Posts

Tips to destroy and shred

You can’t be too neurotic about shredding sensitive documents to smithereens. For example, some people make a career out of “dumpster diving,” digging through trash in search of bank account information, credit card preapprovals, medical bills, mortgage statements, etc., and then they commit fraud, including creating new accounts with the found information—accounts in the victim’s name.

2PAnd by the way, anything with your signature can be a gem to the dumpster diver, as your signature can be forged.

Diving for Dollars

  • Dumpster diving is legal if the trash can is in a public spot including the big trash bin at your apartment complex.
  • Dumpster divers aren’t necessarily homeless men dressed in rags looking for discarded food. They may be professional identity thieves, and if they’re extra smart, they’ll dress like a vagrant to fool people into thinking they’re looking for food scraps.
  • Your trash can is a goldmine for an identity thief; think of what’s on all the paperwork you toss out, week after week—all sorts of tidbits about your life, from your favorite stores to your kids’ names.
  • A lot of personal details about you come simply from empty envelopes with their return addresses.

Shredding

  • Buy a shredder. There are different kinds that shred at differing dimensions as well as various strengths (some shredders will slice and dice CDs).
  • Don’t buy a “strip-cut” type, as the shreds could be reconstructed. The “micro-cut” shreds at the smallest dimensions.
  • Believe it or not, there are crooks who will take the time to put back together a shredded document, including with the help of Unshredder, a computer program.

Burning

  • Keep a cardboard box handy that you continually fill up with shreddables.
  • Just toss documents that are on deck for burning into this box as you go throughout the day. Then incinerate the box.
  • A large stack of documents will not completely burn, so don’t place these in a motley arrangement so they aren’t “thick”.

Miscellaneous

  • Don’t leave boxes that contained expensive merchandise in plain view at your curb; this is almost the equivalent of sticking a sign there with bright red letters stating: “I just purchased a giant flat screen TV; come on in and steal it.” Destroy/shred

Ask yourself this question: If someone “stole” your trash, would that be a problem? If you say yes, then you toss too much data. For me, I don’t care, nothing I toss is of any value to anyone.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

What is private Information and what is not?

Data Privacy Day was Wednesday, January 28, and these days the concept of “privacy” can be ambiguous, generic or confusing. What you might think of as private actually isn’t. The definition of personal identifying information, by the U.S. privacy law and information security, is that of data that can be used to contact, identify or locate an individual, or identify him in context.

1PThis means that your name and address aren’t private, which is why they can be found on the Internet (though a small fee may be required for the address, but not always). Even your phone and e-mail aren’t private. What you post on Facebook isn’t private, either.

So what’s private, then? An argument with your best friend. A bad joke that you texted. Your personal journal. These kinds of things are not meant for public use. What about vacation photos that you stored in a cloud service? Well…they’re supposed to be private, but really, they’re at significant risk and shouldn’t be considered totally private.

And it’s not just people on an individual scale that should worry about privacy. It’s businesses also. Companies are always worrying about privacy, which includes how to protect customers’ sensitive information and company trade secrets.

But even if the company’s IT team came up with the most foolproof security in the world against hacking…it still wouldn’t protect 100 percent. Somewhere, somehow, there will be a leak—some careless employee, for instance, who gets lured by a phishing e-mail on their mobile phone…clicks the link, gives out sensitive company information and just like that a hacker has found his way in.

Even when employees are trained in security awareness, this kind of risk will always exist. An insider could be the bad guy who visually hacks sensitive data on the computer screen of an employee who was called away for a brief moment by another employee.

