Robert Siciliano Joins Identity Theft Resource Center Board of Directors

(San Diego, CA:  October 1, 2014) The Identity Theft Resource Center, a nationally recognized organization dedicated to the understanding of identity theft and related issues, announced today that Robert Siciliano, CEO of, will serve on its Board of Directors.  Siciliano, with more than 30 years of experience in this field, will bring his vast knowledge to the ITRC Board and will help to heighten awareness on current trends and pro-active measures consumers and victims can take to protect themselves.

ITRCThe ITRC, founded in 1999, is a non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft.  It is the on-going mission of the ITRC to assist victims, educate consumers, research identity theft and increase public and corporate awareness about this problem and related issues.

“The ITRC is the single most comprehensive resource for victims dealing with identity theft,” said Siciliano. “For the past 15 years victims have been coming to me for help and my immediate response is to point them right to ITRC. There isn’t another non-profit on the planet that has as much experience in dealing with this horrible crime,” Siciliano added.

As an identity theft expert and frequent speaker, Siciliano is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His “tell it like it is” style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace.

“Robert’s expansive expertise in the areas of data security and online safety will help the ITRC in serving the thousands of consumers who reach out to the ITRC call center year after year,” said Julie Fergerson, ITRC Board Chair.  “His research efforts in these areas have allowed him to forge ahead as a nationally renowned industry leader in identity theft, internet best practices and technological advances being made in this space every day,” Fergerson added.

About the ITRC

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization which provides victim assistance and consumer education through its toll-free call center, website and highly visible social media efforts. It is the mission of the ITRC to: provide best-in-class victim assistance at no charge to consumers throughout the United States; educate consumers, corporations, government agencies, and other organizations on best practices for fraud and identity theft detection, reduction and mitigation; and, serve as a relevant national resource on consumer issues related to cybersecurity, data breaches, social media, fraud, scams, and other issues.

Contact:  Cristy Koebler
Communications & Media Manager 
Identity Theft Resource Center|858-444-3287 (D)

Guarantee your Customers’ Identity Protection

The AllClear Guarantee is designed to protect a business owner’s customers from identity theft. Your customers are assured:

  • Six months of automatic protection once they complete their transaction. Each new purchase means extended coverage with any merchant who displays the Guarantee.
  • Protection wherever customers go. Customers are protected by the Guarantee beyond your site, no matter where they go or how ID theft happens.
  • If a customer’s ID is stolen, AllClear will fix everything: restoration of credit report, recovery of financial losses, etc.
  • Zero cost to customers. Participating merchants pay for the Guarantee.

These points are extremely important to the merchant. After all, according to Forrester (2012), 66% of customers are most worried about getting their identities stolen while they’re online. But what’s their greatest online concern? Edelman (2012) says that 90 percent of customers name sharing financial information online as being their greatest concern—as in, for example, using a credit card to make an online payment to a retailer.

How does guaranteed protection benefit the business owner?

  • Increased revenue. Your customers will have more confidence when they complete transactions and will feel more secure about giving accurate information.
  • Customer retention. When consumers feel safe online, they’re more likely to return time and again. The Guarantee will provide this secure feeling.
  • Reduced risk. You’ll be able to respond faster to a data breach, thanks to the Guarantee.

With the AllClear Guarantee, you won’t hope your clients are safe online; you’ll know they are.

  • Consumers should seek out websites that show the AllClear Guarantee
  • Every purchase gets automatic identity protection.
  • The Guarantee is covered by participating merchants.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

Introducing: 99 Things You Wish You Knew Before Your Identity Was Stolen

Yes, it’s a glorious day with the birth of my new book. I’ve spent 15 years in the trenches, reporting on all issues of personal security. Now I’ve taken what I know about protecting your identity and avoiding fraud and packed it all into 99 tips, a quick read of less than 35,000 words. Now you can also become an expert on how to protect yourself from these horrible crimes.

But I didn’t do it by myself. McAfee, the largest and most trusted name in digital security, helped me. Their teams of threat experts are constantly fighting off the bad guys, and I drew upon their vast experience and research.

