Posts

Facebook Wants my Social Security Number!

WTH Facebook? Generally,  I don’t have a problem giving out my SSN. That might seem contrary to the advice I give, but frankly, our SSNs are everywhere and if my insurance company needs it, I’ll generally just question them on it, maybe resist a bit, and if they insist, and I need that insurance policy, I’ll cough it up.

facebook security

My identity in regards to “new account fraud” is protected via a credit freeze and I also have identity theft protection in place. So between the two, I’m pretty locked down. This is the advice I give everyone. So I’m generally not alarmed or concerned when asked for my SSN.

BUT, today friggin Facebook asked for it and of all the company’s or government agency’s on the planet to ask for this level of personal identifying sensitive information, Facebook is the world’s single most notorious abuser of privacy in the history of the world.

There have been countless breaches and privacy issues with Facebook and this is so over the top I can’t even believe they have the nuts to ask for a copy of my Social Security card.

Here’s how it played out….An email came in from Facebook subject line “Your sales are on hold”  with the message:

Hi Robert Siciliano: Security Awareness Fraud & Personal Security Expert,

When Robert Siciliano: Security Awareness Fraud & Personal Security Expert’s shop was set up, Robert Siciliano’s information was entered. To help keep Facebook secure, we need to confirm the identity of people representing a business on Facebook or Instagram.

Your sales have been temporarily put on hold until we can confirm Robert’s information. This is a standard process and should only take a few minutes to complete.

Once you confirm Robert’s information, you’ll be able to receive payments again.

Thanks,
The Facebook Team

WTH?!! OK, sure. So I sell my books on my Facebook page and e-commerce is involved. There’s a tax thing going on here. But they aren’t asking for my EIN or are engaging me in a formal process to vet my viability as a tax payer. They are asking for a copy of my SSN in the form of a scan to “verify” me!

I clicked a link on Facebook to see where this debacle would take me and see here:

So I clicked “Contact Us” to voice my frustration and my response was:

And I’ll repeat: “Screw off. I’m not sending Facebook a copy of my SSN card. WTH is wrong with you? What are my other options?

Stay tuned for how this BS turns out.

To be continued. Robert.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Want to be a Cybercriminal? Try Facebook

When you think of a cybercriminal, you probably picture someone in a black hoodie in a dark room on the dark web, but most cybercriminals are out there in plain sight, including on Facebook.

facebook security

Talos, a cybersecurity firm, found that people can easily join Facebook groups, and then participate in cybercrime including buying and selling credit card info, obtaining spamming tools, or even getting account logins and passwords. All in all, these groups have almost 400,000 members.

Though that does sound like a lot, and it is a lot, you also have to remember that Facebook has about 2 billion users logging into the site each month. With that number of people, it is difficult for the social media giant to deal with these groups.

The failure of Facebook to remove these cybercriminals shows that it is struggling to keep bad online behavior at bay, and this also include hate speech, inciting violence, and sharing false information. This also, of course, show how this behavior can be amplified by the algorithms that Facebook uses.

These groups are easy to find on Facebook. All you have to do is type things like CVV or spam. Once you join one of these groups, Facebook’s algorithms come into play and suggest other groups that are similar in nature. Plus, Facebook doesn’t have a great way to catch these criminals, as it relies on reports from other users to stop this type of behavior.

Because of this, Facebook really has a long way to go before it stops relying on the reports of its users. It’s also true that these reports aren’t always taken seriously, and they often fall through the cracks.

One such example of this is with the recent terrorist attack in Christchurch, New Zealand. The gunman who was responsible for the attack streamed his murderous act on Facebook Live. Though Facebook eventually took the video down, it was seen by thousands of people. However, Facebook said that it had no report of the video during the attack, which is why it took so long to remove it.

Knowing all of this, Talos tried to take on some of these crybercrime groups through the reporting system at Facebook. Some of these groups were, indeed, removed from the platform, but others were not. Instead, only specific posts were removed, while the group itself was able to live another day. Talos kept reporting these groups, however, and eventually, most of them were removed. However, new groups are now popping up to take the removed groups’ places. Facebook has acknowledged that there is a problem, and it admits that these groups have violated its policies. It also said that it knows that more vigilance is required and that it is investigating all types of criminal activity on the platform.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Should You Use Facebook to Login to Websites?