Tips for Training Employees on Security Savvy

  • Make it fun. Give giant chocolate bars, gifts and prizes out to employees for good security behaviors.
  • Post fun photos with funny captions on signage touting content from the company’s security policy document. It’s more likely to be read in this context than simply handed to them straight.
  • Show management is invested. Behavior changes start from the top down,
  • Get other departments involved. Even if they’re small, such as HR, legal and marketing, they will benefit from security training.
  • Stop visual hackers. Equip employees with a 3M Privacy Filter and an ePrivacy Filter which helps bar snooping eyes from being able to see what’s on the user’s screen from virtually every angle.
  • Don’t forbid everything that’s potential trouble. Rather than say, “Don’t go on social media,” say, “Here’s what not do to when you’re on social media.”
  • Make it personal. Inform workers how data breaches could damage them, not just the company. A little shock to their system will motivate them to be more careful.

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.

Online Data less safe than ever

It’ll get worse before it gets better: online data safety. It’s amazing how many people think they’re “safe” online, while one huge business or entity after another keeps getting hacked to the bone.

1DAnd “safety” doesn’t necessarily mean the prevention of your computer getting infected with a virus, or falling for an online scam that results in someone getting your credit card information. It’s also a matter of privacy. While targeted advertising (based on websites you’ve visited) may seem harmless, it’s the benign end of the continuum—that someone out there is tracking you.

So, do you still think you’re hack-proof?

That you can’t be fooled or lured? That your devices’ security is impenetrable? That you know how to use your device so that nobody can get ahold of your sensitive information?

Consider the following entities that got hacked. They have cyber security teams, yet still fell victim:

  • LinkedIn
  • Yahoo! Mail
  • Adobe
  • Dropbox
  • Sony
  • Target

You may think the hacking is their problem, but what makes you believe that the service you use is immune? Are you even familiar with its security measures? That aside, consider this: You can bet that some of your personal information is obtainable by the wrong hands—if it already isn’t in the wrong hands.

Are you absolutely sure this can’t possibly be? After all, you’re just a third-year med student or recent college grad looking for work, or housewife with a few kids…just an average Joe or Jane…and you use the Internet strictly for keeping up with the news, keeping up with friends and family on social media, using e-mail…innocent stuff, right?

You’ve never even posted so much as a picture online and say you don’t use a credit card online either.

  • But hey, if your passwords aren’t strong, this ALONE qualifies you as a potential hacking victim.
  • So, what is your password? Is it something like Bunny123? Does it contain your name or the name of a sport? Keyboard sequences? The name of a well-known place? The name of a rock band?
  • Do you use this password for more than one account? That gets tacked onto your risks of getting hacked.
  • You need not be someone famous to get hacked; just someone who gets lured into filling out a form that wants your bank account number, credit card number, birthdate or some other vital data.
  • If you just ordered something from Amazon, and the next day you receive a message from Amazon with a subject line relating to your order…did you know that this could be from a scammer who sent out 10,000 of these same e-mails (via automated software), and by chance, one of them reached someone at just the right time to trick you into thinking it’s authentic?
  • People who know you may want your information to get revenge, perhaps a spurned girlfriend. Don’t disqualify yourself; nobody is ever unimportant enough to be below the scammer’s radar.
  • Did you know that photos you post in social media have a GPS tag? Scammers could figure out where the photo was taken. Are you announcing to all your FB friends about when your next vacation is? Did you know a burglar might read your post, then plan his robbery? Between the GPS tags and your vacation dates…you’re screwed.

Well, you can’t live in a bubble and be antisocial, right? Well, it’s like driving a car. You know there are tons of accidents every day, but you still drive. Yet at the same time, if you’re halfway reasonable, you’ll take precautions such as wearing a seatbelt and not driving closely behind someone on the highway.

Most of your fate is in your hands. And this applies to your online safety. You won’t be 100 percent immune from the bad cyber guys, just like you’re not 100 percent immune from a car wreck. But taking precautions and having the right tools really make a tremendous difference.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention.

