2009 Data Breaches: Identity Theft Continues

Robert Siciliano Identity Theft Expert

The Identity Theft Resource Center® Breach Report recorded 498 breaches, less than the 657 in 2008, more than the 446 in 2007. Are data breaches increasing or decreasing? That is the question no one can answer. This fact will not change until there is a single data breach list requiring mandatory public reporting. With some breaches not being reported publicly, and some state Attorneys General not allowing public access to reported breaches, we doubt that anyone is in a position to answer the question above. When we allow laws to be created requiring breach reporting but not disclosure, and provide minimal enforcement or penalty for non-compliance, we can expect a lack of public disclosure. Counting breaches becomes an exercise in insanity.

ITRC collects information about data breaches made public via reliable media and notification lists from various governmental agencies. There are breaches that occurred in 2009 that never made public news. So rather than focus on a question without an answer, ITRC used percentages to analyze the 498 breaches recorded this year, looking for any changes or new trends. (Both raw numbers and percentages have been provided in all charts.)

The main highlights are:
• paper breaches account for nearly 26% of known breaches (an increase of 46% over 2008)
• business sector climbed from 21% to 41% between 2006 and 2009, the worst sector performance by far
• malicious attacks have surpassed human error for the first time in three years
• out of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data

In 2009, the business sector increased to 41% of all the publicly reported breaches. While there are some small statistical changes in the other sectors, business continues to increase for the fifth year in a row. The financial and medical industries, perhaps due to stringent regulations, maintain the lowest percentage of breaches.

• Business: 41.2%
• Educational: 15.7%
• Government/Military: 18.1%
• Health/Medical: 13.7%
• Banking/Credit/Financial: 11.4%

The ITRC Breach Report recorded more than 222 million potentially compromised records in 2009. Of those, 200 million are attributed to two very large breaches. Before obsessing with record count, however, one should be aware that in more than 52% of the breaches publicly reported, NO statement of the number of records exposed is given. Therefore, it is unknown how many total records may have been exposed due to breaches in 2009.”

Protect your identity. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing identity theft on Fox News

Data Security Predictions For 2010


Forrester Research, Inc. in Cambridge, MA is an independent research company that provides pragmatic and forward-thinking advice to global leaders in business and technology.

They released their 2010 data security predictions. Heading into 2010, they are predicting five new data security trends:

1) Enterprises will keep their data security budgets relatively flat;

2) Market penetration for data loss prevention (DLP) tools will increase even as prices fall by half;

3) Cloud data security concerns will begin to dissipate;

4) Full disk encryption will continue its steady march into the enterprise, spurred on by breach disclosure laws; and

5) Enterprises will give enterprise rights management (ERM) software a second look as an enforcement option coupled with DLP.

Information Rights Management (IRM) is a term that applies to a technology which protects sensitive information from unauthorized access. It is sometimes referred to as E-DRM, Enterprise Digital Rights Management. Sensitive data and information, such as patient records and personal tax or financial information in .PDF, .XLS, .DOC, .TXT and similar files, needs security.

Zafesoft is a content IRM company that actively secures, controls, and tracks content wherever it is utilized; this is the next generation of content security. IRM information is secure, viewable, editable and transferable.

Authorized IRM content users can copy, paste, edit, save etc. The security travels with the content or portions of it with tracking anywhere in the world. Unauthorized users are never able to view, edit or copy/paste.

Forrester hit the nail on the head with rights management. When rights-managed data is accessed by a hacker, the data is useless to the thief, whether he hacks in from the outside or gains unauthorized access from the inside.

It would be smart business for healthcare, legal, and any other organization to incorporate DLP in the form of IRM now, before a breach occurs and data is lost.


Impostor Poses as Secret Service Agent and Police Officer


At a friend’s 40th birthday party, we wound up discussing my Craigslist ATM, and that led to a conversation about how easily people can be conned. One friend’s new boyfriend began telling us how frequently he is able to con people in order to get into bars and clubs. “I never wait in lines,” he claimed, “and I always get VIP treatment.” I hate lines, too, but I have a hard time lying to get what I want.

He says he finds the phone number of the bar or club and calls ahead of time, claiming to be the manager of a Boston Celtics player and explaining that he’ll be coming to the bar with a few people and that his player will arrive later. He gets the name of the club manager and someone from security. That night, he goes straight to the front of the line and drops the manager or bouncer’s name and acts as if he’s entitled to enter. He says his success rate is 100%, and I believe him.

When a couple can crash a formal event at the White House despite Secret Service presence, then almost anything is possible. People successfully pose as health inspectors, police officers, and even Secret Service agents. As I demonstrated on The Montel Williams Show, I once posed as a “water inspector,” gaining access to people’s homes by saying I needed to “check the colorization of their water.” Any kind of fake badge and uniform can do wonders.

