Posts

How to Protect You Frequent Flier Miles NOW

Social Security numbers and credit card numbers are not the only types of data that hackers are after. Now, they are looking at frequent flyer accounts, and they are stealing reward miles, and then selling them online.

How do Hackers Steal Frequent Flyer Miles?

As with other types of ID theft, hackers use info that they have illegally obtained to access frequent flyer accounts. With more data breaches happening than ever before, hundreds of millions of records are exposed, and thus, hackers have great access to the personal info they need to get into these accounts.

What do Hackers Do with Frequent Flyer Miles?

It is hard for hackers to use these miles on their own because often, the travel has to be booked in the name of the owner. However, it is very easy to transfer these miles to other accounts or to use the miles to purchase other rewards. Usually, no ID is needed for a transfer like this. This is also difficult to track because hackers use the dark web and VPNs to remain anonymous.

Hackers also sell these miles, and they catch a pretty penny. For airlines like British Airways, Virgin Atlantic, and Delta, they can get hundreds, or even thousands of dollars for their work.

In addition to transferring these miles from one account to another, hackers are also selling the account’s login information. Once someone buys this, they can now get into the owner’s account and do what they want with the miles.

Protecting Your Frequent Flyer Miles

There are some things that you can do to protect your frequent flyer miles. You should check your frequent flyer accounts regularly using your airlines mobile app. Change all your airline passwords and never re-use passwords and set up a different password for each account.

Other things that you can do include the following:

  • Protect your personal information by making sure every online account has a unique and difficult to guess password.
  • Use a dark web scan. This will show you if any personal information is out on the dark web.
  • If you do find that your miles have been stolen, it also is probable that your personal information has been compromised, too. Monitor your credit report and check it often for anything that looks odd. This is a big sign of an issue.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Meet the FBI’s most wanted Hackers

Want to earn up to $4.2 million? Then find the hackers on the FBI’s most wanted list. Or at least give the FBI information leading to their arrest and/or conviction. These snakes have stolen hundreds of millions of dollars. Here is the list from the hackernews.com:

Evgeniy Mikhailovich Bogachev (reward: $3 million)

  • Ironically, one of his aliases is one of the most common (and thus easily cracked) passwords: lucky12345.
  • He’s the brains behind the GameOver Zeus botnet and CryptoLocker Ransomware.
  • Over a million computers were infected with this malware, causing nearly $100 million in losses.

Nicolae Popescu (reward: $1 million)

  • From Romania, Popescu tricked Americans with fraudulent auction posts on various websites.
  • AutoTrader.com, Cars.com and eBay were some of these sites.
  • He was selling cars that didn’t exist. (Please, people, never, ever send money for something as grand as a car unless you have proof it exists—which includes actually test driving it!)
  • Hundreds of people sent money without ever seeing more than an ad for the cars. If you think that’s bad, it gets worse: Some of the victims handed over their money for private planes and yachts! Nearly 800 people didn’t have on their thinking caps, but this doesn’t make Popescu’s deed any less obscene.

Alexsey Belan (reward: $100,000)

  • Belan breached the cybersecurity systems of three big U.S. based e-commerce sites.
  • He then tried to sell all of these stolen databases, which included passwords.

Peteris Sahurovs (reward: $50,000)

  • His crime involved creating and selling malware by putting ads up on various websites.
  • These advertisements forced users to buy the phony antivirus software that the ads pitched.
  • If the user declined the purchase, their desktop would be bombarded with phony security alerts and pop-ups.
  • This crook from Latvia collected over $2 million with the scheme.

Shailesh Kumar Jain (reward: $50,000)

  • Despite the name, Jain is a U.S. citizen.
  • He scored $100 million in less than two years.
  • He should have quit while he was ahead (maybe after the first $10 mil?), but he just couldn’t earn enough, so he kept hacking away at unsuspecting Internet users.

With fraudulent e-mails and pop-up ads, he tricked users into thinking their computers were infected with malware, and then sold them his fake antivirus software packages for $30 to $70. Do the math: Can you imagine how many people got rooked?

