Posts

Hacking Humans: How Cybercriminals Trick Their Victims

Intel Security has compiled a list of the top ways cybercriminals play with the minds of their targeted victims. And the chief way that the cybercriminals do this is via phishing scams—that are designed to take your money.

The fact that two-thirds of all the emails out there on this planet are phishy tells me that there’s a heck of a lot of people out there who are easily duped into giving over their money. I’m riled because many of these emails (we all get them) scream “SCAM!” because their subject lines are so ridiculous, not to mention the story of some befallen prince that’s in the message.

I bet there’s a dozen phishing emails sitting in your junk folder right now. Unfortunately, a lot of these scam emails find their way into your inbox as well.

McAfee Labs™ has declared that there’s over 30 million URLs that may be of a malicious nature. Malicious websites are often associated with scammy emails: the email message lures you into clicking on a link to the phony website.

Clicking on the link may download a virus, or, it may take you to a phony website that’s made to look legitimate. And then on this phony site, you input sensitive information like your credit card number and password because you think the site really IS your bank’s site, or some other service that you have an account with.

6 ways hackers get inside your head:

  1. Threatening you to comply…or else. The “else” often being deactivation of your account (which the scammer has no idea you have, but he sent out so many emails with this threat that he knows that the law of numbers means he’ll snare some of you in his trap).
  2. Getting you to agree to do something because the hacker knows that in general, most people want to live up to their word. That “something,” of course, is some kind of computer task that will compromise security—totally unknown to you, of course.
  3. Pretending to be someone in authority. This could be the company CEO, the IRS or the manager of your bank.
  4. Providing you with something so that you feel obligated to return the favor.
  5. “If everyone else does it, it’s okay.” Hackers apply this concept by making a phishing email appear as if it’s gone out to other people in your circle of friends or acquaintances.
  6. Playing on your emotions to get you to like the crook. A skilled fraudster will use wit and charm, information from your social profiles, or even a phony picture he took off of a photo gallery of professional models to win your trust.

To prevent human hacking via phishing scams, you need to be aware of them: aware of the scams, ruses and motivations. Then simply hit delete. Whenever in doubt, pick up the phone and call the sender to confirm the email is legit.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

Stolen Social Security number? Don’t Worry!

Just when you thought it was safe to believe your Social Security number can’t get stolen…news breaks of the Anthem data breach. Over 80,000,000 patient records were compromised, including SSNs and home addresses. Like a meteor striking the earth, a disastrous ripple effect is underway, with patients getting hit up with phishing e-mails.

If you ever suspect your SSN has been stolen, some suggest contacting the IRS and Social Security Administration and notifying them of your situation. The thief can do bad things with your number, but if you contact these agencies, can you really protect yourself from that? I’m not sure these agencies can really do anything based on the volume of fraud happening today.

So what should you do to guard against ID theft while you’re still ahead?

Your credit report should have a fraud alert placed on it. This way, lenders and creditors will be stricter about identifying you as the authentic applicant. Thus, a thief will probably flunk these extra steps. Contact either Equifax, Experian or TransUnion and they’ll place the 90-day fraud alert. You can also ask for an extension. Consider re-establishing the fraud alert every 90 days. The fraud alert will net you a copy of your credit report. Examine it carefully.

Watch your credit like a hawk. If nothing happens during those 90 days, this doesn’t mean you’re in the clear. A thief may act after 90 days, or, just as a baseline good practice, you should still always monitor your credit. Self-monitoring your credit involves either buying your credit report as often as you’d like or getting it free, quarterly at AnnualCreditReport.com.

Credit freeze. A more secure measure is to freeze your credit, but this means you too can’t do anything like apply for a refinance on your house until it’s “thawed”. But if you don’t foresee needing to do that or open new lines of credit in the near future, then you’ll get more peace of mind with a credit freeze.

If an unforeseen need to apply for a loan surfaces, you can unfreeze your credit. Just keep good notes regarding the user/pass and web address to quickly thaw your credit. A credit freeze/thaw requires a one-time fee of $5-$15.00. Cheap and effective.

Identity theft protection. This is a no-brainer. For $100-$300 annually for an individual or family of 4, your identity is being monitored 24/7 by professionals who will also restore your identity in the event of loss. Check each company’s Terms of Service and its features/benefits to determine what they will and will not protect against.

Be smart. Though some hackers are amazingly ingenious and subtle with their schemes, other tricks are so obvious that it’s astounding that anyone who’s smart enough to use a computer could fall for them.

A college degreed professional can be so caught up in the latest trash or tragic news about a very high profile celebrity that they could be lured right into the palm of a ruthless scammer: The bait is a link to an exclusive interview with the celebrity’s mother. Hah! Click the link, and you’ll become the mouse in a trap.

  • Never click links inside e-mails, even if the sender seems to be someone you know.
  • Don’t even bother opening e-mails with sensationalistic subject lines like “Exclusive Video of Bruce Jenner in Mini Skirt.”
  • When using various online accounts, see if they offer two-factor authentication; then use it.
  • Use different passwords for all of your accounts, and make them long and unique, not “123Kitty.”
  • Use antivirus and anti-malware and keep them updated; also use a firewall.
  • Shred all personal documents before putting them in the rubbish.

Never give out your SSN except for job applications, loan applications, credit card applications and other “big stuff.”

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

Victim overcomes Identity Theft with Art

Does your wallet contain enough information about you for someone to steal your identity and commit crimes under your name? That’s what happened to Jessamyn Lovell when Erin Hart stole her wallet in 2011.

Hart shoplifted, checked into hotels and rented cars in Lovell’s name. Of all the nerve.

Lovell tracked Hart down and documented this in “Dear Erin Hart,” a photo project. Lovell couldn’t find the heartless Hart on her own, so she hired a private investigator. Turns out Hart was sitting in jail on numerous charges. Hart served eight months and upon exiting the city lockup, was photographed by Lovell.

That was just the start of stalking Hart. Lovell, the PI and two of his assistants followed the thief around all day, taking pictures of her doing ordinary things like buying cigarettes and shopping at a thrift store. The trail disintegrated after she entered an alley.

Lovell had a chance to confront Hart, but opted not to, concerned that it could turn ugly. But the several thousand dollars that this 2013 venture cost Lovell was worth it.

The following year Lovell, with the PI’s help, found Hart again. And in September 2014, Lovell opened her show at SF Camerawork—the very location of the wallet theft. Lovell is writing a book and hopes to have it out in March this year.

Lovell has also gone as far as sending an e-mail to Hart (via her probation officer), asking for Hart to respond, but Hart has not.

“I just wanted her to know that she impacted a real person,” Lovell says in an article on wired.com.

Lovell actually feels some degree of connection with her identity thief because she grew up poor and figures that Hart is hard up for money (though Hart certainly didn’t need to waste what little money she had on cigarettes). Nevertheless, she has no desire to try to make friends with Hart.


Mobile Apps Failing Security Tests

It’s been said that there are over a million different apps for the smartphone. Well, however many may exist, know that not all of them are passing security tests with flying colors.

You may already be a user of at least several of the 25 most downloaded apps. And what’s so special about the top 25? 18 of them flunked a security test that was given by McAfee Labs™ this past January. And they flunked the test four months after their developers had been notified of these vulnerabilities.

App creators’ first priority is to produce the next winning app before their competitors do. Hence, how secure it is doesn’t top the priority list, and that’s why there’s such a pervasive problem with security in the mobile app world.

Because these apps failed to set up secure connections, this opens the door for cybercriminals to snatch your personal information such as credit card numbers and passwords. And this is growing because this weakness in apps is so well known and it’s pretty easy for cybercriminals to purchase toolkits that help them infect smartphones via these vulnerable apps.

The technique is called a “man in the middle” attack. The “man” stands between you and the hacker, seizing your personal information. The “man” may capture your usernames and passwords for social media accounts and so much more—enough to open up a credit card account in your name and then max it out (guess who will get the bills); and enough to commit a lot of damage by manipulating your Facebook account.

So What Can You Do?

Here are some tips to help you protect yourself from these insecure apps:

  • Before purchasing an app, get familiar with its security features: read reviews and check which permissions the app asks for. You don’t want to end up with an app that accesses way more information about you than necessary for what you want the app for in the first place.
  • Download only from reputable app stores, not third-party vendors. This will reduce your chance of downloading a malicious app.
  • Don’t have your apps set to auto login. Even though it may be a pain when you want to access Facebook, it’s better to be safe than sorry.
  • Make sure you use different passwords for each of your apps. Sorry, I know that’s a hassle, but that’s what you must do. And make sure your password is long and strong.

Here’s to staying safe on our mobile devices.


Credit Card Fraud isn’t the same as Identity Theft

Just as important as taking down the decorations, throwing out all the debris from opened gifts and getting the house back in order after the holiday activities, is that of scrutinizing your credit card statements.

Why? To make sure that all the purchases on there were made by you and only you. The holiday season means more credit card use = more identity theft. In this case, it’s “account takeover.”

The crook gets your credit (or debit) card information in one of several ways: digging through trash to get credit card information; tampering with ATMs; hacking; and perhaps the thief is the person you handed the card to when paying for your restaurant meal.

Yet another way the thief could get you is to obtain a new credit card line using your name, address and Social Security number. He maxes out his new card and doesn’t pay the bill. One day you get a call from a collection agency, along with knowledge that your credit has been ruined. This is called “new account fraud.”

Account takeover can be discovered via unauthorized charges on your statements, or the thief’s spending habits may alert the company (via its anomaly detection software) to something suspicious, such as a lot of spending halfway across the globe one hour after you purchased something in your home town.
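Here is what that kind of anomaly check can look like in practice. This is an added example, not code from this post or from any card issuer: it flags back-to-back in-person purchases on one card that are too far apart to be made by the same cardholder. The speed and distance thresholds, card IDs, merchants, coordinates and times are all constructed assumptions.

```python
"""Impossible-travel check on card-present transactions (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: about airliner cruising speed
MIN_DISTANCE_KM = 50.0      # assumption: ignore hops inside one metro area


@dataclass(frozen=True)
class Txn:
    card_id: str
    when: datetime          # timezone-aware, UTC
    lat: float              # terminal location, degrees
    lon: float
    merchant: str
    card_present: bool = True


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(txns, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return (previous, current, km, kmh) for each consecutive pair of
    card-present transactions that no cardholder could physically make."""
    alerts = []
    last_seen = {}
    for txn in sorted(txns, key=lambda t: (t.card_id, t.when)):
        if not txn.card_present:
            continue  # online purchases say nothing about where the card is
        prev = last_seen.get(txn.card_id)
        last_seen[txn.card_id] = txn
        if prev is None:
            continue
        km = haversine_km(prev.lat, prev.lon, txn.lat, txn.lon)
        if km < min_km:
            continue
        hours = (txn.when - prev.when).total_seconds() / 3600
        kmh = float("inf") if hours <= 0 else km / hours
        if kmh > max_kmh:
            alerts.append((prev, txn, km, kmh))
    return alerts


def _utc(hour, minute=0):
    return datetime(2015, 1, 5, hour, minute, tzinfo=timezone.utc)


# Constructed sample data: card IDs, merchants and times are made up.
SAMPLE = [
    Txn("card-A", _utc(12, 0), 42.3601, -71.0589, "Boston grocery"),
    Txn("card-A", _utc(12, 30), 47.6062, -122.3321, "Web store", card_present=False),
    Txn("card-A", _utc(13, 0), 1.3521, 103.8198, "Singapore electronics"),
    Txn("card-B", _utc(8, 0), 42.3601, -71.0589, "Boston cafe"),
    Txn("card-B", _utc(14, 0), 41.8781, -87.6298, "Chicago hotel"),
]

if __name__ == "__main__":
    for prev, cur, km, kmh in impossible_travel(SAMPLE):
        print(f"{cur.card_id}: {prev.merchant} -> {cur.merchant}, "
              f"{km:,.0f} km in {cur.when - prev.when} ({kmh:,.0f} km/h)")
```

Only card-A is flagged: a Boston-to-Chicago trip in six hours is an ordinary flight, and the online purchase is skipped because it says nothing about where the physical card is.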

You have 60 days to report suspicious activity to save yourself from paying the unpaid bills. The zero liability policy protects you. The most you’ll pay out is $50. But if you delay reporting the fraudulent activity, you’re screwed.

Thus, you must make time to just sit down and look over every charge on your statements, even if this means that the only time you have to do it is when you’re on the toilet. But you DO have time. You have time to read someone’s drivel on Facebook or something about Duchess Kate’s hair…you certainly have time to read your card statements every month.


Background Checks aren’t as easy as you’d think

With seemingly more and more people being harassed, stalked and getting their identities stolen, the rate of background check requests (e.g., a small business owner hiring a private investigator) has increased quite a bit.

The background check is no longer some snoopy kind of thing for extra-curious people; it’s become a necessary tool in a world fraught with frivolous lawsuits but also cybercrime and identity theft. For example, if the “furnace guy” rapes and murders the homeowner, his company would be held accountable. We hear of cases like this all the time—another example would be a bus driver fondling a student. The bus company is held liable.

It’s a no-brainer that background checks should be conducted for people ranging from school officials, nannies and cafeteria workers to home health aides…you name it: all adult employees and volunteers. If you own a business, you’ll never regret getting a background check on your employees.

As crucial as this practice is, however, it’s full of land mines. But don’t let that stop you from acquiring a professional-grade background check to screen for criminality.

First off, the subject’s identity must be validated. But even if you have the correct name, the subject’s birthdate must also be correct. Usually, a photo ID will suffice. But when it’s not available, there are other methods. To see if the subject’s claimed name and DOB match, their driving record is pulled via the state DMV. But there again, we have a loophole: How do you know that the given name and DOB that pop up in the DMV results belong to the subject?

A background check requires the SSN. When the SSN is run through, it will bring up a history of names and addresses, plus previous residential locations of the subject. We now can zero in on various locations to narrow down the investigation. If any aliases pop up, these too must be checked.

The third stop is the court record check in all the counties where the subject has resided in the past decade. The court’s website should have this information. However, it can also be obtained in person at the courthouse. The investigation will also include the federal court level.

The general criminal check comes next, and is often called a “nationwide” criminal check. It’s not 100 percent accurate but will turn up criminal history if, indeed, the subject is a crook. In addition, the state prison records need to be checked to see if the subject has served some time.

But zero results here don’t mean that the subject was never incarcerated, due to flaws in the search system. On the other hand, if a red flag appears, the investigator will know to dig deeper. To aid with this, the investigator should do an online search on the federal prison site.

The sex offender history is even tougher. Unfortunately in some states, a sex offender history can’t be used to refuse employment to someone. But this doesn’t mean that the investigator can’t investigate, including going straight to the affiliated court and then turning this information over to the individual wanting the background check. Sex offender checks usually turn up empty, but they should always be done.

The investigator should also search for arrest reports, but there’s no guarantee that the unveiled information can be legally presented to the client who hired the investigator.

And finally, is the subject wanted by the police? Historically, PIs were not privy to this information (it was available only to law enforcement). But fairly recently, PIs can now get ahold of this information, though the search process has flaws. Nevertheless, it should be done, especially since the fee is low.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention. Disclosures.

Synthetic Identity Theft hard to detect

A criminal can do a lot with “only” your Social Security number, says a report from darkreading.com. Okay, so he doesn’t have the name that goes with the number. Big deal—he’ll just make one up to go with it! This is called synthetic identity theft.

And this crime has proven worthwhile for the crooks. Nowadays, there’s an increased risk for this crime, says a report by ID Analytics. This is because thieves exploit new SSN randomization practices, says Dr. Stephen Coggeshall, author of the report, and chief analytics and science officer for ID Analytics.

In 2011, the Social Security Administration began issuing the numbers randomly rather than by pattern to help protect against ID theft. This change has backfired because it trips up anti-fraud technology that’s supposed to spot when a number that was issued a few years ago is linked to a phony identity.

The implementation of chip-and-pin cards will fuel the risk and growth of synthetic ID theft. Chip-and-pin point-of-sale transactions will inspire ID theft specialists to figure out new fraud tactics. And they will. They always will. They’re not dumb.

The ID Analytics report says that this crime goes undetected for long stretches because there’s no specific consumer victim. Like, who’s Alekksandreya Puytwashrinjeku? Or, who’s John Smith? Alekksandreya will open up small accounts just to get some credit going under “her” name. The next step is to apply for a big loan—that will never be paid.

The long-term nature of undetection allows the criminal to generate increasingly larger credit limits when compared to the typical ID theft case, says Coggeshall.

As you can see, there’s no actual consumer victim, but instead, the victims are the banks, along with the companies that offer the products that are illegally obtained by the fraudsters. The U.S. government is also a victim. The report explains that over a time period of three years, nearly 1.4 percent of tax returns seemed to be synthetic, costing the government $20 million.

You don’t hear much, if at all, about synthetic ID theft, but the report also points out that a credit card issuer did an analysis and discovered that over a three year period, about two percent of the total application volume consisted of this type of crime.

Still, an identity covered by identity theft protection is less likely to be victimized and is more secure. And synthetic identity theft can sometimes be detected by a protection service.


Social Media Identity Theft leads to Arrest

Are you one who believes you’re too smart, too savvy, to get your identity stolen in the social media world? Nobody thinks this will happen to them, and Stephanie Francis, 24, was no exception to that way of thinking.

A report from firstcoastnews.com says that the Jacksonville, Florida woman claims her identity was stolen (on social media, of all places) and that the thief used it to create a phony Facebook account. This is interesting because there’s probably a ton of Facebook accounts under the name of “Stephanie Francis.” But there’s more to a fake Facebook account than using a name that a lot of other users have.

Francis says she’s being charged with a crime and wants to know how she can protect herself. As just mentioned, there’s more to this than just a duplicate of a common name. Francis explains in the article, “Someone created a Facebook with my name and picture on it and has been stalking my ex-boyfriend.”

This is just too easy to do: Find an online picture of the person, for instance, who bullied you in high school (it could be from an article announcing their promotion at a company, who knows?), then sign up on Facebook using that person’s name and photo for the profile page. How easy is that? And if you do anything illegal like stalk the bully’s ex-wife, the authorities will blame the bully! Social media is a magnet for cybercrime.

Francis has been charged with cyber stalking. She’s contacted Facebook and law enforcement, and the case has now gone to court. How did the imposter learn of her ex-boyfriend? Is this detail of Francis’s life in her social media posts? Maybe the imposter is a coworker and overheard her tell someone about the ex-boyfriend.

This case teaches you not only to be careful about what you post online, but also to be careful about whom you share the details of your life with in person: how loudly you talk, and who might be nearby to overhear.

Francis has created a Facebook account under a different name and faces another trip to court to try to resolve the situation.

Perhaps this mess could have been prevented:

  • Create a super strong password that would take a hacker’s machine two million years to crack.
  • Think! Think! Think before you post on social media!
  • Make your FB account as private as possible.
  • Seek out your likeness on social media, and the moment you discover an imposter, report it.


7 Things You Can Do To Protect Your Identity

One of my favorite commercials is a guy working out with his personal trainer. The trainer asks him if he’s been eating his vegetables every day. When he replies, “When I can,” the trainer bops him on the head. He could have had a V8!

Just like the man thought that eating his daily vegetables would be hard, sometimes protecting your identity seems like a chore. But it doesn’t have to be that way. Here are 7 “duh” steps you can take to protect your identity this holiday season and all year round.

  1. Inspect credit card statements. Make a habit of regularly looking through your credit card statements for strange looking activity. If you notice just one unauthorized charge, assume that someone out there will strike again, and again and again—unless you take immediate action and contact your credit card company.
  2. Shred documents with personal information. Thieves will rummage through your garbage and recycling searching for intact documents that show Social Security numbers, credit cards and bank account information, etc. The next best thing to a cross-cut shredder is scissors. Shear up anything that could be revealing, including credit card purchase receipts.
  3. Review your credit reports. At least once a year, review your credit reports from the three major bureaus. This way you’ll be able to spot any suspicious actions, such as a thief opening a credit card account in your name.
  4. Credit freeze. If you’ve been a victim of identity theft, you might want to consider putting a freeze on your credit. While this will prevent you from getting loans or credit cards until you unfreeze it, this will also block criminals from opening accounts in your name and smearing your credit.
  5. Limit accessibility. In addition to using a shredder or scissors, consider getting a safe where you can store sensitive documents and limit the number of credit cards you carry with you. Have a list of important phone numbers (e.g., bank, credit card companies) already made up, in the event that you need to contact them immediately upon realizing you have lost or someone has stolen your identity or your physical credit cards, wallet, etc. 
  6. Password protection. If your device is lost or stolen, will someone be able to simply pick it up and access all your data? They won’t if it is password protected. Don’t use your cat’s name as your password; rather create a complicated password with upper and lower-case letters and numbers.
  7. Use comprehensive security software. It is essential that all your digital devices have updated security software, like McAfee LiveSafe™ service that can safeguard your data and protect against identity theft.

For more tips on protecting your identity, check out the Intel Security Facebook page or follow them on Twitter.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Identity Theft of the Dead affects the Living

You don’t have to be living to have your identity stolen. Every year in America there’s 2.5 million cases of ID theft involving the deceased. And while your first reaction might be “So what, I’ll be dead and I won’t care”, you need to keep in mind that identity theft of the dead often significantly affects the living. How can this be prevented or at least, minimized?

Shut Down Social Media

Though it’s hard to do, closing down the decedent’s Facebook page will contribute to preventing ID theft.

Contact the Social Security Administration

This agency has a “death master file” of the SS numbers of deceased people that should be rendered inactive. This way a thief can’t use the number. Don’t wait for a funeral director to do this (though that’s their job); do it yourself for faster results.

Obits

When composing an obituary, people should post very little information. Crooks actually read these in search of a possible ID theft victim. The information to leave out includes names of survivors, complete addresses and professional history.

Receiving Bills

If a decedent’s identity has been hijacked, a survivor may begin receiving bills in that person’s name…and eventually, calls from collection agencies. “The problem isn’t so much financial — it’s emotional,” says Maria Cordeiro with the Chubb Group of Insurance Companies in an article from business-news.thestreet.com. You may have to be dragged through the pain of proving that your deceased loved-one is, in fact, no longer around.

How do you fix this problem?

  • Get all the needed documentation together, because you’ll need to send it out to any entity that requires it for proof.
  • Obtain a credit report prior to the person’s death. Of course, this works in cases of a diagnosed terminal condition versus accident. Once you have the person’s credit report, then six months after death, obtain another for comparison, says Cordeiro. The decedent’s name and SSN, six months later, should be in the death master file.
  • Do some credit monitoring. This is easier than obtaining a credit report for someone who’s dead.
  • Do a credit freeze. For a small fee, the credit report gets frozen shut, preventing a thief from opening a new account.