One recent example is a Massachusetts man who has been accused of posing as a Secret Service agent in order to enter the U.S. Department of Health and Human Services. He also pleaded guilty to disorderly conduct, trespassing, and impersonating a public official after attempting to enter a U2 concert without a ticket by impersonating a police officer:

“Authorities say he flashed what appeared to be a gold Massachusetts State Police badge and entered Gillette Stadium in Foxborough, Mass., on Sept. 21. They say he didn’t have a ticket to the concert.

He repeatedly asked to see the fire chief and where the ambulances were parked. When he refused to identify himself, stadium security called police, who then arrested him.”

A criminal can easily impersonate you online or in person to commit financial identity theft as it relates to new account fraud and account takeover, or to commit social media identity theft. This is why a credit freeze and an identity theft protection service are essential. Identity theft will flourish until we are properly identified and systems are in place that point towards effective authentication and identification, which lead to accountability.

  1. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief. Invest in a social media identity theft protection tool such as Knowem.com.
  2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing being an imposter and home invasions on the Montel Williams Show

Pair Accused Of Stealing TSA Workers Identities


In my early 20s I bought real estate in a depressed area north of Boston, in Lynn, Massachusetts. At 20, that’s all I could afford. Lynn was then and is now known as “Lynn, Lynn, the City of Sin, you don’t go out the way you come in.” Lynn’s a hard city known for drugs and prostitution. It’s also the home of various biker gangs known as “one percenters.” The theory is that 1% of all people come out of their momma just bad.

No surprise that the Boston Channel reports a Lynn couple was accused of selling the identities of at least 16 Transportation Security Administration workers at Logan International Airport.

Police said the ID data was allegedly taken by a female TSA contract worker who is related to one of the two Lynn suspects.

A TSA spokesman said the agency takes the ID theft very seriously.

“TSA can assure the traveling public the release of this information does not compromise aviation security,” TSA spokeswoman Ann Davis said.

TSA said the agency is helping workers obtain free credit reports so they can ensure their personal information remains secure, Davis said.

Well Ann, that’s a step in the right direction, but it won’t protect the identities of the victims. They need credit freezes, credit monitoring and at least a vacation to Maui to get over all the stress.

What’s more bothersome, and isn’t being discussed, is that this is a breach of airline/airport security that goes way beyond identity theft. Just like THIS GUY got access to a corporation’s facility with a fake ID, a terrorist can do the same with a stolen TSA ID. To steal the ID of a TSA worker gives one access to the airport, then to luggage and more. There needs to be a tighter system that prevents this. We need effective identification that makes another’s identity useless to the thief.


Robert Siciliano Identity Theft Speaker discussing stolen luggage at Logan on CBS Boston

How to Hack a Corporate Network…with Facebook


There’s a lot of excessive trust in the Facebook world. People have entirely dropped their sense of cynicism when logged on. They have no reason to distrust. People who are your “Friends” are generally those who you “know, like and trust”. In this world, your guard is as down as it will ever be. You are in the safety of your own home or office hanging with people all over the world in big cities and little towns and never have to watch your back.

Ethical hackers are the tech industry’s white knights, also known as “white hat hackers”. Steve Stasiukonis from Secure Network Technologies is such a person. He’s hired by companies’ CIOs to penetrate an organization’s network to determine where its vulnerabilities are.

The process of a white hat starts with a permission-based hack that often leads to results that make the CIO nauseous. Getting the data may mean hacking a wireless connection, hacking a public-facing website, or even going through a skylight after hours. In Dark Reading, Steve writes about how he did it with a fake badge and a Facebook profile. This is a perfect example of how vulnerable people make themselves and their corporate networks because of what they post to Facebook.

We started the project by scouring all of the social networking sites for employees of our target company. Not surprisingly, we found numerous people who openly discussed what they did for a living. We also found numerous employees who openly discussed disappointment in their employer.

We perused popular social networking sites like MySpace, LinkedIn, and Plaxo, and ended up focusing on Facebook.com. The majority of our customer’s employees were using Facebook, so we created a Facebook group site identified as “Employees of” the company. Using a fictitious identity, we then proceeded to “friend,” or invite, employees to our “company” Facebook site. Membership grew exponentially each day.

By creating a group, they were able to get access to employees’ profiles. The “group” is a place where those who you know, like and trust are your “Friends” and, in this case, fellow employees who you have no reason to distrust.

Because our assignment required us to compromise a secured facility, we chose to use the identity of one of our Facebook-friended employees to gain access to the building.

Because of the company’s size, they were able to recreate the identity of an employee who wasn’t known at the branch office they breached. But his name was still in the system. So with a little creativity, a fake business card and enough information gleaned off of Facebook, they were able to re-create their man.

