The $6.75 Million Dollar Laptop

Robert Siciliano Identity Theft Expert

Dan Yost Chief Technology Officer of MyLaptopGPS brought attention to the Ponemon Institute, with sponsorship from PGP, has released their “Fifth Annual U.S. Cost of Data Breach Study.” As usual, the report is a treasure trove of great data (just like most people’s laptops are).

The average cost per breached data record rose $2 in 2009, to $204. That’s actually not too bad. The average cost of a breach was $6.75 million, compared to $6.65 million in 2008.

PC World has a good article to summarize, and thanks to lyger at DataLossDB for the pointer.

Not very many businesses are taking serious note of the fact that, on average, they have $6.75 million laptops walking around out there. For those who are, our hats are off.

Here’s an interesting excerpt:

“Overall, 42% of all cases in the Ponemon data-breach study involved third-party mistakes and flubs. In addition, more than 82% of the cases in the Ponemon study were organizations that had more than one data breach in 2009 involving the loss or theft of more than 1,000 records containing personal information. At about 40% of the companies that participated in the study, the chief information security officer (CISO) was in charge of managing the response related to the data breach.”

And how about the maximum data breach cost in the study? $31 million.

That’s a rather expensive laptop, and probably worth a few dollars to protect instead. (Note: the breach may actually have been the result of something other than a lost/stolen laptop, such as a network break-in).

The least expensive breach? $750,000. That beats $31 million, but $750k is still a pretty penny to pay, compared to protection.

Many thanks to Ponemon and PGP for another excellent study.

Protect your identity.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing laptop security on The Today Show

The State of Information Security Sucks

Robert Siciliano Identity Theft Expert

The sheer volume of potential targets coupled with the vast amounts of money to be made has captured the attention of the global criminal hacking community.

Enterprise networks are becoming hardened and they are still vulnerable. Some are being penetrated directly while others are accessed through 3rd parities such as their clients or end users. Unprotected networks are being sniffed out and data breaches continue.

The organizations that track these breaches are bored, frustrated, hate the industry and offer no good news. Innovation isn’t happening fast enough and new laws and regulations aren’t effective in solving the problems.

PCI and all those who fall under its requirements are chasing their tail. Infighting continues and rumblings of lawsuits against PCI persist.

Law enforcement is getting better at investigating and catching the badguy, but there are far more of them then there are of us.

Between the TJX breach and the Heartland hack there were as many as 224 million credit and debit card numbers hacked. The criminals penetrated the networks “in broad daylight” so to speak, which means they didn’t have much trouble getting in. The hacks may have occurred via unsecured wireless networks, SQL injections or via social engineering though a phishing email with infected links.

While IT security professionals and white-hat hackers are fighting the battle with newer, better, faster, more robust technologies to keep the bad-guy out, the bad guy still gets in via the path of least resistance, which may be human error, laziness or a zero-day attack consisting of  something we’ve never seen before. Often it is the former.

New stories keep coming out depicting small businesses losing hundreds of thousands of dollars via online banking hacks and the banks filing suit so they don’t have to pay it back.

I just spoke to 60 bankers at a conference in Las Vegas. Many of them professed to learning a lot. . No offense here, but I am of the belief that nothing I say should be in any way “new information” to anyone in the banking industry.

As we move closer to mobile banking and a dozen new ways to process credit cards we create new opportunity for the criminals and we haven’t tightened up existing vulnerabilities yet.

We are fragmented and all over the place with an incredible array of interdependent technologies that are set up with convenience in mind and security second.

Somebody please tell me to shut up.

Protect your identity.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing ATM skimming on ExtraTV

Fostering Awareness & Improving Security Education

Robert Siciliano Identity Theft Expert

Financial institutions have the most to lose and the most to gain by improving security education of their clients and employees.

A while back  I appeared on a local TV show talking about phishing. Amazingly, still, not everyone knows what phishing is. A good friend saw the show and was shocked by what she learned….about her bank.