In 99 Things You Wish You Knew Before Your Identity Was Stolen, I proactively demystify identity theft and computer fraud by presenting the relevant information surrounding these issues in the form of simple, bite-sized chunks, In order to make consumers, families, employees, and small businesses safer and more secure. Readers will learn the difference between scareware, ransomware and spyware. They’ll learn about the types of cybercriminals, such as black hats, crackers, script kiddies, and hacktivists. And most importantly, readers will learn how to protect their identities, both online and in the physical world.

As millions of consumers begin searching and shopping online during the holiday season, McAfee understands the necessity of spreading awareness of cybercriminals’ tactics and methods for protecting oneself from identity theft and online fraud.

So, from November 9th through the 15th, McAfee will be offering a complimentary PDF copy of my just-released book through Facebook. To get your free copy, click “like” on McAfee’s page.

After November 15th99 Things You Wish You Knew Before Your Identity Was Stolen will be available in print, ePub, and PDF, and can be found on Amazon, the Amazon Kindle, the Sony eBook Store, and from $5.99-$14.97.

Robert Siciliano is an Online Security Evangelist for McAfee. See him discuss identity theft on YouTube. (Disclosures)

Search Engine Doesn’t Need Kids SSN

When Google launched Doodle-4-Google, in which children can compete to design Google’s homepage logo, they requested contestants’ Social Security numbers in an effort to prevent duplicate entries.

Americans have become accustomed to handing over the last four digits of their Social Security number as a password or identifier for various accounts and applications. But with the development of new technologies that have cracked the code for the distribution of Social Security numbers, the last four digits have become as sensitive and valuable as the first five.

The coder or marketer at Google who believes it’s reasonable to request the last four digits of children’s Social Security numbers is probably someone who readily shares his or her own number, which is not a good idea.

Researchers at Carnegie Mellon University have developed a reliable method to predict Social Security numbers using information from social networking sites, data brokers, voter registration lists, online white pages, and the publicly available Social Security Administration’s Death Master File.

The New York Times reports, “Computer scientists and policy experts say that such seemingly innocuous bits of self-revelation can increasingly be collected and reassembled by computers to help create a picture of a person’s identity, sometimes down to the Social Security number… So far, this type of powerful data mining, which relies on sophisticated statistical correlations, is mostly in the realm of university researchers, not identity thieves and marketers.”

The primary issue here is new account fraud, or financial identity theft in which the victim’s personally identifiable information and good credit standing are used to create new accounts, which are then used to obtain products and services. Stolen Social Security numbers are often used to commit new account fraud.

Aside from subscribing to an identity theft protection service, it’s difficult to stop or prevent new account fraud. One way that online businesses can mitigate the issue would be to verify the reputation of the computer or smartphone being used to submit credit applications, rather than simply verifying the Social Security number or other identification information provided by credit applicants.

By evaluating a device for criminal history or high risk while its connected to the online site, creditors can automatically detect and reject fraudulent applications.  This worked very well for one Fortune 100 credit issuer.  A Forrester Consulting Total Economic Impact study found that the device reputation service provided by Oregon-based iovation Inc., identified 43,000 fraudulent credit applications and saved the financial institution $8 million USD over two years in reduced fraud losses and operational efficiencies that their fraud prevention process and team gained.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses child predators online on Fox News. Disclosures

Putting An End to Data Breaches As We Know Them

The AP reports “WikiLeaks’ release of secret government communications should serve as a warning to the nation’s biggest companies: You’re next.”

According to the Privacy Rights Clearinghouse’s Chronology of Data Breaches, more than 500 million sensitive records have been breached in the past five years. The Chronology of Data breaches lists specific examples of incidents in which personal data is compromised, lost, or stolen: “employees losing laptop computers, hackers downloading credit card numbers and sensitive personal data accidentally exposed online.”

WikiLeaks has been quite the news topic and for good reason. Data breaches cost in many ways. One cost is of course in the form or dollars. But when it is military secrets breached, that can cost lives.

It shouldn’t be this way.

The talk show pundits buzz that with the release of thousands of additional secret government documents, it leads to the conclusion that there is no way to protect sensitive data. If the government can’t even prevent a Private in the Army from stealing confidential data, what hope is there?

