Criminal Hackers Had Their Best Year

Identity Theft Expert Robert Siciliano

The FBI reported that last year, organized criminals made double what was reported in 2008. Phishing emails containing the name and logo of the FBI were one of the top money makers for scam artists.

Successful scams included auction scams where products were bought and paid for but product was not delivered. Advanced fee scams also topped the list.

Scammers will say and do anything to get a person to part with their money.

Never automatically trust over the phone or via the internet. Unless the business is one that is well established online; don’t ever send money that you can’t get back. Never send money in response to an email or a phone call or even a classified ad. Money orders and wiring money have less security than a credit card does.

Anytime the transaction involves wiring money, that’s a dead giveaway. In any virtual transaction, I’d suggest using a credit card, but not without first checking the legitimacy of the business or the individual. A quick scan online of a company, individual, or even the nature of a transaction can often provide enough information to make an informed decision.

Scareware was also a big player. Studies show that organized criminals are earning $10,000.00 a day from scareware. That’s approximately 200 people a day getting nabbed. Some “distributors” have been estimated to make as much as $5 million a year.

What makes the scam so believable is there is actual follow through of the purchasing of software that is supposed to protect you. There is a shopping cart, an order form, credit card processing and a download, just like any online software purchase.

The software is sometimes known as “AntiVirus2009” “WinFixer,” “WinAntivirus,” “DriveCleaner,” “WinAntispyware,” “AntivirusXP” and “XP Antivirus 2008.” These are actually viruses or spyware that infect your PC, or just junk software that does nothing of value.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Ransomeware on Fox Boston.

Why Everyone Should Learn to Be A Hacker

I know enough about hacking to make all of my software un-usable, mess up my operating system, and crash my PC. I also know enough about hacking to re-install my operating system, re-install all my software and get my PC running fresh and relatively secure. I’m no criminal hacker. And I am not suggesting that. Nor can I program; I don’t know code but I do know enough to hack in a way that keeps me running, and again, secure.

Hacker isn’t a bad word and hacking isn’t a bad thing to do. It’s something that if everyone who plugs into a PC every day did, they’d be a heck of a lot more versed in the functionality and security of a computer.

The beauty of becoming a “do it yourself” (DIY) hacker is you don’t need to pay a dude to come to your home or office to fix your computer when it’s not working. Three hundred and twenty five years ago I used to pay someone to fix me. Now I can do most of it myself, and when I don’t know how to do it I look it up on Google. Chances are if you have had this problem, then thousands of others have too. There are a bazillion forums that you can go to and solve annoyances and real technology issues.

Once you start asking questions you begin to find people who know the answers. Next thing you know you are the person with the answers. Along the way you connect with people that are smarter than you are who actually do know code and how to really hack a system. Then keep this stable of experts on your contact list so when you are in a pinch, you reach out. But do your best to figure it out on your own first so you aren’t constantly bugging them. You’d be amazed at how capable you are once you invest the necessary time to learn this stuff.

Another great way to learn how to be a DIY hacker is through tech support of your new PC. Most computers come with a one year guarantee that includes phone support. Now many people complain about lousy support, but the hundred or so hours I’ve spent over the years with these people from all over the world has definitely upped my hack-abilities. Even when the tech support guy is wrong, you learn something.

Recently I got rid of all my old 5-6-8 year old PCs and upgraded all but one to Windows 7 boxes and couldn’t be happier. In the process, I had to go through a litany of changes that were always frustrating, but made me a better, smarter, faster DIY hacker. I’ve spent about 20 hours with tech support on the phone getting everything to work like it should and now I know how to do it myself when things go wrong.

“Why I want my daughter to be a hacker” is the title of a post that’s been making waves in the blogosphere. It doesn’t exactly make my point, but worth a read.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing the identity theft on CNBC.

Google Hack Whacks Passwords

Code named Gaia after “Greek Goddess of Earth” a Google single sign on password system was hacked in December.

The NY Times reports “the intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions. But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.”

Google is a significant part of many individuals and businesses online activities. Millions rely on Google every day to be fast, functional and most important, secure. A breach such as this may erode the confidence of Google users, but for many, they have all their eggs in one basket.

The hack occurred when a Google employee in China received an instant message over Microsoft’s IM program, and clicked and infected the link. Once the Google employees computers were hijacked the criminal hackers obtained access to his files and credentials. This gave the bad guy’s access to Google.

Google has since added layers of encryption and beefed up security for its data centers and end users.

However, now is a good time to go through all your passwords and change them up.

I’ve said this multiple times. DON’T CLICK LINKS IN EMAILS AND INSTANT MESSAGES. These links are merely conveniences.  All you have to do is either go to whatever the link may be in your favorites menu or search out the site online. Spend the extra 30 seconds to leapfrog the links and go there manually.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing a Google hack on Shepard Smith with Fox News.