On the day we intended to breach the facility, our guy was dressed with a shirt embroidered with our client’s logo, and armed with business cards, a fake company badge, and his laptop. Upon entering the building, he was immediately greeted by reception. Our man quickly displayed his fake credentials and immediately began ranting about the perils of his journey and how important it was for him to get a place to check his email and use a restroom. Within seconds, he was provided a place to sit, connection to the Internet, and a 24×7 card access key to the building.

Later that evening, he returned to the empty office building to conduct a late-night hacking session. Within a short period of time, he had accessed the company’s sensitive secrets.

Awesome. This is a perfect example of why Facebook is a nightmare to the corporate CIO. I don’t share that trust that most people have in Facebook. I’m all business on Facebook. I’m not all that friendly. Kind of a stiff. I’m also a security professional, not so trusting. So to my “Friends” (the actual 10 out of the 400 that I have) I apologize to all. I’m just not ready to share my daily routine with everyone just yet. If ever.

People often try to “friend” me, and I can see that they are “friends” with people I know. But I don’t know them. And the mutual friends often tell me that they don’t know the person, but were “friends” with someone else they knew, and they accepted based on that! That’s nuts! Next thing you know, they are trolling through your “friends” and befriending people in your network, who accept based on their trust in you! Dizzy yet? The point is, stop the madness! Don’t allow these trolls into your life. Mom told you not to talk to strangers. I’m telling you not to “friend” strangers, because they could be scammers.

Scammers are watching. They know that once you are on Facebook, your guard goes way down.


Robert Siciliano Identity Theft Speaker discussing Facebook hacking on CNN

How I Wasted 4 Hours with a Criminal Hacker


Lately I’ve been coming across “advertisements” on forums, posted by criminal hackers looking to sell our stolen information. They are “carders,” selling “dumps” and “fullz.” Well, I decided to make contact with one of them to see what the deal is. It turns out the one I connected with was less than forthcoming, but was very persistent and more than likely has scammed people and will continue to do so. Here are the FIRST and SECOND postings set up by criminals that I’ve found this week. The links are functional as of this posting.

The hacker I contacted immediately returned my email. I told him I was a journalist and wanted to do a story on him. I couldn’t have been more upfront with my intentions. I even provided him with a link to my website, but that didn’t seem to matter. He just wanted my money. First he wanted me to open up an instant message and connect with him via his Yahoo email. That way we could chat. But I wasn’t about to let him in via IM, because there are known hacks that can allow a bad guy into your PC via an IM service. So instead, I set up a private chat at tinychat.com.

What follows is an abridged version of our conversation. (The full version is here.) I am robertsicili, and the scammer is dskimmed2009 (how appropriate).

[11:50] robertsicili: who is here?

[11:51] dskimmed2009: yes its me man

[11:52] robertsicili: nice meeting u

[11:52] robertsicili: where are you from

[11:52] dskimmed2009: I Have told you already man

[11:52] dskimmed2009: or have u forgotten that man

[11:53] robertsicili: you havent told me

[11:53] dskimmed2009: oh okay man

He avoided the question.

[11:55] robertsicili: why did you agree to speak to me?

[11:55] dskimmed2009: what do u mean ?

[11:56] robertsicili: well, your business isnt a normal one and usually guys like you try to stay 100percent under the radar

[11:56] dskimmed2009: ahahaha

[11:56] dskimmed2009: very good man

[11:56] dskimmed2009: so u too which country are u from ?

[11:57] robertsicili: US

[11:57] dskimmed2009: VERY GOOD

All CAPS “VERY GOOD” tells me right away he thinks I’m an idiot.

[11:57] dskimmed2009: I’m 27 years of age and  u?

[11:57] robertsicili: im 41

[11:58] dskimmed2009: wow…….then am small boy to u right

[11:58] robertsicili: youll be 40 before you know it

So small talk, getting used to each other.

[11:59] robertsicili: what country? your english is fine

[11:59] dskimmed2009: CVV,FULZ,DUMPS,BANKLOGINS,BANK TRANSFER,WU TRANSFERS,SKIMMING,ETC

He doesn’t want any more small talk. He wants to get paid.

[12:00] dskimmed2009: What do you need to buy now man?

[12:00] robertsicili: all business, i get it.

[12:00] robertsicili: i want to tell your story. you are very interesting.

[12:01] dskimmed2009: yes am interesting man ok

[12:01] dskimmed2009: dont be serious let finish the deal at least today now ok

[12:01] robertsicili: i write for numerous US papers and find what you do facinating. Id like to understand your process.

This seemed to have gone right over his head because he never acknowledged it.

[12:06] robertsicili: so its not a problem for you to be public? how do you keep from being traced?

