Posts

Protecting Yourself from a Data Breach requires Two Step Authentication

Have you ever thought about how a data breach could affect you personally? What about your business? Either way, it can be devastating. Fortunately, there are ways that you can protect your personal or business data, and it’s easier than you think. Don’t assume that protecting yourself is impossible just because big corporations get hit with data breaches all of the time. There are things you can do to get protected.

  • All of your important accounts should use two-factor authentication. This helps to eliminate the exposure of passwords. Once one of the bad guys gets access to your password, and that’s all they need to access your account, they are already in.
  • When using two-factor authentication, you must first enter your password. However, you also have to do a second step. The website sends the owner of the account a unique code to their phone also known as a “one time password”. The only way to access the account, even if you put the password in, is to enter that code. The code changes each time. So, unless a hacker has your password AND your mobile phone, they can’t get into your account.

All of the major websites that we most commonly use have some type of two-factor authentication. They are spelled out, below:

Facebook

The two-factor authentication that Facebook has is called “Login Approvals.” You can find this in the blue menu bar at the top right side of your screen. Click the arrow that you see, which opens a menu. Choose the Settings option, and look for a gold colored badge. You then see “Security,” which you should click. To the right of that, you should see Login Approvals and near that, a box that says “Require a security code.” Put a check mark there and then follow the instructions. The Facebook Code Generator might require a person to use the mobile application on their phone to get their code. Alternatively, Facebook sends a text.

Google

Google also has two-factor authentication. To do this, go to Google.com/2step, and then look for the blue “get started’ button. You can find it on the upper right of the screen. Click this, and then follow the directions. You can also opt for a text or a phone call to get a code. This also sets you up for other Google services, including YouTube.

Twitter

Twitter also has a form of two-factor authentication. It is called “Login Verification.” To use it, log in to Twitter and click on the gear icon at the top right of the screen. You should see “Security and Privacy.” Click that, and then look for “Login Verification” under the Security heading. You can then choose how to get your code and then follow the prompts.

PayPal

PayPal has a feature known as “Security Key.” To use this, look for the Security and Protection section on the upper right corner of the screen. You should see PayPal Security Key on the bottom left. Click the option to “Go to register your mobile phone.” On the following page, you can add your phone number. Then, you get a text from PayPal with your code.

Yahoo

Yahoo uses “Two-step Verification.” To use it, hover over your Yahoo avatar, which brings up a menu. Click on Account Settings and then on Account Info. Then, scroll until you see Sign-In and Security. There, you will see a link labeled “Set up your second sign-in verification.” Click that and enter your phone number. You should get a code via text.

Microsoft

The system that Microsoft has is called “Two-step Verification.” To use it, go to the website login.live.com. Look for the link on the left. It goes to Security Info. Click that link. On the right side, click Set Up Two-Step Verification, and then follow the prompts.

Apple

Apple also has something called “Two-Step Verification.” To use it, go to applied.apple.com. On the right is a blue box labeled Manage Your Apple ID. Hit that, and then use you Apple ID to log in. You should then see a link for Passwords and Security. You have to answer two questions to access the Security Settings area of the site. There, you should see another link labeled “Get Started.” Click that, and then enter your phone number. Wait for your code on your mobile phone, and then enter it.

LinkedIn

LinkedIn also has “Two-Step Verification.” On the LinkedIn site, hover your mouse over your avatar and a drop-down menu should appear. Click on Privacy and Settings, and then click on Account. You should then see Security Settings, which you should also click. Finally, you should see the option to turn on Two-Step Verification for Sign-In. Turn that on to get your code.

These are only a few of the major sites that have two-step verification. Many others do, too, so always check to see if your accounts have this option. If they don’t, see if there is another option that you can use in addition to your password to log in. This could be an email or a telephone call, for instance. This will help to keep you safe.

Amazon

Amazon’s Two-Step Verification adds an additional layer of security to your account. Instead of simply entering your password, Two-Step Verification requires you to enter a unique security code in addition to your password during sign in.

Without setting up Two Step authentication for your most critical accounts, all a criminal needs is access to your username, which is often your email address and then access data breach files containing billions of passwords that are posted all over the web. Once they search your username/email for the associated password, they are in.

Two factor locks them out.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Security training: the Human Being is impossible to fix

As long as humans sit at computer screens, there will always be infected computers. There’s just no end to people being duped into clicking links that download viruses.

12DA report at theregister.co.uk explains how subjects, unaware they were guinea pigs, fell for a phishing experiment.

