Data Leakage is a Correctable and Solvable Problem

WNYT.com reports “the Social Security Administration in New York City says that 15,000 Social Security numbers were stolen by a subcontractor who was working in Office of Temporary Disability Assistance making computer infrastructure upgrades.”

In this case the culprit is a subcontractor, who succeeded because he had the contractor’s credentials/passwords and/or because the files containing the SSN info weren’t encrypted.

The problem with protecting only with userid/passwords is well understood. Passwords are generally 123456 or otherwise easily cracked. Even if the password is a good one, chances are it is used on dozens of other sites that don’t do a good job of protecting it.

In this case the password gave a “good guy” access and he went rogue.

Some organizations think that deploying Full Disk Encryption (FDE) or File and Folder Encryption (FFE) provides them the desired security level. The point often missed is that even with Full Disk Encryption or File and Folder Encryption in place, users with correct credentials can access, copy, transfer/download to USB sensitive data without any problem.

I’ve said this before and I’ll say it again: Zafesoft can prevent such incidents from both of the above. Company administrators can remove access for a suspected malicious insider at any time and even if they have the physical file with them, it’ll be in encrypted format which they won’t be able to open.

Secondly, the Zafe technology travels with the information, so they wouldn’t have been able to open the files even if they were a legitimate user unless they were also using an approved laptop that has been registered and authorized with the company.

Moreover, the moment they copied the data and tried to open it on a non-authorized laptop, an alert would have gone to Company administrators warning them of a possible theft, and they could have prevented the incident from happening.

Robert Siciliano is a Personal Security and Identity Theft Expert. See him discussing another data breach on Good Morning America. (Disclosures)

Blue Cross Blue Shield Applications Found in Trash

Ever apply for insurance of any kind? There is always a litany of paperwork and the process is always frustrating and somewhat demeaning. Insurers’ applications feel invasive and ask questions that require information that you may not even tell your mom.

What’s worse is they have to be given to another person who you often do not know. What’s even worse than that is you really have no control over what that agent will do with the information.

Private investigator William Cobra Staubs was doing some dumpster diving, conducting some “research” this week, and happened upon a big box of discarded medical files and applications tossed there by what appears to be a Blue Cross Blue Shield agent who didn’t need them any longer. He found over 30 documents and approximately 50 Social Security numbers.

“Cobra”, as he is known, is no stranger to controversy himself as a one-time Haleigh Cummings case investigator who accepted a plea deal in charges against him concerning his apprehension of a registered sex offender. He has also had intimate dealings in the OJ Simpson case. This is a guy to know.

Cobra determined who the agent was by finding a page from the agent’s “day planner”.

Personal identifying information is often collected by businesses and stored in various formats, both digital and traditional paper. With identity theft a growing problem in the country, many states have passed laws that require entities to destroy, dispose of, or otherwise make personal information unreadable or undecipherable, in order to protect an individual’s privacy. At least 29 states, listed HERE, provide laws that govern the disposal of personal data held by businesses and/or government. See also Security Breach Notification Laws and Identity Theft Statutes.

Robert Siciliano is an Identity Theft Expert. See him discussing Social Security numbers on Fox News.

Yahoo News Search Results “Robert Siciliano”

This is seriously braggadocious. But it’s a nice way to end 2010 on a high note.

  • Fox News – Dec 20
  • The Huffington Post – Dec 16
  • US News & World Report – Dec 14
  • MSNBC – Dec 04
  • ABC News – Nov 29


2010 was a great year. 2011 will be great-er. Thanks to all.

Thank you McAfee, ADT, Gemalto, Intelius, Knowem, RSA, and all my dynamite clients!

Happy New Year!




How to Recover a Lost iPhone

You may be one of the millions and millions who own and love your iPhone. What I love about mine is the ability to work from anywhere and I can also view my home security cameras through an iPhone application.  ADT Pulse provides customers with anywhere, anytime access to their home via smart phones or personal computers, including an iPhone application.