[12:06] dskimmed2009: i have many securities upon me so u dont need to be worried about that at all man ok

[12:07] dskimmed2009: becoz i do genue and valid business here with many and more costumers man

[12:07] dskimmed2009: so no one will traced upon me ok

[12:07] robertsicili: not worried, just curious, youre very smart

[12:07] dskimmed2009: why are u saying that am smart

[12:08] robertsicili: because you are able to be public, but still anonomous

[12:08] dskimmed2009: of course man becoz if i were to be bad i will never be in public annoucenment forums

[12:09] robertsicili: what is your “valid business”

[12:10] dskimmed2009: My valid business is to just do long term business with the other costumers man

He begins to tell me how honest he is with his customers.

[12:10] dskimmed2009: always i do give them what they will paid me for ok

[12:10] dskimmed2009: i dont dissapoint them as some ppl’s are doing to the other costumers

[12:10] robertsicili: so you are an hoinest business man who doesnt stiff his customers.

[12:11] dskimmed2009: i never stiff my costumers ok

[12:11] robertsicili: i see you take pride in that. and you should.

[12:11] dskimmed2009: am not interesting to do that to my costumers to loose my market man

[12:11] dskimmed2009: i always want to do long term business with my costumers

[12:12] robertsicili: there must be a lot of dishonest people in your business who stiff people

[12:12] robertsicili: how long have you been doing it?

[12:12] dskimmed2009: of course and they are those who used to spoiled most of the hackers business man

[12:13] robertsicili: so you are a “hacker”, do you get the data directly?

[12:13] dskimmed2009: i have been in this business for very good 17 years of age man

He loosens up a little and begins to give me history and a bit about his process.

[12:14] dskimmed2009: i use to go to Ho Minh Chin…Vietnam to hack softwares and come back to russian again man

[12:15] dskimmed2009: i have 3 types of softwares i use for my work man

[12:15] robertsicili: what are they called?

[12:15] dskimmed2009: One if for use to skimmed dumps

[12:15] dskimmed2009: software to skimmed dumps called Skimmer

[12:16] dskimmed2009: i have one too hacking software it used to hack credit card numbers and bank logins man

[12:16] dskimmed2009: i have western union bug software version 2010 with an activation code

[12:17] dskimmed2009: used to do online western union wireing and also hacking an mtcn numbers out from fullz man

[12:17] dskimmed2009: i have all types of skimming

[12:18] robertsicili: “hacking software”  so on other peoples computers?

[12:18] dskimmed2009: OH YES

He’s all happy now.

[12:22] robertsicili: are you russian?

[12:23] dskimmed2009: am not a russian man

[12:23] dskimmed2009: i have been there for good 8 years just to study how to hack very experiencely and perfect way man

[12:26] robertsicili: in the US we are hacked by many countries. The chinese are great hackers, Romanians too.

[12:27] robertsicili: I have heard of vietnamese hackers too but not as often.Ukraine have many good hackers

[12:27] dskimmed2009: oh yes man

[12:27] dskimmed2009: RUSSIAN,VIETNAM,THIALAND,ROMANIA,UKRAINE,NIGERIA ,GHANA

[12:28] robertsicili: Yes. All hacking Americans or all over the world?

[12:28] dskimmed2009: All those countries i just mention they contain alot of fake and good hackers

[12:29] dskimmed2009: they hack EUROPE,UK,US,CANADA,ASIA,WESTERN PART OF AFRICA

We discuss family!

[12:29] robertsicili: do you have kids?

[12:29] dskimmed2009: they hacked all over the world man

[12:29] robertsicili: ok

[12:29] dskimmed2009: i have 2 kids and my personal wife

Back to business

[12:35] robertsicili: how do you get paid?

[12:35] dskimmed2009: they are sooo many ways of means to get money easy but they dont like it on that way

[12:36] dskimmed2009: Through Western Union,Money Gramm,Liberty Resrve and Web Money

[12:38] dskimmed2009: u can also do western union online transaction money transfer with fullz

[12:39] robertsicili: define fullz

[12:39] dskimmed2009: fullz contain , SSN : SOCIAL SECURITY NUMBER DOB : DATE OF BIRTH DL : DRIVING LINCENSE MMN : MOTHER MAIDEN NAME

[12:40] robertsicili: I now understad fullz, but how do I turn that data into money?

[12:40] dskimmed2009: i will teach u if u buy either the fullz or the software ok

[12:40] dskimmed2009: u will just process and operate the software thats all

[12:41] robertsicili: how much for the software?

[12:41] dskimmed2009: 700$

[12:41] robertsicili: damn!~

[12:42] dskimmed2009: Don’t make noise

[12:42] dskimmed2009: i can reduce the price for u if u are ready at any time ok

[12:42] dskimmed2009: am not difficult hacker ok\

Such a great guy and all-around good businessman. Now I want more detail. I want raw data. I want proof.