  • Subjects were sent an FB message or e-mail from an unfamiliar sender, though 16 percent of the subjects who ultimately clicked reported they knew the sender.
  • The sender announced they had images from a New Year’s Eve party but not to share them.
  • 43.5% clicked the FB message link and one-quarter clicked the e-mail link.
  • Many of the subjects denied making these clicks, but most who admitted it named curiosity as the reason.
  • 5% claimed they thought their browser would protect them from an attack.

Obviously, there will always be that percentage of the human population who will allow curiosity to preside over common sense and logic. The idea of simply never, never, ever clicking a link inside an e-mail is an impossible feat for them—perhaps more difficult than quitting smoking or losing 50 pounds.

This is the battle that businesses have with their employees, which is how businesses get hacked into and massive data breaches result.

However, says the report, rigid training of employees may backfire because valid e-mails may be ignored—though it seems that there has to be a way for companies to get around this—perhaps a phone call to the sender for verification if the company is small. For large businesses, maybe executives could just resort to the old-fashioned method of reaching out to employees; how was this done before the World Wide Web was invented?

Digital signing of e-mails has been suggested, but this, too, has a loophole: some employees misinterpreting the signatures.

Nevertheless, security training is not all for nothing; ongoing training with staged phishing e-mails has been proven, through research, to make a big difference. Unfortunately, there will always exist those people who just can’t say “No” to something as mundane as images from a New Year’s Eve party from a sender they’ve never even heard of.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Three Quarters of a Billion Records breached

Last year, says the security firm Gemalto, over 700 million records were breached. Or, to put it another way, this translates to two million stolen or lost records every day.

3D2015 Breach Level Report

  • 1,673 hacking incidents
  • 398 were triggered from the inside of the attacked company: employees and even IT staff who were tricked (social engineering) by hackers into clicking on malicious links or attachments
  • Government agencies suffered the greatest data leaks.
  • Following that were nation states and healthcare enterprises (remember the big Anthem breach?)

Gemalto also says that the U.S. is the leading target of cyber attacks, with the UK, Canada and Australia following behind in that order. But don’t let Australia’s fourth place standing fool you. It reports only 42 publically reported incidents, while the U.S. has reportedly had 1,222.

How can you tell your computer has been compromised by an attack?

  • Your computer is running slowly; you’re not simply being impatient—the device really is moving at a crawl. This is a possible sign the computer is infected.
  • Another possible sign of infection: Programs open up without you making them, as though they have a mind of their own.

Protecting Your Computer

  • First and foremost, businesses need to rigorously put their employees through training. This includes staged phishing attacks to see if any employees can be tricked into revealing sensitive company information. Training for workers must be ongoing, not just some annual seminar. A company could have the best security software and smartest IT staff, but all it takes is one less-than-mindful employee to let in the Trojan horse.
  • If you receive an e-mail with a link or attachment, never rush to open them. Pause. Take a few breaths. Count to 10. No matter what the subject line says, there is always plenty of time to make sure an e-mail is from a legitimate sender before opening any attachments or clicking any links.
  • Use firewall and anti-virus software and keep them updated.
  • Use a virtual private network to scramble your online activities when you’re using public Wi-Fi so that cyber snoopers see only scrambling.
  • Use the most recent version of your OS and browser.
  • Regularly back up your data.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Three ways to beef up security when backing up to the cloud

Disasters happen every day. Crashing hard drives, failing storage devices and even burglaries could have a significant negative impact on your business, especially if that data is lost forever. You can avoid these problems by backing up your data.

Backing up means keeping copies of your important business data in several places and on multiple devices. For example, if you saved data on your home PC and it crashes, you’ll still be able to access the information because you made backups.

A great way to protect your files is by backing up to the cloud. Cloud backup services like Carbonite allow you to store data at a location off-site. You accomplish this by uploading the data online via proprietary software.

Cloud backup providers have a reputation for being safe and secure. But you can’t be too careful. Here are a few ways to beef up security even more when you use a cloud backup system:

  • Before backing up to the cloud, take stock of what data is currently in your local backup storage. Make sure that all of this data is searchable, categorized and filed correctly.
  • Consider taking the data you have and encrypting it locally, on your own hard drive before backing up to the cloud. Most cloud backup solutions – including Carbonite – provide high-quality data encryption when you back up your files. But encrypting the data locally can add an additional layer of security. Just remember to store your decryption key someplace other than on the computer you used to encrypt the files. This way, if something happens to the computer, you’ll still be able to access your files after you recover them from the cloud.
  • Create a password for the cloud account that will be difficult for any hacker to guess. However, make sure that it’s also easy for you to remember. The best passwords are a combination of numbers, letters and symbols.

