Posts

Protecting Mail from Identity Theft

While criminal hackers are cracking databases and stealing millions of electronic records every year, street level identity thieves are a more insidious element of the identity theft epidemic. Thieves of this nature live in your neighborhood. In some parts of the country, local identity thieves tend to be meth heads.

Local identity thieves understand all too well that the money is in your mailbox. They simply open your mailbox and steal any mail that could provide an opportunity for identity theft.

Think about what comes in the mail. Bank, credit card, and financial statements. Utility, mobile phone, and membership statements. Pension, Social Security, and benefit statements. Employment, tax, and income statements. Checks, disbursements, and credit card offers.

These sensitive documents contain enough information for an identity thief to take over your existing accounts or open new accounts in your name. While some data is left off paper statements for privacy’s sake, they generally contain enough sensitive details for a thief to impersonate you over the phone in order to obtain even more details, enough to fill in the puzzle pieces of your identity.

Protect yourself by getting rid of paper statements. Electronic statements in your email inbox are eco-friendly and more manageable and secure than paper statements.

Get a mailbox with a lock. You can get a chain for under $60 at most hardware stores, which allows the carrier to put mail in the box but requires a key to get mail out.

Get a P.O. box. Any sensitive mail that I can’t receive digitally goes to my P.O. box. A P.O. box is locked, and the only one with access is the postal carrier.

If you go more than a few days without receiving new mail, it may be getting stolen, so call the post office.

Pay attention to the delivery dates of all bills. You should know when to expect recurring mailings, so you’ll notice if they don’t arrive on schedule.

Have yourself removed from the Direct Marketing Association’s lists. Eliminate all unnecessary solicitation to minimize mail that creates a risk.

Opt out of preapproved credit card offers. Go to OptOutPrescreen.com or call 1-888-5-OPT-OUT (1-888-567-8688) and get removed now.

McAfee Identity Protection includes proactive identity surveillance to monitor subscribers’ credit and personal information and access to live fraud resolution agents who can help subscribers work through the process of resolving identity theft issues. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing how a person becomes an identity theft victim on CounterIdentityTheft.com (Disclosures)

23% of Online Fraud is “Friendly”

Friendly fraud occurs when a customer makes an online purchase with a credit card and then, once the merchandise has arrived, calls the credit card company, claims never to have received the item, and requests a chargeback. The merchant has no way of proving the legitimacy of this card-not-present transaction, and is forced to refund the customer’s money.

According to a new study released by LexisNexis Risk Solutions, retailers lost more than $139 billion to fraud last year, with friendly fraud accounting for one fifth of those losses.

The problem for you, the consumer, is that banks and merchants tend not to believe identity theft victims, because friendly fraud complicates the reimbursement process. It’s not uncommon for victims to be required to sign affidavits and have them notarized.

Online merchants need a better system. Device reputation, offered by anti-fraud experts iovation, would be one step in the right direction. While a customer is placing an order, device identification technology recognizes and re-recognizes PCs, smartphones, or tablets used to access online businesses across the Internet. Then, device reputation technology determines whether or not the device being used has a history of fraud (including histories of friendly fraud) or if high risk is assessed at transaction time. When a particular transaction is reported as fraudulent, that information goes into a globally shared knowledge base and the fraudster’s device and its related accounts are flagged in order to prevent repeated attempts under new identities. This protects the merchant and honest consumers from billions of dollars in losses to fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Washington Man Steals Over 1000 Identities

While we often hear about international criminal hackers compromising databases and stealing credit card information, identity theft is often committed locally, by someone with access to sensitive paperwork.

In one such case, a suspected identity thief was recently arrested in Washington, after driver’s licenses, credit cards, and Social Security numbers were stolen from more than a thousand victims across the state.

Detectives believe the documents were stolen from cars and homes and used to open fraudulent bank accounts in victims’ names. Seized evidence includes bags of driver’s licenses, credit cards, credit card swipers, Social Security cards, and a list of thousands of names and Social Security numbers. It is difficult to estimate the total financial loss as the investigation is still underway, but so far the number is into the high thousands, and sure to increase.

According to court documents, the suspect admits being involved in identity theft in order to support his drug habit.

It is important to observe basic security precautions to protect your identity, like using a locked mailbox and checking your online statements often. But while you can store paperwork containing personal information in a locked safe and refrain from keeping sensitive documents in your car, there’s little you can do to ensure the safety of your personal information when it’s stored by corporations and government agencies.

Consumers should consider an identity theft protection product that offers daily credit monitoring, proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on their accounts. McAfee Identity Protection includes all these features, as well as immediate assistance from fraud resolution agents if your identity is ever compromised. For additional tips, visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him explain how a person becomes an identity theft victim on CounterIdentityTheft.com (Disclosures)

When a Good Guy Steals Your Identity

Chris Roberts is a hacker. But not a black hat hacker, like the bad guys you may associate with the term. He’s a white hat hacker, or an ethical hacker, and no, that isn’t an oxymoron. Chris is the kind of guy you definitely want on your team, because if he weren’t, he’d be your worst nightmare.

I had the opportunity to meet up with him at the McAfee Focus 2010 event. His appearance fits the hacker stereotype: he’s tall and lanky, with a Viking beard and, I’m pretty sure, some tattoos. And he carries around a bag of tricks that could probably take down the Pentagon. He’s got every sort of gadget that could be used to sniff, spy, and hack.

Companies hire Chris to determine what their weaknesses are, and how vulnerable they are to a potential attack.

NetworkWorld profiled Chris, and, in the article, he brought attention to the fact that many people assume they won’t be targeted by identity thieves because they don’t have money, or status, or even good credit:

“So many people look at themselves or the companies they work for and think… Why would somebody want something from me? I don’t have any money or anything anyone would want… While you may not, if I can assume your identity, you can pay my bills. Or I can commit crimes in your name. I always try to get people to understand that no matter who the heck you are, or who you represent, you have a value to a criminal.”

No kidding.

Your Social Security number, which represents your total identity, is always valuable to a criminal. Because our system lacks full accountability when it comes to identification, anyone can use your data to pose as you.

Until the day comes, if it ever does, that we are effectively identified and authenticated, we will always be vulnerable to imposter fraud and identity theft.

Identity theft can happen to anyone. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. McAfee Identity Protection puts victims first and provides live access to fraud resolution agents. For additional tips, visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss credit and debit card fraud on CNBC. (Disclosures)

Beware Of PC Remote Access Assistance Scams

Admittedly, I don’t know EVERYTHING about computers. I know enough to break them and enough to fix them most of the time. But, occasionally I need help.  Generally that help comes in the form of remote assistance from Dell, where I buy all my PCs.

With each PC I get the 3-year Dell warranty, so if something fails they replace it or will come in remotely and fix it. Just this week, my built-in webcam failed. Little bugger was working just fine, then, nothing. So I reinstalled the software, rebooted and still no webcam. My fear was the hardware failed so I called Dell.

Dell tech support agents always request the user log into a website and punch in a code, and then download a program that allows for them to come in and remotely access my PC to diagnose the issue. Every time this occurs I watch each move they make so I’m comfortable knowing they aren’t downloading or installing anything not approved to later access my PC. That said, I trust Dell and don’t think they’d do that, but it’s good security to watch.

The Windsor Star reports “police are warning people about a new scam to hit the area after criminals almost duped a man into handing over remote access to his computer, along with all his personal and financial information. The so-called technician started by telling the man his computer had sent an error message to Microsoft and he was calling to help him rectify the problem. The scammer told him to press “Windows Key + R” which opens the “Run” dialogue.”

Fortunately, the intended victim got suspicious and hung up.

In this process, if the victim moved forward, he would have inevitably downloaded a program and installed it on his PC that would have allowed the criminal the ability to come into the person’s PC any time he wanted.

Any time anyone emails or calls you with a ruse that your PC needs attention, just hang up or delete the email.

And as for my webcam? Dell’s tech went into my device manager and uninstalled the cam and went to Dell’s website and got an updated version of my cam’s software. Apparently, an update I did corrupted the camera’s software and the version I had was conflicting. I could have figured this out and it might have taken me another 30-90 minutes to do so. But one quick call to Dell and 10 minutes later it was done. Nice. Not all remote assistance is bad.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing home security and identity theft on TBS Movie and a Makeover.

Are Internet Cookies Good or Bad?

Neither; they are just part of how the Web works. The bigger question is whether the uses thereof are good or bad.

Microsoft, Google, and Firefox are implementing do-not-track features into their browsers, giving consumers the option to block cookies that may track their surfing for advertising purposes.

Most major websites now install cookies on your computer, which, over time, help develop a profile that serves as your digital fingerprint. This is why, after searching for a specific product, you may notice advertisements for that particular product or brand appearing on various other websites.

But not all cookies track you in order to sell you something. Many are there for security purposes. Merchant Risk Council considers “where the line is drawn between the proper and improper uses of this type of technology (protecting against online fraud vs. targeted online marketing).”

Several companies use cookies as well as other technologies, such as tokens, along with sophisticated and unique pattern matching that can only be derived from extensive and unique experiences with a shared reputation database, to identify and re-identify devices.

I don’t see any physical harm or identity theft ever happening as a result of this refined marketing or especially device identification, especially when it comes to techniques meant to watch your back and protect you.

With privacy watchdogs addressing this kind of advertising as a major concern, and the Obama administration now stepping in, we will surely see the implementation of some standards in this kind of marketing practice over the next few years.

The MRC wonders, “As this issue gets more play, and consumers become more aware of this technology, will there be any effect on “good customer” behavior by potentially scaring people away from online shopping?”

I doubt it. But right now, government, industry, and consumers need to understand the difference between good cookies and bad cookies, before rash decisions designed to give us slightly more privacy make us more vulnerable to fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Online Credit Applications Ripe For Fraud

We currently rely on easily counterfeited identification, and we transmit credit card applications using the phone, fax, Internet, or snail mail, all of which are relatively anonymous methods.

Fraudulent credit card applications are the most lucrative form of credit card fraud. Identity thieves love credit cards because they are the easiest accounts to open, and they allow thieves to quickly turn data into cash. Meanwhile, consumers don’t find out that credit cards have been opened in their names until they are denied credit or bill collectors start calling.

Identity thieves use any number of tricks to fool banks, retailers, and creditors into approving their online credit applications, extending credit that leaves the creditor on the line for losses.

It doesn’t need to be this way.

Instead of simply verifying the identification provided by fraudulent applicants, newer technologies allow creditors to verify the reputation of the computer or smartphone being used to submit the application. By instantly evaluating a device’s history for criminal activity, creditors can prevent fraudulent transactions.

“In addition to telling businesses that a single device has been involved in fraud, iovation can also determine if that device is associated with bad activity through its associations,” said Jon Karl, VP of Corporate Development for iovation. “Beyond fingerprinting and reputation, we provide our clients with early warnings about devices visiting their website in real-time, based on the behavior of devices and accounts associated with that device.”

Device fingerprinting and device reputation analysis help identify bad guys during the application process, allowing creditors to avoid more expensive solutions.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosure)

Lost or Stolen Mobile Can Lead to Identity Theft

We lose stuff. You put something down, you get distracted, you forget about it and it’s gone. Stuff falls out of pockets and bags all the time. I’m one of those people that’s so smart, I’m stupid and absent-minded when it comes to my stuff. Where’s my wallet, where are my keys, where’s my phone? After 40+ years I have a system of where I put my stuff, but it’s far from perfect.

At Oktoberfest many smart stupid people lost stuff including 410 wallets, 4 wedding rings, 1 toaster, 1 set of dentures, 1 prosthetic leg and 320 mobile phones. I could easily be a one legged, toothless, ringless mess who lost his mobile and wallet.

That’d be me hoppin around trying to make a call worried if my wife would be more upset I lost my leg or ring. NO MORE OKTOBERFEST FOR YOU!

While wallets are problematic, phones are the biggest issue here. Number of phones left in taxis every 6 months = 3 per taxi. Number of phones stolen in London alone = 120,000 a year!!!

Your phones transmit almost 17 billion texts per day, then 52% of us store passwords on our phones, 87.5 million of us bank on our phones and I bet even more of us have naked pictures on there… of our pets.

Much of this loser-ness can lead to identity theft if that mobile falls into the wrong hands.

So what are your options for protecting your digital life extension?

Invest in a service that locates, locks, wipes and when you get a new phone, restores your data.

McAfee WaveSecure will:

– Remotely lock down your device. Wipe out important data stored on your mobile to protect your privacy.

– Back up your data from your phone or remotely on the web. Access your data online from anywhere. Restore your data to a new phone.

– Locate your lost phone and plot the locations on a map. Track SIM cards inserted and phone calls made to help get your lost phone back.

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)

Identity Theft Strikes Local Couple – Again

When someone works under your name, it can cause lots of headaches and sometimes results in financial loss. One common loss is the time lost in clearing up the employment fraud, and as we know, time is money.

Lancasteronline.com reports that when a couple applied for public assistance at a local government office, they discovered that someone had used their personal information to obtain a job in Ohio. In fact, their personal info, including Social Security Number (SSN), had been used several times between 2003 and 2009 to collect paychecks from various companies in Connecticut, New Jersey and Minnesota.

Why would someone work under your identity instead of their own? They may use your SSN and identity for any number of reasons: running from the law, evading taxes, or seeking a job as an illegal immigrant.

The Social Security Number currently serves as our national identification card – even though it’s not supposed to be used for identification. A 1998 NY Times article states: WASHINGTON— For many years, Social Security cards carried an admonition that they were to be used “for Social Security and tax purposes — not for identification.” That assurance rings hollow today. Congress has authorized so many uses of the nine-digit number, and Americans use it for so many unauthorized purposes, that it has just about become a national identifier.

Today your social security number is connected to everything.

Identity theft protection will not prevent employment fraud. However, having a fraud resolution agent assist in identity theft restoration is an invaluable asset. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)

Survey Shows “Account Takeover Fraud” Drops

Account takeover happens when your existing bank or credit card accounts are infiltrated and money is siphoned out. A hacked account or stolen credit card is often to blame.

The drop in account takeover may be due in part to a few different things.

Fewer breaches. There was a drop in data breaches from 221 million records in 604 breaches during 2009 to 26 million records breached in 404 reported breaches during 2010. Criminal hacker Albert Gonzalez and his gang were responsible for many of those hacked records and he and many of his cohorts are now in jail.

PCI standards. All those responsible for accepting credit cards are now under strict Payment Card Industry Standards rules and regulations that require a level of security that took about 5 years to implement. Today many of those merchants are doing a much better job of protecting data.

Device reputation management. Technology that checks an Internet transaction by looking at the PC, smartphone or tablet to see if it has a history of bad behavior or is high risk based on device characteristics and behavior. iovation is one such company that has blocked 35 million fraudulent transactions of this sort just last year.

Javelin reports “When examining account takeover trends, the two most popular tactics for fraudsters were adding their name as a registered user on an account or changing the physical address of the account. In 2010, changing the physical address became the most popular method, with 44 percent of account takeover incidents conducted this way.”

If device reputation were integrated at the “profile update / account update” website integration point, a flag would go up when:

– Too many devices are accessing the account (the business has a predetermined threshold)

– Too many countries are accessing the account (Ex: a United States account is being accessed from Ghana)

– A non-allowed country accesses the account (Your United States-only dating site just had devices from Russia and Romania trying to get into accounts, but it’s blocked automatically with customized business rules.)
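
The three flags above, plus the shared fraud-report lookup described earlier in these posts, written as detection logic replayed over constructed access events (an added example, not iovation's code or API). The event fields, threshold values, rule names and sample data are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    account: str
    device_id: str  # opaque ID from a device-identification service (assumed)
    country: str    # ISO 3166-1 alpha-2 code from IP geolocation (assumed)
    action: str     # "login" or "profile_update"


@dataclass(frozen=True)
class Policy:
    # Hypothetical business-rule values; each business sets its own thresholds.
    max_devices: int = 3
    max_countries: int = 1
    allowed_countries: frozenset = frozenset({"US"})


def review_updates(events, policy=Policy(), reported_devices=frozenset()):
    """Replay events in order and return (event, reasons) for every
    profile update that trips at least one rule."""
    devices = defaultdict(set)    # account -> device IDs seen so far
    countries = defaultdict(set)  # account -> countries seen so far
    flagged = []
    for ev in events:
        devices[ev.account].add(ev.device_id)
        countries[ev.account].add(ev.country)
        if ev.action != "profile_update":
            continue  # rules are evaluated only at the account-update point
        reasons = []
        if len(devices[ev.account]) > policy.max_devices:
            reasons.append("too_many_devices")
        if len(countries[ev.account]) > policy.max_countries:
            reasons.append("too_many_countries")
        if ev.country not in policy.allowed_countries:
            reasons.append("non_allowed_country")
        if ev.device_id in reported_devices:
            reasons.append("device_reported_for_fraud")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample data: three accounts on a hypothetical US-only site.
SAMPLE_EVENTS = [
    AccessEvent("alice", "dev-a1", "US", "login"),
    AccessEvent("alice", "dev-a1", "US", "profile_update"),  # owner, usual device
    AccessEvent("bob", "dev-b1", "US", "login"),
    AccessEvent("bob", "dev-x9", "GH", "login"),
    AccessEvent("bob", "dev-x9", "GH", "profile_update"),    # address change from Ghana
    AccessEvent("carol", "dev-c1", "US", "login"),
    AccessEvent("carol", "dev-c2", "US", "login"),
    AccessEvent("carol", "dev-c3", "US", "login"),
    AccessEvent("carol", "dev-c4", "US", "profile_update"),  # fourth device on the account
]
# Constructed stand-in for devices already reported to a shared knowledge base.
SAMPLE_REPORTED = frozenset({"dev-c4"})

if __name__ == "__main__":
    for ev, reasons in review_updates(SAMPLE_EVENTS, reported_devices=SAMPLE_REPORTED):
        print(ev.account, ev.device_id, ev.country, ", ".join(reasons))
```
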

It’s no secret that it’s often a few bad apples that upset the bunch. Here’s where the 90/10 rule applies. 90% of people are honest whereas maybe 10% aren’t. And it’s the 10% that do 90% of the stealing.  Device reputation knows who is good and who isn’t. Identity thieves are stopped cold and can’t use the hacked data to commit fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)