[12:48] robertsicili: when you get a chance send me samples of what I can get with the software. CVV2?

[12:49] dskimmed2009: all my software are containing security password and codes so i cant just give out like that man

[12:49] dskimmed2009: unless u have make payment for it

[12:49] dskimmed2009: b4 i can give u man

He is refusing to send me samples of data he hacked. I’m beginning to think he has nothing.

[12:50] robertsicili: if im going to make an investment in your softwareI need to understand what it does.

[12:51] dskimmed2009: it will hack the amount on the fullz as mtcn numbers for u to get out with the rest of the infomations man

[12:51] robertsicili: what is mtcn

[12:52] dskimmed2009: Money Transfered Control Number

But he never tells me what it does or how it works. I spend the next hour trying to pull that from him.

[12:54] robertsicili: you sell logins, how do you get them?

[12:55] dskimmed2009: bank logins ?

[12:55] robertsicili: is that what you sell?

[12:55] dskimmed2009: i have software to hack that from bank personal and company account’s

[12:55] dskimmed2009: yes i sell bank logins too man

[12:55] dskimmed2009: CVV,FULLZ,DUMPS,LOGINS,TRANSFERS

[12:56] dskimmed2009: I Do bank transfer,western union transfer and paypal verified account transfer toooo

[13:12] robertsicili: How do you get login data?

[13:14] dskimmed2009: i hack from online banking with software

[13:14] dskimmed2009: i have boa,rbc,wamu,wachovia

[13:14] dskimmed2009: icici,hsbc,abbey

[13:37] dskimmed2009: u need banking software for bank login date?\

[13:38] robertsicili: if im to start a business of hacking data I want to know what to buy from you.

[13:38] dskimmed2009: yes man

[13:38] dskimmed2009: please give me ur western union infomations now ok

[13:38] dskimmed2009: with ur phone number

[13:39] robertsicili: and what will you do with my western union info?

[13:39] dskimmed2009: i want to send some money for u to cash it out and send it to me on my infos in ghana man ok

Now he wants my “western union” account data so he can send me money so I can send his partner money in Ghana. He’s beginning to try an “affinity” scam on me.

[13:39] dskimmed2009: one of my business patner man

[13:39] dskimmed2009: he is online now am talking with him

[13:40] dskimmed2009: so i want to give him us infos to send the money

[13:40] dskimmed2009: through money gramm

[13:40] dskimmed2009: becoz right now all the banks is close

[13:40] dskimmed2009: here in ghana now

[13:41] robertsicili: why do you want to send me cash?

[13:41] dskimmed2009: i want him to send the money to us country so that u cash it out send it to me here in ghana now man ok

[13:41] dskimmed2009: becoz right now all banks is close in ghana now ok

[13:44] robertsicili: OK so he sends me money and i send it back to you because the banks are closed?

[13:44] dskimmed2009: oh yes

[13:44] dskimmed2009: that is it my brother

[13:45] robertsicili: In the US we call that an “advanced fee” scam. At least thats what someone told me.

[13:46] dskimmed2009: okay then stop ok

[13:46] dskimmed2009: don’t do it again ok

[13:46] dskimmed2009: we continue our business now

“don’t do it again” he tells me. OMG LMAO!!!!!

[13:47] robertsicili: I want to buy your software that hacks online banks. Tell me what it does and how much money it will cost me.

[13:49] dskimmed2009: it cost 1300$ for online banking software to hack bank logins both personal and company account

[13:51] robertsicili: tell me how it works, I want to undersyand the technology. Is it sql-injection, spyware? Password hacks, Phishing?

[13:52] dskimmed2009: 2 COMERSUS SOFTWARE WITHOUT BANK LOG IN AND BANK CREDIT CARD CODE ==========1000$

[13:52] dskimmed2009: 3 NEW WESTERN UNION HACKING BUG FOR WORLD WIDE TRANSFER ==========700$ 4 NEW PAYPAL LOG IN HACKWARE FOR HACKING FRESH PAYPAL ==========250$

[13:53] dskimmed2009: 7 NEW CREDIT CARD VALIDATOR FOR VALIDATING ANY FULL CC INFO ==========120$

[13:53] dskimmed2009: WESTERN UNION ONLINE SOFTWARE(WESTERN UNION BUG) VERSION 2009/2010 PRICE:700$

Now I begin to get confused as he describes his process, because it makes no sense.

[14:22] robertsicili: explain to me me how it brings the infos and what the software hacks

[14:22] dskimmed2009: it will hack the bank u will choose on the list of the software processor

[14:23] dskimmed2009: then u will wait for 30 minutes for that bank u choose it’s infomations

[14:23] dskimmed2009: every infomations that will appear within that 30 minutes if valid infomations

[14:25] dskimmed2009: It’s not difficult to understand but if u understand i will be very happy man ok

[14:25] robertsicili: so the software is hacking the banks processor and getting consumer logins?