Cloud backups are convenient and have a good record when it comes to keeping your data safe. It doesn’t require the purchase of additional equipment or the use of more energy. You can also restore data from anywhere, to any computer, as long as there is an Internet connection available.

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. Disclosures.

How much is your Data worth online?

Cyber crime sure does pay, according to a report at Intel Security blogs.mcafee.com. There’s a boom in cyber stores that specialize in selling stolen data. In fact, this is getting so big that different kinds of hot data are being packaged—kind of like going to the supermarket and seeing how different meats or cheeses are in their own separate packages.

10DHere are some packages available on the Dark Net:

  • Credit/debit card data
  • Stealth bank transfer services
  • Bank account login credentials
  • Enterprise network login credentials
  • Online payment service login credentials

This list is not complete, either. McAfee Labs researchers did some digging and came up with some pricing.

The most in-demand type of data is probably credit/debit card, continues the blogs.mcafee.com report. The price goes up when more bits of sub-data come with the stolen data, such as the victim’s birthdate, SSN and bank account ID number. So for instance, let’s take U.S. prices:

  • Basic: $5-$8
  • With bank ID#: $15
  • With “fullzinfo” (lots more info like account password and username): $30
  • Prices in the U.K., Canada and Australia are higher across the board.

So if all you purchase is the “basic,” you have enough information to make online purchases—and can keep doing this until the card maxes out or the victim reports the unauthorized charges.

However, the “fullzinfo” will allow the thief to get into the account and change information, thwarting the victim’s attempts to get things resolved.

How much do bank login credentials cost?

  • It depends on the balance.
  • $2,200 balance: $190 for just the login information
  • For the ability to transfer funds to U.S. banks: $500 to $1,200, depending on the balance.

Online premium content services offer a variety of services, and the login credentials to these are also for sale:

  • Video streaming: $0.55 to $1
  • Cable channel streaming: $7.50
  • Professional sports streaming: $15

There are so many different kinds of accounts out there, such as hotel loyalty programs and auction. These, too, are up for sale on the underground Internet. Accounts such as these have the thief posing as the victim while carrying out online purchases.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Data security policies need teeth to be effective

Bottom line: If you have a data security policy in place, you need to make sure that it’s up to date and contains all of the necessary elements to make it effective. Here are 10 essential items that should be incorporated into all security policies:

4H1. Manage employee email

Many data breaches occur due to an employee’s misuse of email. These negligent acts can be limited by laying out clear standards related to email and data. For starters, make sure employees do not click on links or open attachments from strangers because this could easily lead to a ransomware attack.

2. Comply with software licenses and copyrights

Some organizations are pretty lax in keeping up with the copyrights and licensing of the software they use, but this is an obligation. Failing to do so could put your company at risk.

3. Address security best practices

You should be addressing the security awareness of your staff by ensuring that they are aware of security best practices for security training, testing and awareness.

4. Alert employees to the risk of using social media

All of your staff should be aware of the risks associated with social media, and consider a social media policy for your company. For example, divulging the wrong information on a social media site could lead to a data breach. Social media policy should be created in line with the security best practices.

5. Manage company-owned devices

Many employees use mobile devices in the workplace, and this opens you up to threats. You must have a formal policy in place to ensure mobile devices are used correctly. Requiring all staff to be responsible with their devices and to password protect their devices should be the minimum requirements.

6. Use password management policies

You also want to make sure that your staff is following a password policy. Passwords should be complex, never shared and changed often.

7. Have an approval process in place for employee-owned devices

With more employees than ever before using personal mobile devices for work, it is imperative that you put policies in place to protect your company’s data. Consider putting a policy in place which mandating an approval process for anyone who wants to use a mobile device at work.

8. Report all security incidents

Any time there is an incident, such as malware found on the network, a report should be made and the event should be investigated immediately by the IT team.

9. Track employee Internet use

Most staff members will use the Internet at work without much thought, but this could be dangerous. Try to establish some limits for employee Internet use for both safety and productivity.

10. Safeguard your data with a privacy policy

Finally, make sure that all staff members understand your company’s privacy policy. Make sure that data is used correctly and within the confines of the law.

