Botnets Lead to Identity Theft

When a virus recruits an infected PC into a botnet, a criminal hacker is able to remotely access all the data on that computer.

Robot networks, or botnets, have a varied history. A bot, which doesn’t necessarily have to be malicious or harmful, is essentially a program designed to connect to a server and execute a command or series of commands.

As reported by a McAfee study, networks of bots, otherwise known as drones or zombies, are often used to commit cybercrime. This can include “stealing trade secrets, inserting malware into source code files, disrupting access or service, compromising data integrity, and stealing employee identity information. The results to a business can be disastrous and lead to the loss of revenue, regulatory compliance, customer confidence, reputation, and even of the business itself. For government organizations, the concerns are even more far reaching.”

In the second quarter of 2010, more than two million PCs were recruited into botnets in the United States alone. That’s more than five out of every 1,000 personal computers. The rise and proliferation of botnets will continue to put identities at risk.

Computers with old, outdated, or unsupported operating systems like Windows 95, 98, and 2000 are extremely vulnerable. Systems using old or outdated browsers such as IE 5 or 6, or older versions of Firefox offer the path of least resistance.

To protect yourself, update your operating system to Windows 7 or XP SP3. Make sure your antivirus software is set to update automatically. Keep your critical security patches up to date by setting Windows Update to run automatically as well. And don’t engage in risky online activities that invite attacks.

In order to protect your identity, it is important to observe basic security precautions. When you conduct transactions with corporations and other entities, however, the safety of your information is often beyond your control.

Consumers should consider an identity theft protection product that offers daily credit monitoring, proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection includes all these features in addition to live help from fraud resolution agents if your identity is ever compromised. For more tips on protecting yourself, please visitwww.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss identity theft. (Disclosures)

Colorado Supreme Court: Using a Stolen Social Security Number is Not Identity Theft

I feel like my head is going to explode.

The Colorado Supreme Court has ruled “that using someone else’s Social Security number is not identity theft as long as you use your own name with it.”

The defendant in this particular case had admitted to using a false Social Security number on an application for a car loan, and to find employment. The court ruled that since he had used his real name, and the Social Security number was only one of many pieces of identifying information, he “did not assume a false or fictitious identity or capacity,” and “did not hold himself out to be another person.” The court found the defendant’s use of a false Social Security number “irrelevant,” since the number was provided to fulfill “a lender requirement, not a legal requirement.”

Justice Nathan Coats dissented, writing, “The defendant’s deliberate misrepresentation of the single most unique and important piece of identifying data for credit-transaction purposes” was “precisely the kind of conduct meant to be proscribed as criminal.”

This is yet another example of the lack of justice in the judicial system. The justices erred by failing to understand what identity theft really entails, especially when considering the distinction between a “lender requirement” and a “legal requirement.” Whether or not a Social Security number is legally required in order to obtain credit, it is still a legal identifier in many circumstances.

42 USC Chapter 7, Subchapter IV, Part D, Sec. 666(a)(13), a federal law enacted in 1996, determines when the numbers should be used. This law requires a Social Security number to be recorded for “any applicant for a professional license, driver’s license, occupational license, recreational license or marriage license.” It can also be used and recorded by creditors, the Department of Motor Vehicles, whenever a cash transaction exceeds $10,000, and in military matters.

“Synthetic identity theft” occurs whenever an identity is partially or entirely fabricated. This commonly involves the use of a real Social Security number in combination with a name and birth date that are not associated with the number. This type of fraud is more difficult to track because the evidence does not appear on the victim’s credit report or on the perpetrator’s credit report, but rather as a new credit file or subfile. Synthetic identity theft is a problem for creditors, who grant credit based on false records. It can also create complications for individual victims if their names become associated with synthetic identities, or if their credit scores are impacted by negative information in an erroneous subfile.

With this decision, the Colorado Supreme Court has fundamentally upset the balance of law, effectively opening a Pandora’s box of problems. This saga is far from over.