[14:28] dskimmed2009: it’s like bank transfer

[14:36] robertsicili: explain how th bank transfer works?

[14:36] dskimmed2009: a’m worry about how u dont understand man

[14:36] dskimmed2009: infact its pains me

“infact its pains me” TOOOOOO FUNNNNNYYY!!!!!!!!!!!!!!!

[14:36] robertsicili: Im skilled in software but want to understand how it works. is it a sql injection?

[14:38] robertsicili: if I am to spend thousands of dollars I needd to know how the tech nology works. you are selling hacking softeware but wont tell me how it works

[14:38] dskimmed2009: it will bring that bank u choose all its infomations will appear on it within that 30 minutes time man

None of this makes sense.

[14:40] dskimmed2009: u see someone’s bank account

[14:40] dskimmed2009: he is from usa

[14:40] dskimmed2009: his account was hacked by the software last weeks monday

[14:41] dskimmed2009: 38k was withdraw from it by one of my costumer who come to buy the software man

[14:43] robertsicili: ok

[14:43] dskimmed2009: u see ?

[14:44] robertsicili: soft of. I think there mayt be a language barrier here

[14:45] dskimmed2009: what do u mean by that man?

[14:45] robertsicili: so the software gives me access to the server and shows the banks customers accounts?

[14:45] robertsicili: then I can withdraw from the account and make a transfer?

[14:46] dskimmed2009: oh yes man

[14:46] dskimmed2009: that is it

[14:46] dskimmed2009: u can make the transfer ur self to ur account either company or personal account

So I ask him how he hacks Paypal. Based on his answer, it can’t possibly be this easy.

[14:50] robertsicili: ok. how does it work with paypal?

[14:51] dskimmed2009: We have Verified and Non Verified Account

[14:51] dskimmed2009: just the id and the password

[14:51] dskimmed2009: we have ones with an empty balances and with ones with founds tooooo

[14:59] robertsicili: how does it work?

[15:00] dskimmed2009: for that one is not difficult man

[15:01] dskimmed2009: u will just put the id on it,it will show the password and the amount in the account

WHAT? His software just needs an ID (account number) and it shows the password? I think I smell a rat.

[15:01] dskimmed2009: then u transfer to ur bank account or ur paypal account or uur personal account or any of ur company accout man

[15:02] dskimmed2009: that’sall

[15:02] robertsicili: serious? you have software that will show a persons user ID and their passwords and whats in the account? How does it do that?

[15:03] dskimmed2009: the software self will show the password and the amount on it

[15:03] dskimmed2009: infact i have sell this to 2 costumers only

[15:03] dskimmed2009: it’s too cost but simple to operate

[15:05] robertsicili: This sounds to good to be real. How can you prove this works before i send you money?

[15:05] guest-14953 entered the room

[15:06] dskimmed2009: i dont have any thing to show man

So he’s got nothing. Or at least won’t give up anything.

[15:07] dskimmed2009: if u are ready u go to send money now so that i send u the software man

[15:07] dskimmed2009: becoz with the software u will make alot of money

[15:07] dskimmed2009: and am going to do long term business with u for ever man

[15:07] robertsicili: if what you say is true then the entire banking and paypal security is non existent.

[15:08] dskimmed2009: so u must to trust me and to be honest with me that alll

[15:08] robertsicili: dude, i find it hard to trust in this situation.

[15:09] dskimmed2009: ok

[15:09] dskimmed2009: any way thanks for contacting me ok

[15:09] dskimmed2009: bye

What an ASS. I learned he wasn’t much of a hacker, or at least didn’t have a very good handle on his technology, or he just didn’t want to tell me. But the mere fact that he is sitting in a hut or internet café somewhere and communicating like this tells me someone somewhere has sent him money. Man.

  1. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
  2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing credit card and debit card fraud on CNBC

Resolve to Dissolve Identity Theft

Robert Siciliano Identity Theft Expert

Here we are again, getting ready to face a new year.   Time to set those dreaded New Year’s resolutions.  You know, lose the 10 pounds, give up the chocolate, quit smoking, and win the Nobel Peace Prize.

Along with the breaking of some bad habits, now is the time to take on some new habits to protect you against identity theft. The Identity Theft Resource Center® (ITRC) offers the following top resolutions you can make in 2010:

Lock up your social security card! Get it out of your wallet! Put this valuable card, along with all other important personal documents, in a safe, locked box or safety deposit box.

Don’t share your Social Security Number (SSN) unnecessarily. Ask questions: Why do you need it? What happens if I don’t give it to you? Who gets to see it? What are you going to do with it?  Legitimate reasons to provide your SSN are limited including:  verifying identity for employment; establishing new lines of credit; government benefit programs; and tax purposes.