She received a phishing email and didn’t know what it was. The email asked her to update her account. It was confusing so she called her bank. She spent 20 minutes on the phone with a bank rep discussing her account and the bank could find no record of the communication or any issues with her account. At the conclusion of the call the bank rep said, “I don’t know why you received this email, your account information is in order.” Click.

That night she saw my phishing clip and wondered why the bank never mentioned a single word about phishing. Her bank failed her. They failed to educate her and therefore failed to protect her. She is no longer a client of that bank.

The mindset of financial institutions needs to change drastically when it comes to educating their clients about identity theft and security issues. Old school “sweep it under the rug” don’t discuss it because it will scare people school of thought is dead. People want, need and require information to protect themselves.

The game has changed. People are concerned for their personal security and are hungry to learn. The fact that you or anyone reads this blog is a testament to society as a whole wants to learn. Soccer moms are now security moms.  I’ve seen major industry players in the anti-virus space catering to these mommy bloggers and others because they understand the public is hungry for this. Banks, well, not so much.

Engage the public and they will respect you and want to do further business with you.

Linda McGlasson, Managing Editor at BankInfoSecurity.com interviewed me for a segment on this issue. Listen to the Podcast here It requires a login but its worth your time.

Protect your identity.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing the lack of security in online banking on CBS Boston

Diploma Mills Facilitate Identity Theft

Robert Siciliano Identity Theft Expert

Diploma mills were born along with elearning institutions who are actually legitimate and accredited bodies. Degrees and diplomas issued by diploma mills are frequently used for fraudulent purposes, such as obtaining employment, promotions, raises, or bonuses on false pretenses. They can also be used as a form of fake ID when posing as someone else to gain employment, impersonation of a licensed professional or used to assist as a breeder document leading to “real” fake ID’s.

A fake diploma is an effective social engineering tool used to gain access to your corporate networks.

From Wikipedia “A diploma mill (also known as a degree mill) is an organization that awards academic degrees and diplomas with substandard or no academic study and without recognition by official educational accrediting bodies. The purchaser can then claim to hold an academic degree, and the organization is motivated by making a profit. These degrees are often awarded based on vaguely construed life experience. Some such organizations claim accreditation by non-recognized/unapproved accrediting bodies set up for the purposes of providing a veneer of authenticity.”

The diploma mills often model the names or accredited educational institutions. They may even take a portion of a universities name and make it a part of their own. Such modeling tactics involve using similar logos, color schemes, and designing their websites to mimic an Ivy League school, right down to the .edu web address.

Just like a legitimate college or university, diploma mills may actually require the student to purchase books, do homework and take tests.  However, the diploma mill may make it extremely easy for someone to pass. Students in many cases are able simply purchase a diploma no questions asked. Many of these organizations are nothing more than glorified print shops.

As an employer who requires a diploma as official entry to your organization, you must recognize the risks associated with accepting documents that are fake, designed to give the bad guy access to your networks.

Diploma mills and the documents they print can be difficult to detect. However, today, thanks to the Internet, many websites and organizations are publicly “outing” diploma mills.

When hiring and presented with a diploma, search out the name of the educational institution and see what comes up. More effective is to do a search of the name on the diploma then “diploma mill” in quotes. If you begin to see a trend of sites popping up referencing fraud then call your attorney. Someone who is likely to commit fraud of this nature, may cause even more problems when you decline their employment.

Protect your identity.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing fraud on Fox News

mCrimes Morph Into mBotnets

Robert Siciliano Identity Theft Expert

Botnets are robot networks of computers connected to the Internet that sit in our homes and offices. A botnet is generally banks of multiple PC’s from the 10’s to 10,000’s to millions. There are no hard numbers on botnets but last figure I saw was somewhere between 3-5 million. Another stat is 25 percent of all US based PC’s are on a botnet. That’s just insane.  Botnets PC’s are called Zombies. Zombies all generally share a virus in common that allows for a remote control component. The criminal hacker controls the zombies on the botnet via an IRC control server or via a peer to peer network.

The combined power of the zombies on the botnet allows the criminals to commit all kinds of crimes such as denial of service attacks, mass spam campaigns of blasting viruses to millions.