Nearly all WikiLeaks articles conclude that you have to tradeoff security with productivity, implying that content becomes unusable with higher levels of security in place. In this Associated Press article ‘Companies beware: The next big leak could be yours’, Jordan Robinson of the Associated Press, states:

“But the more companies control information, the more difficult it is for employees to access documents they are authorized to view. That lowers productivity and increases costs in the form of the additional help from technicians.”

This is true for traditional content security measures but ignores significant advances made by security company Zafesoft, whose solution does not require a change in user behavior or complex technical support to maintain. Companies that do a little research will find there is a way to protect their valuable information without compromising productivity and at a reasonable cost.

Robert Siciliano is a Personal Security and Identity Theft Expert. See him discussing another databreach on Good Morning America. (Disclosures)

The 12 Scams of Christmas and Other Attacks

Identity Thieves and Cybercriminals Take Advantage of the Holiday Season, Aiming to Steal Consumers’ Money, Identities and Financial Information. As cybercriminals begin to take advantage of the holiday season, be cautious.

Scam I: Charity Phishing Scams

Hackers take advantage of citizens’ generosity by sending e-mails that appear to be from legitimate charitable organizations.

Scam II: Fake Invoices from Delivery Services

Cybercriminals often send fake invoices and delivery notifications appearing to be from Fed Ex, UPS or the U.S. Customs Service.

Scam III: Social Networking Scams

Cybercriminals send authentic-looking “New Friend Request” e-mails from social networking sites.

Scam IV: Fake Holiday E-Cards

Cyber thieves cash in on consumers who send holiday e-cards in an effort to be environmentally conscious. Worms mask as Hallmark e-cards and more.

Scam V: “Luxury” Holiday Jewelry

Scam campaign that leads shoppers to malware-ridden sites offering “discounted” luxury gifts from brand names.

Scam VI: Practice Safe Holiday Shopping – Online Identity Theft on the Rise

Researchers predict online holiday sales will increase this year, as more bargain hunters turn to the Web for deals. While this is the season for giving, don’t give away your identity.  Cybercrooks promote fake gift card offers and other schemes with the goal of stealing consumers’ money and information, which is then sold to marketers or used for ID thefts.

Scam VII: Risky Holiday Searches

Hackers create fraudulent holiday-related websites for people searching for a holiday ringtone or wallpaper, Christmas carol lyrics or a festive screensaver.

Scam VIII: Job-Related E-mail Scams

Scammers are preying on desperate job-seekers with the promise of high-paying jobs and work-from-home moneymaking opportunities.

Scam IX: Auction Site Fraud

Buyers should beware of auction deals that appear too good to be true, because often times these purchases never reach their new owner.

Scam X: Password Stealing Scams

Thieves use low-cost tools to uncover a person’s password and send out malware to record keystrokes, called keylogging.

Scam XI: E-Mail Banking Scams

Cybercriminals trick consumers into divulging their bank details by sending official-looking e-mails from financial institutions.

Scam XII: Ransomware Scams

Hackers gain control of people’s computers then act as virtual kidnappers to hijack computer files and encrypt them, making them unreadable and inaccessible.

Protect yourself:

1.     Never Click on Links in E-Mails: Go directly to a company or charity’s website by typing in the address or using a search engine.

2.     Use Updated Security Software: Protect your computer from malware, spyware, viruses and other threats with updated security suites.

3.     Shop and Bank on Secure Networks: Only check bank accounts or shop online on secure networks at home or work, wired or wireless. Wi-Fi networks should always be password-protected.

4.     Use Different Passwords: Never use the same passwords for multiple online accounts. Diversify passwords and use a complex combination of letters, numbers and symbols.

5.     Use Common Sense: If you are ever in doubt that an offer or product is not legitimate, do not click on it.

6.     Get Identity Theft Protection: McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information and access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss how a person becomes an identity theft victim on (Disclosures)

What Security Issues Should You Worry About?

First thing I tell my seminar attendees is “The chances of anything bad ever happening to you is very slim. So don’t worry about. However you should still put these systems in place.”