But what if you lost your iPhone? Certainly you can just get another one, but what if you are within the timeframe that you can’t get a subsidized phone upgrade? You may have to spend hundreds and hundreds on an unsubsidized iPhone. Fortunately, you have a great option to recover a lost iPhone that works with your iPhone’s GPS.

It’s easy. Activate Find My iPhone. This is a subscription based service ($99 annually) if your iPhone is a 3G or 3Gs. Find My iPhone is FREE if you have an iPhone 4.

Just enable Find My iPhone in the MobileMe settings on your iPhone or iPad. Then sign in to me.com from any computer or using the Find My iPhone app on another iPhone, iPad, or iPod touch to display its approximate location on a full-screen map.

When I did this the process was a little buggy because of my inability to connect my phone to the Me/Find My iPhone Account.  Once you log into Me.com with your Apple credentials, the same credentials you use to download an App on your iPhone, the phone should connect.

Find My iPhone locates your phone via a map and tells you an approximate location. It also allows you to send a message to whoever may have found the phone (like a number they should call to return it), and it overrides your vibrate setting and emits an alarm if you send a signal and are in range to listen for it. If all else fails, Find My iPhone can wipe all your phone’s data remotely to help prevent identity theft.

Robert Siciliano personal security expert to Home Security Source discussing mobile phone spyware on Good Morning America.

Protecting Yourself and Family During The Holidays

Criminals share the same calendar as you and I. Their lives are no different than ours. They anticipate the holidays and feel the same pressures to provide. But they “shop” in a different way than we do. I’m already seeing news reports of “Woman attacked while shopping” and “Teens jump man leaving jewelry store”.

The only thing that separates us from them is the boundaries they have established. While you and I are civilized humans who feel sympathy, empathy and understand personal boundaries, the bad guys don’t.

It is an unfortunate fact that we must cope with this sub-species that views you and me as their natural prey. They look upon us as cattle to be herded and meat to be slaughtered. They think nothing of taking from us and committing violence to get what they want.

Having this knowledge and understanding what you are up against should empower you. By achieving this kind of awareness, you can anticipate and proactively prepare and prevent crime.

The following considerations need to be made as the holidays advance:

Every tip here revolves around “situational awareness”. The more aware you are of every situation, the safer and more secure you will be. Predators seek people who are unaware. By knowing what’s happening around the perimeter of your body you reduce the chances of being chosen by an attacker.

ATM: As you are getting cash look around you, cover the keypad with your other hand as you enter your PIN. If someone makes an attempt to accost you, toss the money and run.

Parking lots: Don’t park near windowless vans. Before you get out of the vehicle scan the area. Once you are on your way continually scan the area around you. If anyone suspicious or aggressive approaches scream and run.

Wallet/purse: Carry “chump change” which is enough dollars to toss in one direction while you run in the other. If they want your purse give it to them. Don’t fight over material items.

Self Defense: If your physical security is in jeopardy offering resistance has been proven more often to get you out of a dangerous situation. Run, fight, kick, scream, and do whatever a 2 pound cat would do to get away.

Leaving the Mall: It’s never good to be loaded down with bags. Get a carriage if possible. If you are shopping late at night get a security guard to walk you out or buddy up with someone leaving the mall.

Back to your car: Scan the area around your car. Look inside the car before getting in. Scan the area around the vehicle while putting your stuff in the trunk. Once inside lock your doors.

Robert Siciliano personal security expert to Home Security Source discussing self defense on Fox Boston.

Is “Enterprise Rent a Car” Insurance a Scam?

I rent cars all the time. I travel and need to get around so I can teach people about how scams work and how to protect themselves. Yesterday I encountered what seems like a scam but is probably just very unethical behavior on the part of Enterprise Rent a Car.

Here is how it played out.

I head to the counter to rent my car. The Enterprise Rent a Car agent asks me, “Robert, would you like to purchase rental insurance for your car today”. I say “No, I have American Express and they take care of my rental car insurance”. Which they do. I’m Platinum on AMEX and AMEX ROCKS. Their card offers physical damage insurance but not liability. Liability insurance is paid via my personal policy.