Often botnets are used to store stolen data or to host spoofed websites that collect that data.

Now comes “Sexy Space,” an infected text message containing a link that when clicked downloads a file making that phone part of an mBot. mBots are made up of “Zobiles”.  The download then infects the users contact list and in typical virus multiplication fashion, sends the Sexy Space text to them too.

It is believed that infected phones could then be used in similar ways as traditional zombies are.  The extra twist with a zobile is its ability to take pictures, video, and used as a covert audio listening device. It can also sniff out wireless connections to the Internet and gather additional data to be used to hack.

History indicates that we are at the forefront of an era in which criminal hackers develop tools and techniques to steal your money using your own cell phone. Fifteen years ago, cell phones were bulky and cumbersome, they had to be carried in bags or briefcases. Then they became chunky, heavy bricks. Calls dropped every other minute. Clearly, cell phones have evolved since then. Today’s cell phone is a lot more than a phone. It’s a computer, one that rivals many desktops and laptops being manufactured today.

Never click on links in text messages unless you are 100 percent sure it’s a legitimate communication from a trusted source.

Follow your phones manufacturers and carriers recommendations on securing your phone. A search on “mobile phone security” turns up options/downloads/security to consider.

Protect your identity.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing mobile phone crimes and hacking on the Mike and Juliet Show

EFT Point of Sales Hackers Net $50 Million

Robert Siciliano Identity Theft Expert

Readers of these posts are familiar with ATM skimming. ATM skimming is a billion dollar problem and growing. A relatively new scam over the past few years is electronic funds transfers at the point of sale (EFTPOS ) skimming. People commonly swipe both credit and debit cards through the in-store machines to pay for goods and services at these outlets. In Australia, Fast-food, convenience and specialist clothing stores are bearing the brunt of the crime. McDonald’s is among the outlets whose EFTPOS machines have been targeted.

Last year, legitimate EFTPOS devices at McDonald’s outlets across Perth Australia were replaced with compromised card-skimming versions, with 3500 customers cheated of $4.5 million. They actually replaced the entire device you see at the counter when you order your Big Mac!

Officials say the problem is so bad they urged people to change credit and debit card pin numbers weekly to avoid the possibility of having their account balances wiped out, as it was likely more cases would be identified.

In the United States a similar scam was pulled off at the Stop and Shop Supermarket chain.

“One reason POS machines are so vulnerable is that nearly all of the estimated 12 million devices in the U.S. employ a 40-year-old magnetic stripe technology that industry experts say is largely defenseless against the high-tech wizardry available to fraudsters today. These experts say that thieves can buy skimming gadgetry on the open market. Right now you can walk into a computer store in Malaysia and buy one of these devices for about $200”

The solution to this type of crime may be with authenticating the card or the card holder. Today this is out of the hands of the consumer. There are a number of new technologies that if banks/retailers/industries adopt to identify the actual card/user at the POS or even online, then most, if not all, of the card fraud problems will be solved. There is a race going on right now to see who gets there first. In the next 1-5 years we may see new cards being issued such as “chip and pin” which are standard in Europe. Or no new cards at all but changes in the system that identifies a fraudulent card making the data useless to the thief, or a 2 card system that requires a second swipe of another authenticating card the hacker doesn’t have access to. We will see how this all plays out.

You can’t protect yourself from these types of scams. However, by paying attention to your statements and refuting any unauthorized transactions within 60 days, you can recover your losses. When using any POS, pay close attention to details, and look for anything that seems out of place. If your card gets stuck in the machine or you notice anything odd about the appearance of the machine, such as wires, or error messages, don’t use it.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing ATM skimming on ExtraTV

Citizens Need to be More Involved in Cybersecurity

Robert Siciliano Identity Theft Expert

In the University of Cincinnati’s Journal of Homeland Security and Emergency Management, the authors write “The general population must be engaged as active security providers, not simply beneficiaries of security policy, because their practices often create the threats to which government responds.” Somebody is saying to take personal responsibility and start doing things securely opposed to expecting it to all be done for you. What a revelation!