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Bank Account depleted, Company sues

Is it Bank of America’s fault that a hospital was hacked and lost over a million dollars? Chelan County Hospital No. 1 certainly thinks so, reports an article on krebsonsecurity.com. In 2013, the payroll accounts of the Washington hospital were broken into via cyberspace.

4HBank of America got back about $400,000, but the hospital is reeling because the hospital says the bank had been alerted by someone with the Chelan County Treasurer’s staff of something fishy. The bank processed a transfer request of over $600,000—even though the bank was told that this transfer had not been authorized.

In short, some say Bank of America failed to follow contractual policies. And what does the bank have to say for this? They deny the lawsuit allegations. They deny brushing off the hospital’s alert that the wire transfer was not authorized.

This scenario has been replicated many times over the past five years, says the krebsonsecurity.com article. Hackers use Trojans such as ZeuS to infiltrate banks. And not surprisingly, phishing e-mails are the weapon of choice.

Though bank consumers are protected from being wiped out by hackers as long as they report the problem within 60 days, businesses like hospitals don’t have this kind of protection. The business victim will need to sue the bank to recoup all the stolen money. Legal fees will not be covered by the defendant, and they are enormous, which is why it’s not worth it to sue unless the amount stolen is considerable.

Businesses and consumers should:

  • Require that family and employees from the ground up complete security training that includes how to recognize phishing e-mails.
  • Stage phishing attacks to see how well everyone learned their security training
  • Retrain those who fell for the staged attacks
  • Make it a rule that more than one person is required to sign off on large transfers
  • Know in advance that the bank will not reimburse for most of the stolen money in a hacking incident, and that legal fees for suing can exceed the amount of money stolen.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. Disclosures.

1 Billion Records hacked

Billions and billions—it’s only a matter of time before this becomes the number of hacking incidents in a single year, because just in 2014, over one billion records were hacked out of 1,500 different hacking incidents, says a recent report.

4DSome other findings from the report:

  • A little over half the breaches involved credit card numbers, Social Security numbers and other personal information.
  • Most hacking incidents occurred in the U.S.
  • 55 percent of the incidents involved retailers, primarily affecting point of sale systems that lack encryption technology.
  • The private sector, combined with the government, took up 17 percent of the hits.

The government has had it; the White House plans on devoting an office entirely to figuring out how to stay ahead of cyber crime. Let’s hope that the White House really dissects cyber attack technology.

What can consumers, the private sector, retailers, banks and the governments do to make it difficult for hackers to cause mayhem?

  • Go through all of their passwords and replace the weak ones with strong ones. A weak password is less than eight characters (some experts advise that it be at least 12), contains actual words or names, contains keyboard sequences and has limited character variety.

    Keep in mind that an eight-character password such as $39#ikPw is strong and superior to the 12-character 123qwertyTom. But maximize the strength by making the password at least 12 characters and a jumble of character gibberish. A password manager can do this all for you.

  • Install antivirus software. This means antivirus, anti-spyware, anti-phishing and a firewall. Then make sure they are always updated. This software should also be installed on your smartphone and tablet.
  • If you’re still using windows XP because you don’t want to part from your comfort zone, get out of it immediately, because it won’t be so comfy when your system gets dismantled by a hacker. Windows XP is no longer subject to security patches and updates by Microsoft. You need a version, such as MS Win 7, that receives regular updates.
  • Your router has a password that’s been set by the manufacturer. Hackers know these passwords. Therefore, you should change it. Next, turn your WPA or WPA2 encryption on. If you don’t know how to do these things, contact the router’s manufacturer or google it. And unless you have encryption while using public Wi-Fi, consider yourself a lone zebra wandering around in the African savanna where prides of hungry lions are watching you. Get a VPN. Google it.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. Disclosures.

Goodguy Hacker Selling Bad Guy hacks

Makes you wonder what these guys would have accomplished had they been born during the Renaissance…case in point: Kevin Mitnick, whose genius was so impressive as a cyber criminal (he hacked into IBM, Motorola, Sun Microsystems and other big-name outfits), that after serving prison time, he was hired as a good guy to help security teams develop penetration-proof systems.

