Thieves steal 30 Cars using Software

/in , , /by

Who needs a hanger to steal a car when you can use a laptop? Despite today’s vehicles having far more sophisticated security protection, thieves can still break in—like the two crooks who stole at least 30 Dodge and Jeep vehicles…with just a laptop computer.

11DIn Houston, video showed the pair in the act, though authorities are still working on piecing together just how the capers were pulled off.

One possibility is that a database contains codes that link key fobs to cars. Perhaps the thieves, who may be part of a ring, somehow got access to this database (one theory is that a crooked employee sold them the access), and from there, created key fobs based on vehicle ID numbers. VINs are visible on vehicles. Vehicles that are targeted for theft don’t “know” an authentic fob from a fraudulent one.

Again, this is all conjecture, but one thing’s for sure: The pair did not steal the vehicles the old-fashioned way.

Though today’s electronic security measures will stop the thief who lacks techy know-how and prefers the coat hanger and hotwire method, technology won’t stop smarter, more ingenious crooks who feel quite at home committing cyber based crimes.

With more and more criminals relying on the Internet of Things to commit all sorts of crimes, maybe the best security for a motor vehicle would indeed be one of the old-fashioned security features: install a kill switch.

Robert Siciliano, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Inside the Business E-mail Compromise Scam

/in , , /by

Trick e-mail = fraudulent wire transfer = hundreds of thousands to millions of dollars stolen.

emailThat’s what’s happening with business executives in select industries (e.g., chemical operations, manufacturing), says a report at threatpost.com, citing a finding from Dell SecureWorks.

The phishing e-mails are part of those Nigerian scams you’ve heard so much about, a business e-mail compromise scheme.

Security researchers have gotten a good glimpse into the inner workings of the BEC, thanks to one of the hackers, a key player, accidentally infesting his computer with the BEC malware.

The threatpost.com article explains that Joe Stewart of Dell’s Counter Threat Unit says that this hackster routinely uploads keystroke logs and screenshots to a server. This data includes many identities of the hacking group, and has been given to law enforcement for investigation. Stewart says that, thanks to the accidental infection, researchers have gained insight into the innards of their operation, such as viewing the group’s desktops.

What the hackers do is scour websites of specific industries for e-mail addresses. They construct e-mails, add malicious attachments, then send them along, hoping to get into a user’s account, which they then compromise. Their goal is monetary transactions between the target company and the hackers pose as a vendor which the company may already deal with.

The hacker/vendor replies with invoice and payment instructions, and the company is not aware that the recipient is the hacker. The hacker forwards the e-mail to the buyer who is tricked into wiring funds to the hacker. Though this group is not sophisticated, they’ve managed to come away with hundreds of thousands of dollars just from one company. Upon success the wired funds are directed to the hackers.

Overall, the scams have resulted in $3.1 billion lost, says the FBI. The article points out that the BEC scheme is not to be confused with the BES scams (business e-mail spoofing). The BEC operation doesn’t send spoofed e-mails; it uses malware or exploits to gain control of e-mail accounts.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Jihadis using easy to get Privacy Software

/in , , /by

Over the past two years, the media has tended to sensationalize jihadists’ rapid adoption and strategic use of social media. Despite perpetual news coverage on the issue, the public, by and large, continues to be relatively in the dark about the intricate ways in which many jihadists maintain robust yet secretive online presences.

To accomplish their goals — ranging from propaganda dissemination and recruitment to launching attacks — jihadists must skillfully leverage various digital technologies that are widely advertised and freely accessible online.

Just as smartphones and portable devices have transformed the way much of the world communicates and interacts, jihadists, too, have rapidly adopted and availed themselves of these technologies.

Their grasp of technology, which is quite savvy, yields one of the most frequently asked questions about the jihadists today: What is in their digital toolbox and how do they exploit these technologies to benefit their activities? This report explores these questions.

ISIS is no exception to the many entities out there, good and evil, who want a strong grasp on technical savvy, particularly software that can oppose surveillance. The Dark Web is abuzz with jihadist threads about how to beat surveillance systems. And they’re learning a lot, says a report from Flashpoint, a cybersecurity firm.

For instance, ISIS knows how to use Tor and Opera to scavenge the Web undetected. That’s just the beginning of their software knowledge. Jihadists also use:

In short, ISIS is very well keeping up with communications technology. Evil can be technologically savvy, too. Do not underestimate the technical prowess of jihadists, even though it seems as though some of them live rather primitively.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

What is the Signaling System No. 7 Network?

/in , /by

The iPhone has a vulnerability called the Signaling System 7 (SS7) that allows crooks to hack into the device.