Stealing Identities of the Dead

Robert Siciliano Identity Theft Expert

Stealing the identity of the living is so 2009. Stealing the identity of the dead is so wrong, and so easy. It is made even easier by public records. A provision in federal law that reformed welfare in the 1990’s also created a loophole that could allow swindlers to obtain the Social Security numbers of the recently deceased.

In some state’s, Registry of Vital Records and Statistics include Social Security numbers on all certified death certificates. And anyone can obtain a death certificate from the registry for $18.

Wired reports Identity thieves filed for $4 Million in tax refunds using names of living and dead. A group of sophisticated identity thieves managed to steal millions of dollars by filing bogus tax returns using the names and Social Security numbers of other people, many of them deceased.

The thieves operated their scheme for at least three years from January 2005 to April 2008, allegedly filing more than 1,900 fraudulent tax returns involving about $4 million in refunds directed to more than 170 bank accounts. The conspirators used numerous fake IDs to open internet and phone accounts, and also used more than 175 different IP addresses around the United States to file the fake returns, which were often filed in bulk as if through an automated process.

The scam took advantage of the IRS’ quick turnaround in processing refunds for electronically filed returns. The IRS typically processes a refund request without verifying the taxpayer’s information — such as whether the taxpayer is alive — or confirming that the taxpayer is legitimately owed money.

Generally, a death is reported to the Social Security administration in a relative and timely fashion, but not always. As far as I can tell there is no form for merely “reporting a death” to the IRS. However, the IRS demands a final accounting, and it’s up to the executor or survivors to file the paperwork. When a taxpayer dies, a new taxpaying entity – the taxpayer’s estate – is born to make sure no taxable income falls through the cracks.

The 3 credit bureaus maintain a list of deceased based on the Social Security Administration’s data. However it can take a months for the bureaus to update their databases with information from the SSA. By contacting the credit agencies directly, you can report a death and have more confidence that the information will be used immediately.

Protect your identity.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Social Security numbers on Fox News.

1.5 Million Americans Have Been Victims of Medical Identity

Robert Siciliano Identity Theft Expert

The Smartcard Alliance has released an in-depth report called “Medical Identity Theft in Healthcare.

While identity theft is a global issue that garners much media attention, most do not realize that medical identity theft is a serious and growing threat. Many authorities consider medical identity theft one of the fastest growing crimes in America. With the digital age of healthcare upon us, the risks are expected to increase as electronic medical records become more prevalent and the exchange of this data over expanding networks becomes more pervasive. Heightened concern over personal data security and privacy highlight the importance of having secure electronic medical identities.

According to a recent Ponemon Institute study, nearly 1.5 million Americans have been victims of medical identity theft with an estimated total cost of $28.6 billion–or approximately $20,000 per victim. [1] Further evidence of the significance of the medical fraud problem is the allocation of $1.7 billion for fraud detection in the 2011 U.S. Health and Human Services Department budget. [2] In 2009, 68 reported healthcare data breaches in the U.S. put over 11.3 million patient records at risk of exposure.

Patients whose medical identities are stolen face serious lingering effects. Fraudulent healthcare events can leave erroneous data in medical records. This erroneous information–like information about tests, diagnoses and procedures–can greatly affect future healthcare and insurance coverage and costs. Patients are often unaware of medical identity theft until a curious bill or a surprising line of questioning by a doctor exposes the issue. Then, the burden of proof is often with the patient and it can be difficult to get the patient’s legitimate medical records cleaned up. The consequences can also be life threatening and can lead to serious medical errors and fatalities.

Identity theft prevention services generally will not protect you from medical identity theft. However, if your information is out there on the Net and being scanned constantly by the identity theft protection service, then your risk is lowered. Furthermore, I’m all about layers of protection. If your identity is protected from new account fraud via credit monitoring or credit freezes then the thief may use another identity that has less restrictions.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Medical Identity Theft on the CBS Early Show

Deputy Reports Finding Peek-a-boo Home Burglar in Closet

Turn up your Creep-o-meter for this one. In Florida, law enforcement arrested a man on a home burglary charge after a deputy spotted him sitting in a closet with a sheet over his upper body while his blue jeans and brown boots remained visible.

A relative of the homeowner notified local law enforcement when they received a call that a home security alarm was tripped. The deputy went to the home and noticed a window air-conditioned had been removed from a window and was an obvious point of entry.

The creep had a knife when they arrested him.

In the UK a couple was sleeping when a man broke into their home and went into their bedroom to steal the woman’s underwear. The intruder went into the kitchen and grabbed an 8 inch steak knife. The victims woke up to find the intruder with a knife inches from their faces. The boyfriend quickly responded and subdued the man until police arrived.