Since the law won’t protect you, at least in this scenario, consider investing in McAfee Identity Protection, which includes proactive identity surveillance to monitor subscribers’ credit and personal information, plus access to live fraud resolution agents who can help subscribers resolve identity theft issues. For additional tips, please visit www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss identity theft victims onThe Morning Show with Mike and Juliet. (Disclosures)

Leaked Social Security Numbers Put “Personal Security and Safety at Risk”

Allen West, a Republican Congressional candidate, is speaking out after a mailing from the Florida Democratic Party releases his Social Security number and his wife’s federal employee number. “It’s an attack against me and I think it shows the weakness of the character of Ron Klein and definitely the Florida Democratic party, to put a person’s personal security and safety at risk,” said West, “And also affects my family as well.”

The Florida Democratic Party responded by stating, “We apologize for the oversight of not redacting this information from the public record included in the mailer,” and by offering West two years of identity theft monitoring, but West says he will not accept their money.

Meanwhile, in Virginia, a judge has ruled it is legal to post Social Security numbers on websites. Every city, state, and town has its own set of regulations determining the collection and management of public records, including birth, death, marriage, court, property, and business filings. Many of these documents include Social Security numbers. And many are posted on the Internet.

The Privacy Act of 1974 is a federal law that establishes a code of fair information practices governing the collection, maintenance, use, and dissemination of personally identifiable information in federal record systems.

Back in 1974, identity theft wasn’t an issue, so having your Social Security number on your driver’s license, school ID, and most other documents wasn’t a big deal. Then someone figured out how to use a Social Security number to pose as someone else, and from there, identity theft became big business.

When a judge rules that it’s okay to post Social Security numbers online, and a politician states that a similar act “puts a person’s personal security and safety at risk,” it’s clear that we have a systemic problem, one which the government is unlikely to solve.

It is important to observe basic security precautions to protect your identity. But you have no control over the security of your personal information when it is stored in government and corporate databases.

Consumers should consider an identity theft protection product that offers daily credit monitoring, proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection includes all these features as well as live help from fraud resolution agents if your identity is ever compromised. For more tips on protecting yourself, please visithttp://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss Social Security numbers as national IDs on Fox News. (Disclosures)

IRS Fully Reliant on Social Security Numbers

On the Policy, Practice & Procedures page of their website, the IRS addresses the public’s concern regarding Social Security numbers on checks:

Complete Social Security Numbers (SSN) on Checks or Money Orders Remitted to IRS

Issue: Tax Professionals and clients have concerns about taxpayers putting their full SSN on checks remitted to IRS in payment of a balance due. Page 74 of the Form 1040 instructions directs taxpayers to put their full SSN on checks.

Response: The SSN Elimination and Reduction program is presently working on mid-to-long-term solutions to address the use of SSNs on checks remitted to IRS in payment of a balance due. To ensure payments are posted to the correct account, we encourage taxpayers to include their SSNs on checks and money orders submitted to the IRS. IRS processes millions of returns and payments each year, including many from taxpayers with the same or similar names. If you are concerned about providing the SSN, you may consider using the Electronic Federal Tax Payment System. EFTPS is a secure alternative to mailing a check.”

Essentially, if you want to be sure that you’re properly credited for any money paid to the IRS, and avoid being labeled a tax evader, you don’t have much of a choice about including your Social Security number on checks and money orders.

The IRS sent 201 million notices to taxpayers during the fiscal year 2009, and most of those mailings included Social Security numbers. Social Security numbers may also appear in more than 500 computers systems and 6,000 internal and external forms. According to the Treasury Department Inspector General, “this is because Social Security numbers are used to associate correspondence and documents with taxpayer accounts.”

The IRS is currently in the process of reviewing their current reliance on Social Security numbers as primary account numbers for all citizens. Some have suggested that we may eventually switch to barcodes, but if this transition ever does take place, it isn’t likely to happen anytime soon.

At present, the IRS, along with many other government agencies and corporations, relies on Social Security numbers and will do so for years to come. This continued reliance will inevitably result in additional data breaches and therefore, more stolen identities.

