Posts

Fear of Fraud trumps Terrorism

Okay, what’s more likely? Getting bombed … or some punk racking up charges on your credit card?

11DThe yearly Crime Poll says that two-thirds of the respondents were edgy about data breaches involving their credit cards, as well as their computer and smartphones getting hacked—far more so than being robbed or taken hostage.

It’s easier to thwart a mugger or burglar than it is to thwart cybercrime. Just because you never click links inside e-mail messages doesn’t mean a cybercriminal won’t still figure out a way to nab you.

Interestingly, many people who’ve been digitally victimized don’t even bother filing a police report, says the survey. But a much higher percentage of burglary and mugging victims will.

Maybe that’s because 1) They know it will be easier to catch the thug, and 2) It’s way more personal when a masked man jumps you on the street and hits you with a brick, versus some phantom from cyberspace whose body you never see, voice you never hear, hands you never feel—even though they drain your bank account dry.

But which would you rather have? An ER visit with a concussion and broken nose from the mugger, or a hacked credit card? The Fair Credit Billing Act allows you to dispute unauthorized charges on your card statement and get other things straightened out. And until you pay the whopping bill, your account isn’t robbed.But if someone hacks into your debit card, they can wipe out your checking account in a flash.

The good news is that often, cyberthieves test the waters of the stolen data by making initially small purchases…kind of like a would-be mugger feeling out a potential victim by initially asking her for the time or “accidentally” bumping into her.

A credit card can have varying levels of alerts that can notify the holder of suspicious activity. An example is a charge over $1,000 nets a text message to the holder about this. However, if you set a much lower threshold, you’ll know sooner that the data or card was stolen. Don’t wait till the thief makes a huge charge to be alerted. The lower that threshold, the sooner the card company will contact you and then initiate mitigation.

You know how to prepare for a mugger (pepper spray, self-defense lessons, etc.), but how do you protect your credit and debit cards?

  • Check your credit card statements thoroughly.
  • Don’t put off contacting the company over a suspicious charge.
  • All of your devices should require a password to log on.
  • Use encryption for all of your devices.
  • Always use your bank’s ATM, never a public kiosk.
  • Never let an employee take your card out of your sight.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

It’s Beginning to Look a Lot Like the Holiday Shopping Season

The holiday season is in full force. Not only is it time to bring out the tinsel while jamming out to holiday music, it’s also time to buckle down on your holiday shopping. Have you made your holiday shopping list yet? Luckily, in the U.S., the biggest shopping days of the year are coming up meaning lots of shopping deals at stores on and offline to help you complete your holiday shopping list.

http://www.dreamstime.com/stock-images-online-risks-sign-road-banner-image34668294There are people out there who are really gung-ho about Black Friday—camping outside a department store the night before and fighting the masses for the half-price widescreen tv. That’s not really my style; I’m more of a Cyber Monday kind of guy. I just fire up my computer or tablet and start clicking and then boxes magically arrive at my house…well maybe not magically.

Online shopping is convenient for the holiday shopper. No lines, no braving the sometimes nasty winter weather, no crowds—you can buy almost anything and never leave your couch. Although online shopping is a great way to complete your holiday shopping list, you should take a couple precautions while online to keep your personal and financial information safe from hackers.  Along with avoiding the 12 Scams of the Holidays, here are the top 5 tips to help you stay safe while shopping online this holiday season.

  • Be wary of deals. Does that 90% off blowout sale of iPhones sounds too good to be true? It probably is. Any offer you see online that has an unbelievable price shouldn’t be believable. Beware of spam emails with links to awesome deals, as it’s particularly dangerous to buy on a site advertised in a spam email. I recommend using web protection, like McAfee® SiteAdvisor® provides easy to results to protect you from going to a malicious website.
  • Use credit cards rather than debit cards. If the site turns out to be fraudulent, your credit card company will usually reimburse you for the purchase; and in the case of credit card fraud, the law should protect you. With debit cards, it can be more difficult to get your money back and you don’t want your account to be drained while you’re sorting things out with your bank. Another option savvy shoppers sometimes use is a one-time use credit card, which includes a randomly generated number that can be used for one transaction only. If the number is stolen it cannot be used again. Using this type of credit card also ensures that a thief does not have access to your real credit card number.
  • Review the company’s policies. Look to see how the merchant uses your personal information and check to make sure that it will not be shared with third parties. You should only disclose facts necessary to complete your purchase and not any additional information about yourself. Also, check the website’s shipping policy and make sure it seems reasonable to you. You want to make sure that you understand all your shipping options and how they will affect your total cost of your online purchase.
  • Check that the site is secure. Find out if a company’s website is secure by looking for a security seal, like the McAfee SECURE™ trustmark, which indicates that the site will protect you from identity theft, credit card fraud, spam and other malicious threats. Make sure the site uses encryption—or scrambling—when transmitting information over the Internet by looking for a lock symbol on the page and checking to make sure that the web address starts with httpS://.
  • Only use secure devices and connections.  If you are using a public computer, information such as your browsing history and even your login information may be accessible to strangers who use the computer after you. Also, never shop using an unsecured wireless network because hackers can access your payment information if the network is not protected.  To protect yourself, do all of your online shopping from your secure home computer. When shopping at home, make sure all your devices are protected with comprehensive security like McAfee LiveSafe™ service which protects all your PCs, tablets and smartphones.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Security is Everyone’s responsibility

