicili: how does it work?

[15:00] dskimmed2009: for that one is not difficult man

[15:01] dskimmed2009: u will just put the id on it,it will show the password and the amount in the account

WHAT? His software just needs an ID (account number) and it shows the password? I think I smell a rat.

[15:01] dskimmed2009: then u transfer to ur bank account or ur paypal account or uur personal account or any of ur company accout man

[15:02] dskimmed2009: that’sall

[15:02] robertsicili: serious? you have software that will show a persons user ID and their passwords and whats in the account? How does it do that?

[15:03] dskimmed2009: the software self will show the password and the amount on it

[15:03] dskimmed2009: infact i have sell this to 2 costumers only

[15:03] dskimmed2009: it’s too cost but simple to operate

[15:05] robertsicili: This sounds to good to be real. How can you prove this works before i send you money?

[15:05] guest-14953 entered the room

[15:06] dskimmed2009: i dont have any thing to show man

So he’s got nothing. Or at least wont give up anything.

[15:07] dskimmed2009: if u are ready u go to send money now so that i send u the software man

[15:07] dskimmed2009: becoz with the software u will make alot of money

[15:07] dskimmed2009: and am going to do long term business with u for ever man

[15:07] robertsicili: if what you say is true then the entire banking and paypal security is non existent.

[15:08] dskimmed2009: so u must to trust me and to be honest with me that alll

[15:08] robertsicili: dude, i find it hard to trust in this situation.

[15:09] dskimmed2009: ok

[15:09] dskimmed2009: any way thanks for contacting me ok

[15:09] dskimmed2009: bye

What an ASS. I learned he wasn’t much of a hacker, or at least didn’t have a very good handle on his technology or he just didn’t want to tell me. But the mere fact that he is sitting in a hut or internet café  somewhere and communicating like this tells me someone somewhere has sent him money. Man.

  1. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing credit card and debit card fraud on CNBC