4WThis was demonstrated on a recent “60 Minutes” episode in which a U.S. congressman (with his permission) had his iPhone hacked by German cybersecurity experts. The white-hat hackers got his phone number and eavesdropped on the conversation.

Penetration of the flawed SS7 makes it possible to listen in on conversations, intercept texts and track the victim’s movements. The congressman subsequently called for an investigation into the vulnerability.

The vulnerability was initially unearthed in 2014 at a German hacking conference. This SS7 flaw is not just a U.S. phone carrier problem, either. Mobile device carriers around the world are affected by this as well. A global attack on this vulnerability is very much warranted.

The criminals who carry out these attacks have a strong preference for targets who are not the regular Joe or Jane, but people of political significance or who represent major organizations.

So regardless of how “important” you are, what can you do?

  • Your mobile device should be fully equipped with security software.
  • Make sure that this software is always updated. Do not ignore update alerts.
  • You should not rely on just a single layer of security, no matter how strong.
  • Also keep in mind that skilled hackers can figure out ways to circumvent a layer of security. The more layers that your iPhone has, the less likely a crook will be able to penetrate it.
  • Load up on the layers of protection, which include a passcode and biometrics such as a fingerprint scanner. Go for depth.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Can Two-Factor Authentication actually fail?

/in , , /by

You’ve probably read many times that two-factor authentication is a superb extra layer of protection against a thief hacking into your accounts, because gaining access requires entering a One Time Passcode (OTP)—sent via text or voice—into a login field. In other words, no phone, no access.

7WBut CAN a hacker get the phone? Ask Deray McKesson, an activist with Black Lives Matter. Hackers got his phone.

Now, this doesn’t mean they busted into his home while he was napping and took his phone. Rather, the thief took control of his mobile account.

The thief rerouted McKesson’s text messages – to a different SIM card that the mobile carrier, Verizon, had issued to the thief. This is how the criminal got the two-factor code. Next thing, the imposter was in McKesson’s Twitter and e-mail accounts.

So though two-factor is a pretty well-padded extra layer of protection, it can be circumvented.

“Someone called Verizon impersonating me,” tweeted McKesson on June 10. The crook got a different SIM this way. The flaw isn’t the two-factor system. In this case it was Verizon, allowing this to happen just too easily.

“Today I learned that it is rather easy for someone to call the provider & change your SIM,” says a subsequent tweet. Though Verizon does require the last four digits of the user’s SSN to get a new SIM card, this isn’t enough to filter out imposters, as we see here. McKesson further tweeted he was “not sure” how the imposter knew those last four digits, but that “they knew it.”

Verizon has since implemented additional safeguards.

So what really happened? How did someone get McKesson’s SSN? Did he reveal it somewhere where he didn’t have to? And then the wrong person saw it? Was he tricked into revealing it through a phishing e-mail?

Nevertheless, here’s what to do:

  • Set up a secondary code on your phone’s account.
  • This is a personal identification number that an imposter would have to reveal before any changes were made to the account—even if he gave out your entire SSN to the mobile company rep.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Parents legally can spy on their Kids

/in , , /by

Just because something is legal, does that mean you should do it? In the case of spying on your kids’ phone activities, some say yes. Though the very same mode of operation is illegal in most states when the eavesdropper is your boss or anyone else and you’re the “eavesdropee,” this same mechanism is legal and encouraged for parents to their kids.

12DYou’re probably envisioning a parent listening in on their boy-crazy teen daughter’s phone conversation. But it’s more than that.

According to a nydailynews.com article, the Court of Appeals in New York ruled that secretly listening in on and even recording a cellphone conversation is legal—after a man recorded a cellphone conversation involving his five-year-old son. The child’s mother’s boyfriend, over the phone, threatened to beat him.

Dad acted in good faith when he wired the phone, and the slime who made the threat, was convicted on three counts. But his attorney claimed that the eavesdropping was illegal and thus, the conversation was not admissible.

The judge in this case pointed out that not all cases come in template form inside a black box. But can a parent eavesdrop on an older child who’s cognizant enough to rationally protest? Again, we can’t apply a cookie cutter to this concept. But in New York, it’s legal to conduct this practice, with the assumption that the parent is acting in the best interest of the minor.

In another case, points out the article, a woman inserted a tape recorder in her autistic son’s backpack to pick up the suspected verbal abuse from the boy’s bus matron.

The line can be very fuzzy over just when it’s ethical for a parent to tap a child’s phone conversations and when it’s done for more self-serving reasons, such as in divorce cases. Again, it’s legal in New York, because it was determined that the potential benefits far outweigh the potential grievances.