Have you ever used Facebook to sign onto another site? Many of us do this pretty blindly simply because it is very convenient. But, this convenience could come at a cost.

You know the drill. You go to a website and it says “Log In With Facebook.” or Google. Usually, it just takes a couple of clicks and no logging in with other usernames or passwords. However, when you do this, Facebook essentially becomes your online identity. This means that anyone who knows these credentials have access to your preferences, posts, and most importantly, your personal information. What’s more is that you might be unknowingly giving permission to a third party to access your profile, view your online activities, and get information about your friends.

What Can You Do About It?

There are some things that you can do to keep yourself safe. First, of course, you should have a different username and password for all accounts. Make sure your passwords are strong and consider using a password manager. This helps to create strong passwords and keeps them safe for you.

If you play games, do quizzes, or other things on a social media platform, make sure that only necessary apps are connected. Stop connecting other apps.

You should also take some time to look at the settings you have set up for your social media accounts. Adjust them to make sure you are protected. Finally, make sure that you are logging out of your social media account when you are done with it. If you log into your social media account on your tablet or mobile phone, make sure that the lock screen is on before putting it away. Also, of course, make sure that you have a strong passcode on your device.

Control Your Data

Now is the time to take control of your data. When you choose to use a social media site to link with third-party services, apps, and sites, the social sites say that it will enhance your experience for the better. It also can make your online time more productive. At the same time, however, it can open you up to exposure, and even be an open door for hackers. It is important to understand what type of permission you are giving these apps when you click “Log in with Facebook.” Finally, if you are a parent, you should make sure that you understand what your kids are doing on social media, and take a look at what type of permission your kids have given to third-parties.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Do Not take that Stupid Facebook Quiz

Where should you live in the world? What Game of Thrones family are you in? What is the food that best describes your personality? All of these answers are given and found by doing quizzes on Facebook. You have surely seen them if you use Facebook, and have may have taken these quizzes, but you definitely might want to consider stopping. If you have ever used one of these quizzes, you have probably given these third-party apps permission to access some of your personal data. Not only does this affect you, it might also affect the people on your friends list. How does it affect you? These answers can sometimes crack password reset questions,

Here are some tips that you can use to protect yourself:

Use Two-Factor Authentication – Almost all social media sites offer two-factor authentication. This allows you to further lockdown your accounts, as you won’t be able to sign in with only a password. Instead, you need a password and a code, which is often sent to you via text message. So, no one can log into your account even if they have your password, unless they also have access to your phone and texts.

Stop Taking Quizzes – The best thing you can do to protect yourself is to stop taking those quizzes. Though they look innocent enough, every click gives the company information on you. It’s true that not all companies collect your personal info, but you really have to do some digging in the terms of service to see if they do or not.

Check Your Privacy Settings – When is the last time you reviewed your privacy settings on Facebook? If you are like most of us, it’s probably been awhile. So, take some time to log in and do this. If you need a tip, choose to only share with yourself by clicking “Only Me” on all of the settings. That’s the safest, but after all, this is SOCIAL media, so you might want to pick and choose.

Look at What You Share – You should also look in your app security to find out what you are sharing with third-parties. You might be surprised at what you see.

Delete Old Accounts – Finally, make sure that you take a look at, and delete, any old social media accounts. If you don’t want to delete it, at a minimum, change your password. Also, Google yourself and see what accounts come up. If you can find it, you can bet that a hacker can.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Facebook CEO Password dadada hacked

If you’ve heard this once, you need to hear it again—and again: Never use the same password and username for more than one account!

14DIf this got Mark Zuckerberg’s (Facebook’s chief executive).  Twitter account hacked, it can get just about anybody hacked.

A report at nytimes.com says that the OurMine hacking group takes credit for busting into Zuckerberg’s accounts including LinkedIn and Pinterest. It’s possible that this breach was cultivated by a repeated password of Zuckerberg’s.