Identity theft can happen to anyone. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection puts victims first, providing live access to fraud resolution agents who work with victims to help restore their identities. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss IRS related identity theft on Fox News. (Disclosures)

Live ATM Skimming Video Confiscated

ATM skimming, the top ATM-related crime, accounts for about $350,000 in fraud every day in the United States, exceeding a billion dollars a year.

An organization called EAST, or European ATM Security Team, posted seized video footage from a compromised ATM, depicting the installation of a camera and skimmer. The video shows how criminals collect cardholders’ PINs.  It also shows how easily cardholders can protect their PINs. This must-see video is simple, but says a lot. (You can watch more ATM skimming demonstrations on Extra TV.)

EAST explains, “while the vast majority of ATM transactions are completely secure, criminals do occasionally target cash machines to try to either steal cards (card trapping) or to copy cards (card skimming). In both cases, the criminals need to obtain the 4-digit cardholder PIN to allow for fraudulent cash withdrawal. The video shows criminals installing a micro camera above an ATM PIN pad and then placing a skimming device over the card reader throat. The scenes that follow show cardholders conducting transactions at the ATM and it’s easy to see that the criminals can’t obtain the PIN of those who cover their hand when entering it.”

To help combat this type of crime, ADT has introduced the ADT Anti-Skim ATM Security Solution, which helps prevent and detect skimming on all major ATM makes and models. ADT’s anti-skim solution is installed inside an ATM near the card reader, making it invisible from the outside.

When using an ATM, beware of skimming devices. The following cardholder security tips are courtesy of the LINK ATM Scheme.

– Protect your PIN by standing close to the ATM and shielding the key pad with your other hand.

– Check to see if anything looks unusual or suspicious about the ATM. If it appears to have anything stuck onto the card slot or key pad, do not use it. Cancel the transaction and walk away. Never try to remove suspicious devices.

– Be cautious if strangers offer to help you at an ATM, even if your card is stuck or you’re having difficulties. Don’t allow anyone to distract you.

– Where possible, use an ATM which is in clear view and well lit.

– Check that other people in the queue are a reasonable distance away from you.

– Keep you PIN secret. Never reveal it to anyone, even someone who claims to be calling from your bank or a police officer.

– Avoid opening you purse, bag or wallet when you’re in the queue. Put your money away immediately.

– Regularly check your account balance and bank statements, and report any discrepancies to your bank immediately.

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss ATM skimming on Fox Boston. (Disclosures)

Top 5 Scams to Watch Out For

#1 Nigerian Scams: According to a Dutch study, victims of advanced-fee scams, which are also known as 419 scams or Nigerian scams, lost more than $9 billion in 2009, almost 50% more than the previous year. (This PDF contains the statistics from the study.)

While these types of scams are generally understood to be Nigerian in nature and origin, and are in fact named after the 419 Nigerian code that made them illegal, advanced-fee scams were launched from 69 other countries in 2009. Scammers are broadening their targets to include emerging Internet markets, rather than simply targeting English-speaking nations.

#2 Romance Scams: If you ever hear talk like this, run far and fast: “In me sweetheart you are going to find the most passionate, loving and romantic man you have ever met. There are very few promises in life but this is one of them! ROMANCE is the key to my happiness and to my heart and soul!”

#3 Classified Ad Scams: This story caught my eye: “An online scam targeting pet-lovers is circulating the web, and it could cost you more than a new pet. An ad posted to a local online classified website by a man who claimed he was living in Florida. The seller said he had recently moved to Miami, and couldn’t keep his dog due to his new living conditions. He was willing to give the Labrador Retriever puppy named Dely away for the cost of shipping, which was $220.“

#4 Phishing: Phishing continues to become more sophisticated, more effective, and more prevalent. In one example, criminal hackers waited until Pennsylvania school administrators were on vacation, then used simple money transfers to liquidate over $440,000 between December 29 and January 2, 2010.