Are you a helicopter parent? An “alarmist”? Or Chicken Little: The sky is falling, the sky is falling! I heard somewhere along the line that 90% of what we worry about never happens. It might be even closer to 99%. But there is still that one percent that concerns.

Deciding what to worry about may be a conscious or unconscious (or sub-conscious) decision.

Often what we worry about comes from what we see and are fed in the media. It is well known that the nightly news is built on the premise “If it bleeds it leads”. Blood and guts is what sells airtime and newspapers.

These worries when confronted are often dumbed down by statisticians, researchers, some security professionals, social psychologists and are called “baseless paranoid fears”. Books written in this regard are designed to give perspective. My feeling is they are written simply to sell a contrarian idea to stimulate conversation (and sell books) and in reality the author is no less of a “worrier” than anyone else.

Perspective is good. Too much “worry” can have ill health affects and significantly detract from quality of life.

My gripe with the “Don’t worry, it’s a 1 in 10 million chance” mentality is that it fosters the “It can’t happen to me” syndrome which prevents people from taking responsibility for their security in the first place.

If you knew the statistical probability of the chances of your kid being shot at school or your child being kidnapped or even being struck by lightning and all were “slim”, would you take any less precaution to protect yourself or your family?

Would you stand next to a metal pole in a lightning storm? Would you drive without a seatbelt? Would you allow your 7 year old who is perfectly capable of navigating their way to school go by themselves even though the chance of them being kidnapped is extremely slim?

For many of the issues we worry about the chances of them happening might be 1 in a 100,000 or 1 in 10 million. Your chances of something bad happening may equate to the same statistics as winning the lottery, which is very slim, but you still might play the number.

Does it really matter what the odds are?

Every day someone somewhere wins the lottery. Every day someone somewhere is a victim of a heinous crime.

Knowing what I know I’m concerned about it all and I take the necessary steps to prevent what’s in my control. Do I worry?  Well, a part of my life’s energy goes into putting measures in place to prevent “bad”. If being proactive and taking responsibility is “worry” then yes. And I feel safe, secure and grounded without any nagging “paranoid” angst that detracts from the quality of life.

What’s so wrong with that?

Robert Siciliano personal security expert to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover.

Botnets Turn Your PC into A Zombie

A botnet is a group of Internet-connected personal computers that have been infected by a malicious application, which allows a hacker to control the infected computers without alerting the computer owners. Since the infected PCs are controlled remotely by a single hacker, they are known as bots, robots, or zombies.

Consumers’ and small businesses’ lax security practices are giving scammers a base from which to launch attacks. Hackers use botnets to send spam and phishing emails, and to deliver viruses and other malware.

A botnet can consist of as few as ten PCs, or tens or hundreds of thousands. Millions of personal computers are potentially part of botnets.

Spain-based botnet Mariposa consisted of nearly 13 million zombie PCs in more than 190 countries. Further investigation determined that the botnet included PCs from more than half the Fortune 1000. This botnet’s sole purpose was to gather usernames and passwords for online banking and email services.

There are more than 70 varieties of malware, and while they all operate differently, most are designed to steal data. Mariposa’s technology was built on the “Butterfly” botnet kit, which is available online, and which does not require advanced hacking skills to operate.

The criminals in this operation ran the Mariposa botnet through anonymous virtual private network servers, making it difficult for law enforcement to trace back to the ringleaders.

The botnet problem persists. PCs that aren’t properly secured are at risk of being turned into zombies. Certain user behaviors can also invite attacks.

Surfing pornography websites increases your risk, as does frequenting gaming websites hosted in foreign countries. Downloading pirated content from P2P (peer-to-peer) websites is also risky. Remember, there is no honor among thieves.

Computers with old, outdated, or unsupported operating systems like Windows 95, 98, and 2000 are extremely vulnerable. Systems using old or outdated browsers such as IE 5, 6, or older versions of Firefox offer the path of least resistance.