According to OurMine, Zuckerberg had been using the same password for several accounts. Not only is that asking for trouble, but the password itself is highly crackable: dadada. Don’t laugh. A hacker’s software will find this in minutes.

How to Protect Your Accounts

  • Change any passwords that are used more than once.
  • Change any passwords that contain keyboard sequences, repetitions of letters or numbers (252525 is akin to dadada), or actual words or proper nouns.
  • If the idea of overhauling your passwords is overwhelming, use a password manager (e.g., RoboForm). A password manager will create long, unique passwords that are different for every account, and you won’t have to remember them because the manager will issue you a master password.
  • See which accounts offer two-factor authentication, then sign up. This is a tremendous step towards preventing being hacked. So if an unauthorized person attempts to log into your Twitter or LinkedIn account, this will send a code to your cell phone that needs to be entered before the account is accessible. Unless the hacker has your cell phone, he won’t be getting into your account.
  • Some say every 90 days, or at least twice a year, change all of your passwords. I think that’s a bit much. Different and strong is what matters most.

Visit Have I Been Pwned to see if your e-mail account has been hacked. I did. 6 of my accounts showed up as being part of data dumps of sites that were hacked. Then I checked all 6 accounts, all had different passwords, but I still changed them. One was gmail, but with two factor verification/authentication, I’ve had no issue. Simply type your e-mail address into the field and click “Pwned?” If the result shows bad news, then you must immediately change your password to one that you’ve never had before—and at least eight characters and unique.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Facebook Photos bust Bank Robber

Do these bank robbers have bricks for brains? They actually posted photos of themselves with wads of the stolen cash on Facebook, says a story on thesmokinggun.com.

The alleged bank robers are John Mogan, 28 and Ashley Duboe, 24, and they’ve been charged with robbing a bank in Ohio. Mogan has already served time for a previous bank robbery conviction and was out on parole.

It all started when Mogan apparently sauntered into the bank and demanded money with a note. It’s not clear from the article whether or not Mogan brandished a weapon. At any rate, the teller handed over the money.

A video camera shows a thief in a hoodie exiting the bank with cash in his hands. Mogan has a distinct appearance in that both cheeks are tattooed.

Authorities believe that Duboe covered up the facial (and neck) tattoos with makeup prior to the robbery. Four days later, both geniuses posted their images to the Facebook page that they share, with Mogan pretending to bite into a thick wad of bills—which he refers to as a “McStack.” In another incriminating image, Mogan is pretending that the wad of cash is a phone.

A relative spotted the images, and from that point, things went sour for these Bonnie and Clyde wannabes. Both are currently behind bars, and the bond has been set at $250,000. Let’s see Mogan try to make a “McStack” with that amount and put his mouth around it.

Not surprisingly, neither of these two look too smug in their mug shots.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.

Time to check your Facebook Privacy settings

Did you know that, once again, Facebook has changed its privacy policies? At the top of the FB page is a lock icon. Click it for more privacy settings.

14DWhat do visitors see? To view how visitors see your Facebook page, go to “Timeline and Tagging,” then hit “Review what other people see on your timeline/View As.”

Posts by friends. Click “Timeline and Tagging” to prevent a visitor’s unwanted post from showing. Then click “Enabled,” as this will allow you to “review posts friends tag you in before they appear.” Designate who can post on your timeline, ideally just “Only Me.”

Unauthorized logins. To prevent someone from logging onto your FB account, go to “Security” and click “Login Approvals,” and proceed from there. This way if someone tries to login from a computer other than your own, they’ll need to see the security code that FB sends to your mobile phone.

Search engine access. If you don’t want everyone finding your Facebook page by simply entering your name into a search engine, click “Privacy,” then “No” to “Do you want other search engines to link to your timeline?”

Old posts. In the “Privacy” setting is an option for limiting old images. You may not want everyone to see all of your timeline. You can also set up things so that you can review new posts by others as they come in.

Liked businesses. Where it says “Ads and Friends” click “Ads,” then “Edit.” Next click “No One” where it says “Pair my social actions with ads.” This will prevent you from becoming associated with a particular business.