Down under in Australia a father-of-two feared for his family’s safety when a burglar broke into their home, wandering through the family’s bedrooms in search for “something to make quick money” with. While the home burglar was in the parents’ bedroom he unplugged the father’s mobile phone to steal it. When he did the phones light turned on and woke up the dad. Instantly the father sprung up and chased the burglar out of the house and through an open window. The father was quoted saying “I am really annoyed – it doesn’t worry me that he broke in …, but what’s a real worry is that this person was only two inches away from my head, from my wife, from my girls.”

His 9 year old daughter said “It’s creepy to know someone walked into your room and looked at you while you were asleep.”

People, PLEASE! Lock your doors and windows! In two of these examples the homeowners were sleeping with no home alarms and the intruder walked right in! With kids in the house! Install a home security system with motion detectors. PLEASE!

Robert Siciliano personal security expert to Home Security Source discussing personal and home security on Fox Boston.

10 Personal Safety and Security Tips

Fundamentals: Body language is 55% of communications. That’s your walk, posture, facial expressions and eye contact. Awareness is being alert to your surroundings at all times. Intuition is when the hair on the back of your neck stands on end. Voice tone and pitch equal 35% of communications. The way a person communicates physically and verbally can determine whether or not a predator deems you a good target.

Prevent Abductions: When returning to a parked car, scan the area around your car, be alert to suspicious activity. Be aware of vans. Abductors and rapist open up the side doors and pull in their victims.

Never Use Your Keys As A Weapon: Contrary to popular belief your keys are not a good weapon. Using your keys as a weapon can injure your hand, the keys can break, you lose your “key to safety”, and you lose access to your car and home which are safe havens. Unless it’s a LARGE key. Then it’s a good weapon.

Prevent Home Invasions: You tell your children not to talk to strangers, so why do you open the door to a total stranger? Home-invaders pose as delivery people, public workers, or people in distress. Install peepholes, talk through the door. Under no circumstances do you open the door unless you get phone numbers to call their superiors. If someone is in distress tell him or her you will call the police for them. Install security cameras and a home security system.

Safety On The Streets: One dollar bills and change in an easily accessible pocket. Then if someone tries to rob you, you can throw the “chump change” several feet away. The robber will draw his attention to it giving you time to escape. Do not fight over material items.

What To Do If Attacked: Fighting, running and screaming are all options. Remember: You are worth fighting for!

Safety In Your Car: In the event of a minor accident, stop only in a well-lit area. Carjackers often provoke such “accidents” just to get a victim to stop. DO NOT stop on a deserted, dark street. Drive to a police station or a gas station. Use a cell phone and call 911.

Home Safe Home: Consider a second line or a cell phone in your bedroom. That’s because burglars often remove a telephone from the receiver when they enter a home. Of course, an alarm system activated while you are sleeping will prevent a home burglar from getting this far. Newer home alarms have cellular options, a safeguard even if the phone lines are cut.

Vacation/Business Traveler Safety: Be suspicious of a call from the hotel desk just after checking in requesting verification of your credit card number “because the imprint was unreadable.” A thief may have watched you enter the hotel room and called from the guest phone in the lobby. Never open your hotel room to anyone.

Telephone Security: Never give personal information over the phone unless you initiate the call. Do not click on links in text messages asking you to update banking information. Set your mobile to require password access in case it’s lost or stolen.

Robert Siciliano personal security expert to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover.

ID Theft Ring Gleaned Socials From Medical Records

Robert Siciliano Identity Theft Expert

Medical identity theft occurs when the perpetrator uses your name and in some cases other aspects of your identity, such as insurance information, to obtain medical treatment or medication or to make false claims for treatment or medication. As a result, erroneous or fraudulent entries wind up on your medical records, or sometimes entirely fictional medical records are created in your name. Financial identity theft as it relates to new account fraud is when an identity thief gets the victim’s Social Security number and opens new financial accounts under the victim’s name. There’s very little protection from this due to a flawed system of open credit and lack of authenticating the actual “owner” of the SSN.

In Chicago, ABC News reports “Seven people have been arrested in an identity theft ring that allegedly used information stolen from victims’ medical records to obtain credit cards. The identities of more than 200 patients of a Chicago hospital were stolen. The information was stolen from the offices of the Northwestern Medical Faculty Foundation. That information led to $300,000 worth of goods and services being racked up on fraudulently.The suspects are even accused of using Facebook to post photos of themselves posing with stolen clothing and jewelry.”

One of the rings leaders alleged to have been a part of the group, is being held on $100,000 bond. Apparently her third run-in with the law.