The Enterprise Rent a Car agent responds “I’m sorry; we don’t have a contract with American Express.”

Her statement “I’m sorry, we don’t have a contract with American Express” more than likely was a statement that was provided to her in sales training by Enterprise Rent a Car to overcome objection.

That statement makes an American Express card holder doubt whether or not their American Express card covers rental car insurance.

So I respond to her again, “Well, I’m pretty sure my AMEX covers me” and she responds again, “Sir, I’m trying to tell you we don’t have a contract with American Express and you will have to go through them for that”. She is now reinforcing her original statement and trying to put further doubt in my mind. Then she says, “Sir, may I suggest to you that you purchase insurance, it is only $21.00 for the day and you will be protected”. This statement further suggests that my AMEX will not cover me.

The language she used was possibly engineered by someone whose motivation was to overcome objection in the insurance sales process. Enterprise Rent a Car agents and all other rental car agents hear the same statement in regards to AMEX every day. However in my experience when Hertz agents hear me say “No, I have American Express and they take care of my rental car insurance”, Hertz agents respond with “OK” and nothing more. Hertz has elected to take the high road and not try to scam me into paying for insurance I do not need.

However Enterprise Rent a Car, instead, pads their bottom line with unethical language meant to confuse the public and get them to pay for insurance they clearly do not need.

Shame on you Enterprise Rent a Car.

Robert Siciliano identity theft and personal security expert discussing scammers and thieves on The Big Idea with Donnie Deutsch.

McAfee Reveals the Top Ten Most Dangerous Places to Leave Your Social Security Number

Universities/Colleges are the Riskiest

Research conducted by Robert Siciliano, Identity Theft expert, on behalf of McAfee

Cases of identity theft are skyrocketing, and 32% of all ID theft victims had their social security number compromised according to Javelin’s 2010 Identity Fraud Survey Report.  In honor of National Identity Protection week, McAfee set out to reveal the most dangerous places to leave your social security number.

When your Social Security number is used to commit fraud, it feels very personal. It can take hundreds of hours and sometimes thousands of dollars to rectify this violation.

Criminals find these crucial nine digits on discarded files in dumpsters, inside an organization’s file cabinets, in any of the hundreds of databases maintained by government, corporate, and educational institutions, or even in public records, which are freely accessible on the Internet.

Robert Siciliano, on behalf of McAfee, analyzed data breaches published by the Identity Theft Resource Center, Privacy Rights Clearinghouse and the Open Security Foundation that involved Social Security number breaches from January 2009 – October 2010 to reveal the riskiest places to lose your ID.

The top 10 most dangerous places to give out your Social Security number are:

#1 – Universities/Colleges (108)

#2 – Banking/Financial Institutions (96)

#3 – Hospitals (71)

#4 – State Governments (57)

#5 – Local Governments (44)

#6 – Federal Governments (33)

#7 – Medical Businesses (27) (Please note: These are businesses that concentrate on services and products for the medical field such as distributors of diabetes or dialysis supplies, medical billing services, pharmaceutical companies, etc.)

#8 – Non-Profit Organizations (23)

#9 – Technology Companies (22)

#10 (tied) – Medical Insurance and Medical Offices/Clinics (21)


Your Social Security Number is Your National ID

For the past 70 years, the Social Security number has become our de facto national ID. The numbers were first issued in the 1930s to track income for Social Security benefits. But functionality creep, which occurs when an item, process, or procedure ends up serving a purpose that it was never intended to perform, soon took effect.

Here we are, decades later, and the Social Security number has become the key to the kingdom. You’re forced to disclose your Social Security number regularly, and it appears in hundreds or even thousands of files, records, and databases, accessible to an untold number of people.

What’s the danger of it getting into the wrong hands? Anyone who does access your Social Security number can use it to impersonate you in a hospital, bank, or just about anywhere else.

Hackers are Getting the Key to your Credit

Any organization that extends any form of credit is going to need your name, address, date of birth, and Social Security number in order to verify your identity and run a credit check. This means hospitals, insurers, banks, credit card companies, car dealerships and other retailers, and even video rental stores.

