Check Fraud Identity Theft is Rising

Robert Siciliano Identity Theft Expert

As opening new lines of credit becomes more difficult, identity thieves are gravitating toward check fraud.

Check fraud is a billion-dollar problem. As predicted by the Identity Theft Resource Center, check fraud, which accounted for 12% of financial crimes in 2007, increased to 17% in 2008. According to the American Bankers Association Deposit Account Fraud Survey Report, $969 million was stolen via check fraud in 2006, up from a reported $677 million in 2003. Of the $969 million lost to check fraud, 38% was stolen through return deposit scams, 27% was stolen using cloned checks, 28% was stolen using counterfeit checks, and 7% was stolen by altering or washing checks.

According to an article in The New York Post, a brazen ring of thieves enlisted crooked bank tellers to run a check fraud scheme that was brought down when the crooks made the mistake of forging checks from an NYPD account. Two criminal hacker ringleaders organized the counterfeit scam, using 950 “soldiers,” or “mules,” to deposit and cash counterfeit checks, netting them millions of dollars. Three bank tellers were involved, stealing and selling customer profiles which included names, Social Security numbers, and account numbers. Insider identity theft of this kind accounts for up to 70% of all instances of identity theft.

Check fraud victims include banks, businesses and consumers themselves. Our current system for cashing checks is somewhat flawed. Checks can be cashed and merchandise can be purchased even when there is no money in the checking account.

I presented a program on motivation and self-improvement at a women’s prison in Massachusetts a few years back. I requested a little background on the women I was speaking to, just because I watch too many movies and I wanted to know if there was any possibility I’d get shanked. The case worker informed me that about 80% of the women were incarcerated for check fraud and shoplifting. It seems that when some people get a checkbook, they consider it an opportunity to print money.

There are numerous forms of check fraud:

Forged signatures are the easiest form of check fraud. These are legitimate checks with a forged signature. This can occur when a checkbook is lost or stolen, or when a home or business is burglarized. An individual who is invited into your home or business can rip a single check from your checkbook and pay themselves as much as they like. Banks don’t often verify signatures until a problem arises that requires them to assign liability.

Forged endorsements generally occur when someone steals a check and cashes or deposits it. There’s really nothing anyone can do to protect themselves from this, aside from guarding their checks and going over their bank statements carefully.

Counterfeit checks can be created by anyone with a desktop scanner and printer. They simply create a check and make it out to themselves. In order to prevent your checks from being counterfeited, make sure you shred all canceled checks before throwing them away, and be sure to lock up any checks in your home or office. Consider a locked mailbox so nobody can access your bank statements. You should also seriously consider using online banking exclusively, and discontinuing paper statements.

Check kiting or check floating usually involves two bank accounts, where money is transferred back and forth, so that they appear to contain a balance which can then be withdrawn. A check is deposited in one account, then cash is withdrawn despite the lack of sufficient funds to cover the check. In this case, it’s generally the bank or whoever cashed the check that gets burnt, unless they are able to go after the person who used their own account.

Check washing involves altering a legitimate check, changing the name of the payee and often increasing the amount. This is the sneakiest form of check fraud. When checks or tax-related documents are stolen, either from the mail or by other means, the ink can be erased using common household chemicals such as nail polish remover. This allows the thieves to endorse checks to themselves. In this case, something as simple and inexpensive as a select uni-ball pen can help. Select uni-ball pens contain specially formulated gel ink (trademarked Uni-Super Ink™) that is absorbed into the paper’s fibers and can never be washed out. The pen costs two bucks and is available at any office supply store.

If you write a check to pay a bill and then put it in your mailbox for the postal carrier to deliver, you put yourself at a higher risk for check fraud. Thieves see that red flag up and go phishing for checks. I suggest using a uni-ball pen and taking checks directly to the post office, or dropping them in a big blue mailbox.

If you plan to do any online banking, which millions do, make sure your PC is protected with McAfee anti-virus software and all your critical security patches in your operating system are up to date.

Robert Siciliano identity theft speaker discussing identity fraud and security

Requests For Social Security Numbers Leads to Identity Theft

Robert Siciliano Identity Theft Expert

A patient at a Washington state medical clinic was asked for his Social Security number numerous times. Many of us have endured this familiar process. Considering the recent buzz about identity theft, this patient became concerned about releasing his own sensitive personal data, and requested that the facility remove his Social Security number from their records. The clinic refused, the patient put up a stink, and was ultimately ejected from the facility. The clinic considered his request unreasonable, and a violation of their rules and regulations. So, who’s right and who’s wrong in this scenario?

One Saturday afternoon, years ago, my spouse and I went to a major chain that rents videos. Without naming them, let’s just say they rent some block buster movies. The account was under my wife’s name, but she didn’t have her card with her that day. Upon checkout, the pimply faced 17-year-old clerk said, “No problem,” and asked for her Social Security number, which appeared on the screen in front of him. I freaked out and was ejected from the store. So, who’s right and who’s wrong?

In both cases, the customer is wrong. That may not be the answer you were expecting. I was wrong and the patient was wrong.

In general, routine information is collected for all hospital patients, including the patient’s name, address, date of birth, Social Security number, gender and other specific information that helps them verify the individual’s identity, as well as insurance enrollment and coverage data. And due to federally mandated laws like HIPAA, they are careful to maintain confidentiality of all patient information in their systems.

Corporations such as banks, credit card companies, automobile dealers, retailers and even video rental stores who grant credit in any form are going to ask for your name, address, date of birth, Social Security number and other specific information that helps them verify your identity and do a quick credit check to determine their risk level in granting you credit.

The Social Security Administration says, “Show your card to your employer when you start a job so your records are correct. Provide your Social Security number to your financial institution(s) for tax reporting purposes. Keep your card and any other document that shows your Social Security number on it in a safe place. DO NOT routinely carry your card or other documents that display your number.” But beyond that they have no advice and frankly, no authority.

Over the past fifty years, the Social Security number has become our de facto national ID. While originally developed and required for Social Security benefits, “functionality creep” occurred. Functionality creep occurs when an item, process, or procedure designed for a specific purpose ends up serving another purpose, which it was never intended to perform.

Here we are decades later, and the Social Security number is the key to the kingdom. Anyone who accesses your number can impersonate you in a hospital or bank. So what do you do when asked for your Social Security number? Many people are refusing to give it out and quickly discovering that this creates a number of hurdles they have to overcome in order to obtain services. Most are often denied that service, and from what I gather, there is nothing illegal about any entity refusing service. Most organizations stipulate access to this data in their “Terms of Service” that you must sign in order to do business with them. They acquire this data in order to protect themselves. By making a concerted effort to verify the identities of their customers, they establish a degree of accountability. Otherwise, anyone could pose as anyone else without consequence.

So where does this leave us? I have previously discussed “Identity Proofing,” and how flawed our identification systems are, and how we might be able to tighten up the system. But we have a long way to go before we are all securely and effectively identified. So, in the meantime, we have to play with the cards we are dealt in order to participate in society and partake in the various services it offers. So, for the time being, you’re going to have to continue giving up your Social Security number.

I give up mine often. I don’t like it, but I do things to protect myself, or at least reduce my vulnerability:

How to protect yourself:

  • You can refuse to give your Social Security number out. This may lead to a denial of service or a request that you, the customer, jump through a series of inconvenient hoops in order to be granted services. When faced with either option, most people throw their arms in the air and give out their Social Security number.
  • You can invest in identity theft protection.
  • You can attempt to protect your own identity, by getting yourself a credit freeze, or setting up your own fraud alerts. You can use Google news alerts to sweep the net and take precautions to prevent social media identity theft.
  • Protect your PC. Regardless of what others do with your Social Security number, you still have to protect the data you have immediate control over. Make sure to invest in Internet security software.

Robert Siciliano, identity theft speaker, discusses the ubiquitous use of Social Security numbers.

What have you done in the past when asked for your SSN? Did you refuse? What happened?

Identity Theft Ring Pickpockets Caught by Feds

Identity Theft Expert Robert Siciliano

If there were a “criminal hall of fame,” with an award bestowed on the “coolest” criminal, it would have to be a pickpocket. Pickpockets are sneaky, devilish creatures who function exactly one degree below the radar.

Pickpockets whisper through society, undetected and undeterred. They are subtle and brazen at the same time. They are like bed bugs, crawling on you and injecting a numbing venom that prevents you from detecting their bite until it’s much too late. They aren’t violent like a drug-crazed mugger or confrontational like a stick-up robber. They have much more gumption than any criminal hacker because they don’t hide under the anonymity of the Internet.

One second is all a pickpocket needs. A brief diversion, a quick move, and before you can take a breath, your wallet is gone.

Pickpocketing is one of the oldest criminal professions, and is still very prevalent in Europe. Their target? Clueless Americans. Americans just aren’t as aware of pickpockets, since pickpocketing isn’t as prevalent here.

One victim’s story: “My wife and I were at a Paris Metro station where the loudspeakers were blaring, ‘WARNING. THERE ARE PICKPOCKETS PRESENT AT THIS STATION.’ We got on the crowded subway. A woman stayed half on and half off, blocking the door. At the same time, another woman was bumping against me, indicating that she needed to get off. She got past me and she and her friend exited the train, allowing the door to close. As she did, I realized that my cash (about $120) was gone from my pocket. As we pulled away, I watched the two women at the station, smiling and waving at me.”

Pickpockets’ greatest advantage is the fact that most people don’t believe it can happen to them. Including me.

Years ago, I met this cat named Gene Turner at a convention. A great guy who has the skills of a real pickpocket, but uses his abilities to inform, educate and entertain people. I told him to get Pickpocket.com, which he did. I should get a slice of that action! Real nice guy, very personable. He introduced himself to me by – without me knowing – taking my watch off my left wrist. Then asked me what time it was. I looked at my left wrist, no watch. He pointed to my right arm, where he re-fastened it. Freaked me out.

Gene says, “Personally, I get ‘caught’ maybe once out of a thousand times when I’m lifting a watch. And usually it’s either a really difficult watch or I’m taking it from the same person for the third or fourth time. I have always said a good pickpocket could pick me clean and I would never feel it. Even the best multi-tasker can be distracted, and it only takes a split second of distraction to become a victim. I have lifted watches from and put watches on many magicians, security people and yes, even other pickpockets, without their knowledge.”

Wired reports that pickpockets have upped the ante: “Feds Swoop In on Nationwide Pickpocket, I.D. Theft Ring.” The suspects, using a novel and high-tech strategy, allegedly stole the identities and bank account information from victims nationwide through pickpocketing and other means. The ring allegedly traveled around the country to crowded events, targeting sports fans in particular. Often, they worked in teams, in which one person distracts the victim and the other lifts the victim’s wallet.

How to protect yourself:

1. Be wary of someone yelling, “There’s a pickpocket in the crowd.”

Gene says, “I use this ploy a lot in my show. When people find out that I can pick pockets, the men check for their wallets and the women will check for their jewelry in the order of value – most expensive first. Their actions clue me as to exactly where the wallets and valuable jewelry are located.”

A man in a business suit has four pants pockets and six to eight pockets in the jacket. His wallet, cash and credit cards could be in any one of ten or more pockets. Pickpockets don’t usually have time to search all ten, but if they see you check your pocket when you read the sign, they now know the exact location. If you think there are pickpockets around or you see a sign, don’t be obvious about checking for your wallet or valuables.

2. Don’t display money or valuables in public.

Flashing your money will get you more attention than you want. Pickpockets will notice where you stash the cash and one bump later, you’ll be left with an empty pocket.

3. Be aware of your surroundings.

Especially in crowded places, bumps, commotions, and aggressive people are the typical distractions pickpockets use. Sometimes a person will fall down, drop something or appear to be ill, and we rush in to help. That’s great and I recommend it, but it may be a diversion. If you’re helping a stranger, make sure someone you trust is watching your valuables. Sidewalks, malls, bus terminals, airports, train stations, in any type of crowd it is extremely important to be aware of your surroundings. Pickpockets are counting on you paying attention to everything except for your wallet or purse.

4. Don’t carry valuables in a backpack or fanny pack.

Anyone can reach into a backpack without you seeing or feeling. Fanny packs, if worn, should only be worn in front. Keep in mind that that won’t prevent a thief from undoing it or slashing the belt and getting away with it. If you do wear a fanny pack, make sure the buckle is near the pouch in front, so a pickpocket would have a more difficult time getting to the latch without your knowledge. It is not uncommon for a pickpocket to use a razor blade to slice through a bag and reach in.

5. Thin out your wallet.

Ultimately, they may still get your wallet. And when they do, you need to be prepared to respond to the fallout. The best protection is to not carry anything of value. There is no need to carry documents containing Social Security numbers, passwords, account numbers, birth certificates or anything that could lead to new account fraud. I carry a driver’s license, credit card and a Costco card. Think of it this way: if your wallet were lost or stolen, would you feel like throwing up? If so, you have too much stuff in there.

6. Make copies.

For those of you that have to carry lots of stuff for various reasons, please make a photocopy, front and back, of every document in your wallet. Keep those photocopies in a secure place. If your wallet goes missing, you will have everything you need to close the existing cards and get new ones. Plus, it doesn’t hurt as much when you can see a copy of the missing cards.

7. Use anti-check washing pens.

Wallets often contain checkbooks. Check fraud is a billion-dollar problem. Check washing occurs when criminals use nail polish remover to scrub out the payee and dollar amount, and rewrite checks to themselves for increased amounts. With a uni-ball anti-check washing gel pen, you can prevent your checks from being washed.

8. Protect your identity.

Invest in Intelius identity theft protection and prevention services. Even if your wallet is squeaky clean, your data may be found in your bank’s dumpster or be hacked, which is why you also must protect your computer by having the latest McAfee anti-virus and spyware protection.

Robert Siciliano Identity Theft Speaker discussing identity theft ring busted

Social Media Identity Theft Hits MLB Coach On Twitter

Identity Theft Expert Robert Siciliano

The scourge of identity theft knows no boundaries. It can happen to anyone: rich, poor, good credit, bad credit. Victims include children, the elderly, celebrities and politicians, even the dead. Identity theft may include new account fraud, account takeover, criminal identity theft, business identity theft and medical identity theft. Most of these result in financial loss.

One form of identity theft that is particularly damaging to the victim’s reputation is social media identity theft. Social media identity thieves have various motivations. The most damaging type of social media identity theft occurs when someone poses as you in order to disrupt your life. This disruption can take on many forms. They may harass and stalk you or your contacts, or they may steal your online identity for financial gain.

In the case of St. Louis Cardinals manager Tony La Russa, someone created a Twitter account in his name. La Russa is suing Twitter, claiming the impostor Twitter page damaged his reputation and caused emotional distress. The lawsuit includes a screen shot of three tweets. One, posted on April 19, read, “Lost 2 out of 3, but we made it out of Chicago without one drunk driving incident or dead pitcher.” Apparently, La Russa has had a drunk driving arrest and two Cardinals pitchers have died since 2002. One pitcher died of a heart attack, the other in a drunk driving accident.

There is no limit to the damage someone can do by using your name and picture in order to impersonate you online. In Milwaukee, Wisconsin, an 18-year-old student was accused of posing as a girl on Facebook, tricking at least 31 male classmates into sending him naked photos of themselves, and then blackmailing some of these young men for sex acts.

Social media websites were created with the intention of bringing people together in a positive way, but we are beginning to see these sites being used in very sinister ways. The root of the problem is the fact that social media sites are all based on the honor system, with the assumption that people are honestly setting up accounts in their own names. There are few checks and balances in the world of social media, which means that you need to adopt a strategy from yet another form of predator to protect yourself.

There are hundreds or even thousands of social media sites, including Facebook, MySpace, Twitter and YouTube. Even your local newspaper’s website has a place for user comments, and most people would prefer to register their own names before someone else has done so on their behalf.

I have obtained over 200 user names pertaining to my given name in order to mitigate social media identity theft. This may sound obsessive, but the two examples given above are all the proof anyone needs to clamp down on social media. I’m on everything from Affluence.org to Zooomr.com. Some I use, others just have my profile and a link back to my website. I should also mention that there are some hazards involved in such a mission. You may experience a spike in spam, as I did, so I suggest creating an alternate email address. Furthermore, some websites make you join various groups that you don’t have much control over. I’m now a member of some masochistic fetish group of the opposite sex. Not exactly what I signed up for. So be careful.

The goal is to obtain your real first and last name without periods, underscores, hyphens, abbreviations or extra numbers or letters.

These tips bear repeating:

  1. Register your full name and those of your spouse and kids on the most trafficked social media sites, blogs, domains or web based email accounts. If your name is already gone, include your middle initial, a period or a hyphen. It’s up to you to decide whether or not to plug in your picture and basic bio, but consider leaving out your age or birthday.
  2. Set up a free Google Alert for your name and get an email every time your name pops up online.
  3. Set up a free StepRep account for your name. StepRep is an online reputation manager that does a better job than Google Alerts does of fetching your name on the web.
  4. Consider dropping $65 on Knowem.com. This is an online portal that goes out and registers your name at what they consider the top 120 social media sites. Their top 120 is debatable, but a great start. The user experience with Knowem is relatively painless. There is still labor involved in setting things up and with some of the 120. And no matter what you do, you will still find it difficult to complete the registration with all 120 sites. Some of the social media sites just aren’t agreeable. This can save you lots of time, but is only one part of solving the social media identity theft problem.
  5. Start doing things online to boost your online reputation. Blogging is best. You want Google to bring your given name to the top of search in its best light, so when anyone is searching for you they see good things. This is a combination of online reputation management and search engine optimization for your brand: YOU.
  6. If you ever stumble upon someone using your likeness in the social media, be very persistent in contacting the site’s administrators. They too have reputations to manage and if they see someone using your photo or likeness they would be smart to delete the stolen profile.
  7. Or do nothing and don’t worry about it. But when some other John Doe does something stupid or uses your name in a disparaging way or for identity theft, and people assume that it’s you, remember that I told you so.
  8. Despite all the work you may do to protect yourself, you still need identity theft protection and Internet security software.

Robert Siciliano, identity theft speaker, discusses social media privacy.

mCrime; Hacking Mobile Phones for Identity Theft

Robert Siciliano Identity Theft Expert

History indicates that we are at the forefront of an era in which criminal hackers develop tools and techniques to steal your money using your own cell phone.

Fifteen years ago, cell phones were so bulky and cumbersome, they had to be carried in bags or briefcases. Then they became chunky, heavy bricks. Calls dropped every other minute. Clearly, cell phones have evolved since then. Today’s cell phone is a lot more than a phone. It’s a computer, one that rivals many desktops and laptops being manufactured today. A cell phone can pretty much do everything a PC can do, including online shopping, banking, and merchant credit card processing.

The personal computer started out slow and stodgy, and was mainly used for things like word processing and solitaire. Today, PCs are fast, multimedia machines, capable of performing amazing tasks.

There are consequences to the rapid evolution of these technologies.

A decade ago, during the slow, dial up era, hackers (and, in the beginning, phreakers) hacked for fun and fame. Many wreaked havoc, causing problems that crippled major networks. And they did it without today’s sophisticated technology.

Meanwhile, the dot-com boom and bust occurred. Then, as e-commerce picked up speed, high speed and broadband connections made it easier to shop and bank online, quickly and efficiently. Around 2003, social networking was born, in the form of online dating services and Friendster. PCs became integral to our fiscal and social lives. We funneled all our personal and financial information onto our computers, and spent more and more of our time on the Internet. And the speed of technology began to drastically outpace the speed of security. Seeing an opportunity, hackers began hacking for profit, rather than fun and fame.

Now, iPhones and other smart phones have become revolutionary computers themselves. For the next generation, the phone is replacing the PC. AT&T recently announced that they’ll be upping the speed of the latest version of their 3G network, doubling download speeds. It has been reported that the next iPhone will have 32 gigabytes. That’s more hard drive than my three year old laptop.

So naturally, criminal hackers are considering the possibilities offered by cell phones today, just as they were looking at computers five years ago.

Two things have changed the game: the speed and advancement of technology and spyware. Spyware was created as a legitimate technology for PCs. Spyware tracks and records social network activities, online searches, chats, instant messages, emails sent and received, websites visited, keystrokes typed and programs launched. It can be the equivalent of digital surveillance, revealing every stroke of the user’s mouse and keyboard. Parents can use spyware to monitor their young children’s surfing habits and employers can make sure their employees are working, as opposed to surfing for porn all day.

Criminal hackers created a cocktail of viruses and spyware, which allows for the infection and duplication of a virus that gives the criminal total, remote access to the user’s data. This same technology is being introduced to cell phones as “snoopware.” Legitimate uses for snoopware on phones do exist: silently recording caller information, seeing GPS positions, monitoring kids’ and employees’ mobile web and text messaging activities. Criminal hackers have taken the snoopware and spyware technology even further. Major technology companies agree that almost any cell phone can be hacked into and remotely controlled. Malicious software can be sent to the intended victim disguised as a picture or audio clip, and when the victim clicks on it, malware is installed.

One virus, called “Red Browser,” was created specifically to infect mobile phones using Java. It can be installed directly on a phone, should physical access be obtained, or this malicious software can be disguised as a harmless download. Bluetooth infrared is also a point of vulnerability. Once installed, the Red Browser virus allows the hacker to remotely control the phone and its features, such as the camera and microphone.

While this may sound improbable, I’ve consulted and appeared on television (Tyra Banks and Fox) with an entire family that seems to have been victimized by every aspect of snoopware. The Kuykendalls, of Tacoma, Washington, found that several of their phones had been hijacked in order to spy on them. They say the hacker was able to turn a compromised phone on and off, use the phone’s camera to take pictures, and use the speakerphone as a bug. Ever since the program featuring the Kuykendalls’ story aired and continues to repeat, I’ve received dozens of emails from people around the world who have experienced the same thing. Many of these people seem totally overwhelmed by what has happened to them, and some are beginning to suffer financial losses.

If history is any indication of the future, mobile phones, just like computers, will soon be regularly hacked for financial gain. Prepare for mCrime in the form of credit card fraud, identity theft and data breaches.

Some Internet security software providers are beginning to offer software specifically for mobile phones. In the meantime, identity theft protection services are one line of defense against the latest cybercrime techniques.

Robert Siciliano, identity theft speaker, discusses hacked cell phones.

Typosquatting on Twitter and other social networks

Robert Siciliano Identity Theft Expert

Typosquatting, which is also known as URL hijacking, is a form of cybersquatting that targets Internet users who accidentally type a website address into their web browser incorrectly. When users make a typographical error while entering the website address, they may be led to an alternative website owned by a cybersquatter. This can lead to financial or social media identity theft. Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as user names, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Scammers recently created a website imitating Twitter.com, and have been sending phishing emails to millions of users, many of whom click on the link contained within the emails, which sends them to the phishing site, where they enter their user names and passwords in order to log in.

The site is Tvviter.com, spelled with two V’s instead of a W. This is a form of “TypoPhishing”. I doubt anyone is going to inadvertently typo two V’s, but it’s certainly a creative ruse by the criminal hackers. This website is currently live. Assuming that your browser is up to date, it should alert you to the fact that Tvviter.com is a suspected phishing site. Tweet.ro is another phishing website, which my up to date browser did not warn me about. Notice that neither web address is hyperlinked here. I would not suggest playing around on these sites. At any time, the creators can easily introduce malware to these sites, and then onto your outdated operating system or browser in the form of a “drive by” hack, which ultimately leads us back to identity theft and fraud.

If you decide to play in the devil’s den, you are bound to get burnt.

Forward this blog post to your contacts. Let people know, so that they won’t be fooled. This scam may stick if the site isn’t taken down by the time this warning is read. Don’t get hooked. And protect yourself with Internet security software and identity theft protection.
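For defenders who screen links in mail or proxy logs, the following is an added example (not part of the original post) of how a name like Tvviter.com can be flagged automatically: it folds look-alike character sequences such as "vv" into the letter they imitate before measuring edit distance to a protected name. The protected list, the confusables table, the one-edit threshold and the function names are all assumptions made for this illustration.

```python
"""Lookalike-domain check for names such as Tvviter.com (added example)."""
from collections import namedtuple

# Assumption: the domains the defender wants to protect.
PROTECTED = ["twitter.com"]

# Constructed, deliberately short table of sequences that read as another
# letter at a glance. "vv" for "w" is the trick the article describes.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]

Finding = namedtuple("Finding", "verdict brand raw folded")


def name_label(domain):
    """Return the label left of the TLD, lowercased.

    Simplification: assumes a single-label TLD (.com, .ro). A production
    check would use the Public Suffix List to find the registrable name.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def fold(label):
    """Replace each look-alike sequence with the letter it imitates."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute,
    and swap of two adjacent characters each cost one edit."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[-1][-1]


def classify(domain, protected=PROTECTED, max_edits=1):
    """Compare one domain against the protected names.

    Verdicts: legitimate, other-tld, typo (close before folding),
    confusable (close only after folding), no-match.
    """
    domain = domain.lower().strip(".")
    if domain in protected:
        return Finding("legitimate", domain, 0, 0)
    label = name_label(domain)
    for brand in protected:
        target = name_label(brand)
        raw = edit_distance(label, target)
        folded = edit_distance(fold(label), fold(target))
        if raw == 0:
            return Finding("other-tld", brand, raw, folded)
        if raw <= max_edits:
            return Finding("typo", brand, raw, folded)
        if folded <= max_edits:
            return Finding("confusable", brand, raw, folded)
    return Finding("no-match", None, None, None)


# Sample input: the first two names come from the article, the rest are
# constructed variants.
SAMPLES = ["Tvviter.com", "Tweet.ro", "twitter.com", "twiter.com",
           "tvvitter.com", "twtiter.com"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:14} {classify(name)}")
```

Tvviter.com is three plain edits away from the real name, so a simple typo check misses it, but only one edit away after folding. Tweet.ro matches neither way, so string similarity alone would not catch it; names like that have to come from a reputation feed or blocklist.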

Robert Siciliano, identity theft speaker, discusses phishing.

How to prevent social media identity theft

Robert Siciliano Identity Theft Expert

Two words: you can’t. However, there are several things you can and should do in order to manage your social media identity, which may prevent social media identity theft. What exactly is social media identity theft? It’s a form of cybersquatting using social media sites.

If you’ve ever attempted to join a social media site, more commonly known as a social networking site, or applied for an email account, and found that your first and last name were already taken, that may or may not have been social media identity theft, or cybersquatting.

There may be someone out there who shares your exact name and happened to register first, or else there is someone out there who took your name so that you can’t have it, or who wants to sell it back to you, or wants to pose as you and disrupt your life. These are all possibilities.

The most damaging possibility occurs when someone wants to pose as you in order to disrupt your life. This disruption can take on many forms. They may pose as you in order to harass and stalk you, or to harass and stalk people you know. Or they may steal your social media identity for financial gain. Throughout my years working in the field of financial crimes and identity theft, I’ve seen plenty of social media identity theft that led to financial loss. The thieves use a combination of email and social media to extract funds from others, or to open new accounts.

There are hundreds, or maybe even thousands, of social media sites (Facebook, MySpace, Twitter, YouTube), web-based email providers (hotmail.com, gmail.com, yahoo.com) and domain extensions (.com, .net, .biz). Then there are all the blog portals, such as WordPress and Blogspot. Even your local online newspaper has a place for user comments, and most people would want to register their own names before someone else comments on their behalf.

Social media websites offer the option to provide your real name as well as a user name. The user name may be a fun chat handle or an abbreviation of your real name. The key is to give your real name where requested and also to use your real name as your user name. Even if you don’t plan on spending any time on the site, or to use the domain or email, you want to establish control over it.

The goal is to obtain your real first and last name without periods, underscores, hyphens, abbreviations or extra numbers or letters. Your ideal name, for example, would be twitter.com/RobertSiciliano, RobertSiciliano.com, or RobertSiciliano@anymail.com. This strategy won’t prevent someone else from registering with your name and adding a dot or a dash, but it trims down the options for a thief.

Some names are very common, or are also owned by someone famous. If that applies to your name, you can still take actions to manage your online reputation. If there is any uniqueness to your name or the spelling of your name, it’s still a good idea to claim your name in social media and work toward managing your online reputation.

Understand that your name is your brand. Your name is front and center on every document you sign and every website that shows up when your name is searched. The phrase, “All I have is my good name,” has never rung truer than today. If you are a writer, blogger, personality of any sort, or anyone who “puts it out there,” you probably already know enough to do these things. But there is more to do.

If someone, perhaps a potential employer or mate or client, searches your name on Google Web, Google Blogs or Google News, what will they find? Will it be someone else posing as you? Will it be a picture of you doing a keg stand? Or will it be you in your nicest outfit, accepting an award for an accomplishment? Either way, you need to manage your online identity and work toward preventing social media identity theft.

This isn’t an easy task. Nor is it fun. It can be time consuming and almost overwhelming. But I believe that the long term rewards are worth it.

  1. Register your full name and those of your spouse and kids on the most trafficked social media sites, blogs, domains or web based email accounts. If your name is already gone, include your middle initial, a period or a hyphen. It’s up to you to decide whether or not to plug in your picture and basic bio, but consider leaving out your age or birthday.
  2. Set up a free Google Alert for your name and get an email every time your name pops up online.
  3. Set up a free StepRep account for your name. StepRep is an online reputation manager that does a better job than Google Alerts does of fetching your name on the web.
  4. Consider dropping $65 on Knowem.com. This is an online portal that goes out and registers your name at what they consider the top 120 social media sites. Their top 120 is debatable, but a great start. The user experience with Knowem is relatively painless. There is still labor involved in setting things up and with some of the 120. And no matter what you do, you will still find it difficult to complete the registration with all 120 sites. Some of the social media sites just aren’t agreeable. This can save you lots of time, but is only one part of solving the social media identity theft problem.
  5. Start doing things online to boost your online reputation. Blogging is best. You want Google to bring your given name to the top of search in its best light, so when anyone is searching for you they see good things. This is a combination of online reputation management and search engine optimization for your brand: YOU.
  6. If you ever stumble upon someone using your likeness on social media, be very persistent in contacting the site’s administrators. They too have reputations to manage and if they see someone using your photo or likeness they would be smart to delete the stolen profile.
  7. Or do nothing and don’t worry about it. But when some other John Doe does something stupid or uses your name in a disparaging way or for identity theft, and people assume that it’s you, remember that I told you so.
  8. Despite all the work you may do to protect yourself, you still need identity theft protection and Internet security software.

Robert Siciliano, identity theft speaker, discusses social media privacy.

ATM Skimmer Defeated By Customer

Identity Theft Expert Robert Siciliano

It’s not often that I get to report on the victim becoming the victor. It’s nice to see the good guys win one.

I met a charismatic gent on FOX and Friends named Sean Seibel. Sean has a unique job title at Microsoft: User Experience Evangelist. Sean’s job is to be on top of what’s new and what’s next in technology, in the next 5-7 years. He’s a futurist. He and I spoke in the green room of the show before we appeared together on a segment regarding ATM skimming.

ATM skimming often results in forms of identity theft, credit card fraud or bank fraud.

To be a User Experience Evangelist requires a certain vision, insight and the ability to go beyond what’s current or obvious. Sean proved his ability to see “more” by trumping a gang of identity thieves who set out to steal millions from ATMs but “only” got away with $500,000.

Sean stopped at an ATM to get some cash to pay his barber. When he inserted his ATM card in the machine, he noticed a bit of resistance. Most people wouldn’t think twice about this. But Sean doesn’t think like most people. Then the screen said the machine was unable to read his card so he tried again. The second time, the machine gave him an error message. Before he tried again, he thought about a report he had heard about devices that fraudsters attach to the outside of card readers on ATM machines and wondered if that was the source of his problem.

He says, “I’m looking at the thing and thinking, this can’t be. No way. There are all these stories and myths about it, but I actually found one in the wild.”

Sean was face to face with an ATM skimmer, one that he had just swiped his card through. His heart started pounding. Adrenalin was rushing through his body. He was concerned, not just that he might be scammed, but that criminals might be very close by, maybe even behind him or watching him. However, that did not deter him.

Sean says, “I tried to pull on the green plastic surrounding the card slot and found that it peeled right off.” This plastic ATM skimmer had an SD card built into it to store all the stolen data. Sean went into the bank and notified the branch manager, who had never seen an ATM skimmer and didn’t know what to do. She took the skimmer and thanked Sean.

Then Sean remembered, from numerous reports about ATM skimming, that there are usually 2 parts to the ATM skimmer. One is the skimming device itself, the second is a micro-camera placed somewhere on the machine, where it records the user’s PIN. The camera is often installed in a false brochure holder that is taped to the ATM. In this case, it was behind a small mirror that alerts the ATM user to beware of “shoulder surfers.”

Sean went back to the still operational ATM, where people were waiting in line for their cash, and noticed a tiny video camera behind an extra mirror attached to the machine, positioned right over the key pad where it could record users’ PINs. Not being a bank employee and not wanting to alarm any of the people waiting, he actually got in line, waited his turn (knowing that the skimmer was gone and nobody was in danger) and pulled the camera off the ATM.

He brought the camera to the bank manager, who replied by saying, “Maybe we should shut that machine down, huh?” Sean said, “I think that’s a good idea.” The bank manager contacted bank security, shut down the machine and alerted other area banks. The identity thieves netted $500,000 from their scam, rather than the millions they might have stolen had Sean Seibel not foiled their operation.

Bank branch manager…ZERO
Identity Thieves……….$500,000
Sean Seibel foiling their operation and becoming a hero to many….Priceless.

Some great tips from Marite Ferrero, of CardSwitch Technology:

  • Skimming has been and will continue to be the most common type of ATM-related fraud.
  • Criminals attach skimming devices over card slots on ATMs to steal data as the machine reads the card’s magnetic strip.
  • Hidden cameras record victims typing in their PIN codes.
  • More sophisticated criminals use wireless keypad overlays, which transmit PINs to a nearby laptop, instead of cameras.
  • The U.S. Secret Service estimates that annual losses from ATM skimming total about $1 billion each year, or $350,000 a day.
  • Bank ATMs are more vulnerable than standalone ATMs.
  • Standalone ATMs in grocery stores or on the street use technology that encrypts the PIN pad, making them more difficult for criminals to hack.
  • Standalone ATMs are often positioned near the watchful eye of cashiers or store owners, so it’s harder to install skimmers without being caught.
  • Bank ATMs are also more highly trafficked, which means a bigger potential payoff for the criminals.

Also, invest in identity theft protection and make sure to update your PC’s McAfee internet security software.

Identity theft expert Robert Siciliano discusses ATM skimming.

Data Breaches; LexisNexis – FAA Hacked, Botnets Grow, Hackers Hold Data Ransom

Identity Theft Expert

What a week. Just when it starts to get boring, criminal hackers put on a spectacular show.

Criminal hackers continue to step up to the plate. Security professionals are fighting, and sometimes losing, the battle. Here’s one week’s worth of hacks:

LexisNexis, which owns ChoicePoint, an information broker I recently blogged about that was hacked in 2005, was just hacked again this week. On Friday, LexisNexis Group notified more than 32,000 people that their information may have been stolen and used in a credit card scam that involved stealing names, birth dates and Social Security numbers to set up fake credit card accounts. The cybercriminals broke into USPS mailboxes of businesses that contained LexisNexis database information, according to a breach notification letter sent by LexisNexis to its customers. The U.S. Postal Inspection Service is investigating the matter. (Check your credit reports and examine your credit card statements carefully!)

CNET reports that hackers broke into FAA air traffic control systems, too. The hackers compromised an FAA public-facing computer and used it to gain access to personally identifiable information, such as Social Security numbers, for 48,000 current and former FAA employees. In a House Oversight and Government Reform Subcommittee testimony, it was stated, “FAA computer systems were hacked and, as the FAA increases its dependence on modern IP-based networks, the risk of the intentional disruption of commercial air traffic has increased.”

Computerworld reports that a hacker has threatened to expose health data and is demanding $10 million. Good for him, bad for the Virginia Department of Health Professions. The alleged ransom note posted on the Virginia DHP Prescription Monitoring Program site claimed that the hacker had backed up and encrypted more than 8 million patient records and 35 million prescriptions and then deleted the original data. “Unfortunately for Virginia, their backups seem to have gone missing, too. Uh oh,” posted the hacker. Holding data hostage is nothing new, but it is becoming increasingly common.

The Register reports that bot-herders have taken control of 12 million new IP addresses in the first quarter of 2009, a 50% increase since the last quarter of 2008, according to an Internet security report from McAfee. The infamous Conficker superworm has occupied all the headlines, and makes a big contribution to the overall figure of compromised Windows PCs, but other strains of malware collectively make a big contribution to this number. McAfee’s Threat Report notes that the US is home to 18% of botnet-infected computers.

While you can’t do much about others being irresponsible with your data, you can protect your identity, to a degree. Consider investing in identity theft protection and always keep your Internet security software updated.

Robert Siciliano, identity theft speaker, discusses Ransomware.

Lie to Me; Social Engineering and Bold Face Cons

Identity Theft Expert

If only our noses grew every time we lied. Life would be so transparent.

Social engineering is the act of manipulating people into performing certain actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.

Call them con men, grifters, scammers, or thieves. Or simply call them liars. Lying is what they do best. They stare you in the eyes and lie through their teeth. They do it casually and with such conviction that we have no reason not to believe them. Their craft and skill is a remorseless trait called social engineering, which is also known as pre-texting.

Lying is a learned behavior. One day as children we stumble upon a situation, one that we created or were a party to, and we are confronted by someone in authority. Most likely mom, dad, or a teacher. We are asked a question and we respond with what we think they want to hear, as opposed to the truth. We lie. They believe us and we are relieved of the burden of truth’s consequences.

We then use this tool throughout life whenever we feel it will outweigh the benefits of honesty. “Sir, did you know you were speeding?” We lie to others, we lie to ourselves, we all lie to a degree. It’s a survival mechanism. But some people are absolute professionals at it and take it way beyond what’s a reasonable lie. Their entire life’s motivation is to get out of bed in the morning and use deception to take what belongs to others. Liars often have a form of anti-social personality disorder. They lack empathy for others’ feelings. They aren’t concerned about the consequences of their actions and the potential harm it may do others. Many in prison are said to have this “ailment.”

Laws are created because of man’s behaviors, and the fact that man lies. Laws protect man from himself and from others.

Liars are often so good that they end up in a position of authority and trust. They could be heads of state, CEOs of corporations, judges, a significant other, or even a member of the clergy. For the past year, I’ve been corresponding with a minister who was convicted of identity theft and received an 18 month sentence. He’s asking me to testify on his behalf in an appeal.

What compounds the problem is the naïveté of civilized human beings. We are raised to love and respect, to be kind and cordial. We are taught to behave ourselves and tell the truth. And we expect others to act in kind. Trust is the foundation of functioning in a civilized society. Without a degree of trust in everyone and everything, we’d cease to move in a forward direction, always in fear of dire consequences of venturing out. If we didn’t inherently trust, how could we possibly get behind the wheel of a car and drive down a two way street, with nothing but a yellow painted line separating us from a head-on collision and imminent death?

I often hear people say, “I don’t trust anyone,” or advise others never to trust anyone else. And they are liars, too. Because they do trust.

When someone lies in our presence, we can sometimes smell a skunk. One on one contact provides us with numerous telltale signals of truth and lies. Human communication relies not just on words, but on body language and tone of voice. Believe it or not, we all exude energy towards others. Sometimes that energy is positive or negative. A negative energy coupled with certain neuro-linguistics can send a ping to our bellies and prompt the hair on the back of our necks to rise, signaling a primordial instinct to beware of a cheat in our presence.

Technology has made it easier than ever for liars to perfect their craft. We see thousands of scams and ruses pulled every day. The key is to understand the lures, motivations, and tactics of the con. When you can sense a snake-oil salesman and “see them from a mile away,” you are much safer and more secure than those who assume it can’t happen to them.

Trust is a fundamental and necessary part of life. But a degree of cynicism can go a long way. Because liars lie, invest in identity theft protection and make sure your PC has McAfee Internet security software.

Identity theft speaker Robert Siciliano discusses identity theft with a real conman.