In the movies, the good guys always get the bad guys. In cyber reality, no such thing exists.

1DA survey of 5,000 IT security professionals turns up the following:

  • 63% doubt they can stop data breaches.
  • 69% think threats slip through the cracks of their security systems.
  • 57% believe their company lacks protection from advanced attacks.
  • 80% think their company’s leaders fail to connect the dots between a data breach and potential profit loss.

A survey of customers shows:

  • 59% are quite concerned about credit and debit card information theft.
  • 57% are very concerned about ID theft.
  • About 60% believe that a data breach involving their credit card or personal details would make them less likely to conduct business at a store or bank they usually use.

That last point leads to reputation smearing and loss of customer trust. But what about customer responsibility when it comes to security breaches? The “blame the customer” mentality seems more appropriate in the workplace when employees bring to work their own devices to assist in their jobs. This lets the data-breach cat out of the bag.

Though a significant percentage of employees have admitted (in surveys) to having a security problem with their device, a remarkably small percentage of these users felt compelled to report this to their boss. A very statistically significant number of employees who bring their devices to work haven’t even signed a formal contract that outlines security procedures. The bottom line is that taking security seriously is a rare find among employees who do the BYOD thing.

Another survey turned up an unsettling result: 76% of the 700+ consumers (who were affected by a breach) who were surveyed experienced stress from the event—but more than half didn’t even take steps to prevent ID theft afterwards.

Maybe this complacency can be in part explained by the fact that the losses from breaches are mostly absorbed by the companies involved.

The consumer, customer and employee need to step up to the plate and do their fair share of taking security measures seriously, rather than sitting back and letting businesses and banks take the entire burden.

It’s like getting attacked by a shark. Is the shark entirely to blame if the swimmer jumped into water near a sign that says “Beware of Sharks”? Then again, someone has to take the responsibility of putting the sign there in the first place…

All entities must pull together, stop finger pointing and accusing, and try to get a step ahead of the real villains.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

5 ways Criminals hack your PC

Hackers are hell-bent on busting into the network of their targets. They are persistent—never giving up. When you build your defense against cyber criminals, it must be done with the idea that they WILL succeed. When you operate on this assumption rather than thinking that your anti this and anti that are all you need, you’ll have the best cyber security in place.

4DAnother mistake is to assume that hackers hound only small businesses or weak networks. The cyber criminal doesn’t care so much about vulnerabilities; he wants the goods. It’s like a burglar wanting a million dollars worth of jewels that he knows is stashed inside a mansion surrounded by a moat filled with crocodiles. This won’t stop him. It will only determine the dynamics of how he penetrates.

Yes, less sophisticated hackers will target more vulnerable networks, but there’s a lot of hefty hackers out there who aren’t intimidated by persistence. If cyber thieves want a goal badly enough, they’ll get into every nook and cranny to achieve their mission.

Hackers also determine ahead of time how the victim might respond to an attack. The crime ring will invest time in this, going well-beyond the intended target’s IT tactics. They’ll go as far as learning employees’ after-hour leisure activities. To make it harder for hackers to mine all this information, a company should keep things unpredictable like work routines and not embrace social media.

The hacker creeps around quietly, going undetected while spreading damage. To catch below-the-radar cyber invasions, a business should employ a system that can spot and stamp out these murmurs.