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses.

How to recycle Old Devices

When it comes to tossing into the rubbish your old computer device, out of sight means out of mind, right? Well yeah, maybe to the user. But let’s tack something onto that well-known mantra: Out of site, out of mind, into criminal’s hands.

7WYour discarded smartphone, laptop or what-have-you contains a goldmine for thieves—because the device’s memory card and hard drive contain valuable information about you.

Maybe your Social Security number is in there somewhere, along with credit card information, checking account numbers, passwords…the whole kit and caboodle. And thieves know how to extract this sensitive data.

Even if you sell your device, don’t assume that the information stored on it will get wiped. The buyer may use it for fraudulent purposes, or, he may resell to a fraudster.

Only 25 states have e-waste recycling laws. And only some e-waste recyclers protect customer data. And this gets cut down further when you consider that the device goes to a recycling plant at all vs. a trash can. Thieves pan for gold in dumpsters, seeking out that discarded device.

Few people, including those who are very aware of phishing scams and other online tricks by hackers, actually realize the gravity of discarding or reselling devices without wiping them of their data. The delete key and in some cases the “factory reset” setting is worthless.

To verify this widespread lack of insight, I collected 30 used devices like smartphones, laptops and desktops, getting them off of Craigslist and eBay. They came with assurance they were cleared of the previous user’s data.

I then gave them to a friend who’s skilled in data forensics, and he uncovered a boatload of personal data from the previous users of 17 of these devices. It was enough data to create identity theft. I’m talking Social Security numbers, passwords, usernames, home addresses, the works. People don’t know what “clear data” really means.

The delete button makes a file disappear and go into the recycle bin, where you can delete it again. Out of sight, out of mind…but not out of existence.

What to Do

  • If you want to resell, then wipe the data off the hard drive—and make sure you know how to do this right. There are a few ways of accomplishing this:

Search the name of your device and terms such as “factory reset”, “completely wipe data”, reinstall operating system” etc and look for various device specific tutorials and in some cases 3rd party software to accomplish this.

  • If you want to junk it, then you must physically destroy it. Remove the drive, thate are numerous online tutorials here too. Get some safety glasses, put a hammer to it or find an industrial shredder.
  • Or send it to a reputable recycling service for purging.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention

Tips for backing up and protecting your data while traveling

The season of giving is now upon us — but don’t forget, it’s also the season of stealing — and no, I don’t mean your wallet or the gift package at your doorstep, but your Social Security number, credit card information, medical records and any other highly confidential information that you have stored on your computers.

1DThieves want your data — the information stored in your smartphone, laptop and other devices. People are especially vulnerable to this crime when they travel. Don’t let the hustle and bustle of holiday travel detract you from protecting your data!

  • Make sure your devices have updated security software.
  • Remove all the sensitive data (e.g., medical records) from your device prior to travel — but not before you back it up.
  • One way to protect your data is cloud backup. Protecting your data begins with keeping your computer in a safe, secure, locked location, but when you are traveling, this is simply not an option. Therefore, automatically back up data to the cloud. The third layer is to use local backups; ideally sync software that offers routine backups to an external drive.
  • Before the trip, an IT expert should install disk encryption for your laptop– especially if you’ll be bringing along lots of sensitive data. If the laptop ends up in the wrong hands, the crook will see only scrambled data.
  • Even with the aforementioned security measures in place, you should also use a virtual private network when conducting online transactions at public Wi-Fi spots, so that snooping hackers “see” only encrypted transmissions.
  • All of the above tactics still aren’t enough. “Shoulder surfers” could visually snatch your login credentials while you’re typing away at the airport lobby or coffee shop. “Visual hackers” may also use binoculars and cameras. A privacy filter for your screen will conceal what’s on your screen. If they’re right behind youthis technology will alert you. You should use a privacy filter even when your back is to a wall.

Never let your device out of your sight, and if you must, like at a relative’s dinner gathering, lock it up.

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite Personal plans. See him discussing identity theft prevention. Disclosures.

Best practices for BYOD data storage

The Bring Your Own Device (BYOD) movement has in some ways saved companies money, but in other ways put customer data at risk. Employees are onsite, telecommuting or traveling on business. This means their devices, and company data could be anywhere at any given moment.

7WA company manager or owner realizes that company use of employee mobile devices brings benefits. But employees also use the devices for personal activities, increasing the risk of hackers getting into company data.