Just because everyone has access to the Internet, doesn’t mean they are using it securely. If a person decides to login, they should take some basic courses or read about how to login securely. And the education doesn’t stop there. New scams pop up every day and one has to be aware of their options. I write almost every day and there is never a shortage of topics for me to discuss.

The Internet can be a dangerous neighborhood with bad people around every corner. I got an email from a colleague today who is in the security business. He asked me if the email he received from Facebook to change his password was a fake or real. This is a smart guy, who obviously never heard of the Facebook phishing scam before.

NetworkWorld reports They cite the coordinated attack that overwhelmed U.S. and South Korean government sites last July as being the type of attack that individuals can unwittingly participate in by allowing their computers to be taken over by botnets, the authors say. The awareness they call for has to go beyond simply “if you do not protect yourselves bad things will happen to you” and create a sense that cyber security is a civic duty. Most users remain unaware that not only is their computer data vulnerable, but that their insecure access to cyberspace can be exploited by others turning them into unwitting agents of coordinated cyber threats [both criminal and disruptive attacks],”they say. “Cybersecurity must become a national civic responsibility.”

Frankly, we as citizens HAVE TO do something. Richard Clarke, the president’s cybersecurity adviser, recently wrote that the Department of Homeland Security “has neither a plan nor the capability” to protect the U.S.’s cyber infrastructure. He said companies and individuals “almost uniformly believe that they should fund as much corporate cybersecurity as is necessary to maintain profitability and no more.”

Whether you realize it or not, your computer is one of the biggest threats to your personal security. The Obama administration believes that your computer is also one of the biggest threats to national security.

The message is: Think before you click. Know who’s on the other side of that instant message. What you say or do in cyberspace stays in cyberspace — for many to see, steal and use against you or your government.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in  Intelius identity theft protection and prevention. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU. (Disclosures)

3. Make sure your anti-virus is up to date and set to run automatically.

4. Update your web browser to the latest version. An out of date web browser is often riddled with holes worms can crawl through.

5. Check your bank statements often, online, at least once a week.

6. Visit US-Cert here

Robert Siciliano identity theft speaker discussing the mess of data security on Fox News

Targeted Injection Attacks on the Rise

Robert Siciliano Identity Theft Expert

In the latter half of 2009, criminal hackers went from mass SQL injection campaigns to targeted attacks. SQL is abbreviation of Structured Query Language. Pronounced  ”Ess Que El” or ”Sequel”. The attackers shift in strategy focused on targeting high-profile websites, concluded Websense’s State of Internet Security report for the third and fourth quarter of 2009.

SQL injections have evolved in their purpose and sophistication. Originally meant as a tool to attack a merchant’s database and steal data. The attack was reconfigured last summer to install viruses on users’ computers that contain a remote control component.

Matt Chambers with Corporate IT Solutions says, “Web applications are one of the most outward facing components a corporation contains in its network design, and one of the least protected. Applications typically take input information and send it to a database for storage and processing. We interact with these kinds of applications every day, whether it’s a signup form or a login page for a favorite networking site.”

Patrik Runald, senior manager of security research at Websense, told SCMagazineUS.com “The bad guys are going after high-profile, high-volume websites, instead of going after the smaller websites, which are easier to inject code into.”

The report says attackers increasingly launched targeted attacks, which often start with an email containing a malicious link. During the second half of 2009, 81 per cent of email contained a malicious link, the report states.

When an employee receives a spear phish, based on information gathered from the companie’s website, and that employee clicks that link, the link may download a program that disables the companies anti-virus and defeats all security measures. This is why one must never click links in the body of an email. There are hardly ever links in emails that can’t be worked around either in the favorite menus or via manually typing in the browser.

1.      NEVER click links in email. It’s shear laziness, naiveté or stupidity when someone clicks links in the body of an email today.