Invest in a good cross cut shredder and USE IT! Destroy all documents that include personal identifying information (account numbers, birth date, SSN, medical numbers).  This includes those pre-approved credit card offers that fill your mailbox.  When in doubt, shred it!

Order your credit reports! Go to www.annualcreditreport.com or call 877-322-8228 to obtain your free credit reports.  And it’s really free!  You are entitled, by federal law, to obtain one free credit report from each Credit Reporting Agency every year.  For best results, the ITRC recommends that you stagger your requests to one CRA every four months, through this free program.

Consider investing in a locked mailbox. If you already have a locked community mailbox, just remember, sturdier is better.  Additionally, make it a habit to take out-going mail to the post office and stop using your “come steal me” red flag.

Take the time to place passwords on all your accounts and change the old ones. This includes bank accounts, investment accounts, money markets, credit cards, etc.  Be creative and use something that is not easily guessed by someone who may know you.  A good verbal password is NOT the last four digits of your SSN, your mother’s maiden name, your pet’s name or kid’s birthdays.  A random word, not associated with you or your life, is highly recommended.

Limit the amount of personal information you share online. If you don’t want it publicized – don’t put it online! For online accounts, use strong passwords and change them regularly.  (A strong password should be more than 8 characters in length, and contain both capital letters and at least one numeric or other non alphabetical character.  Use of non-dictionary words is also advised.)   Do not access accounts on shared or public computers (library, internet cafes, work, etc).  For more information on safe social networking, see ITRC Fact Sheet 138 – and  Social Networking and Identity Theft.

Be a savvy online shopper! Check out the merchant and make sure they are legit.  Protect your information online by using a secure payment agent – a security product which allows a consumer to control the use of their personal identifying information whether shopping, paying bills online, or registering at websites.  Consider using credit cards instead of debit cards when making purchases.  In addition, install security and malware software to protect your computer and update it frequently.

Monitor any and all account statements carefully. Don’t wait three months to balance your check book or open your mail! React quickly if you notice any discrepancies.

Guard all checks and deposit slips as you would your precious jewelry. In the wrong hands, these account numbers can be even more valuable than handfuls of cash!  When making out checks, use specially formulated gel ink pens, developed to defeat check washing.

Additionally, I recommend:

Protect your social media identity. Register your full name and those of your spouse and kids on the most trafficked social media sites, blogs, domains or web-based email accounts. If your name is already gone, include your middle initial, a period or a hyphen. It’s up to you to decide whether or not to plug in your picture and basic bio, but consider leaving out your age or birthday. You can do this manually or by using a very cost-effective service called Knowem.com.

Protect your financial identity. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano identity theft speaker discussing Social Security Numbers on Fox news

ID Theft Is Set To Rise On The Heels Of The Recession

Jay McDonald from Creditcards.com does a great job of summarizing Identity Theft Predictions for 2010.

“Like wolves to injured prey, identity thieves are out to turn the recession struggles of average Americans to their own advantage.

“In my adult life, I’ve never seen more variations of old scams and the degree of sophistication in newer scams,” says Robert Siciliano, CEO of IDTheftSecurity.com.

The Identity Theft Resource Center predicts an increase in the number of identity theft crimes and victims during the next two years.

Particularly vulnerable are jobseekers whose desperate search for employment makes them easy targets for fake job listings and work-from-home scams.

“If the job description is not one that you would see printed on a business card, or you are asked to front money, it’s a scam,” says Siciliano.

Also on the rise are the misuse of social media and phony ads on Craigslist and other Web sites for the purposes of obtaining credit card numbers or cash.

Most disturbing has been the growing problem of child identity theft, sometimes by the child’s own family.

“The ITRC has noted that nearly 10 percent of its case load for the past six months involved child identity theft issues,” says founder Linda Foley. “It’s as if people have finally realized that a child’s Social Security number can be used for more than just opening a line of credit.”

Visit the ITRC Web site to learn how to protect your personal data from thieves and hackers.”

Protect your identity. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano identity theft speaker discussing credit card fraud on CNBC

5 Tips to Credit Card Identity Theft Prevention

Robert Siciliano Identity Theft Expert

In a recent article in Computer World, Tom Patterson, CSO of Magtek, with his Glamor Shot photo, provides “5 counter-fraud tips you’ve never been told”. Consumers should do anything they can to reduce their risk of account takeover. While in most cases the consumer isn’t responsible for the losses, as long as you refute the fraud in a specified time frame, it’s your duty as a citizen to do so. Studies show much of the terrorists’ funding is coming from card fraud. Card fraud is a breach of national security.