Apps. Go to “Apps” if you don’t want everyone seeing what apps you use on Facebook. Change the “App Visibility” to “Only Me.” In “Apps Settings” are more options.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Very effective Social Engineering Scams

It’s amazing how ingenious cybercriminals are, but the victims also need to take some responsibility for falling for these ruses, especially when the victim is a business that has failed to train its employees in cybersecurity measures.

10DRansomware

The stuff of science fiction is here: Who would have ever thought there’d ever be a such thing as criminals remotely stealing someone’s personal information (word processing files, any kind of image, etc.), scrambling it up via encryption, then demanding ransom in exchange for the remote “key” to “unlock” the encryption?

Payment is remotely by Bitcoin which can’t be traced. The payment is usually at least $500 and escalates the longer the victim waits.

The virus that poisons a computer to steal someone’s files is called ransomware, a type of malicious software (in this case, “Cryptolocker” and “CryptoDefense”). But how does this virus get into your computer in the first place?

It’s called social engineering: tricking users into allowing their computer to be infected, or duping them into revealing personal information.

Often, a phishing e-mail is used: It has an attention-getting subject line that entices the user to open it. The message contains a link. They click the link, and a virus is downloaded. Or, the link takes them to a site which then downloads the virus.

These e-mails, sometimes designed to look like they’re from the company the user works for, often go to workplace computers where employees get tricked. These kinds of attacks are lucrative to their instigators.

Funeral Fraud

If you wanted to notify a relative or friend that a mutually dear person has left this earth…would you send an e-mail or phone that person? Seems to me that heavy news like this would warrant a phone call and voice interaction.

So if you ever receive an e-mail from a funeral home indicating that a dear one to you has passed, and to click a link to the funeral home to learn details about the burial ceremony…consider this a scam.

Because if you click the funeral site link, you’ll either get redirected to the crook’s server because he’s already created an infected funeral looking site ahead of time. This is where a virus will be downloaded to your computer.

Vishing Credit Card Scam

You get a phone call. An automated voice identifies itself as your credit card company (they’ll say “credit card company” rather than the specific name). It then says something like, “We are investigating what appears to be a fraudulent charge on your card.”

They’ll ask if you made a particular purchase lately, then to hit 1 for yes and 2 for no. If you hit no, you’re told to enter your credit card number, three-digit security code and expiration date. You just fed a thief all he (or she) needs in order to go on an online or on-phone spending spree.

Ever order something via phone and all you had to give up was the credit card number, expiration date and security code? This trick is also aimed at employees. The calls come from an automated machine that generates thousands of these calls.

Healthcare Record Scam

You receive an e-mail that appears to be from your employer or healthcare provider that you get through work. This may come to you on your home computer or the one you use at work. The e-mail is an announcement of some enticing change in your healthcare plan.

The message may reference something personal about you such as marital status, income or number of dependents. When enough of these e-mails are pumped out with automated software, the personal situation of many recipients will square off with those identified in the e-mail, such as income and number of children. The user is then lured into clicking a link in the e-mail, and once that click is made…malware is released.

Facebook Company Group Scam

Scammers will scan Facebook and LinkedIn seeking out employees of a particular company and create a group. This groups purpose is for information gathering so scammers can penetrate a company’s facility or website. Once all the groups member join, the scammers will pose various innocuous questions and start palatable discussions that make everyone feel comfortable.

Over time scammers will direct these discussions to leak bits of data that allow criminals to enter a facility under a stolen identity or to contact specific employees who have advanced access to computer systems in an attempt to get usernames and passwords.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

15 Top Facebook Privacy Tips

You wouldn’t have to worry about privacy issues on Facebook if you didn’t post sensitive, private information on Facebook…such as information that one day can be used against you. And really, you should share only what you consider “professional” information, even with family. Just stop with the nonsense.

At any rate, it’s important to know how to use Face14Dbook’s privacy features, which change from time to time. Here are useful tips.

