Posts

What is Catphishing?


What is catphishing? It certainly isn’t Garfield lazily sitting in a canoe holding a fishing rod. Catphishing is when a fraudster fabricates an identity and tricks someone via cyber communication into a phony emotional or romantic relationship—usually for financial gain to the scammer—because eventually he’ll hit the victim up for money.

But another reason for catphishing is to lure someone into having a “relationship” with the scammer—either to ultimately publicly humiliate them with this information if they’re well-known, or to prove to a significant other that they’re capable of cheating. Not all catphishers are fraudulent. Sometimes, a person will catphish to catch a criminal.

One doesn’t get reeled in overnight, but the warning signs of the early stages of catphishing are clear: A too good to be true situation. The other party is very attractive (don’t bet for a second it’s really their photo). Another tell-tale sign that should make the alarm bells go off: This person comes out of thin air.

He…or she…will be reluctant to use the phone. Skype is out of the question: “I can’t figure out how to use it,” or, “It’s not compatible with my browser.” To maintain an air of legitimacy, the scammer will finally agree to meet you in person, making the plans sound like they’re running smoothly, but then at the last minute, must cancel the plans due to some crisis.

Some examples of real-life catphishing:

  • The DEA created the identity of a woman arrested on drug charges to nab drug dealers on Facebook.
  • Someone used the identity of a woman they personally knew, Ellie Flynn, to create phony accounts on Facebook, Twitter and Instagram. This fleabag even used “Ellie Flynn” and her photo on dating sites.

So the issue isn’t just the idea of you being tricked into a relationship by the catphisher, but the possibility that YOUR photo, name and other data can be used by the catphisher to commit this crime against someone else or to use it for dating sites. Are you pretty good-looking? Makes you wonder about the possibilities…catphishers DO peruse Facebook for those who are physically blessed.

It’s really difficult to discover that your image/name is being used by a catphisher. For example, suppose your name is Ashlee Patrick and you’re gorgeous. And someone named Ann Casey has decided to use your Facebook profile photo for a dating site she wants to register with, or maybe she wants to create a Facebook account.

How will you ever learn of this…unless, by freako chance, someone who knows you just happens to be on Ann Casey’s (if that’s even her real name) Facebook page or is communicating to her via the dating site?

At any rate, if you’re lucky enough to discover someone has stolen your picture for fraudulent purposes, you can report their phony account.

Best ways to protect yourself?

  1. One option is to stop uploading pictures of yourself. This way you have more control of what’s out there.
  2. Use Google Reverse Image Search (https://www.google.com/imghp?gws_rd=ssl). Simply upload a photo and Google will seek it out.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

Can Hackers Use FraudFox VM to Defeat Your Fraud Prevention?

In the last few days, a number of tech magazines like Computerworld and PC Advisor have reported that FraudFox VM poses a threat to the security of online businesses—especially banks and payment services.

FraudFox VM is a special version of Windows with a heavily modified version of the Firefox browser that runs on VMware’s Workstation for Windows or VMware Fusion on OSX. It’s for sale on Evolution, the apparent successor to the Silk Road online contraband market, for 1.8 bitcoins, or about $390.

FraudFox VM was created to defeat device recognition, or fingerprinting, which is used in fraud prevention to assess the risk of a device connecting to a business. Web browsers are used to collect data like operating system version, time zone and IP address. Each of these characteristics can be used to assess risk and uncover possible fraud.

So how worried should your business—and customers—be about this new software? I sat down with Scott Waddell, the Chief Technology Officer of iovation, the fraud prevention experts, to find out what the reality is behind the media headlines.

  1. How reliant are banks and financial institutions on this kind of technology to stop fraudulent transactions these days? Is fingerprinting used more for mobile than on desktop?
    Banks leverage device reputation solutions with great success in both fraud mitigation and risk-based authentication strategies. Of course, good security is all about layered defenses, so smart banks use these tools as part of a defense-in-depth strategy to avoid over-reliance on any one security technology. Device recognition is used on all Internet connected devices these days, mobile and desktop alike. Mobile transactions are the fastest growing segment being protected with these tools, but the majority still originate from desktop operating systems.
  2. Do you think this would be an effective method for cybercriminals to get around those defenses?
    FraudFox VM may be interesting for its purpose-built virtual machine packaging, but there’s really nothing new in the approach. Tools have been available to fraudsters for years to facilitate changing device parameters, manipulating JavaScript, blocking data collection, obscuring IP address and location, and so on. Many of these capabilities have even migrated into easy-to-use settings in the major web browsers to make testing easier for web developers. Device reputation solutions have evolved along with such tools and continue to provide great uplift in fraud catch in spite of them.

    From the reported attributes that FraudFox can change, it would be unable to evade native recognition tools (those embedded in native desktop apps) and it would stumble over transactional similarity scoring on the web that considers more device attributes along with tagged recognition. So the tendency at financial institutions would be to trigger step-up authentication to one-time passwords through out-of-band channels (SMS, mobile app, voice) that FraudFox could not intercept.

  3. Is it possible to fake browser fingerprints manually or using other tools? Does this thing look like a good consolidation of other tools that people might use to defeat fingerprinting?
    As previously mentioned, there are other tools and techniques fraudsters use to evade recognition or to try to mimic the devices of their victims. These often stand out from actual browsers in ways that defeat their intended purpose. A couple years ago, the Gozi Prinimalka trojan attempted to duplicate device attributes of compromised systems much as FraudFox VM aims to do. However, its limitations made it ineffective against modern device reputation offerings that evaluate risk and reputation through multiple strategies including link analysis, profiling techniques, velocity rules, proxy and Tor unmasking, device attribute anomalies, and more. FraudFox VM seems to be relatively limited in its capabilities considering the variety of techniques sophisticated fraud mitigation tools bring to bear.
  4. Any other thoughts?
    It’s certainly interesting to see tools like this for sale on Evolution, which appears to be catering to fraudsters and identity thieves. All the more reason for online businesses to take advantage of collaborative technologies that bring the power of community to the fight against the increasingly organized economy of cybercrime.

Fraudsters will always look for new ways to commit cybercrimes. However, a strategic, multi-layered approach to fraud prevention is the best defense.
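The device-attribute and velocity checks named in the interview, combined with a step-up decision, shown as an added example that is not iovation's or the author's code. The session field names, the reference tables, the thresholds and the allow/step-up/review policy are all assumptions, and the sessions are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed reference data: UTC offsets (minutes east of UTC) that are plausible
# for the country an IP address geolocates to.
COUNTRY_UTC_OFFSETS = {
    "US": {-600, -540, -480, -420, -360, -300, -240},
    "DE": {60, 120},
}
# OS token in the User-Agent header -> expected prefix of navigator.platform.
# Mobile tokens come first because their UAs also contain "Mac OS X" or "Linux".
UA_OS_TO_PLATFORM = (
    ("iPhone", "iPhone"), ("iPad", "iPad"), ("Android", "Linux"),
    ("Windows NT", "Win"), ("Mac OS X", "Mac"), ("Linux", "Linux"),
)


def attribute_anomalies(session):
    """Return the names of attributes that contradict each other."""
    found = []
    expected = next((prefix for token, prefix in UA_OS_TO_PLATFORM
                     if token in session["user_agent"]), None)
    if expected and not session["platform"].startswith(expected):
        found.append("ua_platform_mismatch")
    offsets = COUNTRY_UTC_OFFSETS.get(session["ip_country"])
    if offsets is not None and session["utc_offset_min"] not in offsets:
        found.append("timezone_ip_mismatch")
    return found


def velocity_hits(sessions, window=timedelta(hours=1), max_accounts=3):
    """Device ids seen on more than max_accounts accounts inside one window."""
    by_device = defaultdict(list)
    for s in sessions:
        by_device[s["device_id"]].append((s["when"], s["account"]))
    hits = set()
    for device, events in by_device.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            accounts = {a for t, a in events[i:] if t - start <= window}
            if len(accounts) > max_accounts:
                hits.add(device)
                break
    return hits


def decide(session, hot_devices):
    """Assumed policy: one signal -> out-of-band OTP, several -> manual review."""
    reasons = attribute_anomalies(session)
    if session["device_id"] in hot_devices:
        reasons.append("account_velocity")
    if not reasons:
        return "allow", reasons
    if len(reasons) == 1:
        return "step_up_otp", reasons
    return "manual_review", reasons


# Constructed sample sessions (not real traffic).
T0 = datetime(2015, 1, 20, 14, 0)
WIN_UA = "Mozilla/5.0 (Windows NT 6.1; rv:35.0) Gecko/20100101 Firefox/35.0"
MAC_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) "
          "Gecko/20100101 Firefox/35.0")


def _s(minute, device, account, ua, platform, offset, country):
    return {"when": T0 + timedelta(minutes=minute), "device_id": device,
            "account": account, "user_agent": ua, "platform": platform,
            "utc_offset_min": offset, "ip_country": country}


SAMPLE = [
    _s(0, "d-1", "alice", WIN_UA, "Win32", -300, "US"),
    _s(2, "d-3", "bob", MAC_UA, "MacIntel", 60, "US"),
    _s(5, "d-2", "carol", WIN_UA, "Linux x86_64", 420, "US"),
    _s(9, "d-2", "dave", WIN_UA, "Linux x86_64", 420, "US"),
    _s(14, "d-2", "erin", WIN_UA, "Linux x86_64", 420, "US"),
    _s(20, "d-2", "frank", WIN_UA, "Linux x86_64", 420, "US"),
]

if __name__ == "__main__":
    hot = velocity_hits(SAMPLE)
    for s in SAMPLE:
        print(s["device_id"], s["account"], *decide(s, hot))
```

A single mismatch such as a traveller's time zone is treated as a reason to ask for a one-time password rather than to block, which keeps one noisy attribute from locking out a legitimate customer.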

Credit Card Fraud isn’t the same as Identity Theft

Just as important as taking down the decorations, throwing out all the debris from opened gifts and getting the house back in order after the holiday activities, is that of scrutinizing your credit card statements.

Why? To make sure that all the purchases on there were made by you and only you. The holiday season means more credit card use = more identity theft. In this case, it’s “account takeover.”

The crook gets your credit (or debit) card information in one of several ways: digging through trash to get credit card information; tampering with ATMs; hacking; and perhaps the thief is the person you gave the card to to pay for your restaurant meal.

Yet another way the thief could get you is to obtain a new credit card line—using your name, address and Social Security number. He maxes out his new card and doesn’t pay the bill. One day you get a call from a collection agency, along with knowledge that your credit has been ruined. This is called “new account fraud.”

Account takeover can be discovered via unauthorized charges on your statements, or the thief’s spending habits may alert the company (via its anomaly detection software) to something suspicious, such as a lot of spending halfway across the globe one hour after you purchased something in your home town.
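The "halfway across the globe one hour later" signal is usually called impossible travel. The following is an added example, not any card issuer's code: it compares consecutive card-present transactions on the same card and flags pairs that would require moving faster than an assumed speed limit. The `Txn` fields, both thresholds and the sample transactions are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold, roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0    # assumed floor so nearby merchants never alert


@dataclass(frozen=True)
class Txn:
    card: str
    when: datetime          # all timestamps in UTC
    place: str
    lat: float
    lon: float
    card_present: bool = True


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(txns):
    """Return (previous, current, km, kmh) for each card-present pair on the
    same card that would need travel faster than MAX_PLAUSIBLE_KMH."""
    alerts, last_seen = [], {}
    for t in sorted(txns, key=lambda t: t.when):
        if not t.card_present:
            continue  # online purchases say nothing about where the card is
        prev = last_seen.get(t.card)
        last_seen[t.card] = t
        if prev is None:
            continue
        km = haversine_km(prev.lat, prev.lon, t.lat, t.lon)
        if km < MIN_DISTANCE_KM:
            continue
        hours = (t.when - prev.when).total_seconds() / 3600
        kmh = km / hours if hours > 0 else float("inf")
        if kmh > MAX_PLAUSIBLE_KMH:
            alerts.append((prev, t, km, kmh))
    return alerts


# Constructed sample statement lines (not real transactions).
SAMPLE = [
    Txn("card-A", datetime(2015, 1, 5, 12, 0), "Boston", 42.36, -71.06),
    Txn("card-A", datetime(2015, 1, 5, 12, 20), "online store", 0.0, 0.0,
        card_present=False),
    Txn("card-A", datetime(2015, 1, 5, 13, 0), "Bangkok", 13.75, 100.50),
    Txn("card-B", datetime(2015, 1, 5, 9, 0), "Boston", 42.36, -71.06),
    Txn("card-B", datetime(2015, 1, 5, 9, 40), "Providence", 41.82, -71.41),
    Txn("card-B", datetime(2015, 1, 5, 19, 0), "London", 51.51, -0.13),
]

if __name__ == "__main__":
    for prev, cur, km, kmh in impossible_travel(SAMPLE):
        print(f"{cur.card}: {prev.place} -> {cur.place}, "
              f"{km:.0f} km at {kmh:.0f} km/h")
```

Only card-A alerts: card-B's hop to Providence is under the distance floor and its later London purchase is reachable by a normal flight.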

You have 60 days to report suspicious activity to save yourself from paying the unpaid bills. The zero liability policy protects you. The most you’ll pay out is $50. But if you delay reporting the fraudulent activity, you’re screwed.

Thus, you must make time to just sit down and look over every charge on your statements, even if this means that the only time you have to do it is when you’re on the toilet. But you DO have time. You have time to read someone’s drivel on Facebook or something about Duchess Kate’s hair…you certainly have time to read your card statements every month.


Synthetic Identity Theft hard to detect

A criminal can do a lot with “only” your Social Security number, says a report from darkreading.com. Okay, so he doesn’t have the name that goes with the number. Big deal—he’ll just make one up to go with it! This is called synthetic identity theft.

And this crime has proven worthwhile for the crooks. Nowadays, there’s an increased risk for this crime, says a report by ID Analytics. This is because thieves exploit new SSN randomization practices, says Dr. Stephen Coggeshall, author of the report, and chief analytics and science officer for ID Analytics.

In 2011, the SS Administration began issuing the numbers randomly rather than by pattern to help protect against ID theft. This change has backfired because it trips up anti-fraud technology that’s supposed to spot when a number, that was issued a few years ago, is linked to a phony identity.

The implementation of chip-and-pin cards will fuel the risk and growth of synthetic ID theft. Chip-and-pin point-of-sale transactions will inspire ID theft specialists to figure out new fraud tactics. And they will. They always will. They’re not dumb.

The ID Analytics report says that this crime goes undetected for long stretches because there’s no specific consumer victim. Like, who’s Alekksandreya Puytwashrinjeku? Or, who’s John Smith? Alekksandreya will open up small accounts just to get some credit going under “her” name. The next step is to apply for a big loan—that will never be paid.

The long-term nature of undetection allows the criminal to generate increasingly larger credit limits when compared to the typical ID theft case, says Coggeshall.

As you can see, there’s no actual consumer victim, but instead, the victims are the banks, along with the companies that offer the products that are illegally obtained by the fraudsters. The U.S. government is also a victim. The report explains that over a time period of three years, nearly 1.4 percent of tax returns seemed to be synthetic, costing the government $20 million.

You don’t hear much, if at all, about synthetic ID theft, but the report also points out that a credit card issuer did an analysis and discovered that over a three year period, about two percent of the total application volume consisted of this type of crime.

Still, an identity that incorporates identity theft protection is less likely to be victimized and more secure. And synthetic identity theft can sometimes be detected by a protection service.


7 Things You Can Do To Protect Your Identity

One of my favorite commercials is a guy working out with his personal trainer. The trainer asks him if he’s been eating his vegetables every day. When he replies, “When I can,” the trainer bops him on the head. He could have had a V8!

Just like the man thought that eating his daily vegetables would be hard, sometimes protecting your identity seems like a chore. But it doesn’t have to be that way. Here are 7 “duh” steps you can take to protect your identity this holiday season and all year round.

  1. Inspect credit card statements. Make a habit of regularly looking through your credit card statements for strange looking activity. If you notice just one unauthorized charge, assume that someone out there will strike again, and again and again—unless you take immediate action and contact your credit card company.
  2. Shred documents with personal information. Thieves will rummage through your garbage and recycling searching for intact documents that show Social Security numbers, credit cards and bank account information, etc. The next best thing to a cross-cut shredder is scissors. Shear up anything that could be revealing, including credit card purchase receipts.
  3. Review your credit reports. At least once a year, review your credit reports from the three major bureaus. This way you’ll be able to spot any suspicious actions, such as a thief opening a credit card account in your name.
  4. Credit freeze. If you’ve been a victim of identity theft, you might want to consider putting a freeze on your credit. While this will prevent you from getting loans or credit cards until you unfreeze it, this will also block criminals from opening accounts in your name and smearing your credit.
  5. Limit accessibility. In addition to using a shredder or scissors, consider getting a safe where you can store sensitive documents and limit the number of credit cards you carry with you. Have a list of important phone numbers (e.g., bank, credit card companies) already made up, in the event that you need to contact them immediately upon realizing you have lost or someone has stolen your identity or your physical credit cards, wallet, etc. 
  6. Password protection. If your device is lost or stolen, will someone be able to simply pick it up and access all your data? They won’t if it is password protected. Don’t use your cat’s name as your password; rather create a complicated password with upper and lower-case letters and numbers.
  7. Use comprehensive security software. It is essential that all your digital devices have updated security software, like McAfee LiveSafe™ service that can safeguard your data and protect against identity theft.

For more tips on protecting your identity, check out the Intel Security Facebook page or follow them on Twitter.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Identity Theft of the Dead affects the Living

You don’t have to be living to have your identity stolen. Every year in America there are 2.5 million cases of ID theft involving the deceased. And while your first reaction might be “So what, I’ll be dead and I won’t care,” you need to keep in mind that identity theft of the dead often significantly affects the living. How can this be prevented or, at least, minimized?

Shut Down Social Media

Though it’s hard to do, closing down the decedent’s Facebook page will contribute to preventing ID theft.

Contact the Social Security Administration

This agency has a “death master file” of the SS numbers of deceased people that should be rendered inactive. This way a thief can’t use the number. Don’t wait for a funeral director to do this (though that’s their job); do it yourself for faster results.

Obits

When composing an obituary, people should post very little information. Crooks actually read these in search of a possible ID theft victim. The information to leave out includes names of survivors, complete addresses and professional history.

Receiving Bills

If a decedent’s identity has been hijacked, a survivor may begin receiving bills in that person’s name…and eventually, calls from collection agencies. “The problem isn’t so much financial — it’s emotional,” says Maria Cordeiro with the Chubb Group of Insurance Companies in an article from business-news.thestreet.com. You may have to be dragged through the pain of proving that your deceased loved-one is, in fact, no longer around.

How do you fix this problem?

  • Get all the needed documentation together, because you’ll need to send it out to any entity that requires it for proof.
  • Obtain a credit report prior to the person’s death. Of course, this works in cases of a diagnosed terminal condition versus accident. Once you have the person’s credit report, then six months after death, obtain another for comparison, says Cordeiro. The decedent’s name and SSN, six months later, should be in the death master file.
  • Do some credit monitoring. This is easier than obtaining a credit report for someone who’s dead.
  • Do a credit freeze. For a small fee, the credit report gets frozen shut, preventing a thief from opening a new account.


Security is Everyone’s responsibility

In the movies, the good guys always get the bad guys. In cyber reality, no such thing exists.

A survey of 5,000 IT security professionals turns up the following:

  • 63% doubt they can stop data breaches.
  • 69% think threats slip through the cracks of their security systems.
  • 57% believe their company lacks protection from advanced attacks.
  • 80% think their company’s leaders fail to connect the dots between a data breach and potential profit loss.

A survey of customers shows:

  • 59% are quite concerned about credit and debit card information theft.
  • 57% are very concerned about ID theft.
  • About 60% believe that a data breach involving their credit card or personal details would make them less likely to conduct business at a store or bank they usually use.

That last point leads to reputation smearing and loss of customer trust. But what about customer responsibility when it comes to security breaches? The “blame the customer” mentality seems more appropriate in the workplace when employees bring to work their own devices to assist in their jobs. This lets the data-breach cat out of the bag.

Though a significant percentage of employees have admitted (in surveys) to having a security problem with their device, a remarkably small percentage of these users felt compelled to report this to their boss. A very statistically significant number of employees who bring their devices to work haven’t even signed a formal contract that outlines security procedures. The bottom line is that taking security seriously is a rare find among employees who do the BYOD thing.

Another survey turned up an unsettling result: 76% of the 700+ consumers (who were affected by a breach) who were surveyed experienced stress from the event—but more than half didn’t even take steps to prevent ID theft afterwards.

Maybe this complacency can be in part explained by the fact that the losses from breaches are mostly absorbed by the companies involved.

The consumer, customer and employee need to step up to the plate and do their fair share of taking security measures seriously, rather than sitting back and letting businesses and banks take the entire burden.

It’s like getting attacked by a shark. Is the shark entirely to blame if the swimmer jumped into water near a sign that says “Beware of Sharks”? Then again, someone has to take the responsibility of putting the sign there in the first place…

All entities must pull together, stop finger pointing and accusing, and try to get a step ahead of the real villains.


What is Criminal Identity Theft?

Identity theft gets all kinds of buzz in the news. It’s not hard to see why—in 2012, over 16.6 million Americans were victims of identity theft. What most people don’t know is that identity theft is much more than just stealing your credit card number. In other posts, I discussed how thieves use your identity to get free healthcare or your child’s identity to apply for credit. Today, I want to introduce you to another kind of identity theft—criminal identity theft—where the criminal uses your identity to make you look like the criminal.

Criminal identity theft involves impersonation and it’s the worst kind of identity theft and the hardest to clean up. You don’t want to end up like Jason Bateman’s character Sandy Patterson, in the movie Identity Thief, where his identity was stolen and used by another individual and he finds out because he owes a bunch of money and has a warrant out for his arrest.

Basically, a thief takes over your identity and assumes it as his or her own. But instead of using your identity to access your bank account or apply for a credit card, the thief uses your identity to commit crimes and get off scot-free. How? They can give your personal information (like your name, identification number, or date of birth) to law enforcement officials during an investigation or an arrest. They could also use your information to create fake identification for themselves.

Criminal identity theft can lead to a very nasty headache for you. A thief could get caught for a traffic violation or a misdemeanor and sign the citation with your name. Then you get stuck paying those annoying fees and fines. If a thief uses your name when getting arrested for a crime, you could end up with a criminal record, which could affect your ability to get a job or buy property. Another case is when the thief commits a crime using your identity, and then a warrant is issued for your arrest.  But instead of looking for the criminal, they are looking for you—you could have a warrant out for your arrest and not even know it!

Criminal identity theft can have some pretty drastic consequences. Here are some ways to protect yourself from this dastardly form of identity theft:

  • Shred all sensitive documents. This can prevent thieves from getting their hands on your personal information.
  • Report missing identification cards. Most criminal identity thieves get your information from stealing your driver’s license or other personally identifiable information (PII) like Social Security numbers or identification cards. If you report a missing driver’s license, your state might flag your license number, and in the event that another driver is pulled over by law enforcement and presents your license as their own, they could be questioned for further information.
  • Get a background check on yourself. If you feel like someone may be impersonating you, get a background check done. This can be done via online services or by a private investigator.
  • Check State and National criminal databases. Search your name in criminal databases like the FBI’s National Crime Information Center (NCIC) database to see if you have a criminal record.

Stay safe!


2 Ways to Prevent Military Identity Theft

You’d think that servicemen and women would be better protected than civilians from identity theft, but their risk is higher, since their Social Security numbers are used so often and also abroad. In Iraq, it’s painted on their laundry bags!

Ohio wants to introduce a bill to stifle military ID theft.

When a military individual has damaged credit and accumulated debt, they are subjected to disciplinary action. ID theft can delay or cancel a military person’s deployment and lead to revocation of security clearances.

The FTC says that ID theft among service individuals is on the rise. Last year, 22,000 filed complaints of ID theft. In Ohio, this crime jumped 20 percent between 2012 and 2013.

The proposed Ohio bill would raise the penalties for ID theft against active-duty members and their spouses. The bill would also allow the victims to file civil actions against the thieves.

New Jersey is also considering a bill that would increase the penalty for ID theft of veterans. New York and Illinois have already passed stronger penalties. North Carolina bans the release of military discharge documents.

All along, the SSN was printed on a service member’s military ID card, which was used all over the place. In 2008, the Department of Defense began removing the numbers. In 2012, they implemented removal of the SSNs from the card barcodes. These changes won’t be completed till 2017.

What can military personnel do to protect against ID theft?

Two things that service members can do are get active duty alerts and security freezes, but it would be simpler to use these tools one at a time.

The active duty alert, which is free, is done one year at a time after contacting one credit bureau. You can remove this at any time.

The security freeze, once in place, is indefinite unless you decide to remove it. It requires contacting three credit bureaus and is free online to North Carolina residents.


3 Stupid Simple Tips to protect your Identity

For anyone who goes online, it’s impossible to hack-proof yourself, but not impossible to make a hacker’s job extremely difficult. Here are three things to almost hack-proof yourself.

Two-factor authentication. Imagine a hacker, who has your password, trying to get into your account upon learning he must enter a unique code that’s sent to your smartphone. He doesn’t have your smartphone. So he’s at a dead-end.

The two-factor authentication means you’ll get a text message containing a six-digit number that’s required to log into your account from someplace in public or elsewhere. This will surely make a hacker quickly give up. You should use banks and e-mail providers that offer two-factor. Two factor in various forms is available on Gmail, iCloud, PayPal, Twitter, Facebook and many other sites.

Don’t recycle passwords. If the service for one of your accounts gets hacked, the exposed passwords will end up in the hands of hackers, who will invariably try those passwords on other sites. If you use this same password for your banker, medical health plan and Facebook…that’s three more places your private information will be invaded.

And in line with this concept of never reusing passwords, don’t make your multiple passwords sound schemed (e.g., Corrie1979, Corry1979, Corree1979) for your various accounts, because a hacker’s penetration tools may figure them out.

Use a password manager. With a password manager, you’ll no longer be able to claim not being able to remember passwords or “figure out” how to create a strong password as excuses for having weak, highly crackable passwords. You’ll only need to know the master password. All of your other passwords will be encrypted, penetrable only with the master password.

A password manager will generate strong passwords for you as well as conduct an audit of your existing passwords.
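The kind of audit described above can catch both exact reuse and "schemed" variants like Corrie1979 / Corry1979 / Corree1979. This is an added example, not the code of any particular password manager; the similarity threshold is an assumption and the vault contents are constructed.

```python
from itertools import combinations


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def similarity(a, b):
    """1.0 for identical strings (ignoring case), falling towards 0.0."""
    a, b = a.casefold(), b.casefold()
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1 - edit_distance(a, b) / longest


def audit(vault, threshold=0.75):
    """vault maps site -> password. Returns (kind, site_a, site_b) findings;
    the passwords themselves never appear in the report."""
    findings = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(sorted(vault.items()), 2):
        if pw_a == pw_b:
            findings.append(("reused", site_a, site_b))
        elif similarity(pw_a, pw_b) >= threshold:  # threshold is an assumption
            findings.append(("schemed", site_a, site_b))
    return findings


# Constructed vault using the variants from the text plus one unrelated entry.
VAULT = {
    "bank": "Corrie1979",
    "health": "Corry1979",
    "social": "Corree1979",
    "forum": "Corrie1979",
    "mail": "t7#Vq9!mLx2pZ",
}

if __name__ == "__main__":
    for kind, site_a, site_b in audit(VAULT):
        print(f"{kind}: {site_a} and {site_b}")
```

Every pair among bank, health, social and forum is flagged, while the randomly generated mail password matches nothing.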