The solution is to train these employees in BYOD, information security and awareness. They must be aware of how risky a data breach is, how to secure data, especially if the device is loaded with company data. An overlooked part of that training is knowing how to deal with old data, back up that data and in some cases, delete it.

Data lives in 3 forms: stored on a local device, backed up in the cloud and deleted. Over time, old data begins to accumulate on devices and that can cause problems.

Here are some key considerations and best practices for dealing with the BYOD phenomenon at your business:

  • Ask yourself when old data no longer needed? Data should have expiration dates set up to indicate this.
  • Businesses should realize that “useless” or “old” data may surprisingly be needed sooner or later. This data can be stored offsite, in the cloud, so that if the device is hacked, at least the old data (which may contain valuable information to the hacker) won’t be accessible.
  • Setting up cloud storage that automatically backs up data will ensure that if a device is lost or stolen, the data is still available. Every bit of data, even if it’s seemingly useless, should be backed up.
  • How do you truly delete data? Don’t think for a second you’ll achieve this by hitting the delete button. In many cases, a hacker could still find it and obtain it from the hard drive. What you can’t see is not invisible to a skilled hacker.
  • Want to just get rid of old data altogether? You must destroy the hard drive. This means put it on the ground and hit with a sledgehammer. Then recycle the guts. Or you can professionally shred it.
  • Deploy Mobile Device Management (MDM) software that gives companies the ability to remotely manage devices. Tasks might include locating, locking or wiping a lost or stolen device. MDM can also be used to update software and delete or back up data.

The planning and prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained on proactive security and the tricks that cyber thieves use.

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite Personal plans. See him discussing identity theft prevention. Disclosures.

Human error is inevitable: Here are some ways to protect your business

National Preparedness Month is happening right now. It’s the perfect time to take action for you and your community. It’s all about making plans to remain safe, and when disasters do strike, to keep communications going. September 30th is the culmination of NPM, with the National PrepareAthon! Day.

3DIf a burglar sees your Facebook status that you are traveling on vacation and then enters your house, and takes $10,000 worth of valuables, it’s safe to say you as the homeowner facilitated the theft. This is no different than leaving your doors unlocked when you head to the store. This lack of attention to security is why crime often happens.

These lapses in judgement are akin to how human error enables data breaches. Even worse, for a small business, employee behavior accounts for a significant number of hacking incidents – and the costs of data breaches are tremendous.

A study from CompTIA says that human error is the foundation of 52 percent of data breaches. The CompTIA report also says that some of the human error is committed by IT staff. Funnily enough, it also points out that typically, businesses rank human error pretty low on the priority list of potential problems.

Some important things to remember:

  • Security awareness training is crucial for employees.
  • A strong incident response system must be in place.
  • Appointing a CISO (chief information security officer) will also help.

The high price of human error can include lost or stolen mobile devices, slow notification of a data breach, a weak security structure and response plan, and lack of a CISO. To avoid these and protect your business, you should:

  • Implement an aggressive security awareness training program for employees
  • Develop a data breach response plan
  • Implement strong authentication practices
  • Use encryption
  • Implement a data loss identification system

And all companies should take note of the following safeguards:

  • Vigorously train employees in safety awareness that pertains to the “bring your own device” policy. Many data breaches occur when someone conducts business on their personal mobile device.
  • Security awareness training isn’t just about telling employees the facts. It also should include staged attempts at a data breach (by hired white hackers) to see who takes the bait. This also includes staged attempts by people posing as vendors or other executives trying to gain access to sensitive information.
  • Back up all data on a frequent basis, ideally on a local drive in combination with a cloud service.
  • Computers should be replaced every two to three years. This will make it easier for businesses because the computers at this point will still be functioning.

The prevention tactics above apply to businesses and really, everyone. Employees should be rigorously trained on proactive security and tricks that cyber thieves use. To learn more about preparing your small business against the common accidents of everyday life, download Carbonite’s e-book, “5 Things Small Businesses Need to Know about Disaster Recovery.”

#1 Best Selling Author Robert Siciliano CSP, CEO of IDTheftSecurity.com is a United States Coast Guard Auxiliary Flotilla Staff Officer of the U.S. Department of Homeland Security whose motto is Semper Paratus (Always Ready). He is a four time Boston Marathoner, Private Investigator and is fiercely committed to informing, educating, and empowering people so they can be protected from violence and crime in the physical and virtual worlds. As a Certified Speaking Professional his “tell it like it is” style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders. Disclosures.