Data Breach Aftermath

Haste certainly doesn’t make waste if you’ve suffered from an entity getting hacked resulting in a data breach. Don’t waste a single minute delaying notifying affected accounts! In the case of a credit card company, they will investigate; you won’t have to pay the fraudulent charges. The breached card will be closed, and you’ll get a new one. And there is more.
11D
All sounds simple enough, but the experience can be a major hassle. Below is what you should do upon learning your card has been breached:

  • If a SSN is breached, place a credit freeze or fraud alert with the three big credit bureau agencies. Placement of the credit freeze or fraud alert will net you a free copy of your credit reports; review them.
  • See if you can find companies that have accounts in your name—that you didn’t set up. Notify and cancel them. Make a list of entities that might be affected by your ID theft, then contact them.
  • If your identity is actually stolen, you may need documents to show creditors proof of your ID theft, you should file a report with the police and FTC.
  • Keep vigilant documentation of all of your relevant correspondence.

If your credit card was compromised, you also must contact every company or service that was on autopay with the old card. This includes quarterly autopays (e.g., pesticide company) and yearly autopays, like your website’s domain name. Don’t forget these! You now have to transfer all the autopays to your new card.

But you also must consider the possibility that your credit card breach is only the beginning of more ID theft to come. You now must be more vigilant than ever. If it can happen once, it can happen again.

  • Check every charge on every statement. If you don’t remember making that $4.57 charge…investigate this. Thieves often start with tiny purchases, then escalate.
  • Use apps that can detect anomalous behavior with your credit card account. These applications are free and will alert you if there’s a purchase that’s out of the norm, such as there’s a charge to the card in your home town, but an hour later another charge occurs 800 miles away.
  • See if your card carrier will let you set up account alerts, such as every time a purchase exceeds a set amount, you get notified.
  • Never let your card out of your sight. The thief could have been someone to whom you gave your card for a payment—they used a handheld “skimming” device and got your data. If you don’t want to hassle with, for instance, the restaurant server who wants to take your card and go off somewhere to get your payment, then pay cash (if possible).
  • Never use public ATMs; ones inside your bank are less likely to be tampered with with skimming devices.

Other than tampered ATMs and retail clerks taking your card out of your view to collect payment, there are tons of ways your personal information could get into a thief’s hands. Here are steps to help prevent that:

  • Shred all documents with any of your personal information, including receipts, so that “dumpster divers” can’t make use of them.
  • When shopping online, use a virtual credit card number; your bank may offer this feature.
  • When shopping, patronize only sites that have “https” at the start of the Web address.
  • Never save your credit card number on the site you shop at.
  • If a retail site requires your SSN in order to make the purchase, withdraw from the site and never go back.
  • Never give your credit card or other personal information to online forms that you came to as a result of clicking a link in an e-mail message. In fact, never click links inside e-mail messages.
  • Make sure all your computer devices have a firewall, and antivirus/antimalware software, and keep it updated.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention.

Cloud Data Breaches mo’ Money

IT people need to beef up their opinions about cloud security, says a recent report by the Ponemon Institute called “Data Breach: The Cloud Multiplier Effect.”

3DYes, data breaches occur in the cloud. In fact, it can be triple the cost of a data breach involving a brick and mortar medium.

The report put together data from the responses of over 600 IT and IT security people in the U.S. The report has three observations:

  • Many of the respondents don’t think that their companies are adequately inspecting cloud services for security.
  • The cost of a data breach can be pricey.
  • When a business attempts to bring its own cloud, this is the costliest for high value intellectual property.

More Results

  • 72% of the participants thought that their cloud service providers would fail to notify them of a breach if it involved theft of sensitive company data.
  • 71% believed this would be the same outcome for customer data breaches.

Many company decision makers don’t think they have a whole lot of understanding into how much data or what kind is stored in a cloud.

  • 90% thought that a breach could result when backups and storage of classified data were increased by 50 percent over a period of 12 months.
  • 65% believed that if the data center were moved from the U.S. to a location offshore, a breach could result.

All of these findings mentioned here are the result of self-estimations rather than objective analysis of real breaches.