4DBut Mitnick is now onto another venture: Absolute Zero Day Exploit Exchange. Mitnick wants to sell zero-day exploits (targeted surveillance), for at least a hundred grand each. In a wired.com article, for which Mitnick was interviewed, he states: “Researchers find them, they sell them to us for X, we sell them to clients for Y and make the margin in between.” He has not revealed how much he’s sold or to whom.

But Mitnick says they aren’t necessarily government related. For example, a buyer might be a penetration tester. He says he doesn’t want to help government agencies go around spying. Why would he want to assist the very people who locked him up in prison?

It’s anyone’s guess who’d be willing to shell out $100,000 for one of these tools (which would be used to garner information about bugs in the system that have not been addressed by security patches). After all, giants like Facebook pay only tens of thousands of dollars for this kind of tool.

Mitnick isn’t the only entrepreneur in the selling of secret hacking techniques; it’s already been going on. One of the skepticisms of this venture is just whom the buyer might be. Mitnick says he’ll carefully screen his buyers.

Though what Mitnick is doing is legal, it still snags attention because of his past. This guy was once the most wanted cyber criminal in the world, having made a career of hacking from his teens to early 30s, finally getting captured in 1995.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

7 Careful Commerce tips when Shopping this Holiday Season

Frosty the Hackman is teaming up this season with the Grinch to scam people out of their money. Shopping online is a godsend, but it brings with it a pristine opportunity to be ripped off.
http://www.dreamstime.com/stock-images-online-risks-sign-road-banner-image34668294

  1. Avoid Phishing Scams. Never click on links inside e-mails even if they’re (allegedly!) from Macy’s, Kohl’s or some other big-name retailer. Scammers can easily make an e-mail appear legitimate. The e-mail inside the message may take you to a website that downloads a virus to your computer.
  2. Thwart Visual Hackers. Planning on doing some online shopping on your lunch break? Some hackers steal data by literally snooping over the shopper’s shoulder and if your credit card number, social security or other personal identifiable information happens to be on display on screen, you will be at risk. If you couple the 3M company’s ePrivacy Filter with their 3M Privacy Filter, “visual hackers” won’t be able to see from side angles, and you’ll be alerted to those peering over your shoulder and from most other angles.
  3. Do Your Research. If you want to buy from an unknown little retailer, hunt for reviews first. Be alert to phony reviews to make them look great; identical reviews across different sites are a bad sign. Check the Better Business Bureau’s rating for retailers you visit.
  4. Be Wary of Free Wi-Fi While it might be tempting to double check your bank account balance or get some emails done while you’re waiting in line for the register, if you’re accessing an unencrypted network you are putting yourself and your personal information at risk for data theft.
  5. Credit over Debit. If you get ripped off, the money is gone the second the card is used. At least with a credit card, you have some time to issue a dispute, and the card company will usually give you a full credit.
  6. Review Your Credit Regularly. Since you’ll be using your credit cards more frequently during the holidays, it’s important to stay on top of your statements to make sure there are no fraudulent charges.
  7. Mind your Passwords. To increase your security across the web, update your passwords during the holiday season in case one of your favorite retailers is hacked. Even if these sites are not infiltrated, right away consider changing your passwords across the board to better protect yourself down the road. And while it is annoying to remember different passwords, it’s important to very them for optimal protection.

Robert Siciliano is a Privacy Consultant to 3M discussing Identity Theft and Privacy on YouTube. Disclosures.

Hackers and Banks win, Clients lose

Don’t blame the hackers; don’t blame the bank; apparently it’s the victim’s fault that a Missouri escrow firm was robbed of $440,000 in a cybercrime, says a report on computerworld.com.

11DThe attack occurred in 2010, but the appeals court’s March 2013 ruling declared that the firm, Choice Escrow and Title LLC, can’t hold its bank accountable. The victimized firm might even have to pay the bank’s attorney fees. The court says that the firm failed to abide by the bank’s recommended security procedures.

