Be Aware of Tax Time Scams

The Internal Revenue Service has issued its annual “Dirty Dozen” ranking of tax scams, reminding taxpayers to use caution during tax season to protect themselves against a wide range of schemes, from identity theft to return preparer fraud.

An IRS notice informing a taxpayer that more than one return was filed in the taxpayer’s name, or that the taxpayer received wages from an unknown employer, may be the first tip-off the individual receives that he or she has been victimized. Identity theft complaints increased last year, and complaints pertaining to stolen tax returns have increased significantly, from 11,010 complaints in 2005 to 33,774 in 2009, according to an analysis of more than 1.4 million identity theft records from the U.S. Federal Trade Commission. That’s nearly 300%.

Be aware of these scams this tax season:

Phishing scams. If you receive an unsolicited email that appears to be from either the IRS or an organization closely linked to the IRS, such as the Electronic Federal Tax Payment System (EFTPS), report it by sending it to phishing@irs.gov. Never respond to or click on links within unsolicited emails requesting that you enter personal data or visit a website to update account information, especially emails claiming to be from the IRS, which does not send emails out to consumers.

IRS scams. Beware of scammers posing as IRS agents. They contact targets via phone or email, and are often prepared with a few personal details, which they use to convince targets of their IRS affiliation. This data may actually have been gleaned from public records or even your trash. This type of scammer may offer you a tax refund, and will generally pressure you to comply with their request.

Rogue tax preparers. Questionable return preparers have been known to skim off their clients’ refunds, charge inflated fees for return preparation services and attract new clients by promising guaranteed or inflated refunds.  Anyone can hang out a shingle and claim to be a credible accountant. That shouldn’t be enough to persuade you to disclose all your financial records.

Signs that you are dealing with an unscrupulous return preparer include that they:

Do not sign the return or place a Preparer Tax Identification Number on it.

Do not give you a copy of your tax return.

Promise larger than normal tax refunds.

Charge a percentage of the refund amount as preparation fee.

Require you to split the refund to pay the preparation fee.

Add forms to the return you have never filed before.

Encourage you to place false information on your return, such as false income, expenses and/or credits.

Here are some suggestions to protect yourself and make sure that you get your return:

Protect your data. This means that all sensitive documents, including anything that includes tax or investment records, credit, debit, or bank account numbers, or a Social Security number, must be secured from the moment they arrive in your mailbox. Secure means that your mailbox and file cabinet have locks, or even that important documents are stored in a fire-resistant safe.

Shred non-essential paperwork. Check with your accountant to determine what you need and what you don’t. Use a cross-cut shredder to destroy unneeded documents.

Go paperless. Whenever possible, opt to receive electronic statements in your inbox. The less paper in your life, the better.

File early. The earlier you file, the more quickly you thwart any criminal’s attempt to file on your behalf and collect your refund. Only file your tax return with the help of a local, trusted, professional accountant whom you know, like, and trust. If you file online, you should use a secure PC and a secure Internet connection. If you submit your taxes through the mail, you should bring them directly to your local post office.

Protect your PC. A computer’s operating system should always be updated with the latest critical security patches and you should use comprehensive security software that provides antivirus, anti-spyware, anti-phishing, anti-spam and a 2-way firewall.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

How to Protect Your Privacy From “Leaky” Apps

Back in 2010, The Wall Street Journal was already warning us about app developers’ lack of transparency with regard to their intentions.

“An examination of 101 popular smartphone “apps”—games and other software applications for iPhone and Android phones—showed that 56 transmitted the phone’s unique device ID to other companies without users’ awareness or consent. Forty-seven apps transmitted the phone’s location in some way. Five sent age, gender and other personal details to outsiders. The findings reveal the intrusive effort by online-tracking companies to gather personal data about people in order to flesh out detailed dossiers on them.”

And since then, our level of engagement with mobile apps has only increased (with over 10 billion apps downloaded), while there has not been a lot of movement to prevent applications from accessing your data.

So what to do? Privacy concerns are justified, but there is a limit to how this information can be utilized. If you feel the urge to free yourself from data tracking, you could delete and avoid apps, or you could provide false information, but that could violate terms of service and might not be effective, anyway.

When downloading an application, make an effort to consider what you are giving up and what you are getting in return, and to consciously decide whether that particular tradeoff is worthwhile.

You can also use mobile security software like McAfee Mobile Security, which scans your installed apps to determine the level of access being granted to each of them. This feature alerts you to apps that may be quietly siphoning data and enjoying unnecessarily extensive control of the device’s functionality, so you can decide whether you want to keep each app or delete it.

With better insight, you can take more of your mobile security and privacy into your own hands.

Protect Yourself from Vishing

“Vishing” occurs when criminals cold-call victims and attempt to persuade them to divulge personal information over the phone. These scammers are generally after credit card numbers and personal identifying information, which can then be used to commit financial theft. Vishing can occur either on your landline phone or on your mobile phone.

The term is a combination of “voice” and “phishing,” which is, of course, the use of spoofed emails to trick targets into clicking malicious links. Rather than email, vishing generally relies on automated phone calls that instruct targets to provide account numbers. Techniques scammers use to get your phone numbers include:

Wardialing: This is when a visher uses an automated system to target specific area codes with a phone call involving local or regional banks or credit unions. When someone answers the phone a generic or targeted recording begins, requesting that the listener enter a bank account, credit, or debit card number and PIN.

VoIP: Voice over Internet Protocol is an Internet-based phone system that can facilitate vishing by allowing multiple technologies to work in tandem. Vishers are known to use VoIP to make calls, as well as to exploit databases connected to VoIP systems.

Caller ID Spoofing: This is the practice of causing the telephone network to display a false number on the recipient’s caller ID. A number of companies provide tools that facilitate caller ID spoofing. VoIP has known flaws that allow for caller ID spoofing. These tools are typically used to populate the caller ID with a specific bank or credit union, or just with the words “Bank” or “Credit Union.”

Social Engineering: Social engineering is a fancier, more technical form of lying. Social engineering (or social penetration) techniques are used to bypass sophisticated security hardware and software. The automated recordings used by vishers tend to be relatively professional and convincing.

Dumpster Diving: One time-tested “hack” is simply digging through a bank’s dumpster and salvaging any lists of client phone numbers. Once a visher has the list, he can program the numbers into his system for a more targeted attack.

To protect yourself from these scams you should:

Educate yourself – Knowledge is the key to defending yourself from vishing. The more you understand it, the better off you’ll be, so read up on vishing incidents, and if your bank provides information about vishing online or in the mail, sit up and pay attention. As this crime becomes more sophisticated, you’ll want to stay up to date.

If you receive a phone call from a person or a recording requesting personal information, hang up. If the call purports to be coming from a trusted organization, call that entity directly to confirm their request.

Don’t trust caller ID, which can be tampered with and offers a false sense of security.

Call your bank and report any fraud attempts immediately. The sooner you do, the more quickly the scam will be squashed.

Document the call, noting what was said, what information was requested, and, if possible, the phone number or area code of the caller, and report this to your bank.

5 Lessons Learned from RSA

A couple of weeks ago, the RSA Security conference took place in San Francisco, CA. The increasing sophistication of hackers and visibility of data breaches (including one on the conference’s namesake company last year) make this an exciting time to be in the security business. While this show is for corporate IT and security professionals, there are some things that consumers can take away from all of this.

Social networking sites are prime targets for cybercriminals: Hackers are aware of the large numbers of people using sites like Facebook, Twitter, and YouTube, and are using this to their advantage by putting offers out there to try and get you to click on malicious links. Security companies are using social media to get the word out on protection and to help educate consumers, so take the time to read their advice. McAfee pulls together lots of great content and advice and has over 575k on Facebook.

Hackers are targeting intellectual property: For a decade now, credit card numbers, Social Security numbers and everything needed to take over accounts or open new ones have been targets. Criminals still want all that, and they also want proprietary data that will help their nation or company get an edge.

Advanced Persistent Threats (APTs) will be a bigger topic: You’ve heard the term “it’s not a matter of IF, but WHEN” and this applies to APTs. APTs are ongoing threats where the intent is to persistently and effectively target a specific entity, and it can take criminals days to decades to achieve their goal.

Multiple layers of protection: For the enterprise, this is protection at all points, but this also applies to consumers. It used to be that all you needed was a firewall, then you needed antivirus, now you need anti-spam, anti-phishing, anti-spyware and for heaven’s sake make sure your wireless is protected too. This is just the beginning! Expect more layers to come.

Protect the data and the device: It used to be all you had to be concerned about was protecting your PC. Now you have to be equally proactive in protecting your Mac, tablet and mobile phone. You still need antivirus and all the different layers of protection mentioned in the point above, but you also need to be aware of what stuff you have on all your devices that can expose your personal information and identity.

QR Codes Could Deliver Malware

You’ve seen barcodes all your life. So you know what they look like: rectangular “boxes” composed of a series of vertical lines. When a cashier scans a barcode, you hear a familiar beep and you are charged for that item.

A QR code looks different and offers more functionality. QR stands for “quick response.” Smartphones can download QR readers that use the phone’s built-in camera to read these codes. When the QR code reader application is open and the camera detects a QR code, the application beeps and asks you what you want to do next.

Today we see QR codes appearing in magazine advertisements and articles, on signs and billboards; anywhere a mobile marketer wants to allow information to be captured, whether in print or in public spaces, and facilitate digital interaction. Pretty much anyone can create a QR code.

Unfortunately, that’s where the cybercriminals come in. While QR codes make it easy to connect with legitimate online properties, they also make it easy for hackers to distribute malware.

QR code infections are relatively new. A QR scam works because, as with a shortened URL, the link destination is obscured by the link itself. Once scanned, a QR code may link to a malicious website or download an unwanted application or mobile virus.

Here are some ways to protect yourself from falling victim to malicious QR codes:

Be suspicious of QR codes that offer no context explaining them. Malicious codes often appear with little or no text.

If you arrive on a website via a QR code, never provide your personal or login information, since it could be a phishing attempt.

Use a QR reader that offers you a preview of the URL that you have scanned so that you can see if it looks suspicious before you go there.

Use complete mobile device security software, like McAfee® Mobile Security, which includes anti-virus, anti-theft and web and app protection and can warn you of dangerous websites embedded in QR codes.
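The URL preview recommended above can be made concrete. The following is an added example, not code from the original post or from any McAfee product: it takes the text a QR reader has already decoded and lists reasons for caution before the link is opened. The shortener list, the heuristics and the sample payloads are all constructed assumptions.

```python
"""Preview checks for a decoded QR payload (added example, heuristics are assumptions)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed, non-exhaustive list of URL-shortener hosts, for illustration only.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}


def preview_qr_payload(payload: str) -> dict:
    """Return the real destination host and a list of reasons to be cautious."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return {"host": None, "warnings": ["payload is not a parseable URL"]}

    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # QR codes can also carry tel:, sms: and other action URIs.
        label = scheme or "none"
        return {"host": None,
                "warnings": [f"non-web scheme '{label}': triggers an action, not a page"]}

    host = (parts.hostname or "").lower()
    warnings = []
    if scheme == "http":
        warnings.append("plain http: the page is not protected in transit")
    if parts.username or parts.password:
        warnings.append("text before '@' is not the site: the real host follows it")
    if host in SHORTENER_HOSTS:
        warnings.append("shortened link: final destination is hidden")
    try:
        ipaddress.ip_address(host)
        warnings.append("raw IP address instead of a domain name")
    except ValueError:
        pass  # host is a name, not an IP literal
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: name may imitate another domain")
    if parts.path.lower().endswith((".apk", ".ipa")):
        warnings.append("link points directly at an app package download")
    return {"host": host, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample payloads, as a QR reader would hand them over.
    samples = [
        "https://www.example.com/menu",
        "http://bit.ly/abc123",
        "http://example.com@203.0.113.7/update.apk",
        "tel:+15555550100",
    ]
    for sample in samples:
        result = preview_qr_payload(sample)
        print(sample, "->", result["host"])
        for reason in result["warnings"]:
            print("   caution:", reason)
```

An empty warning list does not mean a destination is safe; the check only surfaces what the code image itself hides from the person scanning it.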

Jailbreaking an iPad Exposes Vulnerabilities

At the McAfee FOCUS conference in October of last year, members from McAfee Labs™ spoke about malware and other threats that affect security. One of the most popular events was when they brought an iPad on stage and did a live hack.

The researchers were able to remotely watch as a user accessed his email and even interacted with the device by accessing the iPad via an unprotected wireless Internet connection (like many of us use in a café, airport or other public place).

The issue that made the iPad vulnerable has since been patched, but the tools used in this hack were some that are also used to “jailbreak” a mobile phone or tablet.

Jailbreaking is the process of removing the limitations imposed by Apple and the associated carriers on devices running the iOS operating system. A jailbroken iPhone or iPad breaks Apple’s security and allows users to download applications, some of which are pirated from unofficial third party stores.

Similar to jailbreaking, rooting is the term used for this process of removing the limitations on any mobile phone or tablet running the Android OS.

Jailbreaking or rooting your mobile device may be desirable in some cases for some people, but what we all need to be aware of is that by doing so, we are opening the device up to vulnerabilities which can be used for malicious purposes.

Here’s the link to the full paper that was written from this demo: http://www.mcafee.com/us/resources/white-papers/wp-apple-ipad-hack.pdf

The lesson we all can learn from this? We need to protect ourselves by:

Using strong passwords and locking our devices

Ensuring that anti-malware and anti-theft protection are in place on our mobile devices

Taking precautions when using public Wi-Fi connections

Being aware of what we do online and how it can make us vulnerable

Don’t Let Location-Based Services Put You in Danger

Location-based services utilize geo-location information to publish your whereabouts. In some cases, these services can also provide discounts or freebies as a reward for “checking in” at participating businesses and gathering “points.” These services can also be used to share photos and other media in real-time with your friends and followers.

Geo-location or geo-tagging can be used on PCs, but is primarily applicable to mobile phones. The geo-location software usually obtains its data from your device’s Internet Protocol (IP) address or your Global Positioning System (GPS) longitude and latitude. Many of today’s social networking sites are now incorporating location-based services that allow users to broadcast their locations via smartphone.

Carnegie Mellon University has identified more than 80 location-sharing services that either lack privacy policies or collect and save user data for an indefinite period of time.

Some companies have even adopted the technology, which they’ve dubbed “GPS dating,” to connect singles with other local singles anywhere, any time. These dating services make it easy to find other users by providing photos and personal descriptions.

This technology is immensely useful to predators, thieves, and other criminals, since it makes it so simple to determine where you are, and where you are not. They can access a full profile of your itinerary, all day, every day. Someone who is paying unwanted attention to you can see your exact address each time you “check in.”

One of the most extreme examples of the dangers posed by GPS-locators is the issue of domestic abuse victims who seek safety at a shelter; volunteers have adopted a policy of removing batteries from women’s phones as soon as they arrive, so that abusers cannot track their victims to the shelter.

Thieves use geo-location to determine whether you are home or not, and then use that data to plan a burglary.

Stalkers who use the phone’s GPS are usually close to the victim—a family member or ex-boyfriend or girlfriend, for example—and use their personal access to manually turn on GPS tracking.

To protect yourself from broadcasting your location, you should:

Turn off your location services on your mobile phone or only leave it enabled for applications like maps. Most geo-location services are turned on by default.

Be careful about what images and information you are sharing on social networks, and when. For example, it’s best to wait until you are home to upload those vacation photos.

Check the privacy settings on the social networking sites where you share information, to make sure you are sharing only with your friends and not with everyone.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing GPS Dating Security on Good Morning America. (Disclosures)

McAfee Mobile Security Delivers at Mobile World Congress

In Barcelona, Spain on Feb. 27, 2012 McAfee unveils its series of technology advancements that deliver upon its vision of providing comprehensive mobile security and privacy protection for devices, data and apps. McAfee® Enterprise Mobility Management (EMM™) 10.0, available now, includes significant security updates for enterprise customers to enable ‘bring your own device’ practices in the enterprise. With EMM 10.0, IT professionals will have improved control to identify, secure, and assign policies to both employee- and business-owned smartphones and tablets.

The concern for IT professionals is “BYOD” (Bring Your Own Device), a term that has become widely adopted to refer to mobile workers bringing their own mobile devices, such as smartphones, tablets and PDAs, into the workplace for use and connectivity. Today, many consumers expect to be able to use personal smartphones and mobile devices at work, which is an IT concern. Many corporations that allow employees to use their own mobile devices at work implement a “BYOD policy” to help IT better manage these devices and ensure network security.

Expanded Data Security, Application Security and Ease of Administration

McAfee EMM software gives enterprises the ability to offer their employees mobile device choice, while delivering secure and easy access to mobile corporate applications. New features and functionality include:

Expanded Data Security: Email “Sandboxing” for iOS and an integrated Secure Container for Android, available by Q2

Enhanced Application Security: Application Blacklisting for Android and iOS allows the administrator to define a set of applications and block access.

Ease of Administration: Bulk provisioning for Android and iOS

Enhanced Protection for Consumers

McAfee® Mobile Security 2.0 for consumers offers an all-encompassing approach to mobile security and protects a user’s privacy when using smartphones and Android tablets. McAfee Mobile Security combines powerful anti-theft, antivirus, call and SMS filtering, web and app protection. It was also recently awarded the LAPTOP Magazine Editors’ Choice award for best mobile security app.

McAfee can also be seen the week of Feb. 27 at Mobile World Congress in Barcelona, Spain at the Intel stand in Hall 8 B197 and at the RSA Conference in San Francisco, CA at McAfee booth #1117 or Intel booth #1324. Be sure if you are attending Mobile World Congress to stop by for a chance to win a Samsung Galaxy Tab!

 

I Found Your Data on That Used Device You Sold

Over the past 15 years, the increasingly rapid evolution of technology has resulted in new computers or mobile phones becoming outdated in a matter of one or two years. Chances are, you’ve gone through no less than ten digital devices in the past decade, if not more. It has become standard practice to upgrade to a newer device and often sell, donate, or discard the old one. Or you’ve received a new computer or mobile phone for a holiday gift and need to get rid of the old one.

What did you do with all of your old devices? Some may be in your basement, others were given away, and you might have hocked a few on eBay or Craigslist. Did you know it is very likely that you inadvertently put all of your digital data in someone else’s hands if you no longer have the device?

I recently bought 20 laptops, desktops, netbooks, notebooks, tablets, Macs, and mobiles through Craigslist, all from sellers located within 90 minutes of my home. Of the 20, three of them had never been wiped, meaning that I bought the devices exactly as they once sat on someone’s desk. The original owners had made no effort to clean out the data, which meant that I was able to access the records of their entire digital lives. 17 of the devices had been wiped, meaning that the seller took the time to reformat or reinstall the operating system. Of the 17 wiped drives, seven contained remnants of the previous users’ digital lives. Despite the effort made to reformat or reinstall the operating systems, there were partitions and leftover data on the drives.

After having spent the past few months working with a forensics expert, I’ve come to the conclusion that even if you wipe and reformat a hard drive, you may still miss something. IT professionals tasked with data destruction use “wiping” software, and you can too. But after what I’ve seen, more needs to be done. This means external and internal drives, thumb drives, SD cards, and anything else that stores data really should be destroyed.

So whether you destroy an unwanted drive with a sledgehammer, or use a drill press to turn it into swiss cheese, or use a hack saw to chop it into pieces, and then drop those pieces into a bucket of salt water for, oh, say a year, just to be safe, for your own good, don’t sell it on eBay or Craigslist.
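For readers who want to see what a reformat leaves behind, such as the partitions and leftover data described above, the following added example (not part of the original post) scans a raw disk image for partition-table signatures and sectors that still hold data. It assumes the wipe tool zero-fills the drive, so any non-zero sector counts as a remnant; the two sample images are constructed in memory.

```python
"""Check a raw disk image for data left behind after a 'wipe' (added example)."""
import io

SECTOR = 512  # assumed logical sector size; pass 4096 for 4K-native drives


def scan_image(stream, sector_size=SECTOR, sample_limit=8):
    """Read a raw image sector by sector and report what is still on it."""
    report = {"sectors": 0, "nonzero_sectors": 0, "mbr_signature": False,
              "gpt_header": False, "sample_lbas": []}
    lba = 0
    while True:
        block = stream.read(sector_size)
        if not block:
            break
        # A boot sector or MBR ends with 0x55 0xAA at byte offset 510.
        if lba == 0 and block[510:512] == b"\x55\xaa":
            report["mbr_signature"] = True
        # A GPT header starts with the ASCII signature "EFI PART" at LBA 1.
        if lba == 1 and block[:8] == b"EFI PART":
            report["gpt_header"] = True
        # Anything other than zero bytes means the sector was never overwritten
        # (or was rewritten by the reformat itself).
        if block.strip(b"\x00"):
            report["nonzero_sectors"] += 1
            if len(report["sample_lbas"]) < sample_limit:
                report["sample_lbas"].append(lba)
        report["sectors"] += 1
        lba += 1
    return report


def looks_wiped(report):
    """True only if every sector read was entirely zero."""
    return report["sectors"] > 0 and report["nonzero_sectors"] == 0


def build_quick_formatted_image(sectors=64):
    """Constructed sample: fresh boot sector plus one stale sector of old data."""
    image = bytearray(sectors * SECTOR)
    image[510:512] = b"\x55\xaa"                      # new boot-sector signature
    leftover = b"CONSTRUCTED-LEFTOVER: old document text"
    image[40 * SECTOR:40 * SECTOR + len(leftover)] = leftover
    return bytes(image)


if __name__ == "__main__":
    for name, data in (("quick format", build_quick_formatted_image()),
                       ("zero fill", bytes(64 * SECTOR))):
        result = scan_image(io.BytesIO(data))
        print(f"{name}: wiped={looks_wiped(result)} "
              f"nonzero={result['nonzero_sectors']}/{result['sectors']} "
              f"at LBAs {result['sample_lbas']}")
```

A clean result covers only the sectors the operating system can read; blocks a drive has remapped internally are not visible this way, which is consistent with the post's preference for physical destruction.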

Analysts Expect Explosion in Mobile Malware

As consumers have overwhelmingly flocked to purchase smartphones (149 million were shipped in Q4, a 37% increase over Q4 2010), mobile operating systems from the likes of Apple, Google, and Microsoft are becoming big targets.

Malware, which consists of viruses, spyware, scareware, and other digital infections designed to steal data, is known to be a serious issue for PCs. And in response, there are complete security solutions that include antivirus, anti-spyware, anti-phishing protection, anti-spam and firewall protection. As smartphones gradually eclipse PCs in usage volume, criminals will direct their malware efforts toward mobile devices. But at present, the world of mobile security offers very few options.

According to McAfee Labs™, “nearly all the types of threats to desktop computers that we have seen in recent years are also possible on mobile devices (parasitic viruses may be a notable exception for modern mobile OS’s, more on this below). Moreover, we are bound to see threats readapted to mobile environments and, unfortunately, we are also likely to see new kinds of malware that target smartphone capabilities that are not available on desktops.”

Now would be a good time to install a mobile security product on your smartphone.