Tip#1 Stare down your waiter, waitress, gas station attendant or anyone you hand your card to. Or at least stare at the card in process. You want to see where that card is going and how it’s being used. The idea here is to make sure the card isn’t being “skimmed” with a skimmer. This is good advice when it’s possible. Most waiters and gas station attendants walk away with the card. This really only works at a POS where the clerk never leaves the terminal. What you should see is the clerk swiping the card through a PC/register-based fixed keyboard or terminal. If you see them swipe the card in a handheld skimmer or something on their body, like attached to a belt or ankle, that’s a red flag.

Tip#2 Shield your PIN. This is absolutely necessary at any POS or ATM. The public nature of these devices makes it very easy for someone to shoulder surf and grab your PIN. A cell phone video cam over your shoulder, a video camera from 50 feet away, binoculars or even a hidden camera attached to the face of the ATM can all compromise your PIN. See here as explained in this video I did on ExtraTV demonstrating how I bought an ATM off Craigslist and rolled it all over Boston.

Tip#3 Change your card number. With millions of card numbers hacked over the last few years, chances are yours was compromised. I for one have had 3 changes of credit cards due to card issuers being proactive and sending me a new card whether I liked it or not. Tom suggests voluntarily changing your credit card number every few months. While this is an extra layer of protection, it’s not at all practical and I doubt even Tom does it. I have numerous EFTs set up with my cards and changing the number means changing them as well. It’s enough of a burden to change it all when the banks issue a new card. But a nice idea if you have the time.

Tip#4 Check your credit card statements every day. This is an extra layer of protection that requires savant-like attention. You check your email every day, so checking your credit card statements every day is doable, right? Every week is sufficient. Even every 2 weeks is OK. Just make sure to check with your bank to determine what their cutoff date is to refute unauthorized withdrawals. For most credit cards it’s 60 days. For most banks it can be under 30 days. This is the most important tip of all.

Tip#5 Authenticate the card. Or the card holder. Today this is out of the hands of the consumer. There are a number of new technologies that, if banks, retailers and the industry adopt them to identify the actual card or user at the POS or even online, will solve most, if not all, of the card fraud problems. There is a race going on right now to see who gets there first. In the next 1-5 years we may see new cards being issued such as “chip and pin”, which are standard in Europe. Or no new cards at all but changes in the system that the card holder is unaware of, or a 2-card system that requires a second swipe of another authenticating card the hacker doesn’t have access to. There are also readily available technologies that will allow the turning on/off of your card with your own preset spend limits too. We will see how this all plays out.

 

Robert Siciliano identity theft speaker discussing credit card fraud on CNBC

Police, DA Investigators Conduct Fake ID Sting

Robert Siciliano Identity Theft Expert

Do an online search for “fake ids” and you’ll be amazed to discover how easy it can be to obtain an ID allowing you to pose as someone else. Or how easy it can be for someone else to obtain an ID that will allow him or her to pose as you. Some websites peddle poor quality cards, others offer excellent quality, and many websites are simply scams.

The fact is, our existing identification systems are insufficiently secure, and our identifying documents are easily copied. Anyone with a computer, scanner and printer can recreate an ID. Outdated systems exacerbate the problem by making it too easy to obtain a real ID at the DMV, with either legitimate or falsified information.

“In Houston, authorities have arrested three people accused of producing fake documents apparently destined for use in identity theft and fraud in Houston.

Harris County District Attorney Patricia Lykos said Monday that the suspects ran four fraudulent document businesses, including two operated out of a flea market.

Houston police and officials from the identity theft section of the district attorney’s office conducted the two-week operation. Undercover officers posing as customers were able to obtain IDs using real and fictitious names.

They confiscated Social Security cards and ID cards from Texas and other states.”

OMG! “including two operated out of a flea market” a FLEA MARKET!! The extent of the security of our nation’s identities is OPERATED OUT OF A FLEA MARKET!!!!!!!!!

USA Today reports that in the four years since Congress enacted the Real ID Act, which was intended to make it more difficult to obtain a fraudulent driver’s license, the act has languished due to opposition from several states. Real ID supporters say it will not only deter terrorism but also reduce identity theft, curb illegal immigration and reduce underage drinking, all by making the nation’s identification-of-choice more secure. Homeland Security Secretary Janet Napolitano is proposing the repeal of the Real ID Act.

However, “The May 10, 2011, deadline for full compliance remains in effect, and the department will continue to work closely with states to meet this deadline,” said Matt Chandler, deputy press secretary for the department. “However, Congress must act to address systemic problems with the REAL ID Act to advance our security interests over the long term.”

The fact is, identity theft is a big problem due to a systematic lack of effective identification and is going to continue to be a problem until further notice. In the meantime it is up to you to protect yourself. The best defense from new account fraud is identity theft protection.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano, identity theft speaker, discusses criminal hackers and identity theft on Fox News