BancorpSouth Bank was sued by Choice Escrow following a cyber assault in which the password and username to the firm’s online bank account was stolen.

The victim asserted that the bank failed to implement sufficient security measures, allowing the attack to take place. The firm also insisted that the bank should have detected that the wire transfer of the money to Cyprus was fraudulent because it was initiated outside the U.S.—an unprecedented type of transaction.

BancorpSouth’s defense was that Choice Escrow failed to instill the security precautions for wire transfers that the bank recommended.

At first it seems like the bank here is bucking culpability, but according to the bank:

  • It had controls in place for Choice Escrow to use.
  • The bank requested that the firm use a dual-control process for wire transfer requests that would require two people to sign.
  • The bank asked the firm to enforce an upper limit on wire transfers.
  • Choice failed to follow these two recommendations.

The bank also points out that the wire transfer was started by someone who used the firm’s legitimate banking credentials, along with a computer that seemed to belong to the company. Had the company followed the bank’s recommendations, the crime may not have occurred.

Stealing legitimate banking credentials and using them to initiate criminal wire transfers to overseas accounts is nothing new to cyber criminals. This crime causes disputes between banks and their customers and heightens awareness over how much responsibility each entity should carry.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

6 Ways to Protect your Internet of Things from Hackers

Everything seems like it is connected to the Internet, just about, including TVs, home thermostats, sprinkler controls, door locks, egg trays (yes, there’s an app for that), tooth brushes (cray cray), and more.

11DA study by HP shows that 70 percent of devices have vulnerabilities. Researchers have revealed that most of the devices in their study, plus the devices’ mobile and cloud applications, had a welcome mat for hackers.

Most of these devices had weak passwords (like qwerty) or weakly protected credentials (unencrypted): beacons for hackers. Seventy percent of the devices lacked encryption. Sixty percent had insecure software updates.

The Open Web Application Security Project notes that vulnerabilities include poor physical security of devices. Gartner, an industry analysis firm, predicts that over 26 billion items, by 2020, will be connected to the Internet. And this includes all sorts of stuff in your home.

All these “smart” devices are a little too dumb and need even smarter protection. The more connected you and all the things in your home are, the more vulnerable you truly are.

Just think of how much of your personal information gets all over cyberspace when you’re so connected, including where your person is at any moment and medical details. Its these “peripheral” devices that connect to your wired or wireless network that in some way connect to your desktop, laptop, tablet or smartphone that criminals are after. Once they hack, say your thermostat, that may give them a backdoor to your data.

Device makers are not bound by any policies to regulate safety/security, making the instruments highly prone to cyber criminals. Worse, most people don’t know how to spot attacks or reverse the damage.

So how do you create a “smarthome”?

  1. First, do your homework. Before you purchase that smarthome device, take a good hard look at the company’s security policy. How easy can this device be updated? Don’t make the purchase if you have any doubts. Take the time to contact the manufacturer and get your questions answered. Know exactly what you’re about to sink your teeth into.
  2. Your device, new or old, should be protected with a password. Don’t keep saying, “I’ll get around to it.” Get it done now. If you’ve had a password already, maybe it’s time to change it; update them from time to time and use two-step verification whenever available. If you recently created a new password for security purposes, change it if it’s not long, strong and unique. A brand new password of 0987poi is weak (sequential keyboard characters). Criminals are aware of these kinds of passwords in whats called a “dictionary attack” of known passwords.
  3. Make sure that your software/firmware is updated on a regular basis. If you see an update offered, run it, rather than getting annoyed by it and clicking “later” or cancelling it. The updated version may contain patches to seal up recently detected security threats.
  4. Cautiously browse the Internet. Don’t be click-happy. Make sure whenever using a wireless connection, especially those that are free public WiFi use Hotspot Shield to encrypt your data in transit.
  5. Don’t feel you must click on every offer or ad that comes your way, or on links just because they’re inside e-mails. Don’t click on offers that seem too good to be true.
  6. Your mobile devices should be protected. This doesn’t just mean your smartphone, but the smart gadgets that your smartphone or tablets control, like that egg tray that can alert you when you’re running low on eggs.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Are All Hackers Bad?