Finally, cyber criminals usually launch a secondary attack as a distraction while the major attack gets underway—kind of like that newsworthy operation of some years ago involving pairs of thieves: One would approach a woman with a baby and tell her the baby was ugly. This distracted her so much that she had no idea that the accomplice was slipping off her purse and scrambling away with it. You must anticipate decoy operations.

Remember, install layers of protection:

  • Antivirus, antispyware, antiphishing, firewall
  • Set up encryption on your wireless router
  • Use a VPN when on free wireless
  • Keep your devices software, apps, browser and OS updated

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

6 Ways to Protect your Internet of Things from Hackers

Everything seems like it is connected to the Internet, just about, including TVs, home thermostats, sprinkler controls, door locks, egg trays (yes, there’s an app for that), tooth brushes (cray cray), and more.

11DA study by HP shows that 70 percent of devices have vulnerabilities. Researchers have revealed that most of the devices in their study, plus the devices’ mobile and cloud applications, had a welcome mat for hackers.

Most of these devices had weak passwords (like qwerty) or weakly protected credentials (unencrypted): beacons for hackers. Seventy percent of the devices lacked encryption. Sixty percent had insecure software updates.

The Open Web Application Security Project notes that vulnerabilities include poor physical security of devices. Gartner, an industry analysis firm, predicts that over 26 billion items, by 2020, will be connected to the Internet. And this includes all sorts of stuff in your home.

All these “smart” devices are a little too dumb and need even smarter protection. The more connected you and all the things in your home are, the more vulnerable you truly are.

Just think of how much of your personal information gets all over cyberspace when you’re so connected, including where your person is at any moment and medical details. Its these “peripheral” devices that connect to your wired or wireless network that in some way connect to your desktop, laptop, tablet or smartphone that criminals are after. Once they hack, say your thermostat, that may give them a backdoor to your data.

Device makers are not bound by any policies to regulate safety/security, making the instruments highly prone to cyber criminals. Worse, most people don’t know how to spot attacks or reverse the damage.

So how do you create a “smarthome”?

  1. First, do your homework. Before you purchase that smarthome device, take a good hard look at the company’s security policy. How easy can this device be updated? Don’t make the purchase if you have any doubts. Take the time to contact the manufacturer and get your questions answered. Know exactly what you’re about to sink your teeth into.
  2. Your device, new or old, should be protected with a password. Don’t keep saying, “I’ll get around to it.” Get it done now. If you’ve had a password already, maybe it’s time to change it; update them from time to time and use two-step verification whenever available. If you recently created a new password for security purposes, change it if it’s not long, strong and unique. A brand new password of 0987poi is weak (sequential keyboard characters). Criminals are aware of these kinds of passwords in whats called a “dictionary attack” of known passwords.
  3. Make sure that your software/firmware is updated on a regular basis. If you see an update offered, run it, rather than getting annoyed by it and clicking “later” or cancelling it. The updated version may contain patches to seal up recently detected security threats.
  4. Cautiously browse the Internet. Don’t be click-happy. Make sure whenever using a wireless connection, especially those that are free public WiFi use Hotspot Shield to encrypt your data in transit.
  5. Don’t feel you must click on every offer or ad that comes your way, or on links just because they’re inside e-mails. Don’t click on offers that seem too good to be true.
  6. Your mobile devices should be protected. This doesn’t just mean your smartphone, but the smart gadgets that your smartphone or tablets control, like that egg tray that can alert you when you’re running low on eggs.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Cybersecurity Insurance still Requires Cybersecurity

OpenSSL vulnerabilities are sticking around for a while. In fact, recently two new ones were announced: One allows criminals to run an arbitrary code on a vulnerable computer/device, and the other allows man-in-the-middle attacks. A more famous openSSL vulnerability that made headlines earlier this year is the Heartbleed bug.

3DMight cybersecurity insurance be a viable solution?

As reported in SC Magazine, Yes, says Hunton & Williams LLP. Cybersecurity insurance fixes the problems that these vulnerabilities cause—that technology alone can’t always mitigate.

Hunton & Williams LLP reports that GameOver Zeus malware infiltrated half a million to a million computers, resulting in gargantuan losses to businesses and consumers. The firm says that antivirus software just isn’t enough to prevent mass infection. The fact is, advances in malicious code have rendered antivirus software frightfully weak, continues the firm..While not everyone agrees on this point, Hunton & Williams recommends a proactive approach which includes assessment of risk transfer methods, e.g., insurance.