#5 Spear Phishing: Spear phishing occurs when the scammers concentrate on a localized target, usually an individual with control over a company’s checkbook. This insidious type of phishing occurs when a recipient clicks a link, either in the body of an email or on the spoofed website linked in the email, and a download begins. That download is almost always a virus with a remote control component, which gives the phisher full access to the user’s data, including user names and passwords, credit card and bank account details, and Social Security numbers.

Never, ever click on links in the body of an email. There is always a workaround.

Like mom said, if it sounds too good to be true, it probably is. And even if you will never fall for these scams, someone in your life might be a tad more naïve. So educate them.

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information, as well as access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss job scams on Fox News.(Disclosures)

Mobile Phone Security Under Attack

As mobile Internet usage continues its rapid growth, cyber criminals are expected to pay more attention to this sector. Mobile device platforms compete for content creators’ latest innovations, which often require more and more device access. As applications and other content are more widely distributed, security breaches will be inevitable.

The speed of technological advancement and the demand for new products and services make mobile phones particularly vulnerable. In some countries, almost all banking takes place with the use of phones.

Spyware, which was created as a legitimate technology for PCs, further complicates matters. Spyware can track and record social networking activities, online searches, chats, instant messages, emails, keystrokes, websites visited, and programs launched. It can be the equivalent of digital surveillance, revealing every stroke of the user’s mouse and keyboard. When a PC or phone becomes infected with spyware, all the data on that PC or phone is immediately compromised.

Mobile phone spyware is relatively new, and is quickly grabbing headlines. As PCs shrink to the size of a smartphone, spyware continues to evolve. This software records nearly everything a person does on a phone. Some spyware programs can record everything in a video file that can then be accessed remotely.

Spyware can be installed on your cell phone remotely or directly. To protect your phone, never click on links in texts or emails, since these links may actually point toward malicious downloads. Keep your phone with you, don’t let it out of your sight, and don’t share it with others. Make sure your phone requires a password, as this makes it more difficult to install spyware.

If your phone is behaving oddly or you have some other reason to suspect that it contains spyware, reinstall the phone’s operating system. Consult your user manual or call your carrier’s customer service for step-by-step help with this process.

With more than 11 million victims just last year, identity theft is a serious concern. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Educate and protect yourself – please visithttp://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss mobile phone spyware on Good Morning America(Disclosures)

Five Ways Identities Are Stolen Online

Cybercrime has become a trillion dollar issue. In a recent survey, hundreds of companies around the world estimated that they had lost a combined $4.6 billion in intellectual property as a result of data breaches, and spent approximately $600 million repairing the damage. Based on these numbers, McAfee projects that companies lost more than a trillion dollars in the last year.

There are several motives for this type of theft, but the most prevalent is to steal identities. Your identity is your most valuable asset, but most consumers lack the time, knowledge, and resources to protect their identities. Five of the most common ways identities are stolen online are through phishing scams, P2P file sharing, social networking, malicious websites, and malicious attachments.

Phishing: Phishing scams still work. Despite consumer and employee awareness, a carefully crafted email that appears to have been sent by fellow employee or trusted entity is probably the most effective spear phish. “Whaling,” or targeting a CEO or other high level executive with a phishing email can be even more successful. As they say, the bigger they are, the harder they fall. Never click links in emails, even if they appear to come from a bank or other trustworthy source. Instead, type the address in manually or use a bookmark.

P2P File Sharing: Peer-to-peer file sharing is a fantastic way to leak company and client data to the world. Obama’s helicopter plans, security details, and notes on Congressional depositions have all been leaked on government-controlled computers via P2P. You should set administrative privileges to prevent the installation of P2P software.

Social Networking: One of the easiest ways into a company’s networks is through social media. Social networking websites have grown too big, too fast, and can’t keep up with security. Criminals know exactly how to take advantage of this, so create policies and procedures that outline appropriate use, and beware of social networking scams.

Malicious Websites: Websites designed to attack your computer and infect it with viruses number in the millions. Hacked websites, along with out-of-date operating systems and vulnerable browsers, put your identity at risk. Use antivirus software to protect your PC and your data.