The word hacker has a pretty negative connotation. It brings to mind other words like cybercriminal, thief, and malicious. It’s easy to see why hacker has a bad rep. The news is full of stories about hackers stealing data from large companies and the government. Hackers are the bad guys.

But are they?11D

Tesla just recently announced they are hiring hackers to find and fix security holes in the Model S car. Google started a league of hackers called “Project Zero” to track down security flaws in their software. Companies like Facebook and others sponsor hack-a-thons, where anyone is invited to try and crack their systems, all the time. Why would these companies want to hire or incentivize hackers?

The truth is not all hackers are the same. Here are the different kinds of hackers:

  • White hat hackers: Also known as “ethical hackers,” these hackers use their skills to make the Internet a safer place. Some white hat hackers do this for fun and then report the information to companies or sites they have broken into so the companies and sites can be fixed. It is these white hat hackers that Tesla is hiring they can find any security holes in their Internet-enabled cars before the bad hackers find and exploit them.
  • Gray hat hackers: These are the guys in the middle. They sometimes act legally, sometimes not. They usually do not hack for personal gain or have malicious intentions, but may or may not occasionally commit crimes during the course of their technological exploits. An example of gray hat hackers is hacktivists—who hack to bring attention to a political agenda or social cause. Anonymous, a predominant hacktivist group, recently took down multiple Israeli websites in protest of the Gaza crisis.
  • Black hat hackers: These are the bad guys that give the word hacker its negative connotation. These hackers are committing crimes…and they know it. They are looking to exploit companies or you and your devices for their financial gain.

So the next time you hear the word hacker, don’t automatically assume it’s a bad thing. Hacking can used for good and evil, it all depends on the hacker’s intent.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Russian Organized Crime: Krem D’la Krem of Hackers

The Russians have definitely come…in the world of cybercrime. A Russian ring of hackers has amassed 1.2 billion stolen passwords and usernames involving 400,000 websites. The criminals have also garnered 542 million e-mail addresses.

11DAnd these Russians didn’t discriminate: Any website they could bust into, they did, ranging from big U.S. companies to little websites—anything. Most of these sites remain vulnerable.

Apparently, the thieves are not working for Russia’s government (which rarely goes after hackers anyways), nor have they sold the stolen information…yet. They’ve been paid by third-party entities who want to send out spam.

This gang of thieves operates like a business, with some doing the programming and others doing the stealing. The crooks use botnets to scope a site’s weaknesses, then plow in there.

This massive breach has called attention to the reliance that businesses have on usernames and passwords; this will need to be changed.

Tips for Preventing Getting Hacked

  • Say NO to clicking on links inside e-mails, even if the apparent (note “apparent”) recipient is your bank or a friend.
  • URL security. Trust only sites whose URL starts with a padlock icon and “https.” An “http” won’t cut it.
  • Two-step verification. If your financial institution offers this, then activate it. Call the bank if its website doesn’t have this information.
  • Online banking. If possible, conduct this on a separate computer just for this purpose.
  • Change the router’s default password; otherwise it will be easy for hackers to do their job.
  • Wired ethernet link. This is better than a powerline or Wi-Fi for protection. To carry out an ethernet attack, the thief would probably have to break into a home and set up a device, whereas Wi-Fi data can be snatched out of the air, and powerline data can leak into next-door.
  • Encryption. If you must use Wi-Fi or powerline networks, encryption will scramble data, but a hacker can crack into Wi’Fi’s WEP.
  • Say no to third-party Wi-Fi hotspots.
  • Security updates. Keeping up to date will guard against hackers who use a keylogger to figure out your keystroke pattern—which can tell him your passwords.
  • Hotshot Shield; This service protects you from fraudulent activity when you’re working online in an unprotected network (wired or wireless), such as at airports, hotels or coffee houses.
  • Get identity theft protection. Generally your identity is protected from new account fraud. Many of the services monitor your data on the dark web.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.