Her mom said “That’s really not her. She is a good person. She do have a heart.” She “do”, huh? She do like to steal identities too. And she do like to buy her nice stuff with those stolen identities. The victims have to spend many hours cleaning up their good names. They may be denied loans in the process or jobs or insurance due to bad credit.

You do need to protect yourself from new account fraud and identity theft protection and a credit freeze is the best way. I did a spot on Good Morning America on this story below.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing ID Theft Ring on Good Morning America

Self-revelation Can Help Assemble a Social Security Number

I am not done nor will I ever be done sounding that alarm, ringing that bell and informing you about how ridiculous social media is. I was asked in a radio interview today what it will take to get people to recognize they are sharing too much data. In a word, tragedy. When a home is broken into, they install a home security alarm. When someone is mugged, they take a self defense course. When planes fly into buildings, we get frisked. Being smart is understanding risk and being proactive.

Most people are smart enough to NOT give out a social security number on Facebook. However between what you say, your family, friends and colleagues say and post, your profile is becoming more complete every minute. Even your mom or wife posts her name as “First Maiden Last” because she saw someone else do it and it made sense to allow her old friends/flames to find her.

But today with all this personal information readily available there are now rumblings from academia that they have cracked the code and have assembled technologies to decipher all this information and turn it into hard decipherable data that leads to opening new accounts in your name.

The New York Times reportscomputer scientists and policy experts say that such seemingly innocuous bits of self-revelation can increasingly be collected and reassembled by computers to help create a picture of a person’s identity, sometimes down to the Social Security number. So far, this type of powerful data mining, which relies on sophisticated statistical correlations, is mostly in the realm of university researchers, not identity thieves and marketers.”

SearchSecurity.com reports that researchers at Carnegie Mellon University have developed a reliable method to predict Social Security numbers using information from social networking sites, data brokers, voter registration lists, online white pages and the publicly available Social Security Administration’s Death Master File.

Originally, the first three numbers on a Social Security card represented the state in which a person had initially applied for their card. Numbers started in the northeast and moved westward. This meant that people on the east coast had the lowest numbers and those on the west coast had the highest. Before 1986, people were rarely assigned a Social Security number until age 14 or so, since the numbers were used for income tracking purposes.

From this point on I’d suggest locking down social media profiles in a way that they are not publicly accessible. Prevent anyone (except those very close to you) from seeing and reading everything about your daily activities, who you associate with and all the names and contact information of all your friends and family.

Robert Siciliano personal security expert to Home Security Source discussing cracking the code and wireless security on Fox Boston.

Social Media Security: Using Facebook to Steal Company Data

Robert Siciliano Identity Theft Expert

There is a reason why computer users are called “users.” Like crack addicts who are drug users, more is never enough. And when under the influence, people do stupid things. I find myself scanning the Dell catalog like it’s the latest (or any) Victoria Secrets catalog. I’m amazed at how many people I know are online all day long and digitally stoned. The bad guy knows you are obsessed and uses this against you. He sees that you are comfortably numb here. He understands that in the virtual world you’re delirious and more apt to respond to his message then log your credentials.

Meanwhile Facebook’s security and privacy issues are being challenged from all sides. And during the brouhaha one of the Facebooks investors fell for a Facebook phishing scam.

Steve Stasiukonis is vice president and founder of Secure Network Technologies Inc. and publishes to Dark Reading tested his clients network using a bogus identity, and joined the companies Facebook site and started mining the names and email addresses of individuals who identified themselves as employees.

As he collected a database of names for a penetration test in the phish, he secured a domain name similar to that of his client. This domain name took on the appearance of a human resources or benefits portal. When he emailed the employees as “human resources,” they were redirected to a Web page, such as https://www.xyzcompany-benefits.com.

He has been able to accumulate significant numbers of emails for phishing targets from Facebook and other social networking sites. When he launched his companie’s Facebook spear-phishing attack, he usually got an average response rate of 45 to 50 percent. So nearly half of the employees responded to an email with the logins and passwords they use on their employers’ network.

Steve says:

— Officially sponsor the social networking site and assign an administrator who is responsible for permitting employees to join. This will help control somebody infiltrating the site for devious purposes.

— Establish a social networking policy. If your employees are participating in social networking sites (company sponsored or not) make sure company policies dictate what is and is not permissible. For example, divulging your corporate email account on social networking sites should not be permitted.

— Last but not least, if employees feel the need to gather and converse about their day-to-day work, personal lives, and hobbies, consider a corporate intranet. Maybe someday social networking vendors will launch a product that will provide the same features and benefits, but with the security tools needed to keep employees and company secrets safe. But in the meantime, it’s up to you.

Sober up and protect your identity.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing Facebook Hackers on CNN