At least 12 other states, though, are on board with this doctrine of vicarious consent, including New Jersey, Texas, Arizona, Maine and the Carolinas. Hopefully, not too many parents will abuse this legal right and end up eavesdropping for the fun of it or to show off their “power” as the adult in charge.

But that fact is, kids can get into lots of trouble with their physical and digital lives if their parents are unaware of what’s going on.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Beware of the CEO E-mail Scam

/in , /by

Beware of the B.E.C. scam, says a report at fbi.gov. The hackers target businesses and are good at getting what they want.

emailThe hackers first learn the name of a company’s CEO or other key figure such as the company’s lawyer or a vendor. They then figure out a way to make an e-mail, coming from them, appear to come from this CEO, and send it to employees.

The recipients aren’t just randomly selected, either. The hackers do their homework to find out which employees handle money. They even learn the company’s particular language, says the fbi.gov article. The company may be a big business, small enterprise and even a non-profit organization.

Once they get it all down, they then request a wire transfer of money. This does not raise red flags in particular if the company normally sends out wire transfer payments.

This CEO impersonation scam is quite pervasive, stinging every state in the U.S. and occurring in at least 79 other nations. The fbi.gov article cites the following findings:

  • Between October 2013 and February 2016, complaints came in from 17,642 victims. This translated to over $2.3 billion lost.
  • Arizona has been hit hard by this scam, with an average loss per scam coming in at between $25,000 and $75,000.

Companies or enterprises that are the victim of this scam should immediately contact their bank, and also request that the bank contact the financial institution where the stolen funds were transferred to.

Next, the victim should file a complaint with the IC3.

How can businesses protect themselves from these scam e-mails?

  • Remember, the hacker’s e-mail is designed to look like it came from a key figure with the organization. This may include the type of font that the key figure normally uses in their e-mails; how they sign off (e.g., “Best,” “Thanks a bunch,”), and any nicknames, such as “Libbie” for Elizabeth. Therefore, contact that person with a separate e-mail (not a reply to the one you received) to get verification, or call that individual.
  • Be suspicious if the e-mail’s content focuses on a wire transfer request, especially if it’s urgent.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Before you die, do This

/in , , /by

“Nobody likes to do it, but it has to be done.” You’ve heard that before. This time, it applies to 26 documents that you should have all bundled up in a folder that trusted family members have access to (someplace where fire and water won’t damage them). But first let’s go over some details about what should be in that bundle.

1PEssential Documents

  • Your will: Some say not a copy, but the original, accompanied by instructions. Supplying everyone in your will a copy is also advised by others.
  • A completed power of attorney form that your benefactors have access to, should you become rendered impaired.
  • Complete list of loans you’ve made to others, and debts.
  • Proof of ownership of the following if you have them: owned property/housing, vehicles, cemetery plots, savings bonds, stock certificates, brokerage/escrow mortgage accounts and partnership/corporate operating agreements.
  • Last three years’ of tax returns might seem excessive, but if you can, do it.

Bank Accounts

  • Name of bank and phone number, account numbers, online login information
  • Register a family member or spouse’s name with the bank; have them sign the registration document to allow them access to your accounts.
  • A list of safe deposit boxes if you have them

Retirement List

  • Pensions
  • Annuities
  • IRAs
  • 401ks

Medical

  • Power of attorney form. If you become incapacited, who will make medical care decisions for you? This should also be IN your will.
  • Choose your POA attorney while you’re of sound mind.
  • Have it spelled out how you’d like to be treated in the event of incapacitation (and this includes what should be done if you end up in a persistent vegetative state). Who pulls the plug?

Marriage & Divorce

  • Does your spouse know where your marriage license is?
  • If you’re divorced, make sure there are documents spelling out child support, alimony and any property settlements and financial divisions. To avoid disputes, include bank account numbers for the appropriate settlements.
  • Keep copies of life insurance documents.
  • Last but not least is the qualified domestic-relations order, that can prove your spouse got a share of your retirement accounts.

Life Insurance

  • Family members should have copies of life insurance documents and contact information for the carrier.