2.      Get yourself and ethical hacker to test your network and see what damage he can do before the bad guy does.

3.      Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

4.      Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

5.      Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing credit card and debit card fraud on CNBC

3 Nabbed in Massachusetts ATM Skimming Ring

Robert Siciliano Identity Theft Expert

Police believe they may have uncovered an international ATM “skimming” ring responsible for stealing money from hundreds of local accounts. Izaylo Hristov, 28, of Ontario, Canada, a Bulgarian citizen, was arrested at an ATM in the Boston area along with Viadiclav Vladevo and Anton Venkov. Venkov had $99,100 in $20 bills in his car when he was arrested. One of them had Dunkin’ Donuts gift cards and American Express cards with post-it notes that had “PIN’’ and various numbers written on them. These cards were used to write the stolen data on, and then used to make withdrawals.

It was not too long ago that I bought an ATM north of Boston from a dude named Bob at a bar and rolled it through the streets of Boston nabbing unsuspecting users who entered their debit cards and PINS. I performed this crazy stunt to demonstrate how easy it is and how vulnerable we are. As a writer/blogger/speaker my primary motivation is to educate and inform, so the public and industry doesn’t get scammed.

Apparently a few more than a few people in the Boston area didn’t watch this on Fox Boston, or this on NBC Boston or read this in the Boston Globe. Because many of them got scammed over the course of the past few weeks. I’m trying here people. All you have to do is pay attention.

You can protect yourself from these types of scams first by covering your pin!! Scammers have a difficult time turning your 16 digit account numbers into cash without the PIN. Consider never using a debit card again, since credit cards are safer. When using an ATM, pay close attention to details, and look for anything that seems out of place. If your card gets stuck in the machine or you notice anything odd about the appearance of the machine, such as wires, double sided tape, error messages or the machine seems unusually old and run down, don’t use it. Don’t use just any ATM. Instead, look for ATMs in more secure locations. Ultimately you must pay close attention to your statements. Refute unauthorized transactions within 60 days. Check with your bank to determine what their timeframe is to refute unauthorized withdrawals. In some cases an can be as early as a week.

1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in anti-virus and keep it auto-updated and check out my spyware killer IDTheftSecurty HERE

3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.

4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing the Bulgarian ATM scammer getting busted on Fox Boston

Top 8 Worst Twitter Social Media Hacks

Robert Siciliano Identity Theft Expert

In the past year our use of Twitter has increased dramatically. And so has the criminal hacker’s attention to the opportunity to use it for illicit gain.

  1. Jacked Twitter Accounts:  Numerous Twitter (and Facebook) accounts including those of President Obama, Britney Spears, Fox News and others were taken over and used to make fun of, ridicule, harass or commit fraud.
  2. Social Media Identity Theft: Hundreds of imposter accounts are set up every day. Sarah Palin, St Louis Cardinals Coach Tony LaRussa, Kanye West, Huffington Post and many others have had Twitter accounts opened in their names or names likened to them.
  3. Twitter Worms: Worms infiltrating Twitter requesting to click on links would infect user’s accounts and begin to multiply the message. Then your followers and their follower would get it, causing more grief than anything else.
  4. Twitter DOS Attack: Victimized by a denial-of-service attack that left the site dark for more than three hours. Reports of a Russian politically motivated attack seemed to be the origin.
  5. Twitter as a Botnet Controller: A Twitter account produced links that led to commands to download code to run a botnet.
  6. Twitter Phishing: Sending tweets to update accounts or visit spoofed sites where the user needs to enter credentials that allows a financial transaction is rising.
  7. Twitter Porn: Please, “Misty Buttons” stop sending me another invite to chat or see your pics.
  8. Twitter Spam: The use of short URLs has made Twitters 140 character limit the perfect launch pad for spam leading to diet pills, Viagra and whatever else you don’t need.

    With Twitter now a part of millions of peoples daily routines, who login from home or work, Twitter will undoubtedly play a big role in the criminal hacking community in 2010.

    Protect your identity:


    1. Get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
    2. Invest in social media protection @ Knowem.com
    3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.
    4. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)


    Robert Siciliano identity theft speaker discussing social media identity theft on CNN