Now more than ever, criminal hackers are hacking into databases that contain Social Security numbers and using the numbers to open new financial accounts. Criminals use stolen Social Security numbers to obtain mobile phones, credit cards, and even bank loans. Some victims whose Social Security numbers fell into the hands of identity thieves have even had their mortgages refinanced and their equity stripped.

When should you provide your Social Security number, and when should you refuse?

According to the Social Security Administration, you should:

1. Show your card to your employer when you start a job so your records are correct

2. Provide your Social Security number to your financial institution(s) for tax reporting purposes

3. Keep your card and any other document that shows your Social Security number on it in a safe place

4. DO NOT routinely carry your card or other documents that display your number

But beyond that they have no advice and frankly, no authority.

A federal law, 42 USC Chapter 7, Subchapter IV, Part D, Sec. 666(a)(13), enacted in 1996, determines when the numbers should be used. The law requires Social Security numbers to be recorded for “any applicant for a professional license, driver’s license, occupational license, recreational license or marriage license.” It can be used and recorded by creditors, the Department of Motor Vehicles, whenever a cash transaction exceeds $10,000, and in military matters.

What happens when you refuse to give out your Social Security number?

–  Many people refuse, and quickly discover that this creates a number of hurdles that must be overcome in order to obtain services. A demand may be made that you, the customer, jump through a series of inconvenient hoops.

– Most customers are denied the service altogether, and from what we can tell, this is perfectly legal.

– When faced with either option, most people give up, and hand over their number.

These organizations often state the Social Security number requirement in their terms of service, which you must sign in order to do business with them. They acquire this data for their own protection, since by making a concerted effort to verify the identities of their customers, they establish a degree of accountability. Otherwise, anyone could pose as anyone else without consequence.

Although I’d rather not, I frequently provide my Social Security number. But I do take steps to protect myself, or at least to reduce my vulnerability.

Tips To Protect Yourself:

1. In honor of National Protect Your Identity Week (October 17-23, 2010), check your credit report this week using a reputable firm such as Experian, and set reminders every three months to review it again.

2. You can refuse to provide your Social Security number.

3. Invest in an identity protection service. Because there are times you cannot withhold your Social Security number, an identity protection service can monitor your bank information and your personal ID. McAfee® Identity Protection (CounterIdentityTheft.com) will alert you, help prevent loss of personal information, and allow unlimited checks of your credit, credit monitoring, scanning of the internet and identity fraud resolution.

4. Securely dispose of mail. The standard advice is to thoroughly shred preapproved credit card offers and anything that includes any account information. While this is good advice and should be heeded, it’s not going to protect you when your bank or mortgage company or utility provider tosses your information in a dumpster that is subsequently raided by identity thieves.

5. Opt out of junk mail and preapproved credit card offers. This is good advice and can be done at OptOutPrescreen.com. However, even if you opt out of new offers, others will still arrive. It’s inevitable. You also need to get a locking mailbox, but that still won’t fully protect you.

6. Lock down your PC. McAfee Total Protection™ software is the most comprehensive security tool to protect your computer’s data.

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing Social Security Numbers as National IDs on Fox News. (Disclosures)

11 Ways To Prevent Home Invasions

Strangers and posers: You tell your children not to talk to strangers, so why do you open the door to a total stranger? And never talk to strangers via an open or screen door. Home-invaders pose as delivery people, law enforcement or public workers.

Distress: If someone is in distress tell him or her you will call the police for them. Don’t open the door for them.

Make a call: Under no circumstances do you open the door unless you get phone numbers to call their superiors. Even if that means making them wait outside while you call 411.

Money, jewels and drugs: One simple reason your house is chosen is that someone tipped off the home-invader that you have valuables. You may have done it via social media, or your friends, children or baby sitter might have unintentionally bragged. In states where medical marijuana is legal that may be an additional consideration.

Peephole: Install peepholes, talk through the door.