Laurie Mercer, from the security consulting company Contest Information Security, also believes in cybersecurity insurance. Mercer uses cars as an analogy. A car must stick to safety standards. The car gets serviced every so often. But the car also has various buttons and whatnots inside that can alert the driver of a problem.

Likewise, with cybersecurity, products can be certified with commercial product assurance accreditation. A website can get a regular security audit every so often. And like the interior buttons of a car, a website can have a response strategy to a cyber incident or some kind of detection for an attack. However, the car should still be insured.

At a recent SC Congress London, Sarah Stephens from Aon EMEA pointed out that cyber insurance is rising in popularity. But Andrew Rose, a security analyst with Forrester, noted that many threats can be resolved with adequate plans in place.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Cyber Security Insurance Difficult for Business to Navigate

Cyber insurance is now booming, with about 50 carriers in the industry. An increasing number of companies have cyber insurance to protect against cyber crime. However, businesses claim it’s not easy to get adequate coverage.

4DLosses from data breaches are difficult to quantify. The tangible losses are more easily insured, says a New York Times online report. When it comes to a data breach, there are often related losses such as reputational damage and loss of customer loyalty that are harder to quantify.

Add to this the fact that underwriters don’t yet have sufficient data to estimate the likeliness or cost of an attack; most breaches get missed or aren’t reported publicly.

While an insurance company can tell you the precise odds of a major city office building burning down, nobody knows when the next giant retailer will be hacked. Statistics on hacking risks aren’t constant due to the continuous evolution of cyber crimes.

According to New York Times estimates, companies seeking coverage can only hope for, at best, a $300 million policy, peanuts compared to the billions devoted to property protection. Though this still sounds generous, the cost of a major breach can easily exceed it. Target’s situation is on course for just that, says the New York Times online article. The 2011 Sony breach has already exceeded $2 billion in fallout.

The best policies cover costs associated with alerting customers, plus forensics, call center setups, consumer identity monitoring, legal fees and a crisis management firm. But that may only dent the disaster. Policies don’t address loss in profits due to customers jumping ship. A policy can’t prevent a marred brand reputation. “Although a solid cyber policy will cover notification, crisis management expenses, defense costs, damages and the costs associated with regulatory action, it would not cover other, potentially much larger losses, such as reputational injury and loss of brand and market share,” says Roberta Anderson, an insurance coverage and cybersecurity attorney with the law firm of K&L Gates, LLP.  “Those losses are difficult to value and remain uninsurable in the market today.”

Expect the cyber insurance industry to continue swelling while cyber crime continues to remain several steps ahead of businesses and security systems.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Bankers on the Front lines of Cyber Defense

There was once a time when the only threat to a bank’s security was when that innocent-looking man hands a note to the bank teller that makes her face go ashen. And the only security, save for video surveillance, was the armed guards and the silent alarm that the teller triggers.

2DNowadays, terms like firewalls, encryption, anti-virus and cloud providers are just as important to a bank’s security as are the armed guards, huge windows, security cameras and steel vaults. No longer is the masked robber who says “Hand over the money” a bank’s biggest threat. ATM skimming, where nobody is ever shot at, is at the top of the list.

The Three Directions of Banking Security

  • Analyzing big data and assessing potential threats
  • Banks joining forces by sharing information relevant to protection against cybercrime
  • Focusing more on fast recovery and less on prevention of crime

That last point is because breaches are always going to occur no matter how thick the security is, and there’s a lot of room to improve in terms of recovery speed. So it makes sense that this shift in attention is developing at an increasing rate.

A New Breed of Locks

Banks require many layers of protection, and this includes keycards, which allow select employees through specific doors at specific times. Just stick the card in a slot and the door opens (a common device also used in hotels).

Keycards are also used by extraneous service people. A lost card can be immediately turned off, and cheaply replaced, whereas traditional locks would cost a bundle.

Customized badges are another way that financial institutions have improved security measures, replacing keys and keycards. Employees can be “add onto” a badge, and a lost and found badge can be deactivated and activated, respectively.

Anti-Skimming Devices

Anti-skimming devices can significantly reduce this crime, when a thief puts a phony reader over an ATM device to capture a customer’s card data. The volume of skimming crimes is enormous, yet many ATMs still have no anti-skimming protection.

Cloud Storage for Data

More and more financial organizations are relying upon cloud computing, though this technology also brings with it some concerns, since the cloud involves a third-party provider—which can turn bank data over to the government without the bank’s permission.