Ponemon also determined that if a breach involved at least 100,000 records of stolen personal data, the economic impact could jump from an average of $2.4 million to $4 million, up to $7.3 million. For a breach of confidential or high-value IP data, the impact would soar from $3 million to $5.4 million.

In addition to the self-reporting loophole, the report had a low response rate: Only 4.2 percent of the targeted 16,330 people responded, and in the end, only 3.8 percent were actually used. Nevertheless, you can’t ignore that even self-estimated attitudes paint a dismal picture of how cloud security is regarded.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

7 ways to prevent Data Theft when traveling

The threat of data theft follows travelers; there’s never a vacation from hackers. So what should the traveler do? Anticipate snooping by hackers. This way, you can prepare for the worst.3D

  1. If you must bring a laptop, use it as a shell to access data remotely. Leave private information behind. If this is not possible, bring it with you in the form of an encrypted memory stick or have it stored online to download later.
  2. Always use comprehensive security software whenever connecting online.
  3. If you anticipate bringing your laptop or other devices along, have an IT expert install on it disk encryption software. Better yet, have the whole hard drive encrypted: This would be worthless in the hands of a thief.
  4. Install a VPN: virtual private network. The VPN will allow you to get onto websites that are blocked in some foreign countries like China. A VPN will also protect data as it’s transmitted through the air, scrambling it so that hackers can’t understand it.
  5. Use multiple layers of protection. For example, if your device has the capability, use a fingerprint scanner to verify the user’s identity in addition to password protecting your device. Any combination of these features might be built into the hardware, software or available as a peripheral.
  6. To prevent visual hacking (people spying on what you’re doing on your computer), use a privacy screen. 3M makes a great one. And be careful where you choose to work on your computer. Don’t have your back facing the open where someone can easily peer over your shoulder or even record what’s on your screen from a distance.
  7. Never leave your devices in a hotel room or unattended while you head off to the restroom or take a break from a conference meeting. Just suck it up and take it with you.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Mailroom Error, Big Data Breach

Data breaches need not be launched maliciously in order to be very troublesome, as was the case involving about 3,700 Medicare Advantage members. Freedom Blue and Security Blue members received risk assessment results that actually belonged to other individuals. The addresses, birthdates, member ID numbers and medical information of some members ended up in the hands of other members.

1DAnd how? An innocent mistake committed by a mailroom employee. Though there was no evidence of malicious use of this personal information, it just goes to show you how easily a person’s private information can end up in a stranger’s hands. Imagine receiving a stranger’s medical information in your mailbox. It would make you think twice about trusting the company with your personal information in the future.

Members were notified of this error after the insurer spent a month exploring how it happened. Though the unintended recipients received information about other members’ scores on mood tests, medications and results of frailty tests, at least the Social Security numbers weren’t revealed.

If a breach affects more than 500 people, law requires that the health industry alert the Health and Human Services Department, which will then launch an investigation. The affected consumers, and local news outlets, are also required to be notified.

Highmark Inc., the health insurance company whose members were affected by the mailroom breach, changed the member ID numbers of the affected members or those who might have been affected. Sixty-three members received forms pertaining to other people, and 233 never received a mailing, suggesting that their forms possibly went to other members.

As for the bumbling employee, that person was fired. The other employees are being retrained, and Highmark will implement a bar code system on all mailings, which is one proper way to track breach notification letter mailings to ensure the right pieces of mail end up in the right hands and avoid over-stuffing or mis-stuffing of envelopes..

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

 

Data Breaches May Result in Board Breakups

The ripple effect continues to haunt Target: It’s expected that seven of its board of directors members may be replaced because they failed to provide effective oversight into the corporation’s data-protection risks. Boards simply need to be more proactive in safeguarding their companies against data breaches.

2DInstitutional Shareholder Services (ISS) prepared a report on the Target data breach and aftermath. The report states that Target’s board members should have been kept in the loop pertaining to protection of sensitive information and what a breach could mean to brand reputation and customer loyalty.