  1. Go to Start, then Account, then Privacy Settings, then Edit Your Profile.
  2. In the Edit Your Profile feature, go through everything there and set things up. There are multiple data fields. To get their drop-down menus, hit the lock on the right of the fields.
  3. Review posts friends tag you in before they appear on your timeline” Set this so your friends can’t make posts that include you that appear on your timeline without your knowledge and/or permission. A friend may tag you in something racist or sexist that makes you look bad by association.
  4. “Ads and Friends.” Set this so people can’t see which businesses you have friended if you’d like. For example, if you’re Liked a “bondage” shop because it was funny to Like it, it might not be in your best interests that a potential employer sees this.
  5. “Do you want other search engines to link to your timeline” Set this to prevent people from finding your timeline entries when they do Google searches. Theres no reason a private FB needs this setting live.
  6. “Limit the audience for posts you’ve shared with friends of friends or Public?” Set this to avoid letting a wide audience see your old posts. You may have had a cock tail or two one night and posted something you may regret the next day.
  7. “Log-in approval” This is big. signing up for this ensures that no one else can easily log into your Facebook account.
  8. Friends Lists. Click Edit Friends after you click Account. Go to Create a List to categorize your “friends,” such as those from work only or “share everything.”
  9. To restrict access, you can choose something on your friends lists to narrow the field, such as your created category of “childhood close friends.” Play around with the options. You’ll see an option called Custom, which breaks down to Select Specific People. Be patient and tinker around a bit. If you don’t want your nosy neighbor to see anything, click “Hide this from.”
  10. Under Privacy Settings is Apps and Websites. Other people’s apps can take your information and post it elsewhere. Go to Apps you Use, and How People Bring Your Info Into Apps They Use. You’ll be able to tell who’s taking information from you. But you can disable this too. If you only want select people to know you have an FB page, turn off the Public Searches function. Then, if someone googles your name, your FB page won’t show in the results.
  11. The How Tags Work feature controls tags about you on your page only. You’ll see an option called Friends Can Check You Into Places. Turn this off. Otherwise, one of your “friends” could blab personal information about you. (Gee, at this point, it’s easy to understand why some people just don’t have a FB account—including the most social, outgoing people you’ve ever known.)
  12. To see how your profile looks to visitors, click View As at the top right.
  13. Click on How You Connect under Privacy Settings. This feature determines/controls who can interact with you and view your posts. Again, play around with this.
  14. The Block Lists under Privacy Settings will block whomever you please from contacting you.
  15. Continue spending time in Privacy Settings to further refine your preferences.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention.

Feds Perp Social Media Identity Theft

A federal agent impersonated a woman without her knowledge; he created a Facebook page in a woman named Sondra, and the Justice Department is defending him. In addition, he posted racy photos of her, from her cell phone, to the site. The site was being used to connect with suspected criminals.

14DSondra learned of this when a friend wondered about the photos on the FB page; Sondra didn’t even have an FB account. The agent is with the U.S. Drug Enforcement Administration.

Seems like he was simply doing what he had to do, because prior, Sondra had been arrested for suspicion of drug ring involvement. While she was awaiting trial (and ultimately was given probation), the agent created the Facebook account.

“The incident at issue in this case is under review by Justice Department officials,” states Brian Fallon, the Justice Department’s top spokesperson. Facebook’s terms of service do not exempt undercover agents from term violations, one of which is posing as another person.

Facebook removed the page once news broke. This case doesn’t compare to when detectives go undercover in person, posing as a fictitious character or a real person who authorizes the impersonation. Sondra is real, and she didn’t know about this.

The defense claims that Sondra indeed consented because she granted access to the data in her phone. A privacy expert points out, however, that this is parallel to granting detectives permission to search your house for drugs, but then they steal photos in your bedroom and post them online. Furthermore, the agent posted photos of Sondra’s minor son and niece.

But is Sondra any angel herself? She pled guilty to conspiracy to distribute cocaine in February 2011, but was slapped on the wrist because apparently, she wasn’t a key player in the ring. Really this shouldn’t matter.

It is necessary for law enforcement to use any means necessary and legal to capture bad guys. However there must be a better way to create a social profile, such as using a stock photo or even a computer generated one. The technology is readily available to make this happen.

Robert Siciliano personal and home security specialist to BestHomeSecurityCompanys.com discussing burglar proofing your home on Fox Boston. Disclosures.