Do not call the police!: If you live in a high crime area where law enforcement takes a while to respond, and if someone is trying to break into your house while you are in it, calling the fire department will sometimes get help to the scene quicker. Do this only if you are desperate. Firefighters are not equipped to handle violence. However squealing sirens can deter a criminal. And call the police!

Get armed: Having a non-lethal weapon in the form of a Taser or a Pepper spray in close proximity to your bed or front door can debilitate your attacker before they gain control. But realize these can be used against you.

Have your mobile handy: Consider a second line or a cell phone in your bedroom. Burglars sometimes cut phone lines and often remove a telephone from the receiver when they enter a home.

Get alarmed: An alarm system activated while you are sleeping will prevent a burglar from getting too far. And keep it on 24/7/365. With a home alarm system on, when someone knocks on the door, a conscious decision has to be made to turn off the alarm. Most people will keep it on.

Locks: Call a qualified locksmith to take a physical security survey to help you determine the most efficient way to lock up. Many products on the market are a false sense of security. A qualified locksmith should be a professional associated with well known manufacturers.

Cameras: Install a 24-hour camera surveillance system. Cameras are a great deterrent.  Have them pointed to every door and access point.

Robert Siciliano personal security expert to Home Security Source discussing Home Invasions on Montel Williams. Disclosures

Thieves Hit Real Estate Open Houses

Here’s a strange proposition: place an ad in the local paper requesting that complete strangers come to your home and look inside your kitchen, bathroom, your kids’ room and your bedroom. In the ad tell them how nice the house is and that you want them to see it from 2-4 on Sunday afternoon.

Then, to make it even more interesting, have another stranger (or someone you only have a brief relationship with) show them around the house. Meanwhile you go out, run some errands or have lunch.

Keep the block of knives on the counter and leave everything pretty much where you normally would and when you get home maybe it will still be there. Sound like a sound plan? It’s one that thousands of people execute hundreds and thousands of times a year.

Open houses are (in my mind) a weird process that is otherwise a good way to bring attention to the sale of a home. If the homeowner is smart, they will hire a professional real estate agent to facilitate the process. However, the homeowner often puts too much faith in the real estate professional to protect their belongings. This is a big mistake and a false sense of security.

No offense to the real estate professionals, but many of them don’t really understand what they should and shouldn’t do in regards to “securing” your stuff.

I present about 50 programs a year to real estate agents on this topic. I always ask “what would you do if you saw someone steal something?” Inevitably I get responses where agents would say “I’d tell them to put it back!” Alrighty then. While this is the “right thing to do” it’s not the right thing for the agent to do. Because now the thief has to decide how bad they want the stuff and they now have to determine what it’s going to take to keep it. Giving a thief an ultimatum may result in violence.

The Aldergrove Star reports “These crimes are committed by thieves posing as potential homebuyers attending open houses or walking through homes for sale with a realtor. The thieves will distract the realtor, perhaps asking for a tape measure, and while the realtor facilitates the request, property is pocketed. Property targeted during these thefts includes laptops, jewelry, designer purses, small electronics, and other miscellaneous items.”

Real estate agents should not consider themselves in any way “security guards”. The home owner in no way should consider agents responsible for protecting their stuff. If you are a homeowner or a real estate agent, have a discussion that includes the following tips:

  • Hide or remove your valuables and medications.  If it can be easily stolen and has resale street value, then remove it.
  • Request your real estate agent bring additional agents. There is always strength in numbers.
  • Protect yourself from identity theft. Remove or lock up bills, credit card receipts and bank statements.
  • If anyone ever steals something and you see them, run out of that home as fast as possible. If a person is crazy enough to steal from an open house, then they are crazy enough to commit violence.  There is nothing of monetary value on the planet that I would fight for.
  • Put signage out saying “Property Under Video Surveillance.”
  • Always check the security status of home security systems, doors and windows before and after a showing. Make sure they are all locked and the hinges are still in the doors.

Robert Siciliano personal security expert to ADT Home Security Source discussing Home Security and Identity Theft on TBS Movie and a Makeover. Disclosures.