“The company acknowledged the need for more stringent internal capabilities to identify potential risks with less reliance on external reports which suggested the systems were robust enough,” the report says.

The report concludes that Target failed to prepare for keeping up with today’s cyber threat technology, and that this failure comes from the audit and the corporate responsibility committees.

ISS says that these committees are responsible for being in charge of risk assessment and management. This includes the risk of fraud. The inadequate oversight in these areas paved the way to the disastrous data breach.

The ISS report should be a wakeup call to board members of all businesses. Board members need to realize the importance of directing more time, energy and money toward improving security programs.

Though the dismissal of seven of Target’s total of 10 board members may seem radical, it also has a fair degree of rationale because it sends the message that boards and senior executives need to be held accountable for their company’s cyber security.

Boards need to be practically fused with their organization’s IT experts and executive team so that they have an intimate knowledge of the steps a company is taking to protect customer information—even if none of the board members are security experts. The ramifications from poor handling of a data security incident are now things that even board members must be aware of and work to prevent.

Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

How to Prepare a Storage Device for Resale

If you want to sell a storage device, first back everything up on it with a flash drive, external drive or automated backup service. For Android or iOS, activate the Google Auto Backup service or Apple’s iCloud.

12DNext, wipe the device. No, not with a rag, but wipe out the data, completely. Reformatting the hard drive can still leave data. Hitting “delete” won’t work, either.

To wipe a Mac, use WipeDrive or the OS X Disk Utility. For Windows PCs, use Active KillDisk or McAfee Shredder. For most recent smartphones, do a factory reset, but also remove the SIM card. For extra security, use Blancco Mobile for the Android or iOS.

If you want ultimate reassurance of destroying data, destroy the device with a hammer or drill through the drive with multiple holes.

If your device is headed for recycling, make sure that the recycling company is a part of Responsible Recycling (R2) or e-Stewards certification programs. This way your recycled device won’t end up in the wrong hands.

If you donate your device, hold onto the receipt for a tax write-off.

Did you just buy an external drive or flash drive? You should format it to rid the extra software that it probably came with. This will give you more space for storing data.

How do you format an external drive in Windows?

  • Plug the drive into your computer or wall outlet.
  • Open Windows Explorer, click “Computer” and locate the drive.
  • Right-click it and hit “Format.”
  • Under “File System,” select the desired file system.
  • Under “Volume Label,” name your drive, then check “Quick Format.”
  • Hit “Start.” Confirmation will take a few seconds.
  • In Windows Explorer, open the drive; it’s ready to use.

How do you format an external drive on a Mac?

  • Go to Finder, then Applications/Utilities; double-click Disk Utility.
  • Click on your drive, go to “Erase.”
  • Under “Format,” select the desired file system.
  • Name your drive, then click “Erase.” Formatting will take a few seconds.
  • In Finder, click on the drive; it’s ready to use.

How do you format a computer’s main hard drive?

This is more complex than the above tasks. You will need a bootable USB drive or a CD. If your plan is to sell your hard drive or computer, you’ll need to completely wipe the device. Wiping is the only way to eradicate all data. Once this is done, you can reinstall the operating system by inserting the installation disk or drive.

Of course, before you reinstall, make sure that all of your data is securely backed up!

Additional instructions for installing: For Linux or OS X, you’ll probably need to just select the option to install from scratch, and this will erase the drive. For the Windows installer, wait till you see a screen that has a list of your drives. Hit “Drive Options,” then hit “Format,” and this will format your drive as NTFS. After this, click “Next” to install Windows.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Data Breaches: How To Protect Your Business From Internal Threats

The biggest threat to your data may not come from external hackers. Find out how to guard against intentional or accidental internal cyber breaches.

14DThe NSA leaks we keep hearing about are a constant reminder of just how vulnerable data is and how this vulnerability can result in data breaches by organization insiders. As Reuters reported, “Edward Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator.” It’s apparent now that the nation’s most significant intelligence and security team failed to install the most up-to-date, anti-leak software.