To protect yourself, update your operating system to XP SP3 or Windows 7. Make sure to set your antivirus software to update automatically. Keep your critical security patches up-to-date by setting Windows Update to run automatically as well. And don’t engage in risky online activities that invite attacks.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses scammers and thieves on The Big Idea with Donnie Deutsch. Disclosures

Spear Phishers Know Your Name

“Spear phishing” refers to phishing scams that are directed at a specific target. Like when Tom Hanks was stranded on the island in the movie Cast Away. He whittled a spear and targeted specific fish, rather than dropping a line with bait and catching whatever came by. When phishing attacks are directed at company officers or senior executives, it’s called “whaling,” appropriately enough. I don’t know who sits around and coins this stuff but it makes analogical sense.

Spear phishers target their victims in a number of ways.

They may select a specific industry, target specific employees with a specific rank, and pull a ruse that has been successful in the past. For example, a spear phisher might choose a human resources employee whose information is available on the company website. The phisher could then create an email that seems to come from the company’s favorite charity, assuming this information is also available online, requesting that the targeted employee post a donation link on the company’s intranet. If the target falls for the scam, the scammer has now bypassed the company’s firewall. When employees click on the malicious link, the company’s servers will be infected and antivirus software may be overridden.

Lawyers are popular targets, since they are often responsible for holding funds in escrow. A spear phisher might contact a lawyer by name, leading him or her to believe that the scammer is an American businessperson who needs help moving money while overseas.

I was recently targeted in a spear phishing scam, one aimed specifically at professional speakers. The scammers requested that I present a program in England, and once my fee was agreed upon, I was asked to get a “work permit,” which costs $850.

People who are not be targeted based on their professions may be targeted based on their use of social media. Facebook, Twitter and LinkedIn are known playgrounds for spear phishers, who obtain users’ email addresses and create email templates that mimic those sent by the social networking website. Scammers may even weave in names of your contacts, making the ruse appear that much more legitimate.

Knowing how spear phishers operate allows you to understand how to avoid being phished. Never click on links within the body of an email, for any reason. Bypass the links and go directly to the website responsible for the message. Any unsolicited email should be suspect. If you manage employees, test their ability to recognize a phishing email, show them how they got hooked, and then test them again.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses phishing on NBC Boston. Disclosures

Identity Theft Part 2 – 5 More Identity Theft Myths Unveiled

#1 Publically available information is not valuable to an identity thief.

If I was an identity thief I’d start with the phone book. All information about you is of value to an identity thief. The bad guy gathers as much intelligence about you as possible. Once they get enough data to become you they are off and running. The breadcrumbs we leave behind and the information we post is all used to help them gather a complete profile.

#2 Shredding will protect me.

Shredding will keep some of your data out of the hands of a dumpster diver. But when your information is hacked because someone like your bank was hacked or your mortgage broker threw it away, you are vulnerable. While you should still shred, you should also invest in identity theft protection and a credit freeze.

#3 I don’t use the Internet, I pay in cash, my credit stinks, so I am safe.

Wrongo bongo. While you may not use the internet, others that have your information in their internet connected databases make it vulnerable. Using credit cards doesn’t mean your identity is at risk or using cash means you are any less at risk. Credit card fraud isn’t identity theft. It’s credit card fraud. Just call the credit cards issuing bank and refute the charges within 60 days and you are fine. Bad credit just means not all lenders will grant you credit. Everyone with a SSN, a pulse and even some who are dead are vulnerable.

#4 My privacy settings in social media sites are locked down, so I am safe.

Negative. The mere fact you are sharing personal identifying information of any kind with anyone online means you are at risk. Anyone who you are connected to is a potential leak, whether you know them or not. If you tell a secret to one person, you are vulnerable. If you tell it to 250 people, the secret is out. Never share information in social media that could be used to crack the code of a password reset.

#5 Shopping or banking online isn’t secure.

It all depends. More than likely the etailer or bank where you do business is more secure than your PC. It is often the consumer who is the path of least resistance to fraud. As long as your PC is secured with updated antivirus and spyware protection then you should be fine. Always look for httpS:// in the address bar. The “S” means it’s a more secure site.

Robert Siciliano personal security expert to Home Security Source presenting 20 slides on identity theft at 20 seconds each to the National Speakers Association. Disclosures.