A way around this is for the bank to encrypt data prior to placing it in a cloud, and to keep encrypting it even when at rest, and retain the encryption keys.

Biometrics

Fingerprint swiping to withdraw money is one of the latest security tactics: multispectral imaging (MSI). Who can possibly “skim” that? This is biometric technology and is already in thousands of ATMs. This “inner fingerprint” is immune to breakdown from grime, wear or moisture, making it very tamper resistant.

Look for even more progress in the multilayered security of financial institutions in the years to come—technologies that right now we can’t even comprehend.

For more information about this shifting industry, visit:

securitymagazine.com/articles/print/85356-banking-battlegrounds-cyber-and-physical-security-risks-today

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

ATM Skimming, Cyber Fraud Keep Bankers up at Night

Last year there were hundreds of cyber fraud incidents that struck banks and put consumers’ personal data at risk, even though the one involving Target stole the scenes. These crimes included payment card skimming, denial-of-service and web app tampering.

1DAs we’ve discussed, security is a top concern for banks at the board level. It’s not that the criminals are particularly bright and that’s why they’re causing so many problems, but rather, security for banks just cannot keep up with the volume and type of attacks. Security can also be under-resourced and/or putting too much of its attention in the wrong places.

A web app attack is the interference of web applications, (such as sending a phishing e-mail ) that tricks the recipient into revealing their banking information. Another example is cracking passwords.

Web attacks are ubiquitous and can be conducted by mediocre-skilled crooks, hunting for the user names and passwords of online banking customers. Banks are responding by beefing up verification processes for their customers rather than relying on just the one-step authentication.

The denial-of-service attack is the second big threat upon banks, when malicious traffic is heaped upon the institution’s web server to disrupt site operation. A malfunctioning site turns off customers—including potential customers. But a DDoS attack can also be launched to divert attention away from another planned attack that actually steals data.

Payment card skimming hits banks hard. The crook puts a phony card reader over the card-swiping device to collect the card’s data off its magnetic strip. The thief will then create phony ATM cards.

The skimming tool can be made at home with a 3D printer—and the cost of the printer can very quickly be recovered with fraudulent use of the phony cards. Skimmers are not traceable, putting a lot of load on bankers’ backs. The fact that some ATMs are remotely located doesn’t help.

There’s still room for the criminals to become savvier, joining forces and sharing ideas, getting organized etc. However, many still remain solitary, which enhances their ability to go undetected.

As renowned security expert Bruce Schneier recently said “Security is now about resilience – it’s not about defense. Banks must up their security awareness, and have a plan in place to respond quickly and thoroughly should there be a breach.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Study Shows Businesses not prepared for Attacks

Amazing: With the proliferation of cyber attacks globally, most businesses are ill-prepared to deal with this, says research from the Economist Intelligence Unit and Arbor Networks.

1DPerhaps businesses have an “It won’t happen to us” mindset, even though hackers steal the most sensitive data, force the company to make enormous payments to fix the situation, and crush its customers’ trust, in turn damaging future profits. It’s a pebble-thrown-into-a-pond effect: Those ripples just keep going out and out.

Haven’t companies learned from that giant retailer breach in December of 2013? That big retailer was left toppled. Companies don’t realize that if they nickel-and-dime security, they’ll get what they pay for.

The research turned up the following after surveying 360 senior business leaders in organizations nationwide and in Europe and Asia-Pacific:

  • 77 percent experienced a security breach within the past two years.
  • 38 percent lack a response plan for a cyber attack.
  • 17 percent believe they’re “fully prepared” for a cyber attack.
  • Many of the survey participants reported that they relied upon IT departments to deal with the issue of cyber threats. However, companies that indeed suffered a data breach within the past two years were actually twice as likely to have relied upon a third-party IT team.
  • 41 percent of business decision makers believe that a more solid understanding of risks and potential threats would assist them in being better prepared, but, oddly, only one-third of businesses share concerning situations with other businesses for the sake of spreading best practices and information.
  • 57 percent do not report incidents on a voluntary basis if they’re not legally required to do this.

Interestingly, while 41 percent of business decision makers believe that a more solid understanding of potential threats would increase preparedness, only one-third of businesses are willing to share information with other businesses about incidents concerning data security.

The big message regarding cyber attacks on businesses all over the world: It’s not “if,” it’s WHEN.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.