Malicious Attachments: PDFs used to be safe, but Adobe is the same boat today that Microsoft found itself in years ago: hack central. Adobe’s software or files are used on almost every PC and across all operating systems, and criminal hackers love it. Every browser requires software to view PDFs and many websites either link to PDFs or incorporate Adobe Flash to play video or for aesthetic reasons. According to an estimate from McAfee, in the first quarter of this year, 28% of all exploit-carrying malware leveraged an Adobe Reader vulnerability.

Identity theft can happen to anyone. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection puts victims first, providing live access to fraud resolution agents who work with victims to help restore identities. For additional tips, please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss P2P file sharing on Fox News. (Disclosures)

Half Billion Records Breached in 5 Years

In the late 90s and early 2000s, hacking had evolved from “phreaking” (hacking phone systems) to “cracking” (breaking into networks). At the time, hackers hacked for fun, for the challenge, and for fame and popularity within the hacking community. But soon enough, the public began spending more time online, shopping, banking, and managing personal affairs. Hackers are no longer wreaking havoc for its own sake, deleting files, or tormenting IT administrators. Now, they’re stealing proprietary data. Instead of fun and fame, today’s hackers are motivated by illegal financial gain.

Over the past five years, criminal hackers from all over the world have been targeting huge databases of Social Security and credit card numbers. The endgame for criminal hackers is identity theft. Once they obtain stolen data, their objective is to turn it into cash as quickly as possible. This either entails selling the data to identity thieves on black market forums, or using the information to create new accounts or to take over existing credit card accounts.

According to the Privacy Rights Clearinghouse’s Chronology of Data Breaches, more than 500 million sensitive records have been breached in the past five years. The Chronology of Data breaches lists specific examples of incidents in which personal data is compromised, lost, or stolen: “employees losing laptop computers, hackers downloading credit card numbers and sensitive personal data accidentally exposed online.”

So when a so-called “identity theft expert” claims that you can protect yourself from identity theft for free, simply by shredding documents, not giving out your Social Security number, locking your mailbox, and monitoring your online accounts, that person does not have the full picture. You should take all these precautions. But when almost everyone’s personal information has been stolen or compromised once or twice, as a result of breaches that are entirely out of our control, it’s clear that you simply can’t protect yourself on your own. This is why identity theft protection is a must.

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information, as well as access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visithttp://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss an identity theft pandemic on CNBC. (Disclosures)

Social Media is a Criminals Playground

Social media has become a playground for adults, teens, and tweens. And like on any playground, when you hit the jungle gym or horseplay on the seesaw, there is always a chance that you may go home with an egg on your forehead. Or, if you are like me, a broken collarbone.

Twitter and Facebook have become the most popular sites for frolicking, and the most popular sites for identity thieves — the bullies in the playground. These criminal hackers make social media very dangerous. They are attacking these sites to get at you, the end user. Users’ computers can become infected after users click links that appear to be safe, but actually prompt a malicious download or lead to a spoofed website.

New worms and viruses are infecting social networking websites every day. As these sites expand, they adopt new technologies that sometimes create holes through which they can be attacked. Social networking websites’ open nature allows users to upload content including files that may contain “scripts,” or code, designed to infect the site. Participating in user-submitted surveys, quizzes, and other applications may result in spam or stolen data.

The websites themselves host millions of users and they simply can’t protect every user. New technology is developed at a rate that vastly outpaces the security necessary to keep those technologies bulletproof. Essentially, you’re on your own.

While it is rare for a user to post Social Security numbers, which can directly lead to identity theft, on a social networking website, these websites or their users’ actions can compromise PCs, which does ultimately lead to identity theft.

Always make sure to run antivirus software, such as McAfee Total Protection, and invest in McAfee Identity Protection, which monitors your Social Security number and several other parameters of your identity. Learn more about how to protect yourself at http://www.counteridentitytheft.com/.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss Facebook scammers on CNN. (Disclosures)