This news coincides with two recent reports that show insiders are becoming the most significant reason data breaches proliferate. While threats to data security and privacy are often perceived to come from the outside via criminal hackers, recent research has marked internal threats as equally dangerous to customer/client data—whether breached on purpose or by accident.

According to a recent Forrester Research report titled “Understand the State of Data Security and Privacy,” 25 percent of survey respondents said that abuse by a malicious insider was the most common way in which a breach occurred in the past year at their company, while 36 percent of breaches were caused by employee mistakes, making it the current top cause of most data breaches.

Another report, from MeriTalk, which focuses on the federal government, found that 49 percent of breaches happen when employees bypass existing security measures, such as when they’re Web surfing or downloading email or other files. If the federal government can’t protect itself against data leaks, how can small-business owners expect to adequately protect their business data? Let’s take a look at how these data leaks are happening to find out how you can protect against them.

Cracking The Code

We’re at a point where companies interested in protecting their data have invested significant resources into fighting off network attacks from outsiders by incorporating numerous layers of security, such as firewalls, antivirus software, antispyware, antiphishing software and security awareness training, but they’re leaving their data vulnerable to their employees. Companies may have malicious, Edward Snowden-like insiders who hack the network for information, including fellow employees’ passwords.

Or, on the less malicious end of the spectrum, employees may just make simple mistakes that leave the network vulnerable to data breaches. Because of this “hidden” vulnerability, company networks are often compared to candy bars that are hard on the outside and soft and chewy on the inside. Additional risks revolve around savvy employees who might have good intentions but may make the network vulnerable when they go outside existing security measures. They may find themselves forced to do this because of restrictions that prevent them from getting their jobs done.

The Meritalk study found:

  • 66 percent of federal network users believe security is time-consuming and restrictive.
  • 69 percent say their work takes longer because of additional cyber security measures.
  • One in five users report an inability to complete work because of security measures.
  • 31 percent of users work around security measures at least once a week.

Forrester found:

  • 36 percent of breaches stem from inadvertent misuse of data by employees.
  • 42 percent received training on how to remain secure at work, which means 58 percent haven’t had training at all.
  • 57 percent say they’re not even aware of their organization’s current security policies.
  • 25 percent say a breach occurred because of abuse by a malicious insider.

Guarding What’s Yours

The most important thing companies can do is to put the right security measures in place. Employees who need identification include those who are known to access critical data resources, such as those in accounting, human resources, administration, legal, personnel and account management as well as company officers and various contractors. Looking at data flow—that is, where data might be either vulnerable, shared across departments or bottle-necked—companies should work with each critical department to gradually implement security controls that create a delicate balance of security and productivity for day-to-day activities.

Data loss prevention begins with data discovery, classifying data in need of protection, and then determining what level of risk your company may face. Then you should complete a cost/benefit analysis and review the various technologies that can integrate with your existing systems. These include data loss prevention (DLP) technologies that provide real-time network activity monitoring, as well as system status monitoring from the inside out and the outside in.

The goal is to limit who has access to what data as well as determine why the person needs it. It’s also important to look for your vulnerabilities from outside attacks. DLP can simultaneously determine when employees are circumventing security because the system may be prohibiting them from getting their job done.

Other procedures and tools you might want to consider implementing include:

  • System-wide encryption
  • Tools that report alerts and events
  • Inspection access controls
  • Password management
  • Multifactor authentication
  • Device recognition
  • Data disposal for e-data, paper data and discarded devices
  • Transparency

This last one is critical because the more transparent your network security and security policies are, the more effective each department will be when communicating its requirements, needs, wants and differences.

The battle to fight criminal hackers from the outside must not hinder your employees’ progress on the inside. At the same time, you must protect against internal threats from employees, which is an equally dangerous risk that your IT department must acknowledge—and work to secure quickly.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.