In a Nutshell, the Top 26

  1. Marriage license
  2. Divorce papers
  3. Living will (what should be done if you’re alive but incapacitated)
  4. Personal/family medical history
  5. Authorization to release medical care information
  6. Durable healthcare POA
  7. Do-not-resuscitate (DNR) order
  8. Tax returns
  9. Housing, land and cemetery deeds
  10. Escrow mortgage accounts
  11. Proof of loans made and owed debts
  12. Titles for vehicles
  13. Stock certificates, savings bonds and brokerage accounts
  14. Partnerships and corporate operating agreements
  15. Life insurance policies
  16. IRAs
  17. 401ks
  18. Pension documents
  19. Annuity contracts
  20. Bank account list
  21. List of bank usernames and passwords
  22. Safe-deposit box list
  23. Will
  24. Letter of instruction for the will
  25. Trust documents
  26. Updated passwords document for all your critical accounts.

Do you have docs you think should be on this list? Please provide in the comments.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Posting Kids’ Photos online is illegal?

/in , , /by

In France, anything is possible. Like getting tossed in jail for posting your children’s photos on Facebook.

12DYes indeed, it’s true. People in France might be put behind bars for putting their kids’ pictures on Facebook. Or, they may face heavy fines. This is because the French authorities deem posting kids’ photos online threatens their security.

Parents are being warned about the consequences of this violation. The authorities believe that posting images of one’s kids online can lead to some pretty nasty things:

  • Photo-napping, particularly by pedophiles
  • Stealing the images and posting them on adoption sites
  • Kids, when grown, suing their parents for emotional damage that they think resulted from photos of their younger selves being posted online
  • Parents may even sue each other if photos of their kids go up after a divorce.

France’s privacy laws are a force to be reckoned with. How does a year in prison and a fine of almost $50,000 sound for posting children’s photos? Wow, French parents really better watch out when posting that photo of the family reunion or company picnic with kids in the background.

If you’re poo-pooing France right now, save your poo-poos for Germany as well. German police are urging parents to stop posting their kids’ images—especially because a lot of people are putting up images of their kids naked in the context of water activities.

Maybe if fewer parents got off on posting pictures of their naked toddlers and even older children (one can only guess what these parents are hoping to accomplish), the police wouldn’t be so rigid.

Still think the police are over-reacting? And maybe they are, but consider this: According to The Parent Zone, the average person posts nearly 1,000 images of their child online by the time that child blows on five birthday candles. Now maybe The Parent Zone isn’t the gospel, but we all know people who seem to have 8,000 pictures up of their children on social media.

What’s even more staggering, says The Parent Zone, is that 17 percent of these parents have never bothered to set their Facebook privacy settings. And 46 percent checked the settings only one or two times. This all means that these parents absolutely are in denial that some weirdo isn’t drooling over their naked preschooler in the backyard baby pool.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Protect Yourself from Online Dating Scams

/in , , , /by

$200 million: The amount people were ripped off by online dating scams in a year.

1FDUI: dating while under the influence…of the quest for love…is costly to countless people.

A nytimes.com article notes that this quest impairs judgment, making it easy for con artists to bilk lonely people. Or are some people just plain stupid? But many victims are highly educated.

It all begins with a phony profile that grabs the victim’s attention. The nytimes.com report points out that the scamster uses attractive photos stolen off of other sites.

INTERRUPTION: If he/she is too gorgeous to be true, right-click the image to see where else it appears online! Is “Emilene McKenna” whom she says she is?

These scammers come from anywhere on the globe.

  • They prey upon loneliness, greed and desire.
  • Overseas scam rings
  • Solitary scammers working at home late at night
  • Women, not just men
  • They almost always profess to be in a glamorous or exciting line of work, though occasionally, they’ll pose as a more common person (perhaps to appear less suspicious).
  • People of all ages and walks of life, plus sexual orientations, are targeted.
  • The common denominator is a request for money.
  • Reasons for money requests run the gamut but usually focus on medical bills, legal fees or fees relating to a planned trip to meet the victim (which never occurs).

The nytimes.com article quotes victim specialist Debbie Deem that these con artists are skilled at mirroring the victim’s needs and creating “a sense of intimacy very quickly.” The victim soon becomes convinced that this is their soulmate—and thinks nothing of sending them the requested money.

However, the scammer may reveal their true colors after luring the victim into posing for raunchy photos or videos: The crook threatens to expose these unless the victim sends them money.

Other Facts

  • Being offered a spouse is a growing ruse.
  • Some victims have lost over $400,000.
  • Significant contact from the scammer lauding the victim.

How to Protect Yourself

  • If you haven’t already figured that out after reading this article…I’m very worried.
  • In addition to right-clicking the photo, copy and paste the profile’s narrative into a search engine and see if it shows up anywhere else like on an unrelated person’s blog or another dating profile under a different name.
  • NEVER SEND MONEY! Think: They’ve gotten this far in life without your financial help; they’ll survive without it.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.