Prankster Creates and Kills Fake Social Media Profiles

This is just weird, but what about social media isn’t weird? We “friend” people we’ve never met. We share our plans, location, and mother’s maiden name with the world.

In New Zealand, weird can be defined as a 28-year-old Auckland woman who created and used several fake online profiles depicting young, pretty women to befriend unsuspecting high school boys.

I can definitely see my 16-year-old self falling for this.

Sometimes, after creating a fake Facebook profile, the woman would use her other online personas to break the news that her fictitious creation had been killed, referring her high-school friends to a tribute website where they could leave messages mourning the dead young woman. So far, around 40 of this scammer’s young victims have been identified.

What a bizarre prank, playing on the emotional wellbeing of a kid!

Making it even more macabre, the scammer borrowed profile pictures of real Facebook users, as well as pictures of their children, friends, and family, and created memorial videos eulogizing them. Posing as the mother of one of her creations, she informed one boy that her daughter was in the hospital after a suicide attempt.

The woman committing these acts is either extremely disturbed or extremely intelligent. Either way, it’s very creative and probably prone to copycats. This woman should be banned from the Internet entirely.

Social media sites could go a long way in terms of protecting their users by incorporating device reputation management. Once a user has been banned, device reputation allows websites to analyze the history of that user’s computer or other device, which may have been used for spam, phishing attempts, predatory behavior, profile misrepresentation, or even credit card fraud. Device reputation alerts businesses to suspicious behavior, uncovers the device’s true location, and exposes hidden relationships to other high-risk accounts and devices.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses social media scams on CNN. (Disclosures)

Match.com Screening For Sex Offenders a Partial Solution

Dating website Match.com is being sued by a woman who was raped after meeting with a man through Match.com. In response, the website has initiated a system to vet out sex offenders by checking registered users against sex offender registries.

Will this prevent sex offenders from creating Match.com profiles? No. Will this prevent sex offenders from raping women they meet on the site? Of course not.

Is it necessary for Match.com to seek out and remove sex offenders? Of course it is. Even though there may be some false positives, even though it’s an imperfect system, it adds a layer of protection that will certainly vet out a bad apple or two, or thousands.

When someone subscribes to a dating site and begins the search for a mate, there is an implied assumption that Match.com has somehow validated other users. While that is definitely not the case, the reality is that new users are approved based on having a working credit card.

Going forward, sex offender registry checks will help, but anyone who meets dates online needs to realize that they are essentially on their own, and that no website can be with you on a date, protecting you from a sex offender.

Dating websites can try to prevent sex offenders from reregistering by recognizing and banning the email addresses or credit cards of unwanted users, but these are imperfect and less than effective security measures.

Dating websites could incorporate another layer of protection, such as vetting the computer used to create the profile in the first place. Device reputation management spots online evildoers in a fraction of a second, by examining the computer, smartphone, or tablet used to connect to the dating website or social network. If a device is associated with unwanted behavior, such as spam, online scams, fake profiles, bullying, or predatory behavior from a previous ban, the website can reject the new account or transaction.

Arguably, dating sites should not have to do any of this, but implementing new layers of security is the appropriate response to an unfortunate tragedy. Let’s hope dating sites get better at policing their members.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses dating security on The Tyra Show. (Disclosures)

Security Expert’s Credit Card Hacked

An excellent way to improve one’s level of security intelligence is to follow the writings of Robert X. Cringely, one of my favorite technology know-it-alls.

Anyway, Cringely’s credit card was recently hacked. And if his card can be hacked, anyone’s can. Like many cardholders, Cringely received a notification from his credit card company’s fraud department, informing him that his card data was being used overseas, on an online dating website.

A scammer used Cringely’s credit card number to create a fake profile, posing as a woman named Katya to lure desperate, unsuspecting men into dating scams.

Cringely determined that the IP address associated with the fraud was anonymized, going through numerous channels to disguise its origin. A Russia-based email address may mean Russian criminals are involved in the hack.

Cringely’s card was used to purchase Badoo credits, which are used to unlock certain features of the dating website, such as chatting with another user or requesting photos. The scammer used Cringely’s card to buy Badoo credits in numerous countries, making her profile internationally accessible.

Cringely surmises that his card data may have been skimmed when he used an ATM or handed his credit card to a store clerk or waiter, or possibly stolen when used to make an online purchase. Even if you are giving your card number to a legitimate online merchant, there’s always the risk they may get hacked. It’s also possible that an unknown worm could have slithered onto Cringely’s PC and sniffed out a credit card transaction.

Even a security expert’s PC can fall victim to hackers, and even someone who knows plenty about security can get hooked. So you must be that much more alert, aware, and on top of these issues.

Websites like Badoo can eliminate scammers with device reputation scanning. Real-time device reputation checks, such as those offered by iovation, can detect computers that have been used for fraud, as well as expose all of the accounts associated with the suspicious device or group of devices, allowing websites to immediately shut down sophisticated fraud rings and fraudulent accounts.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft for the National Speakers Association. (Disclosures)

Card Not Present Fraud Burdens eTailers

More than 90% of online purchases are made with cards, whether they are credit, debit, or gift cards. A virtual payment that takes place online or over the phone, without physical inspection of the card, is considered a “card not present” or CNP transaction. In a CNP transaction, it is not possible to examine a card’s security features or signature.

This creates a higher degree of risk than when a card is physically present at the point of sale. As a result, merchants pay higher fees for CNP transactions, and they pass those costs on to the customer. Identity thieves can use stolen credit card data to make CNP purchases, or they can copy the data to blank cards, which they can use at self-checkouts or when the thief knows the salesperson, who can “sweetheart” the transaction.

Blank cards can also be pressed with foils to create the appearance of a legitimate credit card. Device reputation, an effective online fraud prevention method, helps protect retailers from fraudulent CNP transactions by examining the computer or other device for a history of unwanted behavior plus any suspicious activity at the time of transaction.

If a customer’s PC, smartphone, or tablet indicates an abnormally high level of risk, the merchant can reject the purchase in advance. iovation, the global leader in device reputation, has blocked 35 million fraudulent online transactions in the last year. Protect yourself from credit card fraud by checking your statements regularly.

As long as you dispute unauthorized credit card charges within 60 days, federal laws limit liability to $50. Unauthorized debit card charges must be reported within two days, or liability jumps to $500.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. (Disclosures)

Scammers Spoof College Website

Reed College’s entire website was recently copied and replicated, but with the fictitious name “University of Redwood.” The Wall Street Journal reports, “Officials at Reed suspect the site is part of a scheme to collect application fees from prospective students in Hong Kong and Asia.” Presumably, scammers could simply collect a fee and then issue a rejection letter several weeks later.

Spoofed websites are generally created in order to phish for consumers’ personal information, or to accept credit card payments for products or services that will never be delivered.

In the case of the nonexistent University of Redwood, it’s entirely possible the website served as the front for a diploma mill.

Diploma mills were born alongside legitimate, accredited online universities. Diploma mills issue degrees that can be used to fraudulently obtain employment, promotions, raises, or bonuses. They can also be used as fake identification, to gain employment under an invented name, impersonate a licensed professional, or use fake documents to obtain a genuine ID with fraudulent information.

Diploma mills model themselves after accredited institutions, right down to the .edu web address. They may even incorporate part of an existing university’s name or logo into their own, or mimic an Ivy League school’s color scheme or website design.

Just like a legitimate school, a diploma mill may actually require students to purchase books, do homework, and take tests. Unlike a legitimate school, the diploma school may make passing a foregone conclusion. In many cases, students can simply purchase a diploma, no questions asked. Many of these organizations are nothing more than glorified print shops.

Before plunking down a dime on any learning institution, do your research. There are websites that publicly expose diploma mills, and the U.S. Department of Education recommends that you consult their database as well as additional sources of qualitative information.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft for the National Speakers Association. (Disclosures)

How Much Would You Pay For a Fake Girlfriend?

They say there’s a sucker born every minute. Not everyone can be sophisticated and worldly. Unfortunately, naiveté invites predators and victimization.

Social engineering is the act of manipulating people into performing certain actions or divulging confidential information. Essentially it’s a fancier, more technical form of lying.

Combine naiveté with predators who use social engineering to manipulate their victims, and you get stories like this one, about an Illinois man who sent more than $200,000 to an “online girlfriend” who didn’t actually exist. The man believed he had been in a relationship with the fictional woman for more than two years when he called police to report that she had been kidnapped in London. He then explained that over the course of the relationship, he had wired money to bank accounts in Nigeria, Malaysia, England, and the United States at his supposed girlfriend’s request.

It’s not as difficult as you might imagine to get swindled out of your money this way. Everyone wants to love and to be loved, and everyone likes to think they’re too smart to get scammed. The scammer’s advantage is his ability to appeal to a victim’s loneliness, which often trumps common sense and facilitates bad decision-making.

More than 40 million people subscribe to online dating services, and millions of those subscribers develop intimate, albeit virtual, relationships with anonymous strangers. The most vulnerable users are often those who married young, divorced, and are now in their late 40s or early 50s, facing a new chapter of their lives. This dramatic life transition can foster a degree of loneliness and uncertainty that is extremely difficult to overcome without support from others.

Dating sites could protect users by incorporating another layer of protection, such as device reputation management, which would analyze the computers, smartphones, and tablets used to create new accounts. By examining the device used to connect to one’s website, the website’s operator can reject new accounts or transactions from users with a history of running online scams and spamming in other online communities.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses dating security on E! True Hollywood Stories. (Disclosures)

Spring Is In The Air (And So Are Dating Scams)

Despite the recession, online dating and matchmaking services are becoming increasingly popular. More than ever before, people are looking for love online.

Like a roller coaster, online dating can be fun and exciting, or it can be nauseating. Most dating veterans have been there, done that, with a few regrets and lots of lessons learned. While you may have already experienced a lot, you have yet to see it all.

It’s essential to be able to distinguish a conscious, healthy search for a mate from one that is potentially destructive.

Water seeks its own level, as the saying goes, which means that unhealthy and insecure people tend to find one another, which leads to destructive relationships. What’s worse is that insecure people are often unconsciously drawn to dangerous and sometimes violent mates.

Emotionally healthy, mindful people refuse to settle for unsuitable mates. People who are secure and self-aware tend to be more capable of recognizing threats to their personal security. When a person or situation triggers their suspicions, they trust their instincts and remove themselves from potential danger, cutting their losses and chalking it up to a learning experience.

Scammers take advantage of the insecure by telling them what they want to hear. They often mirror the tone and demeanor of the person with whom they are communicating. Beware of anyone who seems to echo who you are and what you want.

If more dating websites incorporated device reputation management to check for suspicious computer history, and investigated the behavioral characteristics consistent with fraudulent use, they’d be able to deny criminals the first time they tried to sign up.

If you use an online dating service, be on guard for scams. Stick to legitimate, well-known websites, and get referrals from friends who have successfully met romantic partners online.

When creating your dating profile, take care to consider the image you want to project. Never post personal information, including your full name, address, or phone number.

To vet potential dates, check whether the information in their online dating profiles matches other information available online.

If a potential date asks you for a loan or any financial information, immediately report them to the dating website.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses dating safely on The Tyra Show. (Disclosures)

Top 5 Business Security Risks

1. Data Breaches: Businesses suffer most often from data breaches, making up 35% of total breaches. Medical and healthcare services are also frequent targets, accounting for 29.1% of breaches. Government and military make up 16.2%, banking, credit, and financial services account for 10.5%, and 9.2% of breaches occur in educational institutes.

Even if you protect your PC and keep your critical security patches and antivirus definitions updated, there is always the possibility that your bank or credit card company may be hacked, and your sensitive data sold for the purposes of identity theft.

2. Social Engineering: This is the act of manipulating people into taking certain actions or disclosing sensitive information. It’s essentially a fancier, more technical form of lying.

At 2010’s Defcon, a game was played in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have. Of 135 “targets” of the social engineering “game,” 130 blurted out sensitive information. All five holdouts were women who gave up zero data to the social engineers.

3. Failure to Log Out: Web-based email services, social networking sites, and other websites that require login credentials generally provide an option to “Remember me,” “Keep me logged in,” or “Save password,” and, once selected, will do so indefinitely. This feature often works with cookies, or codes stored in temp files. Some operating systems and browsers also include an “auto-complete” feature, which remembers usernames and passwords.

4. Inside Jobs: With millions losing jobs, there are many opportunities for an insider to plug in a thumb drive and steal client data or other proprietary information. Networks are like candy bars, hard on the outside, soft and chewy on the inside. Insiders who fear layoffs may be easily tempted to use their access to profit while they have the chance.

5. Fraudulent Accounts: Many businesses lay claim to thousands or millions of members or clients who have access to web-based accounts. No matter the nature of the business, social network, dating site, gaming site, or even bank or retailer, some percentage of the accounts are ongoing instigators and repositories for fraud. Troublemaker accounts infect the overall stability of any organization, and flushing them out is essential.

One anti-fraud service getting lots of attention for protecting online businesses from crime and abuse is ReputationManager 360 by iovation Inc. The service is used by hundreds of online businesses to prevent fraud by deeply analyzing the computer, smartphone, or tablet connecting to their online properties.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scammers and thieves on The Big Idea with Donnie Deutsch. (Disclosures)

How Important is Cyberspace

Cyberspace has become as essential to the function of daily modern life as we know it, as blood is to the function of our bodies. And I don’t believe that’s an overstatement. If the Internet suddenly vanished, there would be deaths as a result.

Our dependency on the Internet has long since passed the point of turning back, and I think we’ve made a mistake in that approach. Fortunately, it’s extremely unlikely that the Internet will go down entirely.

The U.S. and most other developed countries are thoroughly electrically and digitally dependent. Critical infrastructures, including drinking water, sewer systems, phone lines, banks, air traffic, and government systems, all depend on the electric grid. After a major successful attack, we’d be back to the dark ages in an instant. No electricity, no computers, no gasoline, no refrigeration, no clean water. Think about what happens when the power goes out for a few hours. We’re stymied.

A Wired op-ed by Deputy Secretary of Homeland Security Jane Holl Lute and Bruce McConnell, a Senior Counselor at the department, points out that no single individual or entity has the capacity to protect the Internet, nor would we want to rely on one entity. They stress the necessity of collaboration among private citizens, corporations, and government.

The most important part:

“While America is deeply reliant on cyberspace, the health of this critical ecosystem is itself a work in progress. Indeed, tomorrow’s threats and defensive capabilities have probably not yet been invented. Government must engage: to secure government systems, assist the private sector in securing itself, enforce the law, and lay the policy foundation for future success. Where industry lags, policy change can incentivize key actions. Today’s environment does not, for example, adequately incentivize companies to write secure software. This must change.”

What this is saying is, essentially, “This ain’t no dress rehearsal.” This is the time to act, particularly for those companies that are engaged in commerce or in support of our critical infrastructures.

Robert Siciliano, personal security expert contributor to iovation, discusses the possibility of an Internet crash on Fox Boston. (Disclosures)

Hackers Cheat a Stock Market Game

Gaming websites, like banks and retailers, are forced to deal with online fraud and other abuses, which cost the industry hundreds of millions of dollars each year.

Many gaming sites have increased efforts to detect suspicious players, but savvy criminals have learned to mask their true identities, changing account information to circumvent conventional methods of fraud detection.

When players conspire to hack one game, they compromise the integrity of the entire website. Other players eventually realize that the deck is rigged against them and that the website’s fundamental security has been compromised. The website becomes useless to honest players, who take their business elsewhere.

Earlier this month, six buses transported online entrepreneurs to Austin for the South by Southwest conference, as part of the Startup Bus project.

As reported by CNET, “The coders and would-be Mark Zuckerbergs [took] part in a high-paced competition” in which they formed teams and competed to come up with “the best, and most viable, tech start-up” during the 48-hour drive to Texas. As it turns out, some “buspreneurs” collaborated (or conspired, depending on your perspective) to create automatic scripts that would effectively stuff the ballot box on behalf of three of the teams.

Elias Bizannes, who founded the Startup Bus project, explained, “The good news is that this exploit is no longer a problem and the fake accounts will be penalized. We’ve identified 1,300 fake accounts, with 900 from the same IP address, so not exactly done smartly by them. It’s a problem not with technology, but identity – which to be honest, is just a problem across the Internet.”

It is increasingly necessary for online gaming sites to deploy more effective security solutions, including analysis of information beyond that which is voluntarily provided by users. By leveraging a device reputation check from services like Oregon-based iovation, gaming websites can reject problem players within a fraction of a second, and avoid further problems from users whose devices are already known to be associated with fraudulent behavior.
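As an added illustration of the kind of check described above (this is example code, not from the post, from iovation, or from the Startup Bus project), the following Python groups constructed signup records by IP address and by a device identifier, flags clusters that exceed a threshold, and recounts votes without the flagged accounts. The sample data, the `dev-*` device identifiers and the thresholds are assumptions; it also shows why an IP-only check misses accounts spread across addresses but sharing one device.

```python
"""Detect ballot stuffing by clustering signups on IP and device identity."""
from collections import Counter, defaultdict


def build_sample_signups():
    """Constructed records: (account, ip, device_id). Not real data."""
    # Six ordinary users, each on their own address and device.
    legit = [(f"user{i}", f"198.51.100.{i}", f"dev-legit-{i}") for i in range(1, 7)]
    # An account farm behind one NAT address (many devices, one IP),
    # the pattern in the "900 from the same IP address" incident.
    nat_farm = [(f"farm{i}", "192.0.2.10", f"dev-farm-{i}") for i in range(1, 9)]
    # Accounts spread over several addresses but created from one device;
    # only a device-level check catches these.
    shared_dev = [(f"alt{i}", f"203.0.113.{i}", "dev-shared") for i in range(1, 4)]
    return legit + nat_farm + shared_dev


def build_sample_votes():
    """Constructed votes: (account, team). Farm and alt accounts all back team-c."""
    votes = [(f"user{i}", "team-a") for i in range(1, 5)]
    votes += [(f"user{i}", "team-b") for i in range(5, 7)]
    votes += [(f"farm{i}", "team-c") for i in range(1, 9)]
    votes += [(f"alt{i}", "team-c") for i in range(1, 4)]
    return votes


def flag_accounts(signups, max_per_ip=5, max_per_device=2):
    """Return the set of accounts belonging to any over-sized IP or device cluster."""
    by_ip = defaultdict(list)
    by_device = defaultdict(list)
    for account, ip, device in signups:
        by_ip[ip].append(account)
        by_device[device].append(account)
    flagged = set()
    for accounts in by_ip.values():
        if len(accounts) > max_per_ip:
            flagged.update(accounts)
    for accounts in by_device.values():
        if len(accounts) > max_per_device:
            flagged.update(accounts)
    return flagged


def tally(votes, flagged):
    """Return (raw_counts, clean_counts); clean excludes flagged accounts."""
    raw = Counter(team for _, team in votes)
    clean = Counter(team for account, team in votes if account not in flagged)
    return raw, clean


if __name__ == "__main__":
    signups, votes = build_sample_signups(), build_sample_votes()
    flagged = flag_accounts(signups)
    raw, clean = tally(votes, flagged)
    print(f"flagged {len(flagged)} of {len(signups)} accounts")
    print("raw tally:  ", dict(raw))
    print("clean tally:", dict(clean))
```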

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